Ransomware May Pose a Threat to Industrial Process Controllers
Engineering360 News Desk | February 14, 2017

Could ransomware take over control of programmable logic controllers (PLCs) that manage industrial systems?
Researchers at Georgia Tech developed a form of ransomware that did just that, taking over a simulated water treatment plant and causing damage.
Although few, if any, industrial control systems have been targeted by ransomware so far, the team says it is only a matter of time before such attacks happen. Attackers have already held patient data in hospitals and customer data in businesses for ransom. Many control systems lack robust security controls, leaving them open to intrusion and compromise.
The researchers set out to demonstrate vulnerabilities that system operators often ignore because they wrongly believe their systems are not reachable from outside networks. Access can come, for example, through back doors installed to allow remote system maintenance.
To kick off the project, the team built a mock-up of a water treatment system. They identified some commonly used PLCs, obtained three different devices, and tested their password protection and their susceptibility to unauthorized settings changes. The controllers were then incorporated into the mock-up, which used iodine as a stand-in for chlorine and starch as an indicator (starch darkens in the presence of iodine), so that a successful attack that commanded extra "chlorine" dosing was immediately visible in the water.
Demonstrating the vulnerability of these small systems is intended to alert owners of industrial systems to real weaknesses in their own installations. The researchers pointed out that operators can take simple steps, such as enabling password protection on the controllers and restricting which hosts can reach them over the network, to improve security. Intrusion monitoring should also be incorporated to provide an additional layer of protection.
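The two mitigations above, restricting which hosts may write to a controller and monitoring for anomalous writes, can be combined in a small detector. The following is an added illustration, not code from the Georgia Tech researchers or from any PLC vendor. It assumes a hypothetical "key=value" write-audit log, a single allowed engineering workstation at 10.10.1.5, and invented tag names and safe operating bands for the chlorine-dosing setpoint; the sample log lines are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical allowlist: only the engineering workstation may write setpoints.
ALLOWED_WRITERS = {ipaddress.ip_address("10.10.1.5")}

# Hypothetical safe operating band per writable tag (units encoded in the tag name).
SETPOINT_LIMITS = {
    "chlorine_dose_mg_l": (0.5, 4.0),
    "pump_speed_pct": (0.0, 100.0),
}

# Constructed sample log in an assumed "timestamp key=value ..." format; not from a real PLC.
SAMPLE_LOG = """\
2017-02-14T09:00:01 src=10.10.1.5 op=write tag=chlorine_dose_mg_l value=1.2
2017-02-14T09:05:13 src=10.10.1.5 op=read tag=chlorine_dose_mg_l
2017-02-14T09:07:42 src=203.0.113.77 op=write tag=chlorine_dose_mg_l value=1.2
2017-02-14T09:09:10 src=10.10.1.5 op=write tag=chlorine_dose_mg_l value=9.5
2017-02-14T09:10:00 src=10.10.1.5 op=write tag=pump_speed_pct value=60
"""


@dataclass
class Alert:
    timestamp: str
    src: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one audit line into a dict: first token is the timestamp, rest are key=value."""
    parts = line.split()
    rec = {"ts": parts[0]}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        rec[key] = val
    return rec


def check_record(rec: dict) -> list[Alert]:
    """Raise alerts for writes from untrusted hosts, out-of-band values, or unknown tags."""
    alerts: list[Alert] = []
    if rec.get("op") != "write":
        return alerts  # reads are not dangerous in this model; only writes change process state

    src = ipaddress.ip_address(rec["src"])
    tag = rec.get("tag")
    if src not in ALLOWED_WRITERS:
        alerts.append(Alert(rec["ts"], rec["src"], f"write to {tag} from unauthorized source"))

    # Even an allowed host can be compromised (or be the ransomware's foothold),
    # so the value itself is checked against the safe band regardless of source.
    if tag in SETPOINT_LIMITS:
        lo, hi = SETPOINT_LIMITS[tag]
        value = float(rec["value"])
        if not lo <= value <= hi:
            alerts.append(Alert(rec["ts"], rec["src"], f"{tag}={value} outside safe band [{lo}, {hi}]"))
    else:
        alerts.append(Alert(rec["ts"], rec["src"], f"write to tag {tag} with no defined safe band"))
    return alerts


def monitor(log_text: str) -> list[Alert]:
    """Run every non-empty log line through the checks and collect the alerts."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(check_record(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"{a.timestamp} {a.src}: {a.reason}")
```

Run against the sample log, the detector flags the write from 203.0.113.77 (outside the allowlist) and the 9.5 mg/L chlorine setpoint written by the trusted workstation (outside the safe band), while the read and the in-band pump-speed write pass silently. The second case is the one that matters for the scenario in the article: network restrictions alone do not help once the attacker's code is running on the host that is allowed to talk to the PLC, so the process values themselves need bounds checking.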
The best way to fight ransomware is frequent backups to alternating hard drives ("ring buffering").
Even if someone broke into my systems and locked them up, so what?
I'll just swap out my hard drive and reboot. I'm back in business in a couple of minutes, and I have the other drive intact for forensics.
I might be missing something here but why is anyone putting something so vital as power and water plants on something so vulnerable as the internet?