Researchers simulate a ransomware attack on industrial controls

Researchers at the Georgia Institute of Technology have created a form of ransomware that can hit us where it really counts: the water supply. Their program installed itself in a model water plant and allowed the researchers to change chlorine levels, shut down water valves, and send false readings to monitoring systems.

“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a Ph.D. student and co-author of the study. “That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers.”

In theory, there is security in place to prevent this sort of thing, but the researchers were easily able to find 1,400 partially accessible PLCs connected to the Internet, and one piece of malware could open them to hacking.

“There are common misconceptions about what is connected to the internet,” said Formby. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”

All an attacker would need to do to take over an entire industrial operation is get behind the firewall through a phishing attack and then force those PLCs to connect out to the Internet through the firewall. Even though a machine may be disconnected, there are still plenty of vectors for attack, especially when devices have Internet connectivity built in. Once upon a time, the dream was to be able to control everything remotely; it’s now clear that, thanks to poor IoT security, entire systems can be stomped in a few keystrokes. The potential for damage is pretty scary.

“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” Formby said.

The researchers are discussing their work at the RSA conference in San Francisco today.