Ransomware Used to Seize Control Of Simulated Water Plant

Cyber security researchers at Georgia Tech university have created a new form of ransomware that can take over the controls of simulated water treatment plant, highlighting the vulnerabilities than can be found in industrial control systems.

The researchers managed to use the ransomware to gain access to the simulated water plan and then command its programmable logic controllers (PLCs) to shut valves, display false readings, and worryingly, increase the chlorine levels added ot the water.

Believed to be the first cyber attack of its kind to demonstrate how ransomware can be used to compromise real PLCs, the simulated attack indicated the dangers cyber attacks pose to real-world core infrastructure.

Cracking PLCs

To conduct the simulated attack, the researchers found several common PLCs used at industrial facilities and put their security set up through their paces. These PLC were attacked to pumps, tanks and tubes to create a simulated water treatment plant on a small scale.

They then used custom ransomware spread through normal attack vectors such as email phishing and malicious links, to gain access to the PLCs exploit their vulnerabilities and effectively seize control of the simulated water treatment plant.

“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”

Infiltrating infrastructure

PLC are commonly found in many industrial facilities, so the ransomware, if it was developed by a malicious group rather than researchers, could wreak havoc across all manner of facilities responsible for the critical infrastructure of urban areas.

An attack against a water plant could be particularly problematic, causing a disruption in water supply but also potentially putting people in danger of drinking water not suitable for human consumption.

The researchers used a specialised search program to locate 1,400 PLCs of a single type that were directly accessible via the Internet.

PLCs are normally located behind business systems with firewalls that offer a degree of protection from cyber attacks from the Internet But if the business system is compromised by ransomware, a hacker could gain access to the PLCs if they are not properly isolated from the business system.

“Many control systems assume that once you have access to the network, that you are authorised to make changes to the control systems,” said Formby “They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system.”

While previously such control systems were not connected to the internet, the addition of access points for maintenance updates and troubleshooting and connections unknown to facility operators means they now have more connectivity than before.

“There are common misconceptions about what is connected to the internet,” Formby explained. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”

While such exploits are not commonly the targets of cyber criminals harnessing ransomware, with their preferred targets normally being banks, Formby noted that attacks on critical infrastructure could be used to hold cities hostage: “Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers.”

“It’s quite likely that nation-state operators are already familiar with this and have attacks that they could use for political purposes, but ordinary attackers have had no interest in these systems,” he added. “What we hope to do is bring attention to this issue. If we can successfully attack these control systems, others with a bad intention can also do it.”

With the continued rise of ransomware as a major vector for cyber attacks, security researchers and companies may have their work cut out for them.

Quiz: Are you a security pro?

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

View Comments

  • Well done to Mr Formby, for stating "...If we can successfully attack these control systems, others with a bad intention can also do it."

    May I draw attention to AI and robotics development. There appears to be talk of 'agreements' to restrict how far AI and robotic systems should progress with reference to the level of intelligence and decision making. How would such agreements prevent the bad actors from taking advantage ? The current laws, within each country do not prevent cyber crime. Thankfully we have a researcher quoted in an article, stating the fact that others could take advantage of a situation with the use of ransomware. The same thought process MUST be applied to the advancement of AI and robotics, if we are to remain 'safe'.

Recent Posts

Northvolt Mulls US Bankruptcy Protection – Report

Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…

5 hours ago

FTC Plans Investigation Into Microsoft Cloud Business – Report

Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC

6 hours ago

Programmer Sentenced To Five Years In Prison For Bitcoin Laundering

Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…

8 hours ago

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

1 day ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

1 day ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

1 day ago