Home Business IT Security The critical infrastructure hack that never was


JUser: :_load: Unable to load user with ID: 3018

The critical infrastructure hack that never was

  • 19 April 2011
  • Written by 
  • Published in Security

Yesterday the Internet was a-buzz with tales of a hacker shutting down a US-based wind farm.  Pity it never happened.

On Saturday 16th April, claiming to be a disgruntled ex-employee, someone calling themselves Bigr R announced on the Full Disclosure mailing list "Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL) ... ain't nothing you can do with it, since your electricity is turned off !!!"

Attached to the submission was a sequence of 8 images - supposed screen shots from the hacked system and what appeared to be a Cicso router configuration file seemingly from the hacked company - Florida Power and Light - the owners and operators of the wind farm in question.

The news sites were all over the story.

Even at the time of writing these stories, the doubts were creeping in. 

Computerworld themselves reported that the consumers of the facility's output, New Mexico Utility company PNM "is not aware of any incidents affecting the company's Fort Sumner facility."  Surely with the media paranoia regarding critical infrastructure (Stuxnet, anyone?) news of a hacker-caused outage would have spread like wildfire.

A casual view of the provided images suggests that the site runs WinCC - a very common Supervisory Control and Data Acquisition (SCADA) software system.  Oddly (and unconnectedly) this is the same system targeted by Stuxnet.

However, there are also some immediate difficulties with the screens.

This writer has reasonable experience with the control systems for a wind farm and these screens look nothing like such a system. iTWire chose to not run the story.

Contrary to lay expectations, wind farm operators have little interest in fancy images of turbine blades whirling around and photos of turbines standing on their tall towers.  Instead, they are likely to focus of what are normally referred to as "single line diagrams" (something like slide 13 here) which are electrical diagrams used to assess, manage and control the electrical flow within the plant. 

There is little in the offered information to see that such screens are present; in fact the fourth image seems more like a listing of a private FTP site containing the images than having anything to do with a control system.

There are other clues.  On the first image, we see the word "Energie" and on the second & third, most of the language also seems to be in German (the native language of Siemens, developers of the WinCC environment).  The remainder of the images appear to be work schedules associated with the commissioning of some kind of electrical installation.

By Monday, everyone was back-peddling.  Computerworld had a change of heart, as did Networkworld

Well-known SCADA security expert Eric Byres also concluded this to be a hoax based on an analysis of the screen shots and also via access to a private SCADA security reporting network.

This whole incident exposes one of the primary problems of security reporting (and probably why Bigr R chose to announce the 'hack' on a Saturday) - that it is difficult to recognise real intrusions from hoaxes and everyone seems to want to see the worst in any situation.



Did you know: Key business communication services may not work on the NBN?

Would your office survive without a phone, fax or email?

Avoid disruption and despair for your business.

Learn the NBN tricks and traps with your FREE 10-page NBN Business Survival Guide

The NBN Business Survival Guide answers your key questions:

· When can I get NBN?
· Will my business phones work?
· Will fax & EFTPOS be affected?
· How much will NBN cost?
· When should I start preparing?