Breach, Data Security, Incident Response, Network Security, TDR, Vulnerability Management

Wind power company disputes alleged SCADA hack

A major U.S. energy supplier has found no evidence of breach despite claims by a former employee that he hacked into the company's New Mexico wind turbine facility as revenge for being fired.

On Saturday, the intruder, using the alias “Bgr R,” posted an entry to the Full Disclosure mailing list claiming to have successfully broken into the Fort Sumner wind turbine facility, which is owned and operated by NextEra Energy Resources, the primary provider of wind and solar power in North America with 115 facilities in the United States and Canada.

The hacker said he was a disgruntled former employee of Florida Power & Light Co., a sister subsidiary of NextEra Energy Resources. Both are owned by NextEra Energy.

In an email interview with Computerworld, Bgr R said he exploited a vulnerability in the company's Cisco security management software to gain access to the supervisory control and data acquisition (SCADA) systems used to control the wind turbines.

The hacker did not respond when contacted by SCMagazineUS.com on Monday.

“Here comes my revenge for illegitimate firing from Florida Power & Light Company,” the hacker wrote in the post. “Secure you [sic] SCADA better! Leaked files are attached.”

The hacker included apparent screen shots of the facility's wind turbine management interface, an FTP server, and a project management system.

NextEra Energy disputed the hacker's statement. 

“We have investigated the claim and found that the information provided as proof of ‘hacking' is largely publicly available information, which, by itself, would not be adequate to launch a successful attack against the named SCADA system or wind site,” Mark Bubriski, a spokesman for NextEra Energy, said in an email statement sent to SCMagazineUS.com on Monday.

NextEra Energy is monitoring its systems against possible attacks, Bubriski added.

Some commenters to the Full Disclosure post questioned whether the hack was legitimate, and others said Bgr R may actually have abused legitimate access rights to penetrate the SCADA system.

“The person who did this was an ex-employee who already had access to their systems,” one respondent wrote.  “Nothing illegal has happened then. The dude is just highlighting his access hadn't been taken away and has decided to pretend he hacked the system as some sort of prank.”

Only the hacker and NextEra Energy know whether Bgr R's claims are true, Bradley Anstis, vice president of technical strategy at security firm M86 Security, told SCMagazineUS.com in an email Monday.

Regardless, the incident provides an opportunity to remind security professionals to follow best practices when terminating employees, he said.

“Companies need to ensure that employee access rights are fully known and controlled,” Anstis said. “If an employee is let go, then immediate revocation of their rights is essential, especially IT staff. Constant vigilance for backdoor accounts and rogue access points is a must.”

Despite recent headlines, such as Stuxnet, SCADA security still may not be receiving enough attention within critical infrastructure providers, according to a recent report from Q1 Labs and the Ponemon Institute. The study found that 75 percent of global energy organizations polled sustained at least one breach over the last year, and another 69 percent believe they are "very likely or likely" to succumb to one in the next 12 months.

The No. 1 source of breaches, the survey found, were negligent or malicious insiders.

McAfee and the Center for Strategic and International Studies are due to release a separate study on the threat Tuesday.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.