Feeds

Wind turbine farm hack exposed as hoax

Tilting at windmills

Internet Security Threat Report 2014

Updated Claims of a supposed hack against the computers controlling wind turbines run by NextEra Energy Resources, a subsidiary of Florida Power & Light, are increasingly looking like a hoax.

"Bgr R" posted the information to a full disclosure mailing list over the weekend in what the poster said was an act of revenge after Florida Power gave him the sack. In an email interview with Computerworld, Bgr R said that he had used a vulnerability in the firm's installation of Cisco security management software to hack into SCADA systems used to control turbines. He claimed that he carried out the supposed attack in order to embarrass the firm.

Even at this early point of reporting the story Computerworld was careful to include caveats, for example noting that Bgr R had got FPL's name wrong at on point of the exchange, a mistake an ex-worker would be unlikely to make. This caution turns out to be well founded.

NextEra Energy Resources said it found no evidence of any breach of its systems. In addition, some of the supposed evidence posted by Bgr R came from other sources.

We have investigated the claim of a potential computer hacking and found that the information provided as proof of "hacking" is largely publicly available information, which by itself would not be adequate to launch a successful attack against the named SCADA system or wind site. We have not seen any evidence of a breach, and we are continuing our monitoring and detection to protect against possible attacks.

Reports of the supposed hack made quite a splash over the weekend. Although the material posted by Bgr R initially looked plausible closer inspection revealed that buttons were in German, wind speed were quoted in km/hr not mph, and the control system depicted was for a much small facility than the 200MW/136 turbine farm ran by NextEra Energy Resources. In addition, the circuit diagram was all wrong, as explained in a compressive debunking of the whole business by Spanish reverse engineer and expert on SCADA control systems Ruben Santamarta here.

The screenshots are designed to suggest Bgr R had access to management systems controlling the 136-turbine Fort Sumner wind farm, New Mexico. If the hack was legitimate (which increasingly looks highly unlikely), the access might be enough to shut down the facility or (at worst) set up operational parameters that were likely to lead to equipment failure. Wind turbines are shut down for any number of reasons anyway, ironically including situations where it get too windy for them to operate safely. @reg;

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.