Cyber security researchers at Georgia Tech university have created a new form of ransomware that can take over the controls of simulated water treatment plant, highlighting the vulnerabilities than can be found in industrial control systems.
The researchers managed to use the ransomware to gain access to the simulated water plan and then command its programmable logic controllers (PLCs) to shut valves, display false readings, and worryingly, increase the chlorine levels added ot the water.
Believed to be the first cyber attack of its kind to demonstrate how ransomware can be used to compromise real PLCs, the simulated attack indicated the dangers cyber attacks pose to real-world core infrastructure.
They then used custom ransomware spread through normal attack vectors such as email phishing and malicious links, to gain access to the PLCs exploit their vulnerabilities and effectively seize control of the simulated water treatment plant.
“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”
An attack against a water plant could be particularly problematic, causing a disruption in water supply but also potentially putting people in danger of drinking water not suitable for human consumption.
The researchers used a specialised search program to locate 1,400 PLCs of a single type that were directly accessible via the Internet.
PLCs are normally located behind business systems with firewalls that offer a degree of protection from cyber attacks from the Internet But if the business system is compromised by ransomware, a hacker could gain access to the PLCs if they are not properly isolated from the business system.
“Many control systems assume that once you have access to the network, that you are authorised to make changes to the control systems,” said Formby “They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system.”
While previously such control systems were not connected to the internet, the addition of access points for maintenance updates and troubleshooting and connections unknown to facility operators means they now have more connectivity than before.
“There are common misconceptions about what is connected to the internet,” Formby explained. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”
While such exploits are not commonly the targets of cyber criminals harnessing ransomware, with their preferred targets normally being banks, Formby noted that attacks on critical infrastructure could be used to hold cities hostage: “Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers.”
“It’s quite likely that nation-state operators are already familiar with this and have attacks that they could use for political purposes, but ordinary attackers have had no interest in these systems,” he added. “What we hope to do is bring attention to this issue. If we can successfully attack these control systems, others with a bad intention can also do it.”
With the continued rise of ransomware as a major vector for cyber attacks, security researchers and companies may have their work cut out for them.
Quiz: Are you a security pro?
British regulator invites feedback on major partnerships Microsoft and Amazon have struck with smaller AI…
Another 20 staff have been fired by Google over Israel protest and their “completely unacceptable…
Censorship row brewing down under, after the Australian Prime Minister calls Elon Musk an 'arrogant…
Financial regulator asks New York judge to impose $5.3 billion in fines against Terraform Labs…
Lightweight artificial intelligence model launched this week by Microsoft, offering more cost-effective option for Azure…
ByteDance protest falls on deaf ears, as Senate passes TikTok ban or divest bill, with…
View Comments
Well done to Mr Formby, for stating "...If we can successfully attack these control systems, others with a bad intention can also do it."
May I draw attention to AI and robotics development. There appears to be talk of 'agreements' to restrict how far AI and robotic systems should progress with reference to the level of intelligence and decision making. How would such agreements prevent the bad actors from taking advantage ? The current laws, within each country do not prevent cyber crime. Thankfully we have a researcher quoted in an article, stating the fact that others could take advantage of a situation with the use of ransomware. The same thought process MUST be applied to the advancement of AI and robotics, if we are to remain 'safe'.