The simulated attack was designed to highlight vulnerabilities in the control systems used to operate industrial facilities such as manufacturing plants, water and wastewater treatment facilities, and building management systems for controlling escalators, elevators and HVAC systems.
Though no real ransomware attacks have been publicly reported on the process control components of industrial control systems, the attacks have become a significant problem for patient data in hospitals and customer data in businesses.
Ransomware generated an estimated USD 200 million for attackers during the first quarter of 2016 and researchers believe it is only a matter of time before critical industrial systems are compromised and held for ransom.
"We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves," said David Formby, a PhD student at Georgia Institute of Technology in the US.
Also Read
Many industrial control systems lack strong security protocols, said Raheem Beyah, professor at Georgia Tech.
That is likely because these systems have not been targeted by ransomware so far and their vulnerabilities may not be well understood by their operators.
Researchers used a specialised search programme to locate 1,400 PLCs of a single type that were directly accessible across the internet.
However, most such devices are located behind business systems that provide some level of protection - until they are compromised. Once attackers get into a business system, they could pivot to enter control systems if they are not properly walled off.
"They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system," he said.
Control systems may also have connections that are unknown to operators, including access points installed to allow maintenance, troubleshooting and updates.
Disclaimer: No Business Standard Journalist was involved in creation of this content