Security researchers have highlighted the weaknesses inherent in industrial control systems by designing a new strain of ransomware to compromise the programmable logic controllers (PLCs) used in many manufacturing plants, water treatment facilities, and building management systems.
Boffins at the Georgia Institute of Technology obtained three PLC types commonly used at industrial facilities and then combined them with pumps, tubes and tanks to create a simulated water treatment facility.
“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” PhD student David Formby said.
Many such systems are still reliant on security-by-obscurity, and are further exposed by weak password and security policies, he explained.
“There are common misconceptions about what is connected to the internet,” said Formby. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”
That makes them vulnerable to hackers. But while nation states have long been the primary concern for IT security bosses in industrial environments, Georgia Institute of Technology wanted to highlight that financially motivated cybercriminals may also be a threat.
The college recommended improved password security, limiting internet connectivity, and installing intrusion monitoring systems to help fortify PLCs against attack.
Edgard Capdevielle, CEO at Nozomi Networks, argued that hackers have already been able to turn the lights off in Ukraine by attacking power stations there, and claimed human lives could be at risk if industrial systems become a major target for hackers.
“Fortunately, innovations in machine learning and anomaly detection are being applied that can help monitor and protect ICS systems, such as the PLCs used in this demonstration,” he added.
“The question that remains is whether experiments by research teams will be enough to demonstrate the potential attacks aimed at critical infrastructure and drive broad adoption of these new technologies that will help keep us all safe.”
AlienVault security advocate, Javvad Malik, argued that the growth of smart cities will further expose critical systems to hackers via the public-facing internet.
“What this means is that even if attackers can’t compromise SCADA systems directly, they can likely compromise systems that SCADA rely on, thus having a similar effect,” he said.