Will ransomware attackers target critical infrastructure next? They would certainly be able to do so, according to the results of a recent project by cyber crime researchers in the US.
A team at the Georgia Institute of Technology have developed a new kind of ransomware that successfully seized control of a simulated water treatment plant, ordering computers to shut valves, display false readings and increase the amount of chlorine added to water.
They are warning that ransomware could increasingly be used to target control systems in critical infrastructure as attackers broaden their repertoire and move on from simply holding victims' or businesses' data hostage in return for payment.
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering.
“That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities.”
The researchers say there are many vulnerabilities in the control systems used to operate industrial facilities like manufacturing plants and water facilities as well as building management systems for escalators, lifts and air-conditioning systems.
They identified some common programmable logic controllers (PLCs) in use at industrial facilities before obtaining three different devices and testing their security set-up, including password protection and vulnerability to settings changes.
The devices were then combined with pumps, tubes and tanks to create a simulated water treatment facility. In place of the chlorine normally used to disinfect water, the researchers used iodine. They also added starch to their water supply, which turned bright blue when a simulated attack added iodine to it.
“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” Formby said.
“In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”
The researchers say city infrastructure is particularly vulnerable to ransomware attacks because many industrial control systems lack strong security protocols and because their vulnerabilities might not be fully understood by operators.
The existence of vulnerabilities in control systems is not new – it has been known for more than a decade. But until the growth of ransomware, attackers had been unable to benefit financially from compromising these systems.
“It’s quite likely that nation-state operators are already familiar with this and have attacks that they could use for political purposes, but ordinary attackers have had no interest in these systems,” said Raheem Beyah, the Motorola Foundation Professor and associate chair in the School of Electrical and Computer Engineering.
“What we hope to do is bring attention to this issue. If we can successfully attack these control systems, others with a bad intention can also do it.”
Ransomware generated an estimated $200 million (£161 million) for attackers during the first quarter of 2016 alone. The Georgia Tech researchers believe it is “only a matter of time” before critical industrial systems are compromised and held for ransom.