Ransomware gangs have moved from consumer computers to health care networks, and they are likely to go after manufacturing companies next, according to researchers at the Georgia Institute of Technology.
At the RSA Conference in San Francisco, the researchers showed a new type of ransomware can take over a water treatment plant, shut off valves, increase the amount of chlorine added to water, and display false readings. The good news is they had developed the ransomware themselves, and the water treatment plant was a simulated environment in the lab. The bad news is that the research underscores how vulnerable industrial control systems are to attack.
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a doctoral student in the Georgia Tech School of Electrical and Computer Engineering.
Security experts have been saying for several years that a campaign against critical infrastructure, such as electric grids, traffic control systems, or water treatment plants, was imminent, and their warnings are beginning to sound like Chicken Little’s cries of “The sky is falling!” While there have been assaults on utility companies—the power failure in the Ukrainian capital Kiev and the BlackEnergy attack against three Ukrainian regional power companies, notwithstanding—we haven’t seen a catastrophic attack yet.
Perhaps we need a different definition of catastrophic.
The assumption has long been that attacks against critical infrastructure and manufacturing would have a nation-state element. However, with the rise of ransomware attacks, it’s very possible that cybercriminals would shift their sights to manufacturing systems now that they can make the attacks pay off financially.
Ransomware gangs are motivated by money, and the back-of-envelope calculations suggest that targeting manufacturing companies could be extremely profitable. Researchers found 1,300 MicroLogix 1400 programmable logic controllers (PLCs) and 200 Modicon M221 PLCs directly accessible via the internet. Assuming a $10,000 ransom and a 50 percent payment success rate—a figure Formby said was “conservative”—attacks against these two models alone could net criminals approximately $7.5 million.
The figure climbs even higher when taking into account the many control systems that are not directly accessible on the internet, but exist behind a corporate firewall. The corporate network, with the web server, business workstations, and email, should be completely walled off from the control network, which directly interfaces with the physical plant. If the two networks aren’t properly separated, attackers who’ve compromised a business system and gained a foothold in the corporate network would be able to pivot into the control network and take over PLCs, historian systems, engineering stations, and human machine interface systems.
There are many similarities between health care networks and manufacturing, which would allow attackers to easily make this shift. Health care networks are obvious targets for ransomware because they typically have older equipment, a weak security posture, and intense time pressure to stay up and running. That sounds a lot like manufacturing networks, where many of the industrial control systems are years old and have little to no security controls.
For example, Schneider Electric’s M241 PLC had no brute-force password protections, so attackers could repeatedly try logging in with different password strings without getting locked out. Other commonly used models expected the engineering software that communicated with the PLC to perform basic password checking, which meant attackers could directly send commands to the PLC and manipulate its operations without worrying about passwords.
“Many control systems assume that once you have access to the network, you are authorized to make changes to the control systems,” Formby said.
Researchers obtained three commonly used PLCs—Schneider Electric’s Modicon M241, Schneider Electric’s Modicon M221, and Rockwell Automation MicroLogix 1400—and combined them with pumps, tubes, and tanks to create a simulation of a water treatment facility. The researchers were able to reprogram the M241, which was running a PLC runtime environment with no protections against brute-force password attacks, to scan the internal network and grab the model numbers of other systems.
“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” Formby said. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”
The fact that control systems have vulnerabilities and poor security controls is widely known. While some vendors have responded to concerns with patches, the difficulties of updating systems in production means the systems remain susceptible to attack.
The simulation highlighted the vulnerabilities in control systems used to operate industrial facilities like manufacturing plants; water and wastewater treatment facilities; and building management systems for controlling escalators, elevators, and HVAC systems. Network operators need to segment the networks so that it isn’t easy for attackers to pivot from the corporate network into the control network, limit direct connections to the PLCs, and improve password security.
“Compromising the PLCs in these systems is a next logical step for these attackers,” Formby said. Attackers have already targeted the corporate networks belonging to critical infrastructure operators—the ransomware attack against San Francisco light rail transit system is one example. That’s an “early sign” more of these attacks are coming, he said.