RESEARCHERS have developed a form of ransomware able to take control of a simulated water treatment plant, raising concerns over the security of critical infrastructure.
Once the ransomware had ‘gained access’, the researchers from the Georgia Institute of Technology in the US, were able to command programmable logic controllers (PLCs) to shut valves, increase the amount of chlorine added to water, and display false readings.
“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” said researcher David Formby. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”
Operators may incorrectly assume that their control systems are not connected – or air-gapped – from the internet. This is a poor assumption they warn, noting that control systems may have connections that are unknown to the operators, including access points installed to allow maintenance, troubleshooting and updates.
The team estimates that ransomware attacks that held business data hostage generated US$200m for hackers in the first quarter of 2016. They believe theirs is the first demonstration of using ransomware to compromise PLCs and say hackers may turn to critical infrastructure in the future as business data becomes more secure and harder to hack.
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said Formby. “That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the (PLCs) in these systems is a next logical step for these attackers.”
Javvad Malik, security advocate at cyber security firm Alien Vault, is a little more cautious about the appetite for attacking critical systems: “We’ve seen ransomware grow rapidly, and there is growing attraction to hit more critical targets such as hospitals that are more likely to pay larger sums quickly.
“In that regard, it is no stretch to imagine attacks against SCADA systems are on attacker wish-lists. However, many attackers will be concerned about the level of scrutiny such an attack could place on them. Many ransomware attackers are cybercriminals wanting to make some money in an easy manner, and probably don’t want the attention associated with being labelled a ‘cyber’ terrorist or having declared an act of war.”
Commenting on what operators can do to reduce their vulnerability to attacks, Mark James, IT security specialist at IT security company ESET, said: “All environments in our digital world are susceptible to attack and need to be protected. Making sure operating systems, applications and security programs are kept up-to-date is one of the first lines of defence and one that often is overlooked”.
In preparation for their attack, the Georgia Tech team identified several common PLCs in use at industrial facilities, bought three different devices and tested their security setup, including password protection and susceptibility to settings changes. The devices were then combined with pumps, tubes and tanks to create a simulated water treatment facility.
While this demonstration is a first for ransomware, there have been a number of other forms of successful cyber attacks against real-world industrial facilities. In 2014, German authorities revealed that hackers had forced an unnamed German steel mill into an uncontrolled shutdown that caused massive damage to the plant. While it’s been widely reported that ThyssenKrupp was the victim of that attack, a company spokesperson told The Chemical Engineer that an external audit has proved this claim is untrue.
Industrial hacking’s big break into the public consciousness came in 2010 when it was revealed that the Stuxnet virus – thought to be created by US and Israeli intelligence – altered the settings on centrifuges being used in Iran’s nuclear enrichment programme, destroying equipment and setting back work by months or even years.
Catch up on the latest news, views and jobs from The Chemical Engineer. Below are the four latest issues. View a wider selection of the archive from within the Magazine section of this site.