Iran is still trying to recover from Stuxnet, a cyberattack on its nuclear program thought to be initiated in late 2009. As recent as January 2010, the International Atomic Energy Agency said at least a quarter of their centrifuges were still disabled. Stuxnet is a malicious program that altered Iran’s programmable logic controllers (PLCs), slowing down operations for months. Now, a group of researchers says the same vulnerability exists in the U.S. prison system. All but the smallest U.S. correctional facilities use PLCs to open and close doors. A similar attack on U.S. prisons wouldn’t be costly to produce and could cause chaos, disabling doors and rendering parts of the security system inoperable.
Security engineer John Strauchs, along with his daughter Tiffany Rad, who is president of ELCnetworks, and security consultant Teague Newman, published a report last week warning of these vulnerabilities. Strauchs recently briefed the FBI and other federal agencies on the issue and will present the findings later this week at Defcon 19.
Strauchs has done security engineering or consulting for more than 60 detention facilities in his career. “When I read about the Stuxnet attack in Iran," said Strauchs, "I thought back and said ‘Wait a minute, prisons and jails use PLCs. Wouldn’t that be the same vulnerability?’” PLCs are essentially mini computers with a basic design to perform basic functions - to spin centrifuges in Iran, for example. They’re most common in the machine industry where they control automated tasks. They use a simple programming language called Ladder Logic to make them easier to program and troubleshoot, but it’s this simplicity that makes them vulnerable to being exploited.
PLCs are used in prison because it reduces the amount of wiring needed when there are hundreds of access points to be controlled. They consolidate controls for intercoms, video systems, door and lock alarms, and lighting controls, so a successful attack could cause chaos that would allow prisoners to escape, bring something into the prison, or even carry out a murder.
It would take a fairly sophisticated hacker to carry it out, but the hardware to do it can be bought for around $500. “Someone with malicious intentions could wreak widespread pandemonium by severely damaging door systems and shutting down security, communications, and video systems,” the report states. If no one addresses the problem, it’s only a matter of time until someone exploits this weakness, Strauchs said.
The fix is more procedural than technical. Strauchs said following basics guidelines would reduce much of the threat. Keeping computers that control security systems off networks that are connected to the Internet is one way, for example. Strauchs recommends making sure any outside connections, like the commissary’s online connections to suppliers, are completely separate from the security control system. Originally, prison designs were made without Internet connections.
Cutting off prisons from the Internet is impractical now, however, because of their need for access to local, state, and federal databases, so a dedicated server separate from the security system is suggested. Separate servers would run a facility no more than three or four thousand dollars, said Strauchs, while it would cost well over a million dollars to replace a door system after a Stuxnet-type attack. And that's not to mention the nonfinancial issues if prison security were breached.
But even without an Internet connection, the Stuxnet or some other virus could get into a prison system's computers the same way that the Stuxnet is believed to have gotten into the Iranian computers, through a trick where a thumb drive with the malicious code is left somewhere corrections personnel would be likely to pick it up and insert it into a prison computer.
photo by hagge from flickr