Researchers have demonstrated how a ransomware attacker could hold a water treatment plant hostage until the operator pays up.
The potential for physical injury from a ransomware attack is already evident in recent attacks on hospitals, which depend on fast access to electronic patient records. In October the Northern Lincolnshire and Goole NHS Foundation Trust cancelled all operations for a day due to a cyberattack, believed to have been ransomware.
Ransomware typically relies on holding a victim’s data hostage to extract a payment, but researchers from Georgia Tech believe the ransomware model could be adapted to attack the control systems in critical infrastructure, such as a water treatment facility, allowing the attacker to use a whole city's safety as a bargaining chip.
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering.
“That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers.”
Using a simulated water treatment plant, the Georgia Tech researchers demonstrated on Monday at the RSA conference they could hack into the plant and use access to its programmable logic controllers (PLCs) to shut valves, dump dangerous amounts of chlorine into the water, and display false readings.
PLCs are remote devices that are used to monitor and manage industrial processes. While malware for PLCs isn’t new, the risk of them being hacked came into focus after the discovery of Stuxnet in 2010, which targeted PLCs and Siemens’ software at an Iranian nuclear facility.
The researchers point out that most PLC devices are isolated from the internet, but if attackers can get inside the target’s business systems, they may be able to reach the control systems from there. Their research also found 1,400 PLCs of one type exposed directly on the internet.
“Many control systems assume that once you have access to the network, you are authorized to make changes to the control systems,” Formby said.
“They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system.”
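The weakness Formby describes is that reachability on the control network is treated as authorization to change a process. One compensating control a plant operator can deploy is to audit PLC write operations against an explicit allowlist of engineering workstations and authenticated users, so that a write issued from a pivoted business-network host, or from any host without a named user, is flagged. The script below is an added illustration of that check, not code from the Georgia Tech researchers or from this article; the network ranges, the allowlist, the log format and the operation names are all assumptions, and the log lines are constructed.

```python
"""Flag PLC write operations that are authorised by network reachability alone."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical plant layout: a control network holding the PLCs and the
# engineering workstations, and a business network from which an intruder who
# has compromised office systems might try to reach the PLCs.
CONTROL_NET = ip_network("10.20.0.0/24")
BUSINESS_NET = ip_network("10.10.0.0/24")

# Assumed allowlist: the only hosts permitted to write to PLCs.
ENGINEERING_HOSTS = {ip_address("10.20.0.50"), ip_address("10.20.0.51")}

# Operations that change process state or PLC logic (names are invented here).
WRITE_OPS = {"write_setpoint", "write_coil", "write_register", "download_program"}

# Constructed sample of a control-network audit feed.  Each record is
# "timestamp,src_ip,plc,operation,user"; an empty user means no authentication.
SAMPLE_LOG = """\
2017-02-13T09:00:01,10.20.0.50,plc-chlorine-1,write_setpoint,eng.alice
2017-02-13T09:00:05,10.20.0.7,plc-chlorine-1,read_coils,
2017-02-13T09:01:12,10.10.0.23,plc-chlorine-1,write_setpoint,
2017-02-13T09:01:40,10.20.0.50,plc-intake-valve,write_coil,
2017-02-13T09:02:03,10.10.0.23,plc-intake-valve,read_registers,
2017-02-13T09:02:30,10.20.0.51,plc-intake-valve,write_coil,eng.bob
"""


@dataclass
class Alert:
    timestamp: str
    src_ip: str
    plc: str
    reason: str


def evaluate(record: str) -> Optional[Alert]:
    """Return an Alert for a write that network access alone should not have
    authorised; reads and properly authorised writes return None."""
    ts, src, plc, op, user = record.split(",")
    if op not in WRITE_OPS:
        return None  # reads are outside this policy
    src_ip = ip_address(src)
    if src_ip in BUSINESS_NET:
        return Alert(ts, src, plc, "write from business network")
    if src_ip not in ENGINEERING_HOSTS:
        return Alert(ts, src, plc, "write from non-engineering host")
    if not user:
        return Alert(ts, src, plc, "write without authenticated user")
    return None


def audit(log: str) -> List[Alert]:
    """Run the policy over every non-empty record in the feed."""
    return [a for a in (evaluate(r) for r in log.splitlines() if r) if a]


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.src_ip} -> {alert.plc}: {alert.reason}")
```

On the constructed feed the policy raises two alerts: the setpoint write from the business-network host, and the valve write from an allowed workstation that carried no authenticated user. Reads from either network pass, which keeps the check focused on the state-changing operations the article is concerned with.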
To create the simulated water plant, the researchers acquired three commonly used PLC devices and tested their security features, such as password protection and how easy it would be to change settings. They hooked these up to pumps, tubes and tanks to simulate the treatment facility. For the demonstration, they swapped chlorine for iodine, which turns blue when it mixes with starch they added to the water.
Formby said the attack demonstrates that the ransomware model has given attackers a way to monetize attacks on control systems, which are known to have vulnerabilities but are less frequently attacked by financially motivated cybercriminals.
Just because a plant’s control systems can be held hostage doesn’t mean cybercriminals would choose to do so when it’s far easier to encrypt victims’ data.
However, Raheem Beyah, a Motorola Foundation Professor and associate chair in the School of Electrical and Computer Engineering and Formby’s faculty advisor, reckons PLCs could be next in line if people and companies get better at defending against file-encrypting ransomware.
“It’s quite likely that nation-state operators are already familiar with this and have attacks that they could use for political purposes, but ordinary attackers have had no interest in these systems,” said Beyah. “What we hope to do is bring attention to this issue. If we can successfully attack these control systems, others with a bad intention can also do it.”