For now, it’s just a lab experiment, but the researchers behind the first industrial control system ransomware believe it’s just a matter of time before criminals take note.
Imagine a group of hackers was able to infect the tiny computers that control critical infrastructure, such as power plants or water treatment facilities, also known as Programmable Logic Controllers or PLCs. The hackers could then lock these computers up and demand a ransom or else cause a blackout or poison the city’s water.
While that’s a scary scenario, it fortunately hasn’t happened—yet. But a group of researchers from the Georgia Institute of Technology warn that could change very soon, and to prove it they have developed and tested in their lab a working proof of concept ransomware that specifically targets three types of PLCs.
The researchers call it LogicLocker, and they detailed how it would work in a new paper. In their scenario, a group of cybercriminals targets PLCs that are exposed online and infects them with custom malware designed to reprogram the tiny computer with a new password, locking out the legitimate owners. The hackers then alert the owner, asking for a ransom. If the owners pay, they get their PLC back. If they don’t, they’ll pay a different price: having a malfunctioning plant, or worse, physical damage to their machinery or even to humans.
“If you have a determined group, a reasonably group of cybercriminals that have interest in doing this they can absolutely do it.” Raheem Beyah, one of the authors of the paper, told Motherboard in a phone call. “It’s very possible, and I think it will happen soon unfortunately.”
“It’s very possible, and I think it will happen soon unfortunately.”
“Ransomware” is a specific type of malicious software that infects computers and locks or encrypts their content, demanding a ransom to return the machines to their original state. It’s been extremely popular in the last couple of years, and is often successful because it’s usually easier for victims to pay the ransom than try to decrypt the files on their own. Initially, ransomware targeted regular internet users indiscriminately, but there have already been cases of attacks against hospitals, hotels and other businesses. (And there will soon be attacks on Internet of Things too)
Thus, the researchers argue, it’s inevitable that criminals will soon target critical infrastructure directly.
If they do, targets won’t be hard to come by. Beyah and his colleagues David Formby and Srikar Durbha searched the internet for the two models of PLCs that they attacked in the lab and found more 1,500 that were exposed online.
With their research, Beyah said, the three hope that industrial control systems administrators will start adopting common security practices such as changing the PLCs default passwords, putting them behind a firewall, and scanning the networks for potential intruders. If they don’t, they might find their systems locked, and the consequence could spill into the physical world.