An anonymous hacker posted a threat to the Full Disclosure security mailing list on Saturday, claiming that he or she planned to break into wind turbine systems as revenge for an "illegitimate firing" from Florida Power & Light.

The name attached to the post was "Bgr R," and the person is a former employee at Florida Power & Light. According to an e-mail interview with Bgr R, he (or she) found a weak spot in the Cisco security management software used at Florida Power & Light. This vulnerability was used to hack into the supervisory control and data acquisition (SCADA) systems, which control the turbines.

Bgr R even posted screenshots of this access to the security management systems and control systems at the 136-turbine Fort Sumner wind farm, which is 170 miles northeast of Albuquerque, New Mexico. In particular, the screenshots showed the management interface of the wind turbines, which is Siemens software called WinCC, and an FTP server along with a company project management system. Web server header information and configuration data from a Cisco router can be seen as well.

With this control, Bgr R could have shut down the 200-megawatt facility or damaged its hardware. Bgr R's intention was to embarrass Florida Power & Light, and to show people "how they really work on SCADA security."

"Here comes my revenge for illegitimate firing from Florida Power & Light Company...ain't nothing you can do with it, since your electricity is turned off!!!" said Bgr R in the post.

The debate was whether this was a hoax or a serious security breach, but according to Wesley McGrew from McGrew Security, the threat seemed viable.

"My best guess is that it's legit, and this guy will probably be picked up pretty quick if it's really a disgruntled employee," said McGrew. "The whole thing looks like just a grab bag of stuff he had access to."

But now, NextEra Energy Resources, which manages the Fort Sumner wind facility and is a subsidiary of NextEra Energy (the parent company of Florida Power & Light), has reported that there is no evidence of a hack in the security or controls system.

"We have investigated the claims of a potential computer hacking and found that the information provided as proof of hacking is largely publicly available information, which by itself would not be adequate to launch a successful attack against the named SCADA system or wind site," said Steve Stengel, a spokesman for NextEra Energy Resources. "We have not seen any evidence of a breach."

Now security experts are wondering if Bgr R was ever really an employee at all, or if the threat will ever come to fruition.

"It's just really difficult to establish what's going on either way," said McGrew.

Regardless of whether the post was a hoax or not, system security is the topic at hand, and some experts question the security measures used in these particular systems. For instance, the router information showed that one of the company passwords was "cisco."

According to John Cusimano, director at the Security Incidents Organization, 10 to 15 percent of all industrial security computer incidents occur due to insiders seeking revenge.