Georgia Tech researchers have created ransomware that can attack critical infrastructure
Cyber security researchers at Georgia Tech have created a new form of ransomware that can take over the controls of a simulated water treatment plant, highlighting the vulnerabilities that can be found in industrial control systems.
The researchers managed to use the ransomware to gain access to the simulated water plant and then command its programmable logic controllers (PLCs) to shut valves, display false readings and, worryingly, increase the chlorine levels added to the water.
Believed to be the first cyber attack of its kind to demonstrate how ransomware can be used to compromise real PLCs, the simulated attack indicated the dangers cyber attacks pose to real-world core infrastructure.
To conduct the simulated attack, the researchers found several common PLCs used at industrial facilities and put their security setups through their paces. These PLCs were attached to pumps, tanks and tubes to create a small-scale simulated water treatment plant.
They then used custom ransomware, spread through normal attack vectors such as email phishing and malicious links, to gain access to the PLCs, exploit their vulnerabilities and effectively seize control of the simulated water treatment plant.
“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”
PLCs are commonly found in many industrial facilities, so the ransomware, if it were developed by a malicious group rather than researchers, could wreak havoc across all manner of facilities responsible for the critical infrastructure of urban areas.
An attack against a water plant could be particularly problematic, not only disrupting the water supply but also potentially putting people in danger of drinking water that is not fit for human consumption.
The researchers used a specialised search program to locate 1,400 PLCs of a single type that were directly accessible via the Internet.
PLCs are normally located behind business systems with firewalls that offer a degree of protection from cyber attacks from the Internet. But if the business system is compromised by ransomware, a hacker could gain access to the PLCs if they are not properly isolated from the business system.
“Many control systems assume that once you have access to the network, that you are authorised to make changes to the control systems,” said Formby. “They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system.”
While such control systems were previously not connected to the internet, the addition of access points for maintenance updates and troubleshooting, together with connections unknown to facility operators, means they now have more connectivity than before.
“There are common misconceptions about what is connected to the internet,” Formby explained. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”
While such systems are not commonly the targets of cyber criminals using ransomware, whose preferred targets are normally banks, Formby noted that attacks on critical infrastructure could be used to hold cities hostage: “Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers.”
“It’s quite likely that nation-state operators are already familiar with this and have attacks that they could use for political purposes, but ordinary attackers have had no interest in these systems,” he added. “What we hope to do is bring attention to this issue. If we can successfully attack these control systems, others with a bad intention can also do it.”
With the continued rise of ransomware as a major vector for cyber attacks, security researchers and companies may have their work cut out for them.