Water treatment plants may be hacked for ransom: study

A new form of ransomware that can take control of a water treatment plant has been developed by scientists who showed how hackers may manipulate the amount of chlorine added to water and display incorrect readings on gaining access to such management systems.
The simulated attack was designed to highlight vulnerabilities in the control systems used to operate industrial facilities such as manufacturing plants, water and wastewater treatment facilities, and building management systems for controlling escalators, elevators and HVAC systems.
Though no real ransomware attacks have been publicly reported on the process control components of industrial control systems, the attacks have become a significant problem for patient data in hospitals and customer data in businesses.

Attackers gain access to these systems and encrypt the data, demanding a ransom to provide the encryption key that allows the data to be used again.
Ransomware generated an estimated USD 200 million for attackers during the first quarter of 2016 and researchers believe it is only a matter of time before critical industrial systems are compromised and held for ransom.
"We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves," said David Formby, a PhD student at Georgia Institute of Technology in the US.

"That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities," said Formby.

"Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers," he said.
Many industrial control systems lack strong security protocols, said Raheem Beyah, professor at Georgia Tech.
That is likely because these systems have not been targeted by ransomware so far and their vulnerabilities may not be well understood by their operators.
Researchers used a specialised search programme to locate 1,400 PLCs of a single type that were directly accessible across the internet.
However, most such devices are located behind business systems that provide some level of protection - until they are compromised. Once attackers get into a business system, they could pivot to enter control systems if they are not properly walled off.

"Many control systems assume that once you have access to the network, that you are authorised to make changes to the control systems," Formby said.
"They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system," he said.
Control systems may also have connections that are unknown to operators, including access points installed to allow maintenance, troubleshooting and updates.