A security expert conducted an experimental ransomware attack showing the potential damage of a malicious campaign against water supply facilities.
Water Supply Facilities Under Attack In a Likely Scenario
The dangers of a well-planned attack against critical facilities are always an alarming scenario. In most cases these campaigns are conducted for the sole purpose of sabotage. The PhD student David Formby has conducted a series of experiments that demonstrate another dangerous idea – a ransomware infection of vulnerable programmable logic controllers (PLCs) that operate the water supply. The campaign was carried out against a simulated water treatment facility built on actual PLC controllers.
The goal of the researcher is to present the risk associated with running insecure devices in critical infrastructure and related facilities. The targeted PLCs are by definition the most important devices, as they control the processes that run the water supply services. In several cases some of them are connected directly to the Internet, which is a dangerous precondition for a hacker intrusion.
During a presentation at the RSA cybersecurity conference on Monday (13 February 2017), Formby reported that about 1500 of them are accessible online. It is not difficult to see how computer criminals could attempt to exploit them in an intrusion attack. Such events can be substantially more damaging than ordinary sabotage because of the following two characteristics:
- A critical system can be controlled or shut down if the owners do not pay the ransom fee demanded by the operators. Physical damage can be caused by reconfiguration, and if that is done on sensitive equipment the whole facility can be impacted.
- Advanced strains can feature persistence, which means that even if the ransom fee is paid the virus can continue to operate in the background. This gives the attackers both a continuing source of income from infected hosts and a standing option of sabotage.
The expert suggests that such devices should be air-gapped and segregated from the Internet. If remote access is required, it should be granted under a strict access control policy. In many cases the important PLCs are older-generation devices that were not built to withstand emerging web attacks. The controllers are not designed to withstand brute force attacks and other popular forms of intrusion attempts.
The simulation has shown how a ransomware attack can fill the storage tank with excess chlorine, thereby poisoning the water. At the same time the expert was able to hijack the related sensors into reporting that the contents are clean and free of contamination. A likely scenario is a criminal attack against the controllers accompanied by extortion threats.
The expert made an in-depth scan of some of the production facilities across the globe and identified hundreds of vulnerable controllers across India, China and the USA.