Print 14 comment(s) - last by Integral9.. on May 11 at 4:01 PM

NextEra Energy Resources reports that there is no evidence of a security breach, and that the hacker's obtained information is not enough for a successful attempt

An anonymous hacker posted a threat to the Full Disclosure security mailing list on Saturday, claiming that he/she planned to break into wind turbine systems as revenge for an "illegitimate firing" from Florida Power & Light. 

The hacker's name attached to the post was "Bgr R," and the person is a former employee at Florida Power & Light. According to an e-mail interview with Bgr R, he (or she) found a weak spot in the Cisco security management software used at Florida Power & Light. This vulnerability was used to hack into the supervisory control and data acquisition (SCADA) systems, which control the turbines.

Bgr R even posted screen shots of this access to the security management systems and control systems at the 136-turbine Fort Sumner wind farm, which is 170 miles northeast of Alberquerque, New Mexico. In particular, the screenshots showed the management interface of the Wind Turbines, which is Siemens software called WinCCC, and an FTP server along with a company project management system. Web server header information and configuration data can be seen from a Cisco router as well.

With this control, Bgr R could have shut down the 200-megawatt facility or damaged its hardware. Bgr R's intention was to embarrass Florida Power & Light, and to show people "how they really work on SCADA security."

"Here comes my revenge for illegitimate firing from Florida Power & Light Company...ain't nothing you can do with it, since your electricity is turned off!!!" said Bgr R in the post. 

The debate was whether this was a hoax or a serious security breach, but according to Wesley McGrew from McGrew Security, the threat seemed viable.  

"My best guess is that it's legit, and this guy will probably be picked up pretty quick if it's really a disgruntled employee," said McGrew. "The whole thing looks like just a grab bag of stuff he had access to." 

But now, NextEra Energy Resources, which manages the Fort Sumner wind facility and is a subsidiary of NextEra Energy (the parent company of Florida Power & Light), has reported that there is no evidence of a hack in the security or controls system. 

"We have investigated the claims of a potential computer hacking and found that the information provided as proof of hacking is largely publicly available information, which by itself would not be adequate to launch a successful attack against the named SCADA system or wind site," said Steve Stengel, a spokesman for NextEra Energy Resources. "We have not seen any evidence of a breach."  

Now security experts are wondering if Bgr R was ever really an employee at all, or if the threat will ever come to fruition.  

"It's just really difficult to establish what's going on either way," said McGrew. 

Regardless of whether the post was a hoax or not, system security is the topic at hand, and some experts question the security measures used in these particular systems. For instance, the router information showed that one of the company passwords was "cisco."  

According to John Cusimano, director at the Security Incidents Organization, 10 to 15 percent of all industrial security computer incidents occur due to insiders seeking revenge.


Comments     Threshold

This article is over a month old, voting and posting comments is disabled

HOAX, already debunked
By kitonne on 4/18/2011 3:05:02 PM , Rating: 5
RE: HOAX, already debunked
By Natfly on 4/18/2011 4:35:02 PM , Rating: 2

RE: HOAX, already debunked
By EricMartello on 4/19/2011 1:47:10 PM , Rating: 2
A hoax!? Aww... that blows.

RE: HOAX, already debunked
By Mitch101 on 4/19/2011 10:47:48 PM , Rating: 2
Nice job Breaking Wind. :)

The only good hacker is dead
By Beenthere on 4/19/2011 9:11:00 AM , Rating: 1
The only good hacker is very dead. Prison is too good for these animals.

RE: The only good hacker is dead
By Integral9 on 4/19/11, Rating: 0
RE: The only good hacker is dead
By rcc on 4/19/2011 1:29:10 PM , Rating: 2
Curious, they missed one of the originals

Someone that "hacks" lines of code from existing software rather than writing their own.

RE: The only good hacker is dead
By Integral9 on 5/11/2011 4:01:25 PM , Rating: 2
Probably took it out as it's basically the same thing as the 2nd definition.

RE: The only good hacker is dead
By drycrust3 on 4/19/2011 2:35:11 PM , Rating: 2
Prison is too good for these animals.

My understanding is there are other "government departments" where they could be "interned" ... and paid handsomely for their skills as well.

RE: The only good hacker is dead
By xplice on 4/20/2011 5:36:29 AM , Rating: 2

In today's digital age hackers are on the forefront of maintaining the freedom of information that the internet has given us.

Without them the internet would quickly (well more quickly) turn into another controlled propaganda tool used by the powers that be.

Although true that some hackers are just out to cause damage....

Well, Maybe...
By mmatis on 4/19/2011 9:51:38 AM , Rating: 2
he'll Stuxnet this farce and put an end to the hot air associated with it.

By Ben on 4/19/2011 12:06:58 PM , Rating: 2
It's WinCC, not WinCCC.

second internet
By Uncle on 4/19/2011 2:54:19 PM , Rating: 2
US better get that second internet built fast before something like this can happen.

Wow Biased Much
By toyotabedzrock on 4/20/2011 8:52:47 AM , Rating: 2
What a joke, the guy identified himself so he isn't really Anonymous now is he.

"When an individual makes a copy of a song for himself, I suppose we can say he stole a song." -- Sony BMG attorney Jennifer Pariser

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki