When the sprinkler system caused an interruption of the Miami-Seattle NFL game on Sunday, November 25, no one called it a hack. I’m not calling it one either.
But if you heard about the event prior to reading this, did it cross your mind that it could have been a hack? What about other unusual events?
If not, and you’re an IT auditor or a security pro, you should consider such things, at least briefly. Otherwise, you might want to check your professional skepticism sensor.
No, I don’t think we need to assume an attacker is behind every door (backdoor, yes), but at the same time, we need to be careful not to accept what we’re told at face value.
Think about it. If your NFL sprinkler system was hacked, would you admit it? Law enforcement routinely withholds information. So do auditees. And companies lie all the time (they call it public relations).
A Miami Dolphins spokesman said that the sprinkler was operating on the Saturday schedule. Huh? On Saturdays, the sprinklers are set to run in the afternoon?
Now, I’m not a groundskeeper, and maybe that really is the schedule. As soon as I heard the story, I wondered, but when I heard about the ‘Saturday schedule’, all kinds of bells rang in my brain.
Probe with Good Questions
However, don’t wonder skeptically out loud too much, or you’ll be branded a conspiracy theorist. Instead, ask more questions about the event, but stick to Who, What, When, Where, Why, and How questions.
- Who is responsible for the sprinkler system and the schedule that it runs on?
- When was the last time the schedule was changed?
- How do you change the schedule when Saturday events occur?
- Have the sprinklers ever interrupted anything else? Describe it.
- Where is the system that controls the sprinklers located? Is it in a secure location?
- Is the sprinkler system connected to the LAN? Can it be managed from the Internet?
and so on.
In other words, beat around the conspiracy bush with intelligent, innocent-sounding questions. Then you’ll have more data to work with, so you can decide whether the details sound reasonable or whether the interviewee is hiding something.
Maybe it was just an old-fashioned prank. Either way, when something like this happens, be skeptical. Then ask good questions.
Here’s video of the event. This video is no longer available (see Comment below).
Are you skeptical enough? Paranoid? Or just lazy?
Update: Of course, with the Super Bowl loss-of-power incident, I wondered again. Details were sketchy. Probably not a hack, as no one took responsibility; who’d take out the Super Bowl and not brag about it? The important thing is to be skeptical without becoming a conspiratorial auditor.