RSA 2017: Researchers create ransomware for industrial control systems

News by Max Metzger

At this week's RSA conference researchers simulated a piece of ransomware taking control of a water treatment plant and poisoning a city's water supply.

The piece of ransomware that works on industrial control systems and municipal water supplies is here.

Thankfully, it was created by the safe hands of Georgia Institute of Technology researchers and the water treatment plant on which it took effect was entirely simulated at this week's RSA conference in San Francisco.

The custom-built ransomware was created as a proof-of-concept by the researchers, David Formby, a PhD student in the Georgia Tech School of Electrical and Computer Engineering, and Raheem Beyah, the Motorola Foundation Professor and associate chair in the School of Electrical and Computer Engineering and Formby's faculty advisor.

They constructed a simulated water treatment plant complete with programmable logic controllers (PLCs) and deployed their code. The ransomware was able to take control of the PLCs and profoundly alter the plant's functioning. Aside from merely locking out the plant's legitimate operators, the ransomware allows attackers to control the plant's valves and regulate the supply of chlorine into the water supply.

This effectively allows the controller to poison a water supply by flooding it with chlorine. The researchers used iodine to demonstrate the possibility of a massive chlorine contamination, turning the water bright blue in the demonstration and potentially poisoning a water supply in real life. The ransomware, once in control, would also allow an attacker to feed false information to the operators.

The demonstration is the fruit of the researchers' attempts at testing the security of the PLCs commonly used in critical infrastructure. Aside from being able to create ransomware to defeat these devices, the researchers also demonstrated the feasibility of an attack by revealing that they had discovered 1400 internet-accessible PLCs.

This kind of threat is an oft-discussed fear of those in the security industry. If university researchers can do it, then why couldn't somebody with far less scientific aims?

Stephen Gates, chief research intelligence analyst at NSFOCUS IB, told SC Media UK that the greatest threat to industrial control system operators is the loss of visibility over critical components: “Anything that causes a denial of service for operators can result in some pretty scary scenarios. From systems running completely out of control on their own, to operators making wrong decisions due to their loss of view, these situations are disasters in the making.”

The hypothetical case that the researchers put forward is more likely than some expect: “due to the primitive security measures implemented on most ICS technologies, and the antiquated operating systems and applications in use, the likelihood of a ransomware infection is quite higher than most would like to admit.”

“Any threat that can have real world consequences is something that needs to be addressed and monitored closely”, Mark James, IT security specialist at ESET, told SC. While most malware is designed to get into as many targets as possible, targeted malware, like the kind that might be used to attack critical infrastructure, is highly specific to its target and proves a more difficult problem: “With so much of our industry digitally operated or maintained this could prove in its worst case scenario very bad indeed.”

One of the principally cited problems within critical infrastructure is the age of the technology used to, say, run a nuclear power plant. Many pieces of infrastructure on which modern countries run predate any prospect of actually hacking into a power plant. Trying to implement security over the top of a system that is fundamentally insecure is often ineffective, and complete retrofits are often impractical.

There are, however, few clear public examples to point to. Ransomware has been used, often to great effect, against hospitals and public institutions but not conspicuously yet on a large piece of infrastructure.

Javvad Malik, security advocate at AlienVault, told SC that, “it is no stretch to imagine attacks against SCADA systems are on attacker wishlists. However, many attackers will be concerned about the level of scrutiny such an attack could place on them.” Many ransomware attackers are merely in it for the money and going after such a big target, with such high stakes, would draw a dangerous amount of attention.

Industrial control and SCADA systems are also often physically segregated and not publicly accessible, making it harder for an attacker to make a jump into them. That fortunate situation may not hold, added Malik: “The scope of what is deemed critical national infrastructure is ever-increasing. There is an increased reliance on the internet to keep systems running which results in more systems being exposed. There is also the drive towards ‘smart cities' which will further expose critical systems to the public internet. What this means is that even if attackers can't compromise SCADA systems directly, they can likely compromise systems that SCADA rely on, thus having a similar effect.”
