SCADA Security Hack at FPL Wind Turbine - Hoax or Real?
At approximately 11:00 a.m. EDT last Saturday morning (April 16, 2011), The Repository for Industrial Security Incidents (RISI) received the following email:
Subject: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED
Message: Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL) ... ain't nothing you can do with it, since NM electricity is turned off !!! In some days this people will know about FLP SCADA security, here is it for you .... Secure SCADA better! Leaked files are attached
Disgruntled Ex-Employee sends Proof of Hack to Authorities
Attached to the email were eight image files of various HMI screens, a Windows Explorer view of computer files and what appear to be views of a maintenance management/work order system. Also attached was a dump of the configuration from a Cisco router with addresses that are part of the Florida Power and Light assigned address space.
Unknown to us, the same email was also sent to the seclists.org/fulldisclosure list and so the files can be viewed at http://seclists.org/fulldisclosure/2011/Apr/260.
Since it appeared that the writer was referring to FPL’s New Mexico Wind Energy Center, John Cusimano, the Director of RISI, immediately contacted the ICS-CERT and the New Mexico CERT with the information. The CISO of FPL subsequently contacted John on Sunday morning, informing him that this is a hoax.
Investigating the Hack
In investigating this further, we now believe most, if not all, of this is a hoax and an attempt to embarrass FPL. First of all, the HMI screen shots clearly appear to be samples from a vendor or a student experiment, not real HMI screens from a system the size of the PNM Wind Energy facility.
They also show a SINAMIC 120, which is a drive controller from Siemens and not something one would associate with a wind farm. The final nail in the coffin is the fact that the alarm text in HMI shots are in German, not the usual language for a facility in New Mexico.
As for the maintenance management/work order system screen shots, these all appear to be from September 2009 from an unrelated FPL facility, namely Seabrook Station which is located in New Hampshire.
The router ACLs and the Windows Explorer view of the computer files are the only potentially convincing items in the collection. We did confirm that the IP addresses were assigned to FPL in New Mexico. Had we only received those we would have been a lot more concerned. Note: as tempting as it was, we did not scan the addresses with Nmap, Shodan or any other scanning tool – we figured FPL’s routers would be getting enough probing without us adding to the noise.
The Hack is most likely a Hoax
The bottom line: The images supplied clearly appear to be unrelated to the claimed hack of FPL’s New Mexico Wind Energy Center. This has made us very suspect of the whole message. At this point we are agreeing with FPL that this is a hoax. We will keep you posted as more information becomes available.
Related Links
- ISSSource.com - FPL Wind Turbine Hack a Hoax
- Networkworld.com - Experts agree: Wind turbine 'hacker' is a fake
- Networkworld.com - Wind power company sees no evidence of reported hack
Comments
i think it is not fake ...
try cisco:cisco
on interface Vlan1578 ip address 65.14.117.30 255.255.255.252 load-interval 30 no clns route-cache
https://65.14.117.30
https://161.154.232.2
it is really FPL router ... wtf
Agreed - more like some real FPL issues plus a lot of rubish
You were right - there was a FPL router hanging out there and it had default credentials. Heard from ICS CERT that it is fixed now.
On the other hand, all the screen shots are definitely not a hack of any real credibility - point your browser to ftp://goxftp01.fpl.com/pub/oasis/ and you can see most of the screen shots reportedly stolen by the hacker from FPL. (FYI Oasis is a work order management system - so is Maximo, which is another folder on that FTP site.) Even the screen shot of the file system reported hacked into by the hacker is simply a view of the files on this FTP server. Check out the FTP server and then check out the hackers screens at http://img228.imageshack.us/i/85258364.png/. See anything similar?
Of course this begs the question of why FPL has these types of maintenance records exposed to the Internet. Maybe these documents aren't important to FPL or maybe they just missed this. A question for FPL to answer.
Add new comment