Hundreds of wind turbines and solar systems vulnerable to attack 

German security researcher Maxim Rupp has discovered numerous security flaws with solar lighting systems and wind turbines which, if maliciously exploited by an attacker, could result in disrupting energy supplies.

Rupp recently reported numerous flaws in the web controls for the following systems, the XZERES 442SR Wind Turbine, the Sinapsi eSolar Light and the RLE Nova-Wind Turbine, with the ICS-CERT subsequently issuing public warnings on all three of these.

One of these flaws, a cross-site scripting (XSS) request forgery vulnerability affecting the XZERES turbine, could potentially be used by an attacker to change the administrator password for the web management interface, and then gain complete control of the turbine.

Assuming the mind-set of a black hat hacker, the researcher said he could then “change the wind vane correction, or change the network settings to access the web interface that would make it inaccessible. This can certainly be critical for the implementation of a successful attack.” The ICS-CERT has ranked this security issue as 10 of 10 on the standard Common Vulnerability Scoring System (CVSS), the organisation considers the flaw dangerous due to the ease of remote exploitation.

One of the other flaws could result in hackers viewing saved, plaintext passwords going through a linked mail system. However this flaw, which resides in the Sinapsi monitoring and management system of small size photovoltaic plants, cannot be remotely exploited.

The vendors for the first two security issues have already provided a fix for their products. The US government urges users to patch their systems as soon as possible.

The third flaw discovered by Rupp was the RLE Nova-Wind Turbine, which is manufactured by German vendor RLE International. The ICS-CERT has tried to contact the company but says that it has been “unresponsive in validating or addressing the alleged vulnerability.”

“ICS-CERT has attempted on multiple occasions to contact the vendor regarding this serious flaw and have according to our vulnerability disclosure policy now produced this advisory,” the advisory reads.

Forbes said that it is easy to locate and target SCADA systems worldwide, thanks to the Shodan search engine. The website found 31 Sinapsi-related systems, 18 XZERES 442SR servers and one Nova-Wind Turbine. Most of the Sinapsi lights were in use at an Italian university, the Universita di Napoli Federico II.

Robert Malmgren, a Sweden-based computer and network consultant, and organiser of the SCADA-focused 4SICS International Summit, told SCMagazineUK.com that he was not surprised by this.

“I would say that there are several reasons for this, including a lack of experience with designing secure IT solutions, a lack of experience of shipping and installing utility components that is critical or part of critical infrastructure, and new ways of managing these assets.

“Traditional utility companies run in-house control centres from where they control power plants, distribution facilities, etc. Wind turbines often come in a smaller scale and also are not integrated into existing internal networks and internal control rooms. Often, they are placed on the internet and are monitored and supervised by someone else, for example the company that delivered the solution.”

Malmgren added that such a solution will get ‘little attention’ from a CISO or CSO, and continued that one of the things not focused on enough is that these solutions are often “unnamed and remotely managed”.

He continued: “Quite often micro-generation systems, such as a wind power plant, have a substandard firewall, but cheap SOHO equipment is connected to an external Internet connection (via a 3G or 4G connection).Often behind the firewall, which in some cases can be bypassed by built-in vulnerabilities, are web-based management interfaces for the power plant. And…these often carry standard passwords.

“Besides the actual operations and control of a wind power plant or similar asset, quite often the same network connection that connects the power plant to the outside word is used for other services, such as network video cameras installed to visually supervise the power plant. Another example is the use of the shared network connection for the physical security, eg access control systems, CCTV, burglar alarms, fire alarms.”

“I do believe we will see a rise in the problems associated with these types of micro-generation plants and facilities. Too many of them are delivered with little or no security built-in.”

Read more about ICS/SCADA security in the next edition of SC Magazine