On a sunny day last summer, in the middle of a vast cornfield somewhere in the large, windy middle of America, two researchers from the University of Tulsa stepped into an oven-hot, elevator-sized chamber within the base of a 300-foot-tall wind turbine. They’d picked the simple pin-and-tumbler lock on the turbine’s metal door in less than a minute and opened the unsecured server closet inside.
Jason Staggs, a tall 28-year-old Oklahoman, quickly unplugged a network cable and inserted it into a Raspberry Pi minicomputer, the size of a deck of cards, that had been fitted with a Wi-Fi antenna. He switched on the Pi and attached another Ethernet cable from the minicomputer into an open port on a programmable automation controller, a microwave-sized computer that controlled the turbine. The two men then closed the door behind them and walked back to the white van they’d driven down a gravel path that ran through the field.
Staggs sat in the front seat and opened a MacBook Pro while the researchers looked up at the towering machine. Like the dozens of other turbines in the field, its white blades—each longer than a wing of a Boeing 747—turned hypnotically. Staggs typed into his laptop’s command line and soon saw a list of IP addresses representing every networked turbine in the field. A few minutes later he typed another command, and the hackers watched as the single turbine above them emitted a muted screech like the brakes of an aging 18-wheel truck, slowed, and came to a stop.
‘We Were Shocked’
For the past two years, Staggs and his fellow researchers at the University of Tulsa have been systematically hacking wind farms around the United States to demonstrate the little-known digital vulnerabilities of an increasingly popular form of American energy production. With the permission of wind energy companies, they’ve performed penetration tests on five different wind farms across the central US and West Coast that use the hardware of five wind power equipment manufacturers.
As part of the agreement that legally allowed them to access those facilities, the researchers say they can’t name the wind farms’ owners, the locations they tested, or the companies that built the turbines and other hardware they attacked. But in interviews with WIRED and a presentation they plan to give at the Black Hat security conference next month, they’re detailing the security vulnerabilities they uncovered. By physically accessing the internals of the turbines themselves—which often stood virtually unprotected in the middle of open fields—and planting $45 in commodity computing equipment, the researchers carried out an extended menu of attacks on not only the individual wind turbine they’d broken into but all of the others connected to it on the same wind farm’s network. The results included paralyzing turbines, suddenly triggering their brakes to potentially damage them, and even relaying false feedback to their operators to prevent the sabotage from being detected.
“When we started poking around, we were shocked. A simple tumbler lock was all that stood between us and the wind farm control network,” says Staggs. “Once you have access to one of the turbines, it’s game over.”
In their attacks, the Tulsa researchers exploited an overarching security issue in the wind farms they infiltrated: While the turbines and control systems had limited or no connections to the internet, they also lacked almost any authentication or segmentation that would prevent a computer within the same network from sending valid commands. Two of the five facilities encrypted the connections from the operators’ computers to the wind turbines, making those communications far harder to spoof. But in every case the researchers could nonetheless send commands to the entire network of turbines by planting their radio-controlled Raspberry Pi in the server closet of just one of the machines in the field.
“They don’t take into consideration that someone can just pick a lock and plug in a Raspberry Pi,” Staggs says. The turbines they broke into were protected only by easily picked standard five-pin locks, or by padlocks that took seconds to remove with a pair of bolt cutters. And while the Tulsa researchers tested connecting to their minicomputers via Wi-Fi from as far as fifty feet away, they note they could have just as easily used another radio protocol, like GSM, to launch attacks from hundreds or thousands of miles away.
The researchers developed three proof-of-concept attacks to demonstrate how hackers could exploit the vulnerable wind farms they infiltrated. One tool they built, called Windshark, simply sent commands to other turbines on the network, disabling them or repeatedly slamming on their brakes to cause wear and damage. Windworm, another piece of malicious software, went further: It used telnet and FTP to spread from one programmable automation controller to another, until it infected all of a wind farm’s computers. A third attack tool, called Windpoison, used a trick called ARP cache poisoning, which exploits how control systems locate and identify components on a network. Windpoison spoofed those addresses to insert itself as a man-in-the-middle in the operators’ communications with the turbines. That would allow hackers to falsify the signals being sent back from the turbines, hiding disruptive attacks from the operators’ systems.
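The ARP cache poisoning that Windpoison relies on leaves a trace on the wire: a controller's IP address suddenly answers from a different hardware address, often without anyone having asked for it. The following Python is an added illustration, not code from the Tulsa team or from any turbine vendor; it runs a minimal ARP-binding monitor over a constructed sequence of ARP messages (the addresses and the rogue device are invented) and reports the two signs a defender would look for.

```python
# Minimal ARP-binding monitor: flags the IP-to-MAC changes and unsolicited
# replies that ARP cache poisoning (the technique behind Windpoison) produces.
# Added illustration; the ARP records below are constructed, not captured.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpMessage:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


def detect_arp_anomalies(messages):
    """Return one alert string per suspicious ARP event, in order seen."""
    bindings = {}    # ip -> first hardware address seen for it
    pending = set()  # ips that a request has asked for and not yet answered
    alerts = []
    for i, m in enumerate(messages):
        if m.op == "reply":
            if m.sender_ip in pending:
                pending.discard(m.sender_ip)
            else:
                # A reply nobody requested is the classic poisoning signature.
                alerts.append(f"#{i}: unsolicited reply claiming {m.sender_ip} is at {m.sender_mac}")
        else:
            pending.add(m.target_ip)
        # Both requests and replies assert the sender's own binding; learn it
        # on first sight and alert when a later message contradicts it.
        known = bindings.setdefault(m.sender_ip, m.sender_mac)
        if known != m.sender_mac:
            alerts.append(f"#{i}: {m.sender_ip} changed from {known} to {m.sender_mac}")
    return alerts


# Constructed traffic: operator station 10.0.0.10 asks for turbine controller
# 10.0.0.21, the real controller answers, then a rogue device (constructed MAC
# de:ad:be:ef:00:ee) claims both addresses to sit between them.
SAMPLE = [
    ArpMessage("request", "10.0.0.10", "aa:bb:cc:00:00:10", "10.0.0.21"),
    ArpMessage("reply", "10.0.0.21", "aa:bb:cc:00:00:21", "10.0.0.10"),
    ArpMessage("reply", "10.0.0.21", "de:ad:be:ef:00:ee", "10.0.0.10"),
    ArpMessage("reply", "10.0.0.10", "de:ad:be:ef:00:ee", "10.0.0.21"),
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE):
        print(alert)
```

On a real control network, planned hardware swaps and failover pairs also change bindings, so a production monitor would seed the table from an inventory and allow-list known changes rather than alert on every one.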
While the Tulsa researchers shut off only a single turbine at a time in their tests, they point out that their methods could easily paralyze an entire wind farm, cutting off as much as hundreds of megawatts of power.
Wind farms produce a relatively small amount of energy compared with their coal or nuclear equivalents, and grid operators expect them to be less reliable, given their dependence on the real-time ebb and flow of wind currents. That means even taking out a full farm may not dramatically impact the grid overall, says Ben Miller, a researcher at the critical-infrastructure security startup Dragos Inc. and a former engineer at the North American Electric Reliability Council.
More concerning than attacks to stop turbines, Miller says, are those intended to damage them. The equipment is designed for lightness and efficiency, and is often fragile as a result. That, along with the high costs of going even temporarily offline, makes the vulnerabilities potentially devastating for a wind farm owner. “It would all probably be far more impactful to the operator of the wind farm than it would be to the grid,” Miller says.
Staggs argues that this potential to cause costly downtime for wind farms leaves their owners open to extortion or other kinds of profit-seeking sabotage. “This is just the tip of the iceberg,” he says. “Imagine a ransomware scenario.”
A Growing Target
While the Tulsa researchers were careful not to name any of the manufacturers of the equipment used in the wind farms they tested, WIRED reached out to three major wind farm suppliers for comment on their findings: GE, Siemens Gamesa, and Vestas. GE and Siemens Gamesa didn’t respond. But Vestas spokesperson Anders Riis wrote in an email that “Vestas takes cyber security very seriously and continues to work with customers and grid operators to build products and offerings to improve security levels in response to the shifting cyber security landscape and evolving threats.” He added that it offers security measures that include “physical breach and intrusion detection and alert; alarm solutions at turbine, plant, and substation level to notify operators of a physical intrusion; and mitigation and control systems that quarantine and limit any malicious impact to the plant level, preventing further impact to the grid or other wind plants.”1
Researchers have demonstrated the vulnerabilities of wind turbines before, albeit on a far smaller scale. In 2015, the US Industrial Control System Computer Emergency Response Team issued a warning about hundreds of wind turbines, known as the XZERES 442SR, whose controls were openly accessible via the internet. But that was a far smaller turbine aimed at residential and small business users, with blades roughly 12 feet in length—not the massive, multimillion-dollar versions the Tulsa researchers tested.
The Tulsa team also didn’t attempt to hack its targets over the internet. But Staggs speculates it might be possible to remotely compromise them too—perhaps by infecting the operators’ network, or the laptop of one of the technicians who services the turbines. But other hypothetical vulnerabilities pale next to the very real distributed, unprotected nature of turbines themselves, says David Ferlemann, another member of the Tulsa team. “A nuclear power plant is hard to break into,” he points out. “Turbines are more distributed. It’s much easier to access one node and compromise the entire fleet.”
The researchers suggest that, ultimately, wind farm operators need to build authentication into the internal communications of their control systems—not just isolate them from the internet. And in the meantime, a few stronger locks, fences, and security cameras on the doors of the turbines themselves would make physical attacks far more difficult.
For now, wind farms produce less than 5 percent of America’s energy, Staggs says. But as wind power grows as a fraction of US electric generation, he hopes their work can help secure that power source before a large fraction of Americans comes to depend on it.
“If you’re an attacker bent on trying to influence whether the lights are on or not,” says Staggs, “that becomes a more and more attractive target for you to go after.”
1 Updated 6/28/2017 9:20am EST with a response from Vestas.