Slashdot Mirror


Wind Power Firm Sees No Evidence of Hack

alphadogg writes "One day after a hacker posted screen shots and data to a hacking mailing list, saying he had broken into a New Mexico wind turbine facility, the company that runs the turbines says it has seen no evidence of a computer intrusion. The hacker, who calls himself Bigr R, made the claims Saturday, posting screenshots of the facility's management interface, screenshots of an FTP server and project management system, as well as Web server info and configuration data from a Cisco router."

65 of 99 comments

  1. Language by bezking · · Score: 3, Interesting

    If you look at the screenshots he posted (example) you'll see that some of the screens were in the German language or a derivative thereof. Why would a New Mexican power plant have its systems in German!?

    1. Re:Language by TaoPhoenix · · Score: 1

      Quoting The Previous F Article

      "If this is a hoax, it's really well done".

      Is *Faking* break-ins the new L33T?

      --
      My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    2. Re:Language by 0100010001010011 · · Score: 4, Interesting

      Germans Make Good Stuff.

      Seriously, if you start getting into high level automation of PLC and other industrial systems, there are only a few key players in the game. Siemens is one of those companies. Sure enough, if you search for SINAMICS S120, the Siemens page is the first hit.

      How often do you dump your error codes into 5-10 languages? If you go to Europe and use a piece of GE technology you'll probably get errors in English.

    3. Re:Language by clang_jangle · · Score: 1

      I think the recent escapades of "Anonymous" have fired up the imaginations of a lot of wannabes. So yes, faking it is the new 1337 -- for some people.

      --
      Caveat Utilitor
    4. Re:Language by shish · · Score: 2

      Looking at that example, a more confusing thing comes to mind: why would their systems be built with MS-Paint o_O?

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    5. Re:Language by kelemvor4 · · Score: 1

      Code kiddies and wannabes always have been and always will be.

    6. Re:Language by __aaqvdr516 · · Score: 1

      Sinamic is a Siemens product. Siemens is one of the larger producers of controls for industry. I use a number of their products at my job. It's not uncommon for these types of controls to offer multi-language support. I wonder if that wasn't part of this guy's hack.
      I don't know much about the Siemens "front end" though, as the plant I work for uses a different control interface.

    7. Re:Language by Lumpy · · Score: 1

      Among the script kiddies? yes, yes it is.

      --
      Do not look at laser with remaining good eye.
    8. Re:Language by Lumpy · · Score: 1

      Allen Bradley is out there quite heavy. In fact I saw far more of it than Siemens stuff.

      --
      Do not look at laser with remaining good eye.
    9. Re:Language by Anrego · · Score: 1

      Is *Faking* break-ins the new L33T?

      Oh it always has been. From the kids who copy+paste stuff from their Windows system file into MSN Messenger so his/her friends think they are being "hacked", to people using hostnames to determine where someone lives on IRC and try to scare them with the information...

    10. Re:Language by mooboy · · Score: 1

      Allen Bradley is out there quite heavy. In fact I saw far more of it than Siemens stuff.

      AB is big in the US only. Siemens is by far the largest controls systems provider internationally.

      --
      There's no place like 127.0.0.1
    11. Re:Language by somersault · · Score: 1

      Hahahahah.. I didn't consider the screenshots worth looking at until you said that.. that's some extremely unprofessional interface design.. geez.

      --
      which is totally what she said
    12. Re:Language by DoofusOfDeath · · Score: 1

      If you look at the screenshots he posted (example) you'll see that some of the screens were in the German language or a derivative thereof.

      English?

    13. Re:Language by frozentier · · Score: 1

      Germans Make Good Stuff.

      No shit, look at the ShamWow! Vince wasn't kidding.

    14. Re:Language by Bobfrankly1 · · Score: 1

      If you look at the screenshots he posted (example) you'll see that some of the screens were in the German language or a derivative thereof.

      English?

      Yes.

    15. Re:Language by Anonymous Coward · · Score: 1

      that's some extremely unprofessional interface design

      Actually that's highly professional. Industrial/professional UIs are never pretty because it's not a requirement. Why waste time and money on making things pretty? These aren't consumer products where the buyer first and foremost looks at how it looks instead of what it does.

    16. Re:Language by Themer · · Score: 2

      All of the Siemens PLC error codes come out in English for English interfaces. I have used them extensively.

    17. Re:Language by Bobfrankly1 · · Score: 1

      If you look at the screenshots he posted (example) you'll see that some of the screens were in the German language or a derivative thereof. Why would a New Mexican power plant have its systems in German!?

      Because if the hacker got into anything, it was the honeypot that he/she was meant to get into.

    18. Re:Language by Anonymous Coward · · Score: 1

      Wait, I seem to recall something in the news recently about some security problems with Siemens controllers in some industrial equipment. Something about a virus or worm getting into software on the computers that ran the facility, and from there into the controller software itself, where it proceeded to mess up the industrial gear. I'm having a little trouble remembering the details, though. Hmmm... it was all in the news a while ago. I think maybe the problems were in Iran?

    19. Re:Language by somersault · · Score: 1

      There's a difference between "not pretty" and "shitty". Right-angled lines would have been better than freehand in MS Paint. It would have taken all of 3 seconds more, and look infinitely better.

      --
      which is totally what she said
    20. Re:Language by tlhIngan · · Score: 1

      that's some extremely unprofessional interface design

      Actually that's highly professional. Industrial/professional UIs are never pretty because it's not a requirement. Why waste time and money on making things pretty? These aren't consumer products where the buyer first and foremost looks at how it looks instead of what it does.

      I've grown to think that the more expensive and/or specialized the program, the worse the UI is. And it's not about making the UI "pretty" but more "usable".

      Sure the program is designed by an engineer who cares little about UI design and slaps every button on the main screen, or puts UI controls where they're easiest for their QA testing, but that doesn't mean it's usable or even conducive to a sensible workflow. (Imagine your daily job is to use those things and it involves clicking in 100 different places to get two pieces of information that really ought to be shown together, etc).

      Bad UI design has also contributed to many an accident, as well. And who knows what sort of software engineering practices went into its production? Having seen one package be a horrendous mix of C, Visual Basic (of varying versions), Lisp and probably a half dozen other languages...

      Of course, the professionals in the field tolerate such crap because well, it's probably the only software package out there. And new versions bring about old and new bugs again, so everyone ends up using some ancient version because it works and they know the workarounds for its bugs and its UI quirks.

      And yes, those workarounds may involve all sorts of other crap thrown together - including taking the results of the program, feeding it into some Excel spreadsheet, taking the results of that and feeding it back into the program because it somehow doesn't (or won't easily) calculate something.

      There's probably some chewing gum and duct tape in the whole process as well. It can be ... scary.

    21. Re:Language by superdave80 · · Score: 1

      Not unheard of. Here in California, I actually have an injection molding press at my factory that has its control screens set for English, but it still spits out some German words from time to time.

    22. Re:Language by Asic+Eng · · Score: 1

      Doesn't really matter, SINAMICS S120 is clearly Siemens gear.

    23. Re:Language by Asic+Eng · · Score: 1

      That looks more like a page from a manual rather than a screenshot, though. Would have expected the screenshot to look more like this.

    24. Re:Language by Internetuser1248 · · Score: 1

      Germany manufactures a lot of mechanical parts and also has a strong industrial relationship with Mexico. It is not unlikely that the hacker was employed in some part of the process of building the plant.

      It should also be noted how major the difference is between a hack at a wind farm and a hack at a nuclear power facility, even a fake hack. What's the worst you could do if you hacked a wind turbine? Well you could probably break it given the right wind conditions.

  2. None of this means it didn't happen by royallthefourth · · Score: 5, Insightful

    It's possible that the IT staff who failed to secure the networks and websites also lack the expertise to detect an intruder. It's certainly not easy, and if they were able to cleanly socially engineer (or perhaps guess) passwords to get it done, there may be no way to detect it at all.

    1. Re:None of this means it didn't happen by Anrego · · Score: 1

      One day seems a bit quick to do an investigation.

      That said, I do think this was probably a hoax.

    2. Re:None of this means it didn't happen by Anonymous Coward · · Score: 3, Funny

      I would argue that the burden of proof is on the hacker, and not on the power company.

    3. Re:None of this means it didn't happen by afidel · · Score: 2

      Not really, with a good IDS system you should have no trouble. We log everything that happens on our server and DMZ VLANs to a Network General box and could easily pull up all conversations between the firewall and any server box, or any workstation and any DMZ box. I would hope critical infrastructure such as a SCADA system is at least as well monitored.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:None of this means it didn't happen by Charliemopps · · Score: 1

      The problem is that most oversights in security will continue to be missed when the site is reviewed. The same people who didn't think using Post-it notes on monitors to keep track of passwords wouldn't think that was a problem even after 90% of their workforce are carrying in cellphones with cameras built in every day.

    5. Re:None of this means it didn't happen by Anonymous Coward · · Score: 2, Insightful

      I am sorry to disappoint you, having worked at a company developing SCADA systems... these systems are developed a bit like this:

        Assumption 1: SCADA systems... should be on a completely separate infrastructure.
        Assumption 2: If the system is on a separate, secure infrastructure... we have no need for additional security measures.

        Reality-check 1: 'I want to see what they h*ck is going on at the site when I'm at home!!!'
        Reality-check 2: Nobody listens to the security-conscious-guy when they want to have fancy graphics.

    6. Re:None of this means it didn't happen by Lumpy · · Score: 2

      They checked the Windows 98 gateway machine and their virus scanner did not find anything. There is no way he got in, the AV software said so!

      --
      Do not look at laser with remaining good eye.
    7. Re:None of this means it didn't happen by Lumpy · · Score: 1

      No it's not. Most do not have any IDS let alone any decent networking. Most SCADA systems are lowest bidder and competent IT and networking staff are not in the equation at those price levels.

      --
      Do not look at laser with remaining good eye.
    8. Re:None of this means it didn't happen by afidel · · Score: 1

      Sweet, well then when they get hacked and cause widespread outages I hope they get fined megabucks for every minute of downtime and are sued by their critical contract customers for gross negligence. Someone needs to force these guys to do things in a competent manner and apparently a decade of being warned about cybercrime hasn't been sufficient so I guess the only way they will listen is if it hits their bottom line.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    9. Re:None of this means it didn't happen by starfishsystems · · Score: 1

      It's possible the guy got in. The evidence he presents is far from conclusive. It's possible he didn't. The operator says there's no evidence for it. Without conclusive evidence, all we can do is idly speculate, which makes this topic perfect for Slashdot.

      The way in, apparently, was through a Cisco border router. It only takes a moment to check the router logs. Both successful and failed logins are recorded. Resetting the log leaves evidence. If the site is competently managed, the log events are also sent to a separate syslog host. If I were the site operator and I saw no evidence of incompetent configuration, and nothing amiss in these logs or elsewhere, then I would be comfortable saying, "we have not found evidence of a breach". That, in fact, is what the operator says.

      --
      Parity: What to do when the weekend comes.
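The log review this comment describes (and afidel's point above about forwarding everything to a separate logging box), as an added Python example that is not from the thread or the operator: it parses a constructed syslog-host copy of Cisco IOS login, login-failure and config-change messages and flags failed-login bursts, a success following failures from the same source, configuration changes, and gaps in the router's sequence numbers (entries missing from this copy). Users, addresses, times and sequence numbers are made up; it assumes `login on-failure log`, `login on-success log` and `service sequence-numbers` are configured on the router.

```python
import re
from collections import Counter

# Constructed sample of what a syslog host might hold for the border router.
# SEC_LOGIN-4-LOGIN_FAILED, SEC_LOGIN-5-LOGIN_SUCCESS and SYS-5-CONFIG_I are
# IOS mnemonics; users, addresses, times and sequence numbers are made up.
SAMPLE_LOG = """\
000101: Jun 25 02:11:03 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 02:11:03 UTC Sat Jun 25 2011
000102: Jun 25 02:11:09 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 02:11:09 UTC Sat Jun 25 2011
000103: Jun 25 02:11:15 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 02:11:15 UTC Sat Jun 25 2011
000104: Jun 25 02:11:31 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 203.0.113.7] [localport: 23] at 02:11:31 UTC Sat Jun 25 2011
000105: Jun 25 02:12:40 UTC: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (203.0.113.7)
000109: Jun 25 08:00:02 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.20] [localport: 22] at 08:00:02 UTC Sat Jun 25 2011
"""

# "NNNNNN: <timestamp>: %FACILITY-SEV-MNEMONIC: message"
EVENT_RE = re.compile(r"^(?P<seq>\d+): .*?%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")
# Bracketed fields used by the login messages.
FIELD_RE = re.compile(r"\[(user|Source): ([^\]]+)\]")
# "Configured from console by <user> on <line> (<address>)"
CONFIG_RE = re.compile(r"by (?P<user>\S+) on \S+ \((?P<src>[^)]+)\)")


def parse_events(text):
    """Turn raw syslog lines into dicts with seq, mnemonic, user and src."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an IOS message line; skip it
        fields = dict(FIELD_RE.findall(m["msg"]))
        ev = {"seq": int(m["seq"]), "mnemonic": m["mnemonic"],
              "user": fields.get("user"), "src": fields.get("Source")}
        c = CONFIG_RE.search(m["msg"])
        if c:  # config-change messages carry user and address differently
            ev["user"], ev["src"] = c["user"], c["src"]
        events.append(ev)
    return events


def review(events, fail_threshold=3):
    """Return human-readable findings from the checks described above."""
    findings = []
    fails = Counter()  # failed logins seen so far, per source address
    for ev in events:
        if ev["mnemonic"] == "SEC_LOGIN-4-LOGIN_FAILED":
            fails[ev["src"]] += 1
            if fails[ev["src"]] == fail_threshold:
                findings.append(f"{fail_threshold} failed logins from {ev['src']}")
        elif ev["mnemonic"] == "SEC_LOGIN-5-LOGIN_SUCCESS":
            if fails[ev["src"]]:  # success right after a burst of failures
                findings.append(f"login as {ev['user']} from {ev['src']} after {fails[ev['src']]} failures")
        elif ev["mnemonic"] == "SYS-5-CONFIG_I":
            findings.append(f"config changed by {ev['user']} from {ev['src']}")
    # Sequence numbers are assigned by the router; a gap means this copy is
    # missing entries, whatever the cause, and the router buffer should be compared.
    seqs = [e["seq"] for e in events]
    for a, b in zip(seqs, seqs[1:]):
        if b != a + 1:
            findings.append(f"sequence gap: {a} -> {b} ({b - a - 1} entries missing)")
    return findings


if __name__ == "__main__":
    for finding in review(parse_events(SAMPLE_LOG)):
        print(finding)
```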
    10. Re:None of this means it didn't happen by Anrego · · Score: 1

      so I guess the only way they will listen is if it hits their bottom line

      Even then, probably not. The cost of even a major incident is going to be less than doing it properly in the first place.. and the government is gonna be bailing them out, not fining them!

      It's a shitty system and it's all gonna fail one day ... but no point deluding ourselves to the reality of the current situation.

      Did you not see Die Hard 4!

  3. Nothing to see here. by jshackney · · Score: 1

    This whole thing smelled funny from the beginning.

    1. Re:Nothing to see here. by catmistake · · Score: 1

      I'm not so sure. Couldn't this be Iranian retaliation for Stuxnet?

    2. Re:Nothing to see here. by necro81 · · Score: 1

      Probably the Iranians have bigger targets than the SCADA network for a privately-owned wind farm in New Mexico. Stuxnet was targeted at a key facility of the Iranian nuclear infrastructure: a non-overt attack on the Iranian military and government. I would expect if the Iranians were pissed at us over that they would attempt to retaliate in kind.

  4. Not Really by Anonymous Coward · · Score: 1, Interesting

    They're trying to goad an emotionally immature hacker into providing even more evidence.

    Making the criminals do the investigative legwork .. now that's smart policing.

  5. Next story on slashdot in an hour... by pasv · · Score: 2

    Wind Turbine Firm hack confirmed: "Oh wait, never mind. We found his rootkit on port 31337 going out from our webserver! D'oh!"

    1. Re:Next story on slashdot in an hour... by jamesh · · Score: 2, Funny

      I'm more concerned that Slashdot itself has been hacked, and some unscrupulous bad guys is posting the news as it happens, instead of weeks, months, or years later.

    2. Re:Next story on slashdot in an hour... by jamesh · · Score: 3, Funny

      and some unscrupulous bad guys is posting the news as it happens

      ... and the same bad guys is inserting bad grammar in my posts.

    3. Re:Next story on slashdot in an hour... by Abstrackt · · Score: 1

      and some unscrupulous bad guys is posting the news as it happens

      ... and the same bad guys is inserting bad grammar in my posts.

      Actually, I've just been drugging your coffee. The net effect is the same though.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    4. Re:Next story on slashdot in an hour... by jamesh · · Score: 1

      Or maybe we're just loosing our minds!

  6. Simple Message by scubamage · · Score: 1, Insightful

    Absence of evidence is not evidence of absence.

    1. Re:Simple Message by Anonymous Coward · · Score: 1

      You could be a lawyer for the RIAA!

    2. Re:Simple Message by LordLimecat · · Score: 3, Informative

      And if you'll note, it doesn't say "there was no hack", but that "they see no evidence".

    3. Re:Simple Message by mooboy · · Score: 1

      Absence of evidence is not evidence of absence.

      Perhaps, but crappy evidence is evidence of crap, IMHO. Take a look at the dude's screen shots. Any power company using such poorly put together screens, with no interesting status info, no proper overview screen with worthwhile data, isn't really a power company, but some kiddies dream.

      --
      There's no place like 127.0.0.1
  7. They better be right by vadim_t · · Score: 1

    Otherwise I imagine the hacker will try to put up a demonstration.

    I wonder what can be done with access to that system.

    1. Re:They better be right by kubernet3s · · Score: 1

      - send turbines spinning under power
      - starting changing earth's rotational axis
      - Neptunian winters
      - God help us

  8. Re:maybe a stupid question, but.. by jasen666 · · Score: 2

    Any SCADA/HMI system should be physically isolated from the business LAN regardless of whether it's internet accessible or not. Sounds like a few inherently bad choices were made here if this is true.

  9. So what I am reading by RigrmRtis · · Score: 1

    Is that the most likely scenario is that this guy is for real. And isn't that, as a former employee, he has old configs stored somewhere that he still has access to (like a personal laptop). As well as screen shots related to training material. Nah this guy that was just fired and has offered up no real-time evidence is probably telling the truth. Just because that would make it more interesting.

  10. No evidence of hack by wezelboy · · Score: 1

    Cause Norton Anti-Virus sez so!

  11. Re:Here is a question. by leuk_he · · Score: 1

    Almost everything is hooked to the internet. Most of the critical stuff is behind a good vpn and a good firewall that most engineers do not imagine to be hacked.

    And who says it was hacked from the internet?

  12. Re:time conceals, then reveals non-physical wounds by plover · · Score: 1

    Dammit, Timecube, you've crossposted back into the sane world again. Stop that!

    --
    John
  13. It Didn't Not Happen by alphatel · · Score: 1

    It's a non-denial denial!

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  14. Cr4ck3r by SlashV · · Score: 1

    It's "cracker", not "hacker". Come on /. You should know better.

  15. He was just that good by JTsyo · · Score: 2

    You can't backtrace him.

    1. Re:He was just that good by mpoulton · · Score: 1

      You can't backtrace him.

      Maybe they can't, but just wait until they get the CyberPolice on his trail! They can backtrace anyone.

      --
      I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
    2. Re:He was just that good by fl_litig8r · · Score: 1

      Maybe they can't, but just wait until they get the CyberPolice on his trail! They can backtrace anyone.

      True enough, and the consequences will never be the same. He done goofed.

  16. ABB is Swiss by tacokill · · Score: 1

    ABB also makes DCS systems and they are a Swiss company (i.e. speak German).

    Another poster already pointed out Siemens as well.

  17. some info is too detailed by funnyguy · · Score: 1

    I'm not sure if NextEra is saying it didn't happen, they can't tell, or they are refuting that the screenshots were taken due to a 'hack'. Either way, some of the information looks too credible. For example, NextEra provides output data from wind farms and this data goes into various OASIS systems. One screenshot shows what are presumably OASIS files from as recent as last week. All NextEra would need to do is double check those files, make sure that timestamps and sizes match what exists and that is proof. That should then lead back to the FTP session that gathered that directory listing.

    http://en.wikipedia.org/wiki/Open_Access_Same-Time_Information_System

    The only thing I know is saying we "found no evidence" one day after the release of information is a stupid PR move. It makes you look incompetent or incapable of detecting / protecting your information, exactly what the 'hacker' was attempting to do. NextEra just reinforced that notion.

  18. Stupid... by WaffleMonster · · Score: 2

    If BigR is really a former disgruntled employee he might as well have just posted his full name and address along with the dumps.

    The response by Benji on the seclist mailing list sums it up: "so how long do you give yourself before you're in prison?"

  19. big deal by shadowrat · · Score: 1

    I hacked slashdot. As evidence, i found this in the slashdot servers:

    0x38a7fe1a