Ransomware is already a concern for the enterprise, educational facilities, and healthcare providers, and now cybersecurity researchers have demonstrated that it is no challenge for the malware family to take down the core infrastructure our cities need to operate.
On Monday, cybersecurity researchers from the Georgia Institute of Technology revealed the development of a new, custom form of ransomware which was created specifically with industrial systems in mind.
The malware and subsequent attack on a simulated water treatment plant were designed to highlight how cyberattackers could disrupt key services which cater to our critical needs, such as energy providers, water management utilities, heating, ventilation and air conditioning (HVAC) systems, or escalator controllers.
The research was presented at the RSA Conference in San Francisco on Monday.
During the conference, the team described how they identified a number of common programmable logic controllers (PLCs) often found in industrial facilities. After obtaining three different devices, the researchers tested their security levels, including the status of password protections and how susceptible they were to malicious changes.
The PLCs were then combined with pumps, tubes, and tanks to simulate a water treatment facility. However, instead of chlorine -- which is used to disinfect water -- the team used iodine and added starch to the water supply.
The combined water would turn bright blue when an attacker added iodine to it.
A simulated attack using ransomware -- which infects systems through common attack vectors such as email phishing campaigns and malicious links -- closed and locked down critical systems.
Once closed off, if a true attacker used ransomware to hold a utility hostage, they could threaten to dump life-threatening amounts of chlorine in water supplies which could potentially poison entire cities.
The team was also able to attack the PLCs to shut valves and display false readings.
"In the right amount, chlorine disinfects the water and makes it safe to drink," said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering. "But too much chlorine can create a bad reaction that would make the water unsafe."
While exploring the accessibility of these PLCs, the researchers also discovered 1,400 examples of a single PLC type which was easily accessed from the internet. Many of these devices were located behind corporate firewalls -- but this only keeps them safe as long as network security holds.
Although there have been few true ransomware attacks launched against embedded industrial systems, we have already seen ransomware utilized against hospitals to massive effect. In some cases, the financial burden of paying ransom demands are nothing in comparison to how much disruption an ongoing attack would cause.
When it comes to hospitals, such disruption can place patients' lives at risk -- just as holding water systems to ransom have the potential to do.
Raheem Beyah, Motorola Foundation Professor and associate chair in the School of Electrical and Computer Engineering believes that while security flaws in industrial control systems have been recognized for at least a decade, as ransomware has now hit the spotlight and other targets become more difficult to compromise, industrial systems may become the next big thing for attackers.
"It's quite likely that nation-state operators are already familiar with this and have attacks that they could use for political purposes, but ordinary attackers have had no interest in these systems," said Beyah. "What we hope to do is bring attention to this issue. If we can successfully attack these control systems, others with a bad intention can also do it."