Research team: Raheem Beyah, associate chair in the Georgia Tech School of Electrical and Computer Engineering, and David Formby, a Georgia Tech Ph.D. student

Researchers from the Georgia Institute of Technology (GIT) have created a proof-of-concept ransomware strain named LogicLocker that can alter programmable logic controller (PLC) parameters. The research team presented their work yesterday at the RSA cyber-security conference in San Francisco.

PLCs are the devices at the heart of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks. These devices acquire data from physical systems, relay the information to a company's computer network, and translate commands from human operators into mechanical movements or electrical signals.

In the real world, PLCs are the devices that control valves, motors, pumps, sensors, elevators, escalators, voltage inputs, timers, HVAC systems, and other mechanical systems.

Because PLCs are usually deployed in the field, they are controlled remotely from a central location, using special SCADA software running on ordinary computers.

PLC ransomware is only a proof-of-concept

GIT researchers have developed ransomware that can identify when it's running on computers with PLC software, lock the device, and alter PLC parameters under the hood.

A possible attack scenario would be for the ransomware to infect a water treatment facility's critical network, alter water treatment parameters to add more chlorine or other chemicals to drinkable water, and then demand a huge ransom to unlock and restore the PLC.

Depending on the number of affected PLCs and the time needed to manually reset devices spread across different locations, operators might be forced to pay the ransom before the altered water reaches consumers.
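The scenario above turns on two things a defender can watch for: a setpoint that no longer matches the engineering baseline (or falls outside the safe band for the process), and a PLC that suddenly stops answering polls because it has been locked. The following is an added example, not code from the GIT researchers or from LogicLocker, of a historian-side integrity check that applies both tests to polled register values. The register names, the baseline values, the "changed_by" field and the approved-workstation list are all constructed for illustration; a real deployment would read them from the plant's engineering documentation and historian.

```python
"""Setpoint integrity monitor for PLC poll data (constructed example).

Flags (1) setpoints outside the process safe band, (2) setpoints that drift
from the engineering baseline without an approved change source, and
(3) PLCs that stop responding, which is how a lockout would first show up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Engineering baseline: name -> (expected value, min safe, max safe).
# All numbers are constructed for this example, not real plant data.
BASELINE: Dict[str, tuple] = {
    "chlorine_dose_mg_l": (2.0, 0.5, 4.0),
    "ph_setpoint": (7.2, 6.5, 8.5),
    "pump1_speed_pct": (60.0, 0.0, 100.0),
}

# Hosts that are allowed to write setpoints (hypothetical engineering workstation).
APPROVED_CHANGE_SOURCES = {"eng-ws-01"}


@dataclass
class PlcSnapshot:
    """One poll of a PLC as the historian would record it (constructed shape)."""
    plc_id: str
    reachable: bool
    registers: Dict[str, float] = field(default_factory=dict)
    changed_by: Optional[str] = None  # last writer seen by the historian, if any


@dataclass
class Alert:
    plc_id: str
    severity: str  # "critical" or "high"
    reason: str


def check_snapshot(snap: PlcSnapshot, baseline: Dict[str, tuple] = BASELINE) -> List[Alert]:
    """Compare one poll against the baseline and return any alerts."""
    alerts: List[Alert] = []
    if not snap.reachable:
        # A locked or crashed PLC looks the same from the network: silence.
        alerts.append(Alert(snap.plc_id, "critical",
                            "PLC not responding to poll; possible lockout, verify on site"))
        return alerts
    for name, (expected, lo, hi) in baseline.items():
        if name not in snap.registers:
            alerts.append(Alert(snap.plc_id, "high", f"{name} missing from poll"))
            continue
        value = snap.registers[name]
        if value < lo or value > hi:
            # Out of band is always critical, whoever wrote it.
            alerts.append(Alert(snap.plc_id, "critical",
                                f"{name}={value} outside safe band [{lo}, {hi}]"))
        elif value != expected and snap.changed_by not in APPROVED_CHANGE_SOURCES:
            # In band but changed by an unknown writer: a quiet tamper.
            alerts.append(Alert(snap.plc_id, "high",
                                f"{name} changed from baseline {expected} to {value} "
                                f"by unapproved source {snap.changed_by!r}"))
    return alerts


def audit(snapshots: List[PlcSnapshot]) -> Dict[str, List[Alert]]:
    """Run check_snapshot over a batch of polls, keyed by PLC id."""
    return {snap.plc_id: check_snapshot(snap) for snap in snapshots}


# Constructed sample polls covering the normal case, an out-of-band chlorine
# dose, an approved in-band change, a silent PLC, and a missing register.
SAMPLE_POLLS = [
    PlcSnapshot("plc-01", True, {"chlorine_dose_mg_l": 2.0, "ph_setpoint": 7.2, "pump1_speed_pct": 60.0}),
    PlcSnapshot("plc-02", True, {"chlorine_dose_mg_l": 9.0, "ph_setpoint": 7.2, "pump1_speed_pct": 60.0}),
    PlcSnapshot("plc-03", True, {"chlorine_dose_mg_l": 3.0, "ph_setpoint": 7.2, "pump1_speed_pct": 60.0},
                changed_by="eng-ws-01"),
    PlcSnapshot("plc-04", False),
    PlcSnapshot("plc-05", True, {"chlorine_dose_mg_l": 2.0, "ph_setpoint": 7.2}),
]


if __name__ == "__main__":
    for plc_id, alerts in audit(SAMPLE_POLLS).items():
        for a in alerts:
            print(f"[{a.severity.upper()}] {plc_id}: {a.reason}")
```

The check distinguishes an approved in-band change (plc-03, written by the engineering workstation) from an unapproved one, so routine operator adjustments do not drown the alert that matters. The unreachable case is reported as critical rather than as a network hiccup because, in the scenario the article describes, a locked PLC and a dead link are indistinguishable until someone checks the device.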

PLC ransomware only a matter of time

No such ransomware has been seen in the wild so far, but the researchers say this is only a matter of time.

"We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves," said David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering.

"That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the programmable logic controllers (PLCs) in these systems is a next logical step for these attackers."

Bad security practices will favor PLC ransomware infections

So far, attackers have hit hospitals, police stations, government agencies, and even water and lighting utility providers. Nevertheless, in most of these attacks the ransomware locked access to the computers controlling critical systems but never did anything beyond encrypting files.

There is a common notion that PLCs and most SCADA systems are air-gapped from the rest of an organization's network and isolated from the Internet.

In reality, this has been proven false many times, including by the GIT researchers, who said they identified several Internet-connected PLCs in use at industrial facilities that they could have attacked very easily.

In past cyber-incidents that hit ICS systems, there was a direct line from the PLCs to the management systems used by human operators to control them, and from there to the rest of the organization's network. One weak point in the company's firewall or one compromised user account usually led to a total compromise of the entire network.

PLC ransomware a good way to hide nation-state attacks

The researchers urge companies and organizations working with PLCs and other SCADA equipment to follow industry best practices and isolate these devices from the Internet and from the rest of their network.

Despite their proof-of-concept ransomware experiment, GIT experts argue that the greatest danger to industrial systems will come from nation-state actors, rather than ransomware operators.

Many security experts today theorize that a ransomware infection is one of the best methods for hiding both nation-state attacks and financially motivated cybercrime, because companies often opt to wipe systems or restore from backups, deleting logs or other clues that might have exposed a more complex intrusion.