SCADA Security Hack at FPL Wind Turbine - Hoax or Real?


At approximately 11:00 a.m. EDT last Saturday morning (April 16, 2011), The Repository for Industrial Security Incidents (RISI) received the following email:

 

Subject: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED

 

Message: Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL) ... ain't nothing you can do with it, since NM electricity is turned off !!! In some days this people will know about FLP SCADA security, here is it for you .... Secure SCADA better! Leaked files are attached

 

Disgruntled Ex-Employee sends Proof of Hack to Authorities

 

Attached to the email were eight image files of various HMI screens, a Windows Explorer view of computer files and what appear to be views of a maintenance management/work order system. Also attached was a dump of the configuration from a Cisco router with addresses that are part of the Florida Power and Light assigned address space.

 

Unknown to us, the same email was also sent to the seclists.org/fulldisclosure list and so the files can be viewed at http://seclists.org/fulldisclosure/2011/Apr/260.

 

Since it appeared that the writer was referring to FPL’s New Mexico Wind Energy Center, John Cusimano, the Director of RISI, immediately contacted the ICS-CERT and the New Mexico CERT with the information. The CISO of FPL subsequently contacted John on Sunday morning, informing him that this is a hoax.

 

Investigating the Hack

 

In investigating this further, we now believe most, if not all, of this is a hoax and an attempt to embarrass FPL. First of all, the HMI screen shots clearly appear to be samples from a vendor or a student experiment, not real HMI screens from a system the size of the PNM Wind Energy facility.

 

They also show a SINAMIC 120, which is a drive controller from Siemens and not something one would associate with a wind farm. The final nail in the coffin is the fact that the alarm text in HMI shots are in German, not the usual language for a facility in New Mexico.

 

As for the maintenance management/work order system screen shots, these all appear to be from September 2009 from an unrelated FPL facility, namely Seabrook Station which is located in New Hampshire.

 

The router ACLs and the Windows Explorer view of the computer files are the only potentially convincing items in the collection. We did confirm that the IP addresses were assigned to FPL in New Mexico. Had we only received those we would have been a lot more concerned. Note: as tempting as it was, we did not scan the addresses with Nmap, Shodan or any other scanning tool – we figured FPL’s routers would be getting enough probing without us adding to the noise.

 

The Hack is most likely a Hoax

 

The bottom line: The images supplied clearly appear to be unrelated to the claimed hack of FPL’s New Mexico Wind Energy Center. This has made us very suspect of the whole message. At this point we are agreeing with FPL that this is a hoax. We will keep you posted as more information becomes available.

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

 


© Tofino Security 2013 | All Rights Reserved | Tofino Security is a Belden Brand



i think it is not fake ...

try cisco:cisco

on interface Vlan1578 ip address 65.14.117.30 255.255.255.252 load-interval 30 no clns route-cache

https://65.14.117.30
https://161.154.232.2

it is really FPL router ... wtf

Agreed - more like some real FPL issues plus a lot of rubish

You were right - there was a FPL router hanging out there and it had default credentials. Heard from ICS CERT that it is fixed now.

On the other hand, all the screen shots are definitely not a hack of any real credibility - point your browser to ftp://goxftp01.fpl.com/pub/oasis/ and you can see most of the screen shots reportedly stolen by the hacker from FPL. (FYI Oasis is a work order management system - so is Maximo, which is another folder on that FTP site.) Even the screen shot of the file system reported hacked into by the hacker is simply a view of the files on this FTP server. Check out the FTP server and then check out the hackers screens at http://img228.imageshack.us/i/85258364.png/. See anything similar?

Of course this begs the question of why FPL has these types of maintenance records exposed to the Internet. Maybe these documents aren't important to FPL or maybe they just missed this. A question for FPL to answer.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr>
  • Lines and paragraphs break automatically.

More information about formatting options

CAPTCHA
This question is to prevent automated spam submissions. Data entry is case insensitive.
Image CAPTCHA
Enter the characters shown in the image.