Raheem Beyah, left, associate chair in the Georgia Tech School of Electrical and Computer Engineering, and David Formby, a Georgia Tech Ph.D. student, created a model of a water treatment plant to highlight the potential of ransomware attacks on programmable logic controllers. (Image courtesy of Georgia Tech).
The equipment inside factories and other industrial plants is increasingly being linked to the internet to enable remote monitoring and control. But that connectivity is creating openings for hackers who stand to gain from hijacking the electronics inside them.
A paper released Monday describes a type of ransomware that could infect devices known as programmable logic controllers (PLCs) used to automate power plants, water treatment facilities, and factory assembly lines. The software would give hackers the ability to control, shut down, or destroy equipment until a ransom is paid.
The researchers behind the paper, from the Georgia Institute of Technology, created a strain of ransomware to prove their point. The malicious code was able to hijack several popular brands of PLCs hooked up to a model of a water treatment plant. It enabled the researchers to shut valves, display false readings, and add poisonous levels of chlorine to the water.
No ransomware attacks on industrial control systems have been reported yet, but the researchers are sounding the alarm so that no one is taken by surprise. Now that hackers are taking over hospital and corporate networks for ransom, it might not be long before industrial equipment is targeted, they said.
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a Ph.D. student who, along with Raheem Beyah, the associate chair in the Georgia Tech School of Electrical and Computer Engineering, and Srikar Durbha, presented the paper at RSA Conference in San Francisco on Monday.
Formby and Beyah have also started a company called Fortiphyd to share security strategies with the manufacturers and users of industrial equipment. Logic controllers are also used in building management systems for controlling escalators, elevators and air conditioning systems.
The logic controllers inside these applications usually have weak security, the researchers said, and they think that's because the companies using them don't perceive hackers to be a threat. But a ransomware attack on industrial control systems or critical infrastructure can start much the same way as attacks on personal computers or corporate networks.
The researchers' ransomware, called LogicLocker, could start infecting industrial controls after something as simple as an employee clicking the link in a phishing email. Once inside the company’s network, an attacker will find that certain types of logic controllers allow unauthenticated changes to their underlying code.
Hackers could also pry into industrial control systems by guessing the PLCs' default factory passwords. And vulnerable devices are not difficult to find. The researchers used Shodan, a specialized search engine for connected devices, to find 1,400 devices of a single brand that were directly accessible on the internet.
These attacks are not a walk in the park, the researchers said, but the incentive for victims to pay up could be extremely high. With control over a power plant, hackers could threaten to cut off power to thousands of homes unless a ransom is paid. A company could lose millions of dollars in production if one of its factories is hacked and taken offline.
These vulnerabilities have been known about for years. Last year, researchers Ralf Spenneberg and Maik Bruggemann devised a computer worm to spread malware into Siemens logic controllers. Others have written programs known as rootkits to silently break into the devices. But criminals have largely avoided ransomware attacks because it is easier to target an individual's data, the researchers said.
Programmable logic controllers have "so far remained largely unscathed by malware not because they are more secure than traditional networks," they wrote in the paper, "but because cybercriminals have yet to figure out a profitable business model to make such attacks worth their time."