Busting someone out of prison? Forget about the hacksaws. Hack the SCADA system

By | April 18, 2012


Rocky: “Pass the word, we’re busting out at 2 a.m. Everyone.”

Snake: “Everyone? How we gonna open all the cells? How about the gates? Hah?”

Rocky: “We have a brain who is gonna get into the SCADA system and exploit its vulnerabilities.”

Snake: “Oh.”

We all know the concern over the vulnerability of SCADA systems that control manufacturing processes and, more alarmingly, critical infrastructure: electrical utilities, water, power, etc. But prisons? Yep. Before the Internet, federal and state authorities started installing SCADA systems in prisons because they were simple and needed minimal wiring. And wiring, it turns out, accounted for 20% to 40% of the cost of building a prison. These prison SCADA systems are highly vulnerable, according to researchers who demonstrated a proof of concept in their presentation at Source Boston.

For decades, industrial control systems were considered safe by isolation: closed, proprietary systems with no connection to the Internet. But SCADA vendors have moved to commodity hardware and software, client-server architecture, Ethernet networks and TCP/IP to tie SCADA systems to remote locations and control devices, such as programmable logic controllers (PLCs). And these controllers open and close doors. Researchers found that every one of 400 facilities that said their control systems were isolated was, in fact, connected to the Internet.

The three researchers presenting their findings — Tiffany Rad, professor at the University of Southern Maine and security researcher at Battelle Institute; physical security expert John Strauchs (her dad); and penetration tester/security researcher Teague Newman — painted a picture of alarming possibilities and lax security procedures.

For example, they found bored correctional facility personnel checking Gmail on controller computers that should not have Internet access. Staff admitted their stations were probably infected because they watched videos over the Internet.

The possibilities of a compromised control system are frightening. An exploit could be used to open and close cell doors, yard doors, and outside gates. Moreover, it would be trivial to “fool” the system into showing everything is normal while the break is on. In addition to security systems, such as doors, the controller systems are connected to surveillance systems, emergency overrides in case of fire, alarms, etc. Even where there are no direct Internet connections, control systems may be tied to secondary systems (those in the commissary, in one case) that have Internet access. Cars patrolling the perimeter communicate over unencrypted channels that could be hacked. Unsecured WiFi leaks outside the gates. Even without Internet connectivity, a system could be compromised by an infected flash drive (as in the Stuxnet infection that wrecked a number of Iranian centrifuges).

The researchers exploited a vulnerability in a Siemens system, but cautioned that many other vendors’ systems are popular in prisons and are vulnerable. Perhaps most frightening is that these are “forever day” vulnerabilities, because the cost of reprogramming the equipment or replacing millions of PLCs is prohibitive.

So what can be done? For starters, when people are told not to use control stations to check their email or watch videos, make sure they don’t. These are single-purpose computers. Period. Proper network segmentation can render these systems as close to Internet-proof as possible. Then enforce physical security procedures that ensure that no one brings a thumb drive or CD into the control room.
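One way to check that segmentation actually holds is to audit firewall or NetFlow records for the two failure modes described above: control stations reaching the Internet directly, and control stations talking to a secondary system that is itself Internet-connected. The following is an added example, not code from the researchers or the original post; the subnet plan, function names and flow records are all constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical): control stations and PLCs share this subnet.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.20.0.50", 102),    # control station -> PLC, expected
    ("10.20.0.12", "203.0.113.25", 443),  # control station -> Internet (webmail, video)
    ("10.20.0.11", "10.30.0.7", 445),     # control station -> commissary server
    ("10.30.0.7", "198.51.100.9", 443),   # commissary server -> Internet
    ("10.40.0.3", "10.40.0.4", 22),       # unrelated internal traffic
]

def is_control(ip):
    return ipaddress.ip_address(ip) in CONTROL_NET

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def audit_segmentation(flows):
    """Return (direct, indirect) lists of flows that break control-network isolation."""
    # Internal hosts outside the control network that exchange traffic with the Internet.
    internet_facing = set()
    for src, dst, _port in flows:
        for host, peer in ((src, dst), (dst, src)):
            if is_external(peer) and not is_external(host) and not is_control(host):
                internet_facing.add(host)
    direct, indirect = [], []
    for flow in flows:
        src, dst, _port = flow
        if not (is_control(src) or is_control(dst)):
            continue
        peer = dst if is_control(src) else src
        if is_external(peer):
            direct.append(flow)    # control host talks to the Internet itself
        elif peer in internet_facing:
            indirect.append(flow)  # control host talks to an Internet-connected system
    return direct, indirect

if __name__ == "__main__":
    direct, indirect = audit_segmentation(SAMPLE_FLOWS)
    for flow in direct:
        print("DIRECT  ", flow)
    for flow in indirect:
        print("INDIRECT", flow)
```

Any finding in either list means the control network is not isolated, whatever the facility's documentation says.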
