Security Market Segment LS
Tuesday, 19 April 2011 23:04

The critical infrastructure hack that never was


Yesterday the Internet was a-buzz with tales of a hacker shutting down a US-based wind farm.  Pity it never happened.

On Saturday 16th April, claiming to be a disgruntled ex-employee, someone calling themselves Bigr R announced on the Full Disclosure mailing list "Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL) ... ain't nothing you can do with it, since your electricity is turned off !!!"

Attached to the submission was a sequence of 8 images - supposed screen shots from the hacked system and what appeared to be a Cicso router configuration file seemingly from the hacked company - Florida Power and Light - the owners and operators of the wind farm in question.

The news sites were all over the story.

Even at the time of writing these stories, the doubts were creeping in. 

Computerworld themselves reported that the consumers of the facility's output, New Mexico Utility company PNM "is not aware of any incidents affecting the company's Fort Sumner facility."  Surely with the media paranoia regarding critical infrastructure (Stuxnet, anyone?) news of a hacker-caused outage would have spread like wildfire.

A casual view of the provided images suggests that the site runs WinCC - a very common Supervisory Control and Data Acquisition (SCADA) software system.  Oddly (and unconnectedly) this is the same system targeted by Stuxnet.

However, there are also some immediate difficulties with the screens.

This writer has reasonable experience with the control systems for a wind farm and these screens look nothing like such a system. iTWire chose to not run the story.

Contrary to lay expectations, wind farm operators have little interest in fancy images of turbine blades whirling around and photos of turbines standing on their tall towers.  Instead, they are likely to focus of what are normally referred to as "single line diagrams" (something like slide 13 here) which are electrical diagrams used to assess, manage and control the electrical flow within the plant. 

There is little in the offered information to see that such screens are present; in fact the fourth image seems more like a listing of a private FTP site containing the images than having anything to do with a control system.

There are other clues.  On the first image, we see the word "Energie" and on the second & third, most of the language also seems to be in German (the native language of Siemens, developers of the WinCC environment).  The remainder of the images appear to be work schedules associated with the commissioning of some kind of electrical installation.

By Monday, everyone was back-peddling.  Computerworld had a change of heart, as did Networkworld

Well-known SCADA security expert Eric Byres also concluded this to be a hoax based on an analysis of the screen shots and also via access to a private SCADA security reporting network.

This whole incident exposes one of the primary problems of security reporting (and probably why Bigr R chose to announce the 'hack' on a Saturday) - that it is difficult to recognise real intrusions from hoaxes and everyone seems to want to see the worst in any situation.


WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.



Recent Comments