Cybersecurity researchers at the Georgia Institute of Technology have developed a new form of ransomware — one that took control of a simulated water treatment plant, the university said in a release. After they gained control over the “plants,” the “hackers” were able to shut down valves and increase chlorine levels.
In an age of heightened concerns over cyber security — recall the Russian hacks of the Democratic National Party’s emails — this is drawing renewed fears among industrial facilities, from water plants to wastewater treatment plants to manufacturing outlets. Even elevators and HVAC systems are at risk, the researchers say.
The simple solutions involve complex passwords and limiting access to critical systems, all to avoid either intentionally or unintentionally giving up vital information.
Ransomware attacks have become public at hospitals, where they put patient information at risk. They have also been an issue for businesses and their consumer data; Target was hacked and consumer credit cards were put at risk.
Attackers gain access to these systems and encrypt the data, demanding a ransom to provide the encryption key that allows the data to be used again, the university says, adding that ransomware generated $200 million for the attackers in the first quarter of 2016.
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering. “That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers.”
The scary part, the school continues, is that many industrial control systems lack strong security protocols, said Raheem Beyah, the Motorola Foundation Professor and associate chair in the School of Electrical and Computer Engineering and Formby’s faculty advisor.
Formby and Beyah used a specialized search program to locate 1,400 systems directly accessible across the internet. But most such devices are located behind business systems that provide some level of protection – until they are compromised. Once attackers get into a business system, they could pivot to enter control systems if they are not properly walled off, the university says. The Internet is the key to access — something that didn’t exist a generation ago.
“Many control systems assume that once you have access to the network, that you are authorized to make changes to the control systems,” Formby said. “They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system.”
“There are common misconceptions about what is connected to the internet,” said Formby. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”
In addition to improving password security and limiting connections, Beyah says operators of these devices need to install intrusion monitoring systems to alert them if attackers are in the process control networks, the school says.