Cybersecurity researchers at the Georgia Institute of Technology have developed a new form of ransomware that was able to take over control of a simulated water treatment plant. After gaining access, the researchers were able to command programmable logic controllers (PLCs) to shut valves, increase the amount of chlorine added to water, and display false readings.
The simulated attack was designed to highlight vulnerabilities in the control systems used to operate industrial facilities such as manufacturing plants, water and wastewater treatment facilities, and building management systems for controlling escalators, elevators and HVAC systems. Believed to be the first to demonstrate ransomware compromise of real PLCs, the research is scheduled to be presented February 13 at the RSA Conference in San Francisco.
Though no real ransomware attacks have been publicly reported on the process control components of industrial control systems, the attacks have become a significant problem for patient data in hospitals and customer data in businesses. Attackers gain access to these systems and encrypt the data, demanding a ransom to provide the encryption key that allows the data to be used again.
Ransomware generated an estimated $200 million for attackers during the first quarter of 2016, and the researchers believe it’s only a matter of time before critical industrial systems are compromised and held for ransom.
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering. “That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers.”
Many industrial control systems lack strong security protocols, said Raheem Beyah, the Motorola Foundation Professor and associate chair in the School of Electrical and Computer Engineering and Formby’s faculty advisor. That’s likely because these systems haven’t been targeted by ransomware so far, and because their vulnerabilities may not be well understood by their operators.
Formby and Beyah used a specialized search program to locate 1,400 PLCs of a single type that were directly accessible across the internet. But most such devices are located behind business systems that provide some level of protection – until they are compromised. Once attackers get into a business system, they could pivot to enter control systems if they are not properly walled off.
“Many control systems assume that once you have access to the network, that you are authorized to make changes to the control systems,” Formby said. “They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system.”
In the past, control systems weren’t designed for connection to the internet, and many users of the systems assume they aren’t on the public network and therefore not susceptible to attack. Control systems may also have connections that are unknown to operators, including access points installed to allow maintenance, troubleshooting and updates.
“There are common misconceptions about what is connected to the internet,” said Formby. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”
To launch the research, the researchers identified several common PLCs in use at industrial facilities. They obtained three different devices and tested their security setup, including password protection and susceptibility to settings changes. The devices were then combined with pumps, tubes and tanks to create a simulated water treatment facility. In the place of chlorine normally used to disinfect water, the researchers used iodine. They also added starch to their water supply, which turned bright blue when a simulated attack added iodine to it.
“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” Formby said. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”
Vulnerabilities in control systems have been known for more than a decade, but until the growth of ransomware, attackers had not been able to benefit financially from compromising the systems. As other ransomware targets become more difficult, Beyah believes attackers may turn to easier targets in the industrial control systems.
“It’s quite likely that nation-state operators are already familiar with this and have attacks that they could use for political purposes, but ordinary attackers have had no interest in these systems,” he said. “What we hope to do is bring attention to this issue. If we can successfully attack these control systems, others with a bad intention can also do it.”
In addition to improving password security and limiting connections, Beyah says operators of these devices need to install intrusion monitoring systems to alert them if attackers are in the process control networks. Beyah and Formby have launched a company to make their strategies for protecting systems broadly available to control system operators.
Learn more: Simulated Ransomware Attack Shows Vulnerability of Industrial Control
[osd_subscribe categories=’industrial-controls’ placeholder=’Email Address’ button_text=’Subscribe Now for any new posts on the topic “INDUSTRIAL CONTROLS”‘]
Receive an email update when we add a new INDUSTRIAL CONTROLS article.
The Latest on: Vulnerability of industrial controls
[google_news title=”” keyword=”vulnerability of industrial controls” num_posts=”10″ blurb_length=”0″ show_thumb=”left”]
via Google News
The Latest on: Vulnerability of industrial controls
- F5 Patches Dangerous Vulnerabilities in BIG-IP Next Central Manageron May 9, 2024 at 2:57 am
F5 has patched two potentially serious vulnerabilities in BIG-IP Next that could allow an attacker to take full control of a device.
- Thirty-eight percent of riskiest cyber-physical systems overlooked by traditional vulnerability management approaches, Claroty’s Team82 findson May 8, 2024 at 9:04 pm
Claroty, the cyber-physical systems (CPS) protection company, today released new proprietary data revealing that 38% of the riskiest CPS assets are overlooked by traditional approaches to ...
- The energy shift is the economic race of the century. What will the US do to win?on May 7, 2024 at 11:00 am
However, this paradigm shift in the global economy is a marathon, not a sprint. That means America can still catch up. To do so, the next administration must double down on the Inflation Reduction Act ...
- New Android security flaw lets hackers seize control of apps — how to stay safeon May 6, 2024 at 8:04 am
"Arbitrary code execution can provide a threat actor with full control over an application’s behavior," Microsoft said in a security bulletin this week. "Meanwhile, token theft can provide a threat ...
- Is Your Android Smartphone At Risk From A ‘Dirty Stream’ Attack?on May 3, 2024 at 6:00 am
Microsoft has discovered a serious new security vulnerability that impacts popular Android apps and puts billions of devices at risk. “The implications of this vulnerability pattern” its report warns, ...
- Guardians of critical infrastructure: Where are the control systems?on April 25, 2024 at 1:34 pm
Guardians of Critical Infrastructure”, but there are critical issues with seminar’s agenda Critical infrastructures include electric power, water/wastewater, manufacturing, transportation, chemicals, ...
- Maximizing Power Grid Securityon April 23, 2024 at 10:59 am
Regardless of motive and intent, future energy grid planning—and the planning of all cyber-physical systems for that matter—are destined to use AI as a foundation for optimization, according to PNNL, ...
- Cybersecurity startup that helps companies secure industrial systems opens Seattle officeon April 15, 2024 at 7:14 am
One of his biggest takeaways from that experience was the vulnerability of industrial ... a former security engineer for industrial control systems at Amazon, and Feliks Pleszczynski, who also ...
- 3 things industrial control system enterprises should do to boost cyber-resilienceon April 11, 2024 at 10:55 am
This OT network (e.g., spanning an industrial plant floor) is then managed via distributed and/or centralised IT and OT control using ... (from MITRE's National Vulnerability Database) for each ...
via Bing News