Study Shows Ransomware Could Poison Water Supply – by Ron Benvenisti

Researchers at the Georgia Institute of Technology (GIT) have demonstrated the capability of ransomware to dangerously disrupt the critical infrastructure our cities to create unprecedented catastrophe.

The GIT researchers created a ransomware that was able to gain control of a water treatment plant and threaten to shut off the entire water supply or poison the city’s water by increasing the amount of chlorine in it.

LogicLocker was shown at the 2017 RSA Conference in San Francisco and allowed the researchers to alter what are known as Programmable Logic Controllers (PLCs) which control power plants and water treatment facilities. They could open or shut valves, control the amount of chlorine in the water, and display bogus readouts. The simulated attack by researchers was created to highlight how attackers could disrupt vital services; water management utilities, energy providers, mall escalator controllers, HVAC systems, and other mechanical systems like railroad switches.

LogicLocker infects The Programmable Logic Controllers with a new password, thereby locking the legitimate owners out and demanding ransom, holding the utility hostage.

If the owners pay, they get their control over the PLC back. If not, the hackers could cause malfunctions to the water plant or release life-threatening amounts of chlorine in the water supply that could poison entire cities.

GIT researchers found more than 1,500 PLCs that were exposed online. “There are common misconceptions about what is connected to the internet,” says researcher David Formby. “Operators may believe their systems are air-gapped (isolated from the net) and that there’s no way to access the controllers, but these systems are often connected in some way.” Targeting industrial control and SCADA systems is not new, cybercriminals and foreign nation-state have been doing it for years. Surely you remember Stuxnet used against the Iranian nuclear plant centrifuges. The twist here is that ransomware will soon add a financial element to these types of cyber-attacks.

It is inevitable that money-motivated criminals will target our critical infrastructure directly. Foreign enemies often hide their intentions under ransomware operators.

Industrial control systems and SCADA operators better start adopting standard security practices like changing the PLCs default passwords, putting their connections behind firewalls, scanning their networks for potential threats with routine assessments, and installing real-time intrusion detection systems.

I’ve constantly written about the exposures facing the community, and the threats are worse than even – and it’s not going to get better. Already local businesses have been, and are being disrupted, or worse.

Hopefully, this research will open more eyes and our community members will start to take this seriously. At this point, there is way too much at stake not to act now.

This adds a frightening new dimension to the phrase often used by shakedown artists, “Pay or Die”.

Ron Benvenisti
CyVision Technologies, Inc

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

Stay up to date with our news alerts by following us on Twitter, Instagram and Facebook.

**Click here to join over 20,000 receiving our Whatsapp Status updates!**

**Click here to join the official TLS WhatsApp Community!**

Got a news tip? Email us at [email protected], Text 415-857-2667, or WhatsApp 609-661-8668.

4 COMMENTS

  1. Unless I don’t understand this, it sounds like they can just go in and do whatever they want and not tell anybody or ask for anything? If this is real, does anyone know if the MUA or the other utilities have done anything about this. I, for one, would like to know. What if they do this little by little? Will we still smell it? Does the MUA test or just rely on the readouts? I just read that an increased risk of bladder cancer may be seen in communities that drink chlorinated water. Chlorinated water may have an effect on lipid levels, such as increases in high density lipoproteins (HDL) and low-density lipoproteins (LDL). Chlorinated water may elevate the cholesterol and HDL ratio. Asthma may be triggered by chlorinated water. It looks like if I buy a water filter that uses a charcoal filter that will take out the chlorine? Does anybody know?

  2. @worried

    This was an experiment by a security group, in a controlled environment just to show it is possible. Nobody had done this for real, and it would be instant headlines if it did happen. This article is a little fear mongering, bit it is technically possible for an attack like this to happen. Not in the near future though, and we would know about it. Source: I test systems like this for my job.

  3. Great. Now the hackers know to look for the 1500 exposures on the net. I think this has been done for real as I remember the headlines about Israel or the US taking down the Iranian nuke plants. It’s happened to the Kemuri Water Company last March when Verizon discovered hacktivists compromised the water utility’s control system and changed the levels of chemicals being used to treat tap water. There are other documented cases from around the world. I don’t think Mr. Benvenisti is off base here.

  4. @cissp the Iran nuclear thing was a state sponsored attack, terrorists do not have this kind of money or skill. The Verizon thing was discovered because it did not have a high level of sophistication and did not falsify logs. The idea that an organized crime ring can create and carry out the attack of the researchers is way off base. Attacks with a lower level of sophistication can occur, but that is not the discussion. There is nothing to worry about, stop scaring people. The things open to the Internet have been open for years, shodan is available free, this is not news, it is fear mongering. There is no need to scare people who do not understand the details of the attack.

Comments are closed.