At the recent Hackers Halted convention in Miami, researchers John J. Strauchs and his daughter Tiffany Strauchs Rad told the audience how with only $2,500 and some basic equipment, they were able to develop a cyberattack on a simulated prison computer system with potentially catastrophic results
At the recent Hackers Halted convention in Miami, researchers John J. Strauchs and his daughter Tiffany Strauchs Rad told the audience how with only $2,500 and some basic equipment, they were able to develop a cyberattack on a simulated prison computer system with potentially catastrophic results.
By seizing control of a prison system’s industrial control system (ICS), a hacker could overload the electrical system which controls prison doors. According to Strauchs, a retired CIA operations officer, “You could open every cell door, and the system would be telling the control room they are all closed.”
Hackers could also shut down a prison’s communications systems and short-circuit closed-circuit television monitors, leaving prison guards in the dark.
Vulnerabilities in ICSs are a growing area of concern for cybersecurity specialists as, in addition to the prison system, much of the critical infrastructure in the United States is run by them including pharmaceuticals, electrical utilities, and factories.
The devastating potential of attacking ICSs first came to light in 2009, when the Stuxnet worm targeted ICS at Iran’s Bushehr nuclear facility, causing a number of centrifuges to spin out of control resulting in significant delays to the country’s nuclear program. More recently, in September, the Duqu virus, also known as the “son of Stuxnet,” was discovered in computers across Europe. The new virus is thought to be a precursor to another Stuxnet-like attack, gathering intelligence on industrial control systems for a targeted attack later.
Meanwhile, last month, the hacker group Anonymous expressed their intent to target ICSs at various facilities in the United States.
In practice critical control systems like those in U.S. prisons should not be connected to the Internet, affording them a layer of protection from hackers. But in reality, this is not usually the case.
Teague Newman, a member of Strauchs’s cybersecurity research team, said, “In our experience, there were often connections” to the Internet, which would allow hackers access to prison networks. During the course of their research, the team found that in some locations, prison guards were using the computers which controlled the facility’s ICS to check personal email, providing a direct gateway for malware.
The problem exists in virtually every prison, said Sean P. McGurk, who headed the DHS’s efforts to secure ICS. “In no case did we ever not find connections,” he said. “They were always there.” In fact, Internet connections were found in every one of McGurk’s 400-plus onsite inspections during his career.
To effectively defend against hackers, the solution is much more difficult than making sure prison ICSs are not connected to the Internet. For instance with Stuxnet, determined hackers scattered USB drives infected with the worm around the Iranian nuclear facility and curious employees ultimately plugged them in, inadvertently releasing the worm. In the case with prisons, hackers could even bribe a guard to install malware.
The multiple layers of physical security at U.S. prisons would make a breakout an unlikely motivation behind cyberattacks, but Strauchs believes assassinations are a greater threat. “You create chaos as a way to [implement a plan to] kill someone,” he said.