A computer hacker recently posted screenshots and data to a hacking mailing list, claiming that he had hacked into a wind turbine facility in New Mexico. However, one day after the claim was reported, the company in charge of the turbines said that it has seen no evidence of a computer intrusion or hack.
The hacker, who goes by the alias “Big R”, made these claims on Saturday by posting screenshots of the facility’s management interface as well as screenshots of an FTP server and project management system. In addition, Big R posted Web server information and configuration data from a Cisco router.
However, NextEra Energy Resources, the company in charge of the 200 megawatt Fort Sumner wind facility, has stated that there is no evidence that it has been hacked. According to company spokesman Steve Stengel, “We have investigated the claims of a potential computer hacking and found that the information provided as proof of hacking is largely publicly available information, which by itself would not be adequate to launch a successful attack against the named SCADA system or wind site. We have not seen any evidence of a breach.”
SCADA (supervisory control and data acquisition) systems are computer systems used to manage industrial production at places such as factories, chemical companies and utilities. Stengel did not say exactly which of the information Big R posted was public and which was not. PNM, the New Mexico utility company that uses the plant’s energy, stated on Sunday that it knew of no incidents affecting the company’s Fort Sumner facility.
In an email interview with the IDG News Service, Big R stated that he was a former employee with NextEra’s parent company. Big R stated that he used a bug in the Cisco Security Device Manager software that was used by NextEra to hack into the site.
According to Big R, “They gave to it public IP, so it was easy to hack into it through the Web. They used default passwords, which I got from one of the administrators. Then I obtained level 15 priv. (superuser), and understood the topology of SCADA networks. Then it was easy to detect SCADA and turn it off.”
Security experts who were contacted about the hack said that it was not possible to tell whether Big R’s claims were true. They also said that it was not clear that he ever actually worked for Florida Power & Light. According to Wesley McGrew, an industrial systems security researcher with McGrew Security, “It’s just really difficult to establish what’s going on either way.”
Source: ComputerWorld – Wind power company sees no evidence of reported hack