A new form of ransomware can take over control of a simulated water treatment plant to shut valves, increase the amount of chlorine added to water, and display false readings.
Developed by cybersecurity researchers at the Georgia Institute of Technology, the simulated attack was designed to highlight vulnerabilities in the control systems used to operate industrial facilities such as manufacturing plants, water and waste water treatment facilities.
"We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves. That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities," said David Formby from Georgia Institute of Technology.
During their research, cybersecurity experts were able to simulate a hacker who had gained access to simulated water treatment facility holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom.
No real ransomware attacks have so far been reported on the process control components of industrial control systems, but these attacks have become a significant problem for patient data in hospitals and customer data in businesses.
"Attackers gain access to these systems and encrypt the data, demanding a ransom to provide the encryption key that allows the data to be used again," researchers said.
According to Formby, ransomware generated an estimated $200 million for attackers during the first quarter of 2016.
"Many control systems assume that once you have access to the network, that you are authorised to make changes to the control systems. They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system," Formby said.
Since industrial control systems have not been targeted by ransomware, they lack strong security protocols, and their vulnerabilities may not be well understood by their operators.
"There are common misconceptions about what is connected to the internet. Operators may believe their systems are air-gapped and that there's no way to access the controllers, but these systems are often connected in some way," Formby said in a paper that was presented at the RSA Conference in San Francisco.
As other ransomware targets become more difficult, researchers believe attackers may turn to easier targets in the industrial control systems.
"In addition to improving password security and limiting connections, operators of these devices need to install intrusion monitoring systems to alert them if attackers are in the process control networks," said Raheem Beyah, Professor at Motorola Foundation.