The simulated attack was designed to highlight vulnerabilities in the systems used to control facilities such as manufacturing plants, water treatment facilities and building management systems.
Although there have been no public reports of industrial facilities being held to ransom in this way, such attacks have become a significant problem for businesses holding customer data and hospitals with patient data. Attackers can gain access to this data and encrypt it, demanding a ransom to provide a key to unlock the data.
According to the cyber-security expert SonicWall, the number of ransomware attacks detected has grown dramatically from 3.8 million in 2015 to an “astounding” 638 million in 2016. By the end of the first quarter of 2016, targeted companies had paid $209m in ransom, it reports, and by mid-2016, almost half of all organisations were saying that they had been targeted in the previous 12 months. And, according to an IBM study published in December, seven out of ten US businesses infected with ransomware have paid out, with most paying more than $10,000.
The Georgia Tech researchers believe that it is only a matter of time before critical industrial systems are compromised and held for ransom.
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” says David Formby, a PhD student in the School of Electrical and Computer Engineering. “That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the PLCs in these systems is a next logical step for these attackers.”
Many industrial control systems lack strong security, points out Professor Raheem Beyah, associate chair in the School and Formby’s advisor. “That’s likely because these systems haven’t been targeted by ransomware so far, and because their vulnerabilities may not be well understood by their operators.
Formby and Beyah used a special search program to locate 1,400 PLCs of one type that were directly accessible via the Internet. Most such devices have some level of protection – until they are compromised. Once attackers get into a company’s business system, they can enter its control systems if they are not properly protected.
“Many control systems assume that once you have access to the network, that you are authorised to make changes to the control systems,” says Formby. “They may have very weak password and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system.”
Many users assume that control systems are not on the public network and therefore not susceptible to attack. Control systems may also have connections that are unknown to operators, including access points for maintenance, troubleshooting and updates.
“There are common misconceptions about what is connected to the Internet,” Formby warns. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”
The US researchers obtained three PLCs and tested their security setup, including password protection and susceptibility to settings changes. They then combined the PLCs with pumps, tubes and tanks to create a simulated water treatment facility. Instead of the chlorine normally used to disinfect water, they used iodine. They also added starch to their water supply, which turned bright blue when a simulated attack added iodine to it.
“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” Formby explains. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine would make the water unsafe.”
As other ransomware targets become more difficult, Beyah suspects that attackers may turn to easier targets in industrial control systems.
“It’s quite likely that nation-state operators are already familiar with this and have attacks that they could use for political purposes, but ordinary attackers have had no interest in these systems,” he remarks. “What we hope to do is bring attention to this issue. If we can successfully attack these control systems, then others with a bad intention can also do it.”
As well as improving password security and limiting connections to the Internet, Beyah says that PLC users need to install intrusion monitoring systems to alert them if attackers are in their control networks. Beyah and Formby have formed a company to make their strategies for protecting systems available to control system operators.