Malware was able to take control of a simulated water treatment plant in tests run by a team of cybersecurity researchers at the Georgia Institute of Technology, team members say.
The computer scientists created a ransomware application that was able to instruct computer systems within the utility to shut valves, increase chlorine levels in drinking water, and display false readings to staff members.
The researchers ran the simulated attack to dramatize security failings in control systems that operate manufacturing plants, power generating facilities, water and wastewater treatment sites, and building management systems for controlling HVAC systems, elevators, and escalators. The researchers intend to present their findings on February 13 at the annual RSA Conference in San Francisco.
No ransomware attacks on the process control components of industrial control systems have been publicly reported, but such attacks have become a common and significant problem in other industrial sectors. Hospitals have lost access to patient data in ransomware attacks and businesses have lost customer data.
In a ransomware attack, hackers infect target systems with malware that encrypts data, demanding owners pay a ransom for the decryption key that will restore the system to usefulness. Researchers say hackers made about $200 million through ransomware attacks in the first quarter of 2016. It is inevitable that industrial systems will be targeted eventually, they say.
"We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves," said David Formby, a student at the Georgia Tech School of Electrical and Computer Engineering. "That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the programmable logic controllers (PLCs) in these systems is a next logical step."