By Robert Sadler, Larry Jaffe and David Campbell
An offender at a correctional facility overdosed on illegal drugs in one of the common areas, and a thorough review of security camera footage and a search of the correctional facility revealed no trace of trafficking. Two weeks later, another offender overdosed on similar illegal drugs. Again, the cameras showed no trafficking. Upon deeper inspection of the video camera network, the correctional facility discovered that organized crime hacked into the system and manipulated video content to conceal drug trafficking in and around the correctional facility. Though the facility took immediate action, nothing erases the damage inflicted. When hacking impacts justice facilities, the results can be life-threatening and difficult to pinpoint.
Follow the numbers
Justice facilities and law enforcement are attractive targets for cyber threats. The numbers relating to the Federal Bureau of Prisons (FBOP) balance sheet as of September 30, 2017, showed $6.701 billion in total assets. The considerable investment in justice facilities attracts cyber threat actors seeking to cash in on these investments, deploying various extortion means.
In May 2021, the Washington D.C. police department was attacked by cyber threat actors using ransomware, demanding $4 million to prevent leaked documents. The police department unsuccessfully attempted to negotiate a $100,000 payout, resulting in the cyber threat actors leaking official police department documentation to the internet.
Cyber threat actors often use social engineering as an avenue to gain access to vulnerable cyber systems and leverage that information for a high-dollar payout. Social engineering is the practice of manipulating a person or company into divulging personal private information (PPI), and cybercriminals are subject matter experts at finding and exploiting cyber system vulnerabilities. Correctional facilities could be extorted to pay significant amounts of money to protect this information – and their reputations.
Cybersecurity crimes can happen at your facility
According to the Federal Bureau of Investigation, 4.2 billion was lost to cybercriminals in 2020. In March of 2021, Verkada security cameras in jails and prisons were compromised by Swiss-based hacker activist group APT-69420, seeking to prove the vulnerability of security cameras. In October 2013, the Belgian port Antwerp was hacked by cyber threat actors contracted by organized crime drug traffickers to transport illegal drugs. The Antwerp attack approach leveraged port security cameras as part of their effort and could be leveraged by other cyber threat actors to enable the transport of contraband in and out of detention facilities.
The threat is real. It has financial, human health and safety, and day-to-day operational impact for justice facilities.
Don’t let this happen to you
What can you do about it? In an ideal world, you would have a complete cybersecurity program with people assigned specific roles and responsibilities for maintaining the cybersecurity of your critical infrastructure. But there are a few things you can do to reduce a facility’s risk of falling victim to the next cyberattack.
The ultimate strategy uses defense-in-depth to provide improved mitigation, including tactics like:
- A combination of physical security and cybersecurity investments
- Good network maintenance
- Investment in cybersecurity training for workers and leadership
- Establishing a cybersecurity culture for the long haul
If you want to take immediate action, here are three things you can do right now to reduce your facility’s risk and reduce vulnerabilities:
- Disconnect or protect your system from the internet
Failing to disconnect or protect your system from the internet is by far the most severe error a critical infrastructure owner can make – and it’s the most common. For example, facility leadership may want to see facility video footage from their home in the middle of the night, but that opens the door for bad actors to gain a foothold on the network, and from there, they can attack all other systems within the facility.
- Increase the physical protection around all network connections
Ensure all network switches and other network devices are in locked cabinets or kept in a locked room. If the facility has managed network switches, turn off any ports that are not in use. If switches are unmanaged, unplug cables going to unused wall outlets.
- Take an inventory of everything on your network
You cannot protect what you don’t know you have. Therefore, security support personnel should run a passive network scan to identify all connected devices and locate any rogue devices.
- Secure your PLC
Programmable Logic Controllers (PLC’s) are used as a standard for correctional facility door control systems. PLC systems do not have virus software, are an open platform and are particularly vulnerable to cyber-attack. Particular care needs to be taken to protect PLC systems from infiltration. These systems need to be air-gapped or kept behind a very secure firewall in order to maintain security of the system. Interface to video systems and systems that connect to outside networks should be connected by serial connections to disallow infiltration through an ethernet connection. USB flash drive ports need to be disabled to keep viruses from the system. Access to a keyboard and windows needs to be removed from the Human Machine Interface (HMI) system to keep threats away from the system.
Cybersecurity awareness is another important measure for protecting a facility
The Cybersecurity and Infrastructure Security Agency (CISA) and US-CERT provide free online resources and training to personnel that oversee the IT and OT infrastructure in facilities across all U.S. sectors. The first step toward securing infrastructure is the awareness stage, knowing you have a threat, then learning what resources are available to help counter the threat. From there, it’s possible to quickly implement people, processes, and technology to counter threats.
Once you’ve taken those initial steps toward a more secure network, keep your momentum going. Check AIT’s website for specific instructions on assessing your facility’s network and attached devices so you can identify vulnerabilities and develop a prioritized list of fixes. Contact MSE for help assessing your facility’s security infrastructure including door control, perimeter detection, intercom, paging, security video, duress and security UPS systems.
Robert Sadler is the Cybersecurity and Engineering Subject Matter Expert, Applied Integrated Technologies, Inc.; Larry Jaffe serves as Principal, Cyber Mission Assurance Capabilities, Applied Integrated Technologies, Inc.; and David Campbell, P.E., is Owner, Maximum Security Engineering.
This article originally appeared in the January-February 2022 issue of Correctional News.