hacker posted a threat to the Full Disclosure security mailing list on
Saturday, claiming that he/she planned to break into wind turbine systems as
revenge for an "illegitimate firing" from Florida Power &
name attached to the post was "Bgr R," and the person is a former
employee at Florida Power & Light. According to an e-mail
interview with Bgr R, he (or she) found a weak spot in the Cisco security
management software used at Florida Power & Light. This vulnerability was
used to hack into the supervisory control and data acquisition (SCADA) systems,
which control the turbines.
Bgr R even
posted screen shots of this access to the security management systems and
control systems at the 136-turbine Fort Sumner wind farm, which is 170 miles
northeast of Alberquerque, New Mexico. In particular, the screenshots showed
the management interface of the Wind Turbines, which is Siemens software called
WinCCC, and an FTP server along with a company project management system. Web
server header information and configuration data can be seen from a Cisco
router as well.
control, Bgr R could have shut down the 200-megawatt facility or damaged its
hardware. Bgr R's intention was to embarrass Florida Power & Light, and to
show people "how they really work on SCADA security."
revenge for illegitimate firing from Florida Power & Light
Company...ain't nothing you can do with it, since your electricity is turned
off!!!" said Bgr R in the post.
The debate was
whether this was a hoax or a serious security breach, but according to Wesley
McGrew from McGrew Security, the threat seemed viable.
guess is that it's legit, and this guy will probably be picked up pretty quick
if it's really a disgruntled employee," said McGrew. "The whole thing
looks like just a grab bag of stuff he had access to."
NextEra Energy Resources, which manages the Fort Sumner wind facility and is a
subsidiary of NextEra Energy (the parent company of Florida Power &
Light), has reported that there is no
evidence of a hack in the security or controls system.
investigated the claims of a potential computer hacking and found that the
information provided as proof of hacking is largely publicly available
information, which by itself would not be adequate to launch a
successful attack against the named SCADA system or wind site,"
said Steve Stengel, a spokesman for NextEra Energy Resources. "We have not
seen any evidence of a breach."
experts are wondering if Bgr R was ever really an employee at all, or if the
threat will ever come to fruition.
just really difficult to establish what's going on either way," said
whether the post was a hoax or not, system security is the topic at hand, and
some experts question the security measures used in these particular systems.
For instance, the router information showed that one of the company passwords
John Cusimano, director at the Security Incidents Organization, 10 to 15
percent of all industrial security computer incidents occur due to insiders