Proof of concept ransomware could poison water supply
Wed 15 Feb 2017
Researchers at the Georgia Institute of Technology have developed ransomware that, in a simulated environment, was used to seize control of a water treatment plant and successfully change additives to the water supply.
The simulated attack was created to highlight the vulnerability of infrastructure and industrial control systems to malicious agents.
To stage the attack, David Formby, a Ph.D. candidate, and his faculty advisor, Professor Raheem Beyah, built a simulated water treatment facility in their lab, using common programmable logic controllers (PLCs) to control pumps, tubes and tanks.
Formby said, “We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom.”
In the simulated environment, Formby and Beyah were able to use ransomware to compromise the PLCs, commanding them to open and shut valves and to display false readings in addition to changing the amount of chlorine in the water.
The researchers used a specialized search engine to locate 1400 programmable logic controllers of a single type that were directly connected to the internet. Operators of systems using PLCs may believe that because the controllers were not designed for direct internet access, or because they are not on a public network, the systems are not vulnerable to attack. Because of this, PLCs are often not subject to additional layers of security such as firewalls or intrusion monitoring. In essence, the system assumes that once a user has access, they are entitled to make changes to PLCs.
Once an attacker has compromised a business system, the programmable logic controllers reachable from it are exposed to the same attacker.
Formby said, “There are common misconceptions about what is connected to the internet. Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”
While the vulnerability of industrial control systems has been acknowledged for some time, until the rise of ransomware there was no way for an attacker to profit from seizing control of an industrial system.
Thus far the bulk of ransomware has been used to hold data hostage in exchange for payment: an attacker gains control of a network and locks up critical data, then offers the victim the key to unlock that data, for a price.
However, Formby and Beyah believe that compromising critical systems is the next logical step for attackers. Instead of holding data hostage, hackers could seize control of water treatment plants, manufacturing facilities, HVAC systems, or even elevators by attacking the PLCs that operate them. Backed by very real threats to those systems, the attackers could then demand payment to hand control back to the authorities.