Critical Infrastructure Systems Are Vulnerable to a New Kind of Cyberattack

The researchers developed an approach that’s easier to deploy than typical attacks on industrial or infrastructure systems, which usually require some sort of access privileges or on-site presence. It’s difficult to detect, with the ability to wreak havoc and then erase all traces of its presence. And it’s sticky: the malware can resurrect itself if operators discover the malfunctions and reset controllers or even replace hardware.

“We believe this is one of the first attacks at the application layer of PLCs to compromise industrial systems,” said Raheem Beyah, senior author on the study, a professor in ECE, and dean of the College of Engineering. “This is opening a door to new field that hasn’t really been studied yet.”

This new cyberattack strategy is the result of a shift in recent years in software and devices used to control and monitor various industrial systems. Instead of a dedicated terminal or control pad running custom software specific to the device, manufacturers have turned to web-based management. Now, devices have embedded web servers. The human-machine interfaces — think keypads or control panels — are actually mini web browsers rendering a web page with readouts of the current status and digital visualizations of the controls.

The approach means operators can work on the go, using a tablet computer for example, or even keep tabs on the system off-site.

“The old school idea of Homer Simpson in a control room has now turned into a website where you have little web visualizations,” Pickren said. “You can imagine a worker walking around the facility with an iPad or a control room with Google Chrome open.”

Malware designed to exploit these web vulnerabilities is particularly powerful because it doesn’t have to be customized to a specific PLC before it can be deployed, according to Saman Zonouz, associate professor in ECE and the School of Cybersecurity and Privacy and study co-author. In fact, the research team’s investigation showed their proposed attack would work on PLCs produced by every major manufacturer.