Wind Power Firm Sees No Evidence of Hack

alphadogg writes "One day after a hacker posted screen shots and data to a hacking mailing list, saying he had broken into a New Mexico wind turbine facility, the company that runs the turbines says it has seen no evidence of a computer intrusion. The hacker, who calls himself Bigr R, made the claims Saturday, posting screenshots of the facility's management interface, screenshots of an FTP server and project management system, as well as Web server info and configuration data from a Cisco router."

LOW!

[clang_jangle]

Congrats, you've set the bar super low -- not only did you not bother to RTFA OR TFS, you actually failed at parsing TFH(eadline). Go, moron!

Language

[bezking]

If you look at the screenshots he posted (example [imageshack.us]) you'll see that some of the screens were in the German language or a derivative thereof. Why would a New Mexican power plant have its systems in German!?

Re:

[TaoPhoenix]

Quoting The Previous F Article

"If this is a hoax, it's really well done".

Is *Faking* break-ins the new L33T?

Re:

[clang_jangle]

I think the recent escapades of "Anonymous" has fired up the imaginations of a lot of wannabes. So yes, faking it is the new 1337 -- for some people.

Re:

[kelemvor4]

Code kiddies and wannabees always have been and always will be.

Re:

[Lumpy]

Among the script kiddies? yes, yes it is.

Re:

[Anrego]

Is *Faking* break-ins the new L33T?

Oh it always has been. From the kids who copy+pastes stuff from their windows system file into msn messanger so his/her friends think they are being "hacked", to people using hostnames to determine where someone lives on IRC and try to scare them with the information...

Re:Language

[0100010001010011]

Germans Make Good Stuff.

Seriously, if you start getting into high level automation of PLC and other industrial systems, there are only a few key players in the game. Siemens [siemens.com] is one of those companies. Sure enough, if you search for SINAMICS S120, the Siemens page is the first hit.

How often do you dump your error codes into 5-10 languages? If you go to Europe and use a piece of GE technology you'll probably get errors in English.

Re:

[Lumpy]

Allen Bradley is out there quite heavy. in fact I saw far more of it than siemens stuff.

Re:

[mooboy]

Allen Bradley is out there quite heavy. in fact I saw far more of it than siemens stuff.

AB is big in the US only. Siemens is by far the largest controls systems provider internationally.

Re:

[Asic Eng]

Doesn't really matter, SINAMICS S120 is clearly Siemens gear.

Re:

[frozentier]

Germans Make Good Stuff.

No shit, look at the ShamWow! Vince wasn't kidding.

Re:

[Themer]

All of the Siemens PLC error codes come out in English for English interfaces. I have used them extensively.

Re:

[Anonymous Coward]

Wait, I seem to recall something in the news recently about some security problems with Siemens controllers in some industrial equipment. Something about a virus or worm getting into software on the computers that ran the facility, and from there into the controller software itself, where it proceeded to mess up the industrial gear. I'm having a little trouble remembering the details, though. Hmmm... it was all in the news a while ago. I think maybe the problems were in Iran?

Re:

[shish]

Looking at that example, a more confusing thing comes to mind: why would their systems be built with MS-Paint o_O?

Re:

[somersault]

Hahahahah.. I didn't consider the screenshots worth looking at until you said that.. that's some extremely unprofessional interface design.. geez.

Re:

[Anonymous Coward]

that's some extremely unprofessional interface design

Actually that's highly professional. Industrial/professional UIs are never pretty because it's not a requirement. Why waste time and money on making things pretty? These aren't consumer products where the buyer first and foremost looks at how it looks instead of what it does.

Re:

[somersault]

There's a difference between "not pretty" and "shitty". Right angled lines would have been better than freehand in MS paint. It would have taken all of 3 seconds more, and look infinitely better.

Re:

[tlhIngan]

that's some extremely unprofessional interface design

Actually that's highly professional. Industrial/professional UIs are never pretty because it's not a requirement. Why waste time and money on making things pretty? These aren't consumer products where the buyer first and foremost looks at how it looks instead of what it does.

I've grown to think that the more expensive and/or specialized the program, the worse the UI is. And it's not about making the UI "pretty" but more "usable".

Sure the program is design

Re:

[__aaqvdr516]

Sinamic is a Siemens product. Siemens is one of the larger producers of controls for industry. I use a number of their products at my job. It's not uncommon for these types of controls to offer multi-language support. I wonder if that wasn't part of this guys hack.
I don't know much about the Siemens "front end" though, as the plant I work for uses a different control interface.

Re:

[DoofusOfDeath]

If you look at the screenshots he posted (example [imageshack.us]) you'll see that some of the screens were in the German language or a derivative thereof.

English?

Re:

[Bobfrankly1]

If you look at the screenshots he posted (example [imageshack.us]) you'll see that some of the screens were in the German language or a derivative thereof.

English?

Yes.

ABB is Swiss

[tacokill]

ABB also makes DCS systems and they are a swiss company (ie: speak German).

Another poster already pointed out Siemens as well.

Re:

[Bobfrankly1]

If you look at the screenshots he posted (example [imageshack.us]) you'll see that some of the screens were in the German language or a derivative thereof. Why would a New Mexican power plant have its systems in German!?

Because if the hacker got into anything, it was the honeypot that he/she was meant to get into.

Re:

[superdave80]

Not unheard of. Here in California, I actually have a injection molding press at my factory that has its control screens set for English, but it still spits out some German words from time to time.

Re:

[Asic Eng]

That looks more like a page from a manual rather than a screenshot, though. Wold have expected the screenshot to look more like this [siemens.com].

Re:

[Internetuser1248]

Germany manufacture a lot of mechanical parts and also have a strong industrial relationship with mexico. It is not unlikely that the hacker was employed in some part of the process of building the plant.

It should also be noted how major the difference is between a hack at a wind farm and a hack at a nuclear power facility, even a fake hack. Whats the worst you could do if you hacked a wind turbine? Well you could probably break it given the right wind conditions.

None of this means it didn't happen

[royallthefourth]

It's possible that the IT staff who failed to secure the networks and websites also lack the expertise to detect an intruder. It's certainly not easy, and if they were able to cleanly socially engineer (or perhaps guess) passwords to get it done, there may be no way to detect it at all.

Re:

[Anrego]

One day seems a bit quick to do an investigation.

That said, I do think this was probably a hoax.

Re:

[afidel]

Not really, with a good IDS system you should have no trouble. We log everything that happens on our server and DMZ vlan's to a Network General box and could easily pull up all conversations between the firewall and any server box, or any workstation and any DMZ box. I would hope critical infrastructure such as a SCADA system is at least as well monitored.

Re:

[Anonymous Coward]

I am sorry to disappoint you, having worked at a company developing SCADA systems... these systems are developed a bit like this:

Assumption 1: SCADA systems... should be on a completely separate infrastructure.
Assumption 2: If the system is on a separate, secure infrastructure... we have no need for additional security measures.

Reality-check 1: 'I want to see what they h*ck is going on at the site when I'm at home!!!'
Reality-check 2: Nobody listens to the security-conscious-g

Re:

[Lumpy]

No it's not. Most do not have any IDS let alone any decent networking. Most SCADA systems are lowest bidder and competent IT and networking staff are not in the equation at those price levels.

Re:

[afidel]

Sweet, well then when they get hacked and cause widespread outages I hope they get fined megabucks for every minute of downtime and are sued by their critical contract customers for gross negligence. Someone needs to force these guys to do things in a competent manner and apparently a decade of being warned about cybercrime hasn't been sufficient so I guess the only way they will listen is if it hits their bottom line.

Re:

[Anrego]

so I guess the only way they will listen is if it hits their bottom line

Even then, probably not. The cost of even a major incident is going to be less than doing it properly in the first place.. and the government is gonna be bailing them out, not fining them!

It's a shitty system and it's all gonna fail one day ... but no point deluding ourselves to the reality of the current situation.

Did you not see die hard 4!

Re:

[Anonymous Coward]

I would argue that the burden of proof is on the hacker, and not on the power company.

Re:

[Charliemopps]

The problem is that most oversights in security will be continue to be missed when the site is reviewed. The same people who didn't think using postit notes on monitors to keep track of passwords wouldn't think that was a problem even after 90% of their workforce are carrying in cellphones with cameras built in every day.

Re:

[Lumpy]

They checked the windows 98 gateway machine and their virus scanner did not find anything. There is no way he got in, the AV software said so!

Re:

[starfishsystems]

It's possible the guy got in. The evidence he presents is far from conclusive. It's possible he didn't. The operator says there's no evidence for it. Without conclusive evidence, all we can do is idly speculate, which makes this topic perfect for Slashdot.

The way in, apparently, was through a Cisco border router. It only takes a moment to check the router logs. Both successful and failed logins are recorded. Resetting the log leaves evidence. If the site is competently managed, the log events are

Nothing to see here.

[jshackney]

This whole thing smelled funny from the beginning.

Re:

[catmistake]

I'm not so sure. Couldn't this be Iranian retaliation for Stuxnet?

Re:

[necro81]

Probably the Iranians have bigger targets than the SCADA network for a privately-owned wind farm in New Mexico. Stuxnet was targeted at a key facility of the Iranian nuclear infrastructure: a non-overt attack on the Iranian military and government. I would expect if the Iranians were pissed at us over that they would attempt to retaliate in kind.

Not Really

[Anonymous Coward]

They're trying to goad an emotionally immature hacker into providing even more evidence.

Making the criminals do the investigative legwork .. now that's smart policing.

Next story on slashdot in an hour...

[pasv]

Wind Turbine Firm hack confirmed: "Oh wait, never mind. We found his rootkit on port 31337 going out from our webserver! D'oh!"

Re:

[jamesh]

I'm more concerned that Slashdot itself has been hacked, and some unscrupulous bad guys is posting the news as it happens, instead of weeks, months, or years later.

Re:Next story on slashdot in an hour...

[jamesh]

and some unscrupulous bad guys is posting the news as it happens

... and the same bad guys is inserting bad grammar in my posts.

Re:

[Abstrackt]

and some unscrupulous bad guys is posting the news as it happens

... and the same bad guys is inserting bad grammar in my posts.

Actually, I've just been drugging your coffee. The net effect is the same though.

Re:

[jamesh]

Or maybe we're just loosing our minds!

Simple Message

[scubamage]

Absence of evidence is not evidence of absence.

Re:

[Anonymous Coward]

You could be a lawyer for the RIAA!

Re:Simple Message

[LordLimecat]

And if youll note, it doesnt say "there was no hack", but that "they see no evidence".

Re:

[mooboy]

Absence of evidence is not evidence of absence.

Perhaps, but crappy evidence is evidence of crap, IMHO. Take a look at the dude's screen shots. Any power company using such poorly put together screens, with no interesting status info, no proper overview screen with worthwhile data, isn't really a power company, but some kiddies dream.

Re:

[plover]

Dammit, Timecube, you've crossposted back into the sane world again. Stop that!

Re:

[jasen666]

Any SCADA/HMI system should be physically isolated from the business LAN regardless of whether it's internet accessible or not. Sounds like a few inherently bad choices were made here if this is true.

They better be right

[vadim_t]

Otherwise I imagine the hacker will try to put up a demonstration.

i wonder what can be done with access to that system.

Re:

[kubernet3s]

-send turbines spinning under power -starting changing earth's rotational axis -Neptunian winters -God help us

Re:

[leuk_he]

Almost everything is hooked to the internet. Most of the critical stuff is behind a good vpn and a good firewall that most engineers do not imagine to be hacked.

And who says it was hacked from the internet?

So what I am reading

[RigrmRtis]

Is that the most likely scenario is that this guy is for real. And isn't that, as a former employee, he has old configs stored somewhere that he still has access to (like a personal laptop). As well as screen shots related to training material. Nah this guy that was just fired and has offered up no real-time evidence is probably telling the truth. Just because that would make it more interesting.

No evidence of hack

[wezelboy]

Cause Norton Anti-Virus sez so!

It Didn't Not Happen

[alphatel]

It's a non-denial denial!

Cr4ck3r

[SlashV]

It's "cracker [catb.org]", not "hacker". Come on /. You should know better.

He was just that good

[JTsyo]

You can't backtrace him.

Re:

[mpoulton]

You can't backtrace him.

Maybe they can't, but just wait until they get the CyberPolice on his trail! They can backtrace anyone.

Re:

[fl_litig8r]

Maybe they can't, but just wait until they get the CyberPolice on his trail! They can backtrace anyone.

True enough, and the consequences will never be the same. He done goofed.

some info is too detailed

[funnyguy]

I'm not sure if NextEra is saying it didn't happen, they can't tell, or they are refuting that the screenshots were taken due to a 'hack'. Either way, some of the information looks too credible. For example, NextEra provides output data from wind farms and this data goes into various OASIS systems. One screenshot shows what are presumably OASIS files from as recent as last week. All NextEra would need to do is double check those files, make sure that timestamps and sizes match what exists and that is proof.

Stupid...

[WaffleMonster]

If BigR is really a former disgruntled employee he might as well have just posted his full name and address along with the dumps.

The response by Benji on the seclist mailing list sums it up: "so how long do you give yourself before you're in prison?"

big deal

[shadowrat]

I hacked slashdot. As evidence, i found this in the slashdot servers:

0x38a7fe1a