Continued from page 1

In many prisons, technical support staff would add connections to enable them to update the system’s software remotely after the ICS systems were installed by security specialists.

“We saw that a lot, a lot,” said Mr. Teague.

Mr. McGurk said he found Internet connections in every one of the 400-plus onsite inspections of control systems in the government and private sector he had overseen in three years at the Homeland Security Department.

“In no case did we ever not find connections,” he said. “They were always there.”

Even systems that were successfully cut off from the Internet could be attacked by malicious insiders or anyone with enough access to insert a thumb drive into a computer work station, Mr. Strauchs said.

“The mostly likely vector would be to bribe a prison guard to insert a USB drive with malicious programming. Hard to stop and hard to find out who did it,” he said.

Mr. Teague said the team’s attack was “pretty easy” to develop.

“I had no prior experience with programming ICS” Mr. Newman said, “We did not spend a lot of time, it was cheap, and we did it in my basement.”