have moved from consumer computers to health care networks, and they are likely to go after manufacturing companies next, according to researchers at the Georgia Institute of Technology.

At the RSA Conference in San Francisco, the researchers showed a new type of ransomware can take over a water treatment plant, shut off valves, increase the amount of chlorine added to water, and display false readings. The good news is they had developed the ransomware themselves, and the water treatment plant was a simulated environment in the lab. The bad news is that the research underscores how vulnerable industrial control systems are to attack.

“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” said David Formby, a doctoral student in the Georgia Tech School of Electrical and Computer Engineering.

Security experts have been saying for several years that a campaign against critical infrastructure, such as electric grids, traffic control systems, or water treatment plants, was imminent, and their warnings are beginning to sound like Chicken Little’s cries of “The sky is falling!” While there have been assaults on utility companies—the and the BlackEnergy attack against three Ukrainian regional power companies, notwithstanding—we haven’t seen a catastrophic attack yet.