Hacker Claims He Broke Into Wind Turbine Systems

itwbennett writes "Claiming revenge for an 'illegitimate firing,' someone has posted screenshots and other data, apparently showing that he was able to break into a 200 megawatt wind turbine system owned by NextEra Energy Resources, a subsidiary of Florida Power & Light. In an e-mail interview, Bgr R said he's a former employee who discovered a vulnerability in the company's Cisco security management software that he then used to hack into the SCADA systems used to control the turbines. His motive was to embarrass the company, he said."

You don't need a weatherman

[JamesonLewis3rd]

I'm sure that NextEra Energy Resources, a subsidiary of Florida Power & Light, was mortified.

Re:

[The Mysterious Dr. X]

Wow. This just proves that you can never be too careful with your wind energy security... I had always thought of NextEra Energy Resources as one of the most secure energy systems in all of Florida, but this guy's success would seem to prove otherwise. I'll have to be more careful in the future. I may even have to privatize all of my wind energy needs... Anyone selling a turbine?

Re:

[Anonymous Coward]

Wow. This just proves that you can never be too careful with your wind energy security... I had always thought of NextEra Energy Resources as one of the most secure energy systems in all of Florida, but this guy's success would seem to prove otherwise. I'll have to be more careful in the future. I may even have to privatize all of my wind energy needs... Anyone selling a turbine?

To be fair, it doesn't really prove anything. It could be a hoax, as the article mentions, and FPL is denying any knowledge of the incident ever occurring. He also didn't really give any info about the supposed vulnerability in the Cisco architecture.
But on the other hand, they DO use a Siemans controlling system, and it would not surprise me at all if he stumbled across one of the government's "secret" backdoors.

So without any details, the juries still out as to whether this was really hacked or not. But i

Re:

[The Mysterious Dr. X]

I can't tell if my sarcasm was too subtle or if yours is simply more so.

Re:

[dr2chase]

Zen sarcasm.

Re:

[plover]

Supposedly he accessed the SCADA system. If so, he could alter the behavior of any or all of the mechanical controls: he could disable the logic that locks the wind turbine blades when the wind is too strong in order to prevent damage. He could shut off the lubricating pumps, and send phony sensor data back indicating the bearings are all operating within normal temperature and vibration parameters. He could remove the generator load, allowing the blades to freewheel, then instantly reconnect the full l

Re:

[SCHecklerX]

Luckily, real engineers, and not computer programmers, are the ones that design the systems themselves, and the mechanical failsafes typically cannot be programmed or overridden by software. Still, the security nightmare that is SCADA needs to be fixed.

Re:

[plover]

Do you know for sure that's true, or is that something you desperately want to believe with all your heart that we're not stupid enough to turn over all mechanical functions to embedded systems? Because I have to say I've been amazed to learn of the diversity of different physical systems that have been turned over to software control. Sensors, motor speed controllers, pumps, switches, relays, etc., all are frequently software operated, or have some measure of software control over them.

Power companies are

Re:

[uninformedLuddite]

I have privatised all of my energy and water needs. It is a very good feeling. I haven't had a power bill in 4 years. I have had to run a generator at times mainly for battery maintenance. The fuel came mostly came from chip shop waste. Adding another 3.5Kw over the next twelve weeks which will cut generator use to pretty much battery maintenance only. If I could privatise my communications that would be great but it's never going to happen.

Former employee?

[atari2600a]

Well that pretty fucking much limits the list of possible suspects now doesn't it?

Re:

[Anonymous Coward]

If I was a random hacker thats what i would say!

Re:

[taiwanjohn]

Hope he covered his tracks well. Not sure how useful Cisco hacking skills would be in prison.

Re:Former employee?

[fostware]

At least he's used to port protection and possibly port blocking

Re:

[karnal]

He'll be taught all the joys of port address translation.

Re:

[jimbolauski]

I'm sure he is more worried about a SQL injection.

Re:

[Anonymous Coward]

He'll learn all about the proper use of SOAP too.

Re:

[Tx]

Yes, he'd have to worry more about securing his own backdoor, rather than exploiting anyone else's.

Re:

[DoofusOfDeath]

Hope he covered his tracks well.

Do you mean that literally? Because honestly, I hope people who hack into power systems get caught.

Re:

[Sky Cry]

1) Depends on how many people you fire every day.
2) It's dangerous to believe everything your enemies tell you.

This seems like a terrible plan...

[fuzzyfuzzyfungus]

Given that getting hacked is practically an Industry Standard Best Practice(tm) by now, I'm pretty sure that some random subsidiary of a utility company that most of its customers think of as "the power bill" will be largely immune to embarrassment, even in financial terms. If you then narrow the list of suspects down, the odds are higher than you would like of getting some slammer time in exchange for basically nothing.

Unless pen-testing them is your job, I would say that you should either stay the hell

Re:

[WrongSizeGlass]

... or go in with a clever plan to have them shake themselves apart.

So something like Stuxnet for wind turbines?

Re:

[fuzzyfuzzyfungus]

That was the example that I had in mind.

Hacker breaks wind

[Anonymous Coward]

News at 11.

Re:

[Smallpond]

Especially when "hacked in" might be "used the default password"

Sounds dodgy to me...

[BrokenHalo]

In an e-mail interview, Bgr R said he's a former employee who discovered a vulnerability in the company's Cisco security management software that he then used to hack into the SCADA systems

That just tripped my bullshitometer. Most Cisco systems (in my experience) are pretty robust, but an employee would have been in a good position to create an open door for himself to use later. So the "vulnerability" (if I'm right) would simply be his employer's misplaced trust in him.

Re:

[amanicdroid]

Oo oo I love Cisco Jeopardy! I'll go with:

What is he had remote access to the KVM that the Cisco's console port was connected to?

Re:

[olden]

...or he just knew that the password to remotely administer the thing was 'cisco'.
But if it was indeed so easy, he's certainly not the only one to have figured that out by now. :/

Re:

[Charliemopps]

They are more robust than the people maintaining them. Most systems I've worked on have been years behind in updates and how do they maintain their logins? Does the entire site use the same login like I saw at one place? Did his boss keep his login and pass on a sticky note on his desk?

Re:

[Anne_Nonymous]

I was at a friend's workplace on Sunday and needed web access. Fortunately a co-worker had written her password on the bezel of her monitor with a Sharpie.

Re:

[drinkypoo]

There have been tons of remote holes in Cisco routers over the years, there are plenty of advisories just lying around for the googling. If they're running outdated IOS for some reason, it makes it all the more likely.

Re:

[aardwolf64]

I worked for a Fortune 500 company (who shall remain nameless) that distributed the Cisco VPN client with the group password already set. I took the config file and Googled the hash, and came up with the password. Turns out that's the same password they used for the Domain Admin. I'd be surprised if it didn't go to other important things as well...

Re:

[splatter]

Damn I never thought of googling a hash to get a plain text, that is clever. I bow to your google-Fu...

Re:

[KnownIssues]

It could have been a vulnerability in the configuration of the company's Cisco security management software.

"His motive was to embarrass the company"

[Huntr]

Um, not gonna work. Like most power companies, FP & L has no shame.

Why Use The Internet To Communicate

[rally2xs]

Saaaayyy... something this important, why are these jokers doing communications through the internet? It should be bloody difficult to even intercept control signals for these wind turbines, nuke power plants, etc. IOW, they should be using dedicated wires and microwave point-to-point communications with encryption, not broadcasting it all over the entire planet for everybody to be able to try to "hack" it.

Re:

[skids]

Well, this hack is probably a hoax, but to answer your question, a lot of the small power industry is full of people who do not let security get in the way of the bottom line, or expedience. This is less true of the well established, institutional systems... but new upstart companies and newly acquired subsidiaries sometimes shoot from the hip while they are building things. I remember reading of a hydro refurb where they were using SMS for controls on a dam. I guess part of it is that we now have people

Alternate Headline

[Anonymous Coward]

Hacker Claims He Broke Wind Into Turbine Systems

Just waiting for the follow-up...

[BagOCrap]

When the shit hits the fan.

Re:

[groslyunderpaid]

I haven't chuckled that well on /. in a while. Thank you, sir, and your u/n for the double wordplay.

OPC involved?

[anchovy_chekov]

I'm never surprised when I hear about industrial systems getting hacked for two reasons: (1) the venerable OPC protocol and (2) the mad insistence of IT departments that everything - including process control systems - has to come under their control.

There's nothing wrong with OPC per se, but it relies on DCOM (which isn't secure). Even if they've moved to the better OPC UA or some other architecture there's still the craziness of making industrial systems accessible over the corporate network.

Re:

[pnewhook]

Glad to be living on the seacoast in NH.

Well since you are so paranoid, I'd like to point out that Ontario Canada generates over 200 times the nuclear generation capacity of Florida, and it's right next door to NH !

Re:

[tnk1]

Not to mention when the megatsunami from the Canary Islands arrives at some point in the future, you can expect that your house will be upgraded to houseboat in one easy step.

Re:

[dimethylxanthine]

I'd like to point out that Ontario Canada generates over 200 times the nuclear generation capacity of Florida

[citation needed]

Oh no!

[chill]

What if he were a terrorist? Al-queda could sabotage the wind turbines, creating a MASSIVE wind spill! Think of the economic impact...the devastated lives...the broken families! Did we learn nothing from BP in the Gulf?

Oh the humanity!

We need Michael Bay to create a movie to fully articulate the possibilities of such a disaster. Wind everywhere...

Re:

[GameboyRMH]

Actually on a serious note, if he had control over the direction of the nacelle and/or the blade pitch, he might be able to break the turbine. These things are actively controlled, they have wind sensors on them that measure the wind speed and direction, and then electric motors are used to point the nacelle into the wind and adjust the blade pitch (and possibly also some settings on a gearbox inside the nacelle). I imagine that if he could accelerate the blades to a high speed and then quickly turn it side

Stupid goal

[DoofusOfDeath]

He'll risk prison just to break wind in public?

Dear world....

[Lumpy]

MOST SCADA systems are horribly protected. idiot managers and phb's want remote access to systems that should be on protected and isolated networks. Please sack the managers that demand remote internet access to SCADA systems that do not have a legitimate reason other than to satisfy the demand of that manager.

I know of several Water filtration plants that are horribly open to attack because the supervisor of them is too damn lazy to drive in to do his work. And YES you can easily make a secure connecti

Re:

[pnewhook]

Yes. And if you dont want anyone breaking into your house, only put in an OUT door and cut the IN door. lol - you do realize internet lines are not only one way, right?

Re:

[pnewhook]

If you were going to go through the bother of rewriting the code so it didn't check for the handshakes just so you can cut the receive wires, then why not just write the software so it doesn't accept incoming packets? Please get a basic understanding of how things work before you go off and comment on them.

Re:

[Lumpy]

You obviously don't understand how ethernet works at all.
Please come back when you have a basic education about the topic at hand.

Re:

[pnewhook]

I do. If you think you can cut the receive lines and leave only the transmit, and still have a functioning ethernet system then you are a complete moron. You are the one that needs basic education about the ethernet protocol.

Re:

[Lumpy]

I suggest you learn networking as well as Ethernet, oh and take your lithium your Bipolar is showing.

Here is some reading material that might be too advanced for you, but I like to share...

http://www.sun.com/bigadmin/content/submitted/passive_ethernet_tap.jsp [sun.com] -- how to receive only network traffic.
http://www.public.asu.edu/~sksrini2/Projects/TFTP/AP36.pdf [asu.edu] -- basics on how to broadcast data on transmit only, might be too advanced for you.
http://www.stearns.org/doc/one-way-ethernet-cable.html [stearns.org] -- more info for

Yes, but

[Fr05t]

pics or it didn.... oh.

Not so illigitimate.

[Restil]

Justification for his firing is sounding better and better all the time.

-Restil

FAKE

[StickyWidget]

FAA: "Wind power company sees no evidence of reported hack
" http://www.itworld.com/security/156817/wind-power-company-sees-no-evidence-reported-hack [itworld.com]

Also:
http://seclists.org/fulldisclosure/2011/Apr/264 [seclists.org]
http://seclists.org/fulldisclosure/2011/Apr/265 [seclists.org]

~Sticky

Well that blows ...

[tgd]

*waits for applause and laughter*

*sulks away*

Link to pics?

[vlm]

Anyone got a link to the actual pics that the article merely talks about? Would be hilarious if he's trying to pass off vendor instruction / tech manual screen shots as his "proof".

The guy could have caused a heck of a lot more disruption if he knew he was going to be canned and collected his screenshots first... You can imagine the extremely expensive chaos if he later publishes screenshots of a system that in fact cannot be remotely broken into. Millions of dollars spent trying to figure out how he got

Re:

[StickyWidget]

http://seclists.org/fulldisclosure/2011/Apr/264 [seclists.org] [seclists.org]
http://seclists.org/fulldisclosure/2011/Apr/265 [seclists.org] [seclists.org]

~Sticky

Re:

[johnny cashed]

Sure, one wind farm, you can't cause any trouble. However, if you hack a whole bevy of windfarms, you can command the grid to back feed the wind turbine, turning them into gigantic fans that can then alter the rotation of the earth itself. Not to mention the ability to blow away small towns. Truly a threat of S.P.E.C.T.R.E proportions.

...and commit a Felony

[realsilly]

Is this guy really touting that he hacked this stuff, because he was let go from his job? Embarrassing a company is nothing new these days. Assuming his claims are indeed true, he's now boasted about his mis-deeds and it will only served to be used against him in a court of law.

Re:

[nedlohs]

And the government will do enough squinting to frame it as an terrorist attack on essential energy infrastructure.

Re:

[tnk1]

Idiots that carry out these actions don't do it so that they can get away with it, otherwise it would be very carefully made to look like an accidental malfunction. They want everyone to know how much smarter they are than their employer.

The problem with their tactics are that:

a) getting caught means they will get in a lot more trouble than simply losing their job, proving beyond a doubt that they are self-destructive and stupid.
b) having something break isn't going to show how stupid the company is, they'

Air Humor

[Fnord666]

"It's probably still up in the air as to whether this was a real threat or a hoax," Cusimano said.

Hopefully he put air quotes around that as well.

What this probably is.

[DarthVain]

I have been to a wind farm and seen the setup. I would not be surprised if this is possible at all.

Basically you have a company that runs the windmills and you have a different company that actually builds the damn things.

So while NextEra Energy Resources may run the stupid things, likely someone like Siemens actually built the things. Generally speaking while NextEra Energy Resources may maintain things, Siemens would really be the technical experts.

Thus this is why I was told companies like Siemens can ac

Re:Wind turbines? Insecure! Let's abolish them!

[mug funky]

yes. too much can go wrong. this has the potential to be another Windscale.

i suggest we go to nuclear as soon as feasible.

Re:

[GameboyRMH]

this guy want to blow us all!

And how is that a bad thing? I personally don't swing that way, but I can only applaud this guy's generosity.

Re:

[GameboyRMH]

I heard their foundations are built with a material composed partly of dihydrogen monoxide! 8-(

Re:

[cbiltcliffe]

No kidding.

That stuff makes the sweat pour off me....

Re:

[burni2]

Yes because a wind turbine going havoc causes the public order to collapse, instead of a nice and silent nuclear reactor meltdown.