Proof-of-concept ransomware to poison the water supply

plc-ransomware-623x425

Ransomware is a big problem.

Home users and organisations around the world have found themselves at the sharp end of high profile attacks that have encrypted their files, and demanded substantial amounts of money for their data’s safe recovery.

The extortionists are earning themselves a fortune, as computer users and businesses feel compelled to pay up if they hadn’t taken adequate preventative steps before the attack took place.

This is the present we’re living in. But what might the future of ransomware looks like?

Researchers at Georgia Institute of Technology painted one picture this week, presenting their exploration of how ransomware could potentially attack industrial control systems (ICS), and demonstrating how new malware threats might target core infrastructure, holding entire cities hostage.

In their paper, “Out of Control: Ransomware for Industrial Control Systems”, the researchers describe how they developed their own proof-of-concept ransomware that was able to hijack control of a simulated water treatment plant, and poison the water supply.

“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom. In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”

The threat of such an attack which would, of course, put the public’s safety at risk could merit the demand for a much higher ransom to be paid than those typically requested from businesses and home users.

Even if there is little prospect of danger to human life, the risk of an industrial ransomware attack causing downtime, and putting equipment health and worker safety at risk could make them an attractive target for some criminals.

History suggests that ICS networks, like schools and hospitals, have struggled to keep pace with modern security practices to combat digital attacks. In the case of educational and medical facilities that has often been because of a lack of funding, but with industrial control system networks it is more likely due to the relative rarity of real-world attacks and the perception that there are few threats out there.

But if criminals perceive that ICS systems could be a big cash cow then that could change very quickly, and key services may wake up to the fact that it may not be only state-sponsored attackers from another country who are interested in hacking into their networks.

As ESET security specialist Mark James explains, the right response is not to panic but to take sensible steps to reduce threat exposure by adopting a layered defence:

“Usually targeted malware is configured and aimed at a particular industry or sector. With so much of our industry digitally operated or maintained this could prove in its worst case scenario very bad indeed. But the same rules apply to any area that may be the target of ransomware, it has to be installed and it has to be able to gain complete control. With the right levels of security we can limit its attack vector and have mechanical failsafes to override anything software can instigate.”

“All environments in our digital world are susceptible to attack and need to be protected. Making sure operating systems, applications and security programs are kept up-to-date is one of the first lines of defence and one that often is overlooked or just not possible on bespoke systems designed to do a single task or job.”

Ransomware attacks against water treatment systems aren’t happening yet. It’s important to note that what the researchers achieved was just a simulation, not a real world exercise. But by painting a worrying picture of a potential future, they may have helped raise awareness amongst those who protect critical infrastructure to take the threat seriously.

As ever, being prepared and taking steps to reduce the risk now is a lot easier than trying to mop up the mess later.

by Graham Cluley, ESET We Live Security


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s