SCADA Security: Bridge the Gap (Updated)
In the same hours in which I was writing the original article concerning the growing attention of utilities and security vendors versus SCADA security holes; an anonymous hacker put in practice the lesson and broke into wind turbine systems. He was able to break a 200 megawat wind turbine system owned by NextEra Energy Resources, a subsidiary of Florida Power & Light, claiming revenge for an “illegitimate firing”. Having said that it is not yet known whether or not it is an hoax (Wind power company sees no evidence of reported hack), the data was posted to the Full Disclossure security mailing list Saturday anonymously, by someone using the name “Bgr R.” In the post, the author of the hack wrote:
Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL)
… ain’t nothing you can do with it, since your electricity is turned off !!!
Secure you SCADA better! Leaked files are attached …
In an e-mail interview, Bgr R said he’s a former employee who discovered a vulnerability in the company’s Cisco security management software. He used that vulnerability to hack into the SCADA (supervisory control and data acquisition) systems used to control the turbines.
Even if the screenshots of the Wind Turbine management interface look legitimate, there are some big question marks. In his interview Bigr R didn’t say much about how he broke into the SCADA systems themselves and he didn’t demonstrate much insider knowledge of Florida Power & Light (FPL) systems.
Hoax or not, this event renews the attention on SCADA Security Issues… For my part I promise I will no longer write down Security Predictions :-)