Ransomware seems like it’s everywhere in the news lately. Ransomware is software that installs itself on a computer, often when the user opens a seemingly harmless email attachment. Once installed, the ransomware blocks access to critical files and data until the user meets the demands of the person remotely controlling the ransomware. This usually involves a cash payment. A widely reported case at the University of Calgary in 2016 saw key parts of the institution’s computer network, including staff and faculty email, ‘locked’ by hackers until a $20,000 ransom was paid.
What does all of this have to do with water? Well, actually a lot. Researchers at the Georgia Institute of Technology have just released the results of an experiment they conducted on how custom ransomware could impact municipal water treatment plants. The study tested the security of commonly used programmable logic controllers (PLCs). These PLCs show up in many embedded industrial systems and in the case of water treatment, they often control valves and pumps. What the researchers found was that if network security could be breached through a malicious email link, they could gain control over the system PLCs. Once in remote control of a municipal water system, a hacker could extort a large sum of money by threatening to damage critical infrastructure or worse, alter the quality of the output water.
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering, in a news release announcing the results of the experiment. “That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers.”
To address this concern the news release says that, in addition to improving password security and limiting connections, operators of PLC devices need to install intrusion monitoring systems to alert them if attackers are in the process control networks. “What we hope to do is bring attention to this issue. If we can successfully attack these control systems, others with a bad intention can also do it,” Formby went on to say in the release.
At LuminUltra, we work with clients around the world who are managing water treatment systems. Our focus is on preventing microbial proliferation in these systems, but we understand that’s only part of the picture. Staying on top of the latest water industry threats and opportunities is important to us and for all water industry professionals.