SCADA Security Hack at FPL Wind Turbine - Hoax or Real?

At approximately 11:00 a.m. EDT last Saturday morning (April 16, 2011), The Repository for Industrial Security Incidents (RISI) received the following email:

Subject: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED

Message: Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL) ... ain't nothing you can do with it, since NM electricity is turned off !!! In some days this people will know about FLP SCADA security, here is it for you .... Secure SCADA better! Leaked files are attached

Disgruntled Ex-Employee sends Proof of Hack to Authorities

Attached to the email were eight image files of various HMI screens, a Windows Explorer view of computer files and what appear to be views of a maintenance management/work order system. Also attached was a dump of the configuration from a Cisco router with addresses that are part of the Florida Power and Light assigned address space.

Unknown to us, the same email was also sent to the seclists.org/fulldisclosure list and so the files can be viewed at http://seclists.org/fulldisclosure/2011/Apr/260.

Since it appeared that the writer was referring to FPL’s New Mexico Wind Energy Center, John Cusimano, the Director of RISI, immediately contacted the ICS-CERT and the New Mexico CERT with the information. The CISO of FPL subsequently contacted John on Sunday morning, informing him that this is a hoax.

Investigating the Hack

In investigating this further, we now believe most, if not all, of this is a hoax and an attempt to embarrass FPL. First of all, the HMI screen shots clearly appear to be samples from a vendor or a student experiment, not real HMI screens from a system the size of the PNM Wind Energy facility.

They also show a SINAMIC 120, which is a drive controller from Siemens and not something one would associate with a wind farm. The final nail in the coffin is the fact that the alarm text in HMI shots are in German, not the usual language for a facility in New Mexico.

As for the maintenance management/work order system screen shots, these all appear to be from September 2009 from an unrelated FPL facility, namely Seabrook Station which is located in New Hampshire.

The router ACLs and the Windows Explorer view of the computer files are the only potentially convincing items in the collection. We did confirm that the IP addresses were assigned to FPL in New Mexico. Had we only received those we would have been a lot more concerned. Note: as tempting as it was, we did not scan the addresses with Nmap, Shodan or any other scanning tool – we figured FPL’s routers would be getting enough probing without us adding to the noise.

The Hack is most likely a Hoax

The bottom line: The images supplied clearly appear to be unrelated to the claimed hack of FPL’s New Mexico Wind Energy Center. This has made us very suspect of the whole message. At this point we are agreeing with FPL that this is a hoax. We will keep you posted as more information becomes available.

Related Links

• ISSSource.com - FPL Wind Turbine Hack a Hoax
• Networkworld.com - Experts agree: Wind turbine 'hacker' is a fake
• Networkworld.com - Wind power company sees no evidence of reported hack

Subscribe to the "Practical SCADA Security" news feed