
Researchers Found They Could Hack Wind Farms - jonbaer
https://www.wired.com/story/wind-turbine-hack
======
ocschwar
I'm close enough to the industry that I can see the root cause.

There's a huge cultural difference between Telecom and Power.

When AT&T started out, they hired telegraph boys to operate the switches, and
then after getting tired of their antics, fired them en masse and replaced
them with young women. That sparked the first wave of people tampering with
telecom wires to pull pranks, and the telecom sector has been familiar with
that issue ever since. Phone phreaking, as in tampering with crossbar switches
remotely, is at least as old as the Arab-Israeli war of 1948.

Power utilities, meanwhile, have had some protection from the simple fact that
even sociopaths don't like to risk their own lights going out. Even during
civil wars, militias will spare the other side's power because they want to
use it when they conquer the other side's territory. Power utilities have to
worry about copper thieves, squirrels, and tree branches. Getting bits diddled
remotely by bad actors is not something they've had to think about as long.

~~~
rsync
"Getting bits diddled remotely by bad actors is not something they've had to
think about as long."

They should never have to worry about this.

Power plant equipment, etc., should not have networking capability. Not just
no Internet, but no _networking_.

~~~
thom_nic
You might be surprised to learn that all power plants have some sort of
primitive "networking" capability, albeit something that looks more like a
direct point-to-point phone line between plants and the grid operator (see
DNP3.) As you can imagine these are relatively expensive to install, but part
of the bring-up of a new power plant.

All of these plants also have some sort of SCADA system internally and turbine
fields need the same (the turbines need to be connected to each other, and the
operator needs to be able to control the turbines in some way: e.g. turning
them off when there is an excess of power, reading power output, faults, etc.)
So one way or another, communication needs to occur whether it's over an IP
network or a dedicated PTP line.

If someone gets physical access it's mostly game-over unless you've got
built-in hardware-level encryption between all of the internal components of
the facility. If there wasn't an Ethernet port in the server cabinet the
hacker could just connect an RS-485 line and start sending MODBUS commands or
whatever protocol the SCADA system is using.

But the article does a good job pointing out that the assumption that "the
facility/network is secure" does not hold as well in distributed generation as
it did for traditional power generation.

Edit: see also
[https://en.wikipedia.org/wiki/DNP3](https://en.wikipedia.org/wiki/DNP3)

------
scblock
The article isn't _wrong_ wrong, as the core of this security issue is right,
but it's also not really right either. Wind Farm SCADA is generally well
protected from internet attacks by design, but it is based on a fiber ring
ethernet network that does indeed tend to treat internal nodes on the network
as trusted. The article's notes on physical security make sense. And operators
generally expect to be able to control the system from any machine, not just
the central server. But it seems like much of the solution is better locks.

And I don't know who the author got this idea from: "The equipment is designed
for lightness and efficiency, and is often fragile as a result.", but it's not
accurate. It's designed for a balance of performance, robustness, and cost.
Just because the machines are not designed for repeated emergency braking
doesn't make them fragile.

Bigger picture though, next time you're out and about take a good look at your
surroundings. The U.S. is huge, and much of our grid infrastructure is remote.
Forget the nuclear power plant example in the article. It wouldn't be
stupendously difficult to take down a major transmission line or switchyard if
you were determined. Much of the world operates because people generally leave
well enough alone, for better or worse.

~~~
drcross
It's a bit like the people raving that the sky will fall when cars are all
internet connected because they will be vulnerable to hacking but completely
ignoring that you could cause far more damage with a pallet of bricks being
thrown off a motorway bridge, which generally doesn't ever happen.

~~~
GavinMcG
To be fair, throwing a pallet of bricks off a bridge _wouldn't_ cause as much
damage as causing 1% of an area's cars to crash, and it's a crime you actually
have to be on site for.

People are quite reasonably more afraid of attack vectors that can affect huge
numbers of people all at once, especially when the attacker could be anywhere
in the world.

One obvious example of why that's reasonable is the recent ransomware – sure,
you've always been able to easily extort $300 from someone, but now you can
take money from a lot of people, and not get caught.

~~~
digi_owl
Hacking, witchcraft, radioactivity. They all have in common that they are
something you can't see, hear, or smell coming at you. Thus they are anxiety
inducing...

~~~
mannykannot
In two of those cases, some level of anxiety is justifiable.

~~~
optimuspaul
Witchcraft and radioactivity, right?

~~~
marcosdumay
Well, probably. Unless you are stupid enough to plug your car into the internet.

------
horsawlarway
This whole article seems to basically boil down to this:

>And in the meantime, a few stronger locks, fences, and security cameras on
the doors of the turbines themselves would make physical attacks far more
difficult.

I mean, any time someone has physical access to your machines, you're going to
lose the security fight. Full stop.

At that point, if the goal is damage or extortion, and you've walked into an
unguarded and poorly secured building (or turbine), a little bit of dynamite
is a WAY better bet than a network compromise.

~~~
brianwawok
Maybe?

I mean if I wanted to blow up 1000 turbines with dynamite, I would need:

* Physically drive to 1000 turbines

* Purchase 1000 sticks of dynamite

* Physically walk up to 1000 turbines

* Set up some kind of ransom remote detonator that I could set off

* Somehow monitor all 1000 turbines to see no one could defuse my bomb

* Not blow myself up while setting up the bombs

Vs if you could send 1 packet from Russia that told the turbine to go "full
speed reverse" that could shred the device?

You are going to argue that those two things are the same level of effort, and
we shouldn't guard against the second due to how easy the first is?

~~~
cr1895
>Vs if you could send 1 packet from Russia that told the turbine to go "full
speed reverse" that could shred the device?

Just want to point out that there's no such thing as turning on a wind turbine
at full speed reverse. It's not a fan.

Potential mechanisms for damaging one include mucking with the brakes (as in
the article), changing blade pitch, disabling some kind of cooling system,
etc.

~~~
jacquesm
> Just want to point out that there's no such thing as turning on a wind
> turbine at full speed reverse. It's not a fan.

Big AC windmills actually are started up as fans with their blades set to
'coarse' for maximum torque. What happens is that the grid is used to get them
up to speed, they become sync-locked to the grid (same frequency) and then any
excess power the wind imparts to the machine will be passed off to the grid.

If the machine would drop slightly below the 0 line of power produced the
power company would still operate it as a fan until this situation persists
for too long and the losses accumulate, then the mill is set to 'coarse' if
the pitch is variable and allowed to coast to a stop or some low RPM waiting
for the wind to pick up again.

All kinds of trickery (variable pitch, DC systems, maximum-power-point-
tracking) and so on is used to expand the useful envelope.

So yes, they're also fans. But mechanical safety is a big thing in windmill
design and most likely some FPGA or other hardware lock-out would stop you
from being able to command a typical windmill from becoming an 8 MW desk fan.

Hurricane on demand, the evil part of me now wants to know what would happen.
At a guess it wouldn't do much because the mechanism is rated to produce an X
amount of power so it likely can handle sourcing it as well as long as enough
air flows over the coils of the generator. As soon as those get too hot the
failsafe will kick in again and the mill goes flat (totally neutral blade
setting, the machine won't be moved by the wind like that) and stops.

~~~
cr1895
Oh interesting...thanks for the info!

------
djaychela
I'm constantly (and serially) amazed at the lack of lessons learned in other
fields of security in new areas. It's as if every new area where computers are
used erases the minds of the people who make the systems, and then researchers
find the issues and expose them; only then will something be done about it -
if, indeed, something is done. I'm not a security expert by any stretch of the
imagination, but I'm staggered at how easy it seems to be to gain access and
control to these kinds of systems, as if them being air gapped (if indeed,
they are) is enough to ensure they can't be compromised. I appreciate that no
system is truly secure, but the example given here seemed trivially easy in
terms of both physical and electronic access.

I do wonder if the lack of security is because of budget constraints (i.e. it
was proposed by engineers but rejected by management as a needless cost), or
if everyone didn't even think that there would be the potential of a breach
and the possibility of exploitation?

~~~
Quarrelsome
getting it working > having it secure

Then it's taken out of the hands of those that want to secure it. If you take
two companies, one developing a secure and working product and the other just
developing a working product, capitalism will weed out the secure product and
pass the insecure one. This is because it is cheaper to create, will get to
market more quickly and be easier to configure.

As these sorts of attacks are rare and there is no established and
straightforward legal framework to economically punish those without security,
the company with the least security almost always wins. Then when someone does show
the security holes the tendency is just to arrest them in order to keep this
awful system going. :D

I'm not entirely sure how we start to fix this.

~~~
TeMPOraL
> _I'm not entirely sure how we start to fix this._

This needs to be solved at regulatory level. High computer security standards
need to become part of whatever work and product safety rules companies
already have to follow. But that doesn't look like it is going to happen soon, so
as an alternative...

Did Maersk recover from that ransomware attack two days ago?

I sincerely hope they didn't. We need an economically meaningful clusterfuck
to get people to pay attention.

Related: I think the only way for security to get taken seriously, by both
companies and governments alike, is to have someone do some high-profile,
damaging hacks "pro bono". Now I would hope such actors stay away from power
systems due to risk of loss of life (don't want to disrupt traffic, or
hospitals). But this was yesterday on Morning Paper:

[https://blog.acolyer.org/2017/06/28/an-experimental-security-analysis-of-an-industrial-robot-controller/](https://blog.acolyer.org/2017/06/28/an-experimental-security-analysis-of-an-industrial-robot-controller/)

I'd say industrial robots could be a good target. If someone started shutting
down the plants of some prominent manufacturers of non-life-critical products,
maybe enough people would lose money for someone to start treating it
seriously...

~~~
pbhjpbhj
Isn't the problem in part that some people see "we done been hacked in our car
making doohickey" (/cletus) and respond "backdoor all the things" thinking
that allowing tougher security just lets the crackers hide whilst backdoors
let the "feds" catch them.

I'm not even sure they're wrong _per se_. In theory (!!) a benevolent watchful
government can promote liberty and protect its citizens (or in my case The
Queen's subjects).

~~~
bllguo
That is definitely a problem. But wouldn't backdoors only allow feds to catch
cybercriminals after the act? Better security would prevent disasters in the
first place. This seems to me a much better way of thinking about the issue

------
cannonpr
All of Amsterdam's power charging station network for cars is accessible via a
very similar method. Unauthenticated Telnet just a serial connection away,
allowing you city-wide access from any charging point. It's frightening
especially combined with the amount of data access charging points have to
cars plugged into them.

------
arm85
So the significance here is that if you had remote access to a single wind
turbine, you can control the others? Implying, if there were a vulnerability
in the control system of one turbine, the rest of them are exposed? Rather
than showing that you can stop wind turbines from spinning, if you had
physical access to the turbines.

Their "hack", which requires physical access, is about as practical as
throwing a physical spanner in the mechanics.

EDIT: I'd like to point out, there are reasons why you might want to be able
to access the SCADA system of other wind turbines, from the network access of
one wind turbine, which would be to allow wind-yaw optimising wind lidar
systems to optimise the yaw of other, local, turbines.

~~~
horsawlarway
I agree, the issue here is physical security. That's it.

Now, there are some great arguments to be made that software security in those
buildings should also be improved, but that literally doesn't matter if
someone has physical access. At best you're delaying.

Physical access trumps everything. There is no software on the planet that can
prevent a determined attacker with physical access.

~~~
brianwawok
And as mentioned above, it is silly to ignore software security.

Software attacks are often far far amplified and harder to trace than their in
person counterpart.

~~~
horsawlarway
No one is ignoring it...

The whole freaking article is about companies paying specialists to see how
secure their farms are.

My issue is that the article glides past the "physical access" part to focus
on the "scary cyber weapons" part.

That's bullshit. If it was a remote exploit from an internet connected
machine, sure: that's scary.

This wasn't that.

~~~
haltingthoughts
The point is that things are connected. By physically accessing one machine
you bring down not just one machine but the entire network. The importance of
physical security just went up by a factor of the number of machines on the
network.

At some point you are going to have to focus on the network part of security.
Getting physical access to one Google server shouldn't allow you to bring down
all of Google.

------
campuscodi
This is a hype article. Wind farms and their equipment could be hacked for
years. Just subscribe to the ICS-CERT RSS feed and you'll see they were
hackable going back years. Nobody discovered anything new.

~~~
forgottenpass
_Nobody discovered anything new._

They seem to have discovered a conference that will give them a platform to
promote themselves by banging on about known security problems while providing
zero actionable advice towards finding more weaknesses or preventing future
weaknesses.

Nah, I guess you're right. Those aren't a novel discovery either.

------
CptMauli
There is actually a funny way to shut down windfarms near forests (although
that would probably only work at night/dusk/dawn).

Just blast with full power a recording of ultrasonic bat noises to the
turbines.

But as others pointed out, if you have physical access, of course you'll be
able to do something nefarious.

Then, wind farms are offline all the time, for all different reasons, so this
would actually not be that big a deal (apart from the owner of course). And that
you are able to hack into the protocols is not really surprising, since
most of the stuff has no authentication at all. You could of course filter for
the MAC addresses of the devices, but this is so much hassle for any
maintenance personnel that I doubt that it is in place in that many places.

Additionally, at least in Europe, most of the wind farms are rather small, so
we are talking about a few turbines at once. The large ones have actually
often enough dedicated staff which will look after them.
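Added example, not code from the thread or from any wind-farm vendor: thom_nic's comment above mentions sending Modbus commands once you are on the SCADA network, and CptMauli notes that most of these protocols have no authentication at all. The block below parses Modbus/TCP frames (the MBAP header carries no credential field) and applies the kind of source allowlist a passive network monitor would use to flag state-changing writes coming from an unexpected node; the IP addresses and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (coils/registers).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) and the PDU after it. Note there is no credential field."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])

def classify(src_ip: str, frame: bytes, allowed_writers: set) -> str:
    """Monitor-side verdict: writes are only expected from listed hosts.
    Source addresses can be forged, so this is detection, not prevention."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"error:{exc}"
    if req.function_code in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        return "alert:unexpected-writer"
    return "ok"

# Constructed sample traffic; addresses are hypothetical.
ALLOWED_WRITERS = {"10.10.0.5"}  # the operator HMI
SAMPLES = [
    ("10.10.0.5", bytes.fromhex("0001000000060103006B0003")),   # read 3 registers
    ("10.10.0.5", bytes.fromhex("000200000006010500130000")),   # write coil from HMI
    ("10.10.0.77", bytes.fromhex("000300000006010500130000")),  # write coil, other node
]

def run() -> list:
    """Classify each sample; returns the list of verdicts."""
    return [classify(ip, frame, ALLOWED_WRITERS) for ip, frame in SAMPLES]

if __name__ == "__main__":
    for (ip, _), verdict in zip(SAMPLES, run()):
        print(f"{ip:12} {verdict}")
```

The third frame is byte-for-byte the same write as the second; the only thing that distinguishes them is the sender, which is exactly why an allowlist on a flat, trusted internal network is a weak control.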

~~~
iancarroll
> You could of course filter for the MAC addresses of the devices

That would not help security-wise.

~~~
noir_lord
I'm not in the security field but it still surprises me how many people don't
realize how easy MAC address spoofing actually is.

I generally describe it as the digital equivalent of swapping the plates on
your car.

------
digi_owl
Wonder if the article author had bothered highlighting the model of laptop if
it was anything other than a Macbook. Hell, going by the image used it was
wrapped in a non-descriptive case (not even a window for the logo).

------
Damogran6
"Windworm, another piece of malicious software, went further: It used telnet
and FTP to spread from one programmable automation controller to another,
until it infected all of a wind farm's computers."

What year is this?

------
pcunite
make it work, make it secure, make it cheap.

Pick two.

~~~
SuperGent
Secure and cheap please!

What you should be saying is that secure software isn't cheap, and management
doesn't see a point in spending extra money

~~~
noir_lord
Secure and cheap means it doesn't work, if not working is the criterion I can
paint a brick black and call it the control computer if you'd like.

