Industrial Control Systems (ICS) have faced a growing number of threats over the past few years. Reliance on isolated control networks or air-gapped computers is no longer a feasible solution when it comes to protecting ICS. This is because the new architecture of control networks requires interaction with Internet technologies. Such connectivity has allowed businesses to access data from Distributed Control Systems (DCS) or Programmable Logic Controllers (PLC) from anywhere in real time. On the other hand, this connectivity exposes control networks with little or poor security in place to a wide range of new attacks such as ransomware, trojans and malware. Moreover, the human factor is one of the biggest threats to ICS, given that unintentional mistakes or disgruntled employees can potentially cause hazardous changes or damage in the control process. In this paper, we present a stealthy malware named WaterLeakage that exfiltrates information from an uninterrupted clean water supply system using a visual covert channel. For the experiment, we physically modelled such a system using the Festo Rig MPA Compact Workstation. Our plug-and-play WaterLeakage malware is placed on a Raspberry Pi connected to the control network. The malware extracts vital information from the PLC, such as CPU Model, Vendor, and Input Memory Values, and then exfiltrates this information using two lamps connected to the output memory of the PLC. In our experiments, a receiver was configured with two different resolutions to record the exfiltrated information and decode it back to the original sensitive data. The results show that by using our WaterLeakage malware, an attacker can successfully collect important information from the control process, which can then be used to plan more sophisticated attacks on ICS.

    14 November 2019

    QA75 Electronic computers. Computer science

    005.8 Data security

    Edinburgh Napier Funded


Robles-Durazno, A., Moradpoor, N., McWhinnie, J., & Russell, G. (2019). WaterLeakage: A Stealthy Malware for Data Exfiltration on Industrial Control Systems Using Visual Channels. In Proceedings of 15th IEEE International Conference on Control & Automation (ICCA)



