A simulation shows how a ransomware could hack PLCs in a water treatment plant

Pierluigi Paganini February 14, 2017

The security researchers at the Georgia Institute of Technology have simulated a ransomware-based attack on PLCs in a water treatment plant.

The security researchers at the Georgia Institute of Technology have conducted interesting research on the potential impact of ransomware on industrial control systems (ICS).

The researchers David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering, and his faculty advisor, Raheem Beyah, have simulated a ransomware-based attack on a water treatment plant.

The team of researchers developed a new strain of ransomware that was able to take control of a simulated water treatment plant and then let the attackers command its programmable logic controllers (PLCs), with serious consequences.

“The simulated attack was designed to highlight vulnerabilities in the control systems used to operate industrial facilities such as manufacturing plants, water and wastewater treatment facilities, and building management systems for controlling escalators, elevators and HVAC systems. Believed to be the first to demonstrate ransomware compromise of real PLCs” reads the blog post published by Georgia Tech.

The experts have tested a number of commonly used programmable logic controllers (PLCs) trying to hack them.


The experts simulated a water treatment facility hosting the tested PLCs along with pumps, tubes and tanks.

The researchers simulated an attack on the PLCs: they operated valves and used their access to the logic controllers to display false information to the operator. As a result, they increased the overall amount of chlorine added to the water.

“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” Formby said. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”

The second phase of the research is the analysis of publicly exposed PLCs that could open the door to similar attacks. The security duo discovered 1,400 instances of a single PLC type exposed on the Internet and easily hackable. The experts highlighted the false sense of security of the organizations housing the control devices, and explained that ransomware could represent a serious threat to every industry.

“But most such devices are located behind business systems that provide some level of protection – until they are compromised. Once attackers get into a business system, they could pivot to enter control systems if they are not properly walled off.” Formby said. 

“Many control systems assume that once you have access to the network, that you are authorized to make changes to the control systems. They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system.”
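As an added illustration (not code from the Georgia Tech study), the following Python sketch shows the kind of passive check a plant could run over PLC write traffic to catch the two conditions described above: writes arriving from hosts that are merely on the network rather than authorized to make changes, and a chlorine dosing setpoint pushed outside the safe band while the HMI shows a false reading. The network ranges, register address, allowlist and safe band are assumptions, not figures from the article.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): the control network is 10.10.0.0/24, the only
# host authorized to write PLC registers is the engineering workstation 10.10.0.5,
# holding register 40010 is the chlorine dose setpoint in mg/L, safe band 0.2-4.0 mg/L.
CONTROL_NET = ip_network("10.10.0.0/24")
AUTHORIZED_WRITERS = {"10.10.0.5"}
CHLORINE_SETPOINT_REG = 40010
SAFE_CHLORINE_MG_L = (0.2, 4.0)
MAX_SENSOR_DIVERGENCE = 0.3  # mg/L tolerated between HMI display and independent analyser

@dataclass
class PlcWrite:
    src: str        # source IP of the write request
    register: int   # holding register address
    value: float    # value written, in engineering units

def classify_write(w: PlcWrite) -> list[str]:
    """Return alert reasons for one PLC write; an empty list means it looks normal."""
    alerts = []
    if ip_address(w.src) not in CONTROL_NET:
        alerts.append("write from outside the control network (business-network pivot?)")
    elif w.src not in AUTHORIZED_WRITERS:
        alerts.append("write from host not on the authorized-writer allowlist")
    if w.register == CHLORINE_SETPOINT_REG:
        lo, hi = SAFE_CHLORINE_MG_L
        if not lo <= w.value <= hi:
            alerts.append(f"chlorine setpoint {w.value} mg/L outside safe band {lo}-{hi}")
    return alerts

def check_display(hmi_value: float, analyser_value: float) -> bool:
    """True if the HMI's displayed chlorine level agrees with an independent analyser."""
    return abs(hmi_value - analyser_value) <= MAX_SENSOR_DIVERGENCE

# Constructed sample traffic: one normal write, then the pattern the article describes.
SAMPLE_WRITES = [
    PlcWrite("10.10.0.5", 40010, 1.5),       # operator sets a normal dose
    PlcWrite("192.168.50.20", 40010, 25.0),  # business-network host dumps chlorine
    PlcWrite("10.10.0.77", 40020, 1.0),      # unknown control-net host, other register
]

def audit(writes: list[PlcWrite]) -> dict[int, list[str]]:
    """Map the index of each suspicious write to its alert reasons."""
    return {i: a for i, w in enumerate(writes) if (a := classify_write(w))}

if __name__ == "__main__":
    for i, reasons in audit(SAMPLE_WRITES).items():
        print(f"write #{i} {SAMPLE_WRITES[i]}: " + "; ".join(reasons))
    print("HMI display trustworthy:", check_display(1.5, 24.1))
```

The analyser comparison is the piece that defeats a falsified HMI: a setpoint check alone can be bypassed if the attacker also controls what the operator sees.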

Extortionists could turn their attention to compromising control systems with increasing interest.

“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering. “That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers.”

Critical infrastructure is exposed to this category of malware, as demonstrated by the researchers.

In April 2016, the Lansing Board of Water and Light (BWL) utility had to shut down systems and phone lines in response to a ransomware-based attack.

Formby and Beyah have no doubts: profit-driven cybercriminals will also target poorly protected PLCs.


Pierluigi Paganini

(Security Affairs – PLCs hacking, ICS)
