Home Alone with Electronic Security

By Stephen Carter

Remember how clever Kevin McCallister (MacCaulay Culkin) was in Home Alone designing methods, systems, and devices to fortify his castle against the likes of Harry (Joe Pesci) and Marv (Daniel Stern)? We forget that what invited this potential home invasion was an early scene where Harry and Marv, posing as police officers, cased the leafy Chicago suburbs looking for residences with electronic security that would be easily compromised, finally finding one, chose Kevin’s home. Clearly, the bruises, scars, and humiliation they experienced suggests that advanced planning was not their strong suit.

Electronic security from home to car to workplace is, simply stated, what we are, or have become. No need to tick off examples. Every aspect of our daily living is influenced or managed by some application of electronic security. This is unlikely to change, and the odds are the applications will only become more pervasive. Some will embrace, some resist, some invent this inevitable future. What about prisons and jails?

What is so amazing about electronic security in the incarceration environment is how quickly we went from “zero to sixty” by not only adapting the devices in design but coming to rely extensively on these systems for community, staff, and inmate safety. Now, every project whether an upfit or purpose-built begins with a discussion of the anticipated incorporation of electronic security.

Those who are involved in the design, construction, manufacturing, installing, and maintenance of electronic security systems stand on the shoulders of architects like Jim Webster, Gary Mote, and Scott Higgins from the Bureau of Prisons who first pioneered the incorporation of electronic security systems in the early 1970’s. Very quickly Buford Goff, Jerry Forstater, Colin Lobo, Doug Fitzgerald, Jack Shedder and many other engineers and architects began to demonstrate how to integrate more than one security device and develop a “system” that now easily represents 10-15% of the construction cost.

So, what’s the issue? Correctional facilities are safer, more efficient, smarter, and actually accountable with the multiple examples of integrated electronic security and data systems. We should be celebrating what has been achieved in a generation and anticipating the next generation of electronic security that makes the daily routines of staff and inmates safer, predictable, and efficient, if not more interesting.

Enter the hackers. So far, prisons and jails have been spared the danger and embarrassment of having everything from food choices to health data exposed, altered, or deleted. However, we would be foolish to ignore the implications that could result from a serious hack of the integrated security systems in correctional facilities. We rely extensively on these systems to make the environments secure and efficient to operate. The truth is that the more we integrate the systems, the more devastating a breach could become.

Traditionally, our concern has been more focused on ensuring that inmates did not compromise the systems from the “inside”. However, drones became the “tip of the spear” by demonstrating how electronics controlled from outside the perimeter could seriously compromise security. Correctional managers have spent an incredible amount of time exploring and creating solutions to drone interference, but perhaps a greater threat is malware and ransomware that could literally neutralize the integrated security systems.

Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks whether those threats originate from inside or outside of an organization. In the private sector, a January 2020 report found that 48% of senior executives at midsized companies felt malware and ransomware are the greatest cyber threats. Despite the recognition of this threat, only 45% had a contingency plan in place should an attack occur. I don’t know but will hazard a guess that these percentages noted from the private sector are lower in the correctional system simply because cybersecurity has not yet become a priority.

If the integrated system is compromised, we just resort to key overrides and show of force. Right?

Inmates do not yet have access to the internet, but this will likely change in the future. Already has in some European prison systems. The resulting greater threat for prisons will be external whether for devious sport or serious havoc and mayhem.  I don’t need to describe worst case scenarios when control is compromised; just recall the New Mexico Penitentiary control room compromise three decades ago.

Look back at Home Alone for patterns that attackers/hackers use to compromise a place and a security system. First, they had a purpose (wealth enhancement) and plan (undetected access). Second, the dynamic dimwits gathered evidence to determine system weak points (complacent homeowners). Third, the fashionistas attempted to disguise themselves as repairmen. And last, they executed (nearly were) the plan.

According to CDW Corporation, a company providing technology services and products to government, “hacker-led attacks that can happen in a moment based on days and weeks of observing and planning so they can choose the most susceptible targets”. This is accomplished by learning systems and personnel and researching operations to find out which ones will have weak IT security in place.

To help minimize the possibility of a cyber-attack that could disrupt, compromise, or collapse an integrated security system, CDW suggests a 5-point approach:

  1. Have the right mindset: Understand and document the risk. This means acknowledging the threats and understanding where these threats can come from by keeping the right expertise in place to evaluate, understand, and identify potential breach points or areas of exposure in the infrastructure.
  2. Create a response plan – and keep it updated: Be ready the moment any attack occurs by having the right response plan in place. Know who and when to notify and what actions need to be taken to lock down the threat, secure systems, and mitigate any potential issues before they spiral. Finally, make sure plans are routinely updated. Technology changes rapidly, and plans must change as well.
  3. Train personnel to identify threats and take security seriously: The size of a prison or organization is irrelevant; everyone with access to the systems must be trained to identify potential threats as well as hackers. Educating on how to identify suspicious emails and identify potential social engineering attacks is essential; have a security best practices guide in place; review it annually; and send out practices and tests so that key personnel can see what threats look like in real-time.
  4. Get the right technology and strategy in place: Investigate the technology that can be utilized within the IT environment to help keep it secure, including next-gen firewalls, endpoint security with anti-ransomware capabilities, email security, and user training. Outdated technology is a potential threat, but inadequate (or nonexistent) user training creates the weakest link in the IT chain, so stay up-to-date with training and technology.
  5. Ask for help: Most governments now have in-house cybersecurity specialists. In addition, a significant number of private companies offer a range of planning and prevention services. There is no shame in asking for help to protect integrated security systems from potential threats as well as identify areas to reinforce. Hackers don’t execute attacks alone, and correctional organizations shouldn’t defend themselves alone either.

We all know things didn’t workout well for the hapless Harry and Marv. Combining the ingenuity of Kevin, a well-placed shovel of his neighbor, and local law enforcement, all ended well (until Home Alone II showed up). Finally, Harry and Marv are locked away, but a herd of hacker/attackers are not. So, now is a good time to consider a response to cybersecurity threats. 

Stephen Carter, AICP, is the executive vice president and global strategic development officer for Miami-based CGL.

Editor’s Note: This expert piece originally appeared in the May/June 2022 issue of Correctional News.