News Feature | February 16, 2017

Chlorine Flow Vulnerable To Hacking, Experiment Shows

Sara Jerome

By Sara Jerome,

computer reg new (1)

A recent experiment by a cybersecurity researcher exposed vulnerabilities in the water system.

“David Formby, a PhD student at Georgia Institute of Technology, conducted his experiment to warn the industry about the danger of poorly-secured [computers, known as programmable logic controllers (PLCs)]. These small dedicated computers can be used to control important factory processes or utilities, but are sometimes connected to the internet,” PC World reported.

Formby says many PLCs are exposed to hackers through online access. He said hackers can essentially hold these industrial computer systems ransom. “Ransomware is typically used to encrypt data like hospital records or business files until the victim agrees to pay a monetary ransom,” TechRepublic reported.

This type of attack poses a major threat to industrial systems.

The hacker “can threaten to permanently damage this really sensitive equipment,” Formby said, per the report. “For example, a power grid transformer can take months to repair.”

Formby simulated a water system in an experiment, which is detailed in YouTube video. In the simulation, PLCs controlled the flow of water and chlorine at the plant.

“In a month's time he developed a ransomware-like attack to control the PLCs to fill the storage tank with too much chlorine, making the water mix dangerous to drink. Formby also managed to fool the surrounding sensors into thinking that clean water was actually inside the tank. A hacker wanting to blackmail a water utility could take a same approach, and threaten to taint the water supply unless paid a ransom, he warned,” PCWorld reported.

Tightening up cybersecurity controls at water systems will play a critical role in combatting this kind of attack.

"Many control systems assume that once you have access to the network, that you are authorized to make changes to the control systems," Formby said, per TechRepublic. "They may have very weak password policies and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system."

To read more about potential security threats at treatment plants visit Water Online’s Resiliency Solutions Center.

Image credit: "Katowice, miasto otwarte," Sebastian Sikora © 2012, used under an Attribution 2.0 Generic license: