Incident: Wind Turbine Hacking: Vulnerabilities Exploited in Wind Farms

Published Date: 2017-06-28

Postmortem Analysis
Timeline 1. According to the article, researchers from the University of Tulsa hacked wind farms over the two years before publication [60316]. 2. The article was published on 2017-06-28 07:00:00+00:00. Estimation: based on the information in the article, the incident occurred between roughly mid-2015 and mid-2017.
System 1. Wind farm control systems lacked authentication and segmentation, allowing unauthorized access to and control of the turbines [60316].
Responsible Organization 1. The researchers from the University of Tulsa were responsible for causing the software failure incident by hacking into wind farms to demonstrate vulnerabilities [60316].
Impacted Organization 1. Wind farms across the United States were impacted by the software failure incident [60316].
Software Causes 1. Lack of authentication and segmentation in the wind farms' control systems, allowing a computer within the same network to send valid commands [60316]. 2. Vulnerabilities in the wind farms' control systems that allowed for physical access to the internals of the turbines, leading to attacks such as disabling turbines, triggering brakes, and relaying false feedback [60316]. 3. Exploitation of security issues in the wind farms, including easily picked locks and lack of protection for the turbines [60316]. 4. Development of malicious software tools like Windshark, Windworm, and Windpoison to exploit the vulnerabilities in the wind farms [60316].
Non-software Causes 1. Lack of physical security measures such as easily picked standard locks and padlocks on the turbines [60316]. 2. Limited or no authentication or segmentation within the network of the wind farms, allowing unauthorized access to the control systems [60316]. 3. Vulnerabilities in the internal communications of the control systems of the turbines, lacking authentication and isolation from the internet [60316].
Impacts 1. The software failure incident allowed researchers to physically access the internals of wind turbines, plant computing equipment, and carry out attacks on the turbines, potentially causing damage and wear [60316]. 2. The researchers were able to paralyze turbines, trigger their brakes, and relay false feedback to operators, demonstrating the vulnerabilities of wind farms [60316]. 3. The incident highlighted the lack of authentication and segmentation in wind farm control systems, making it easy for hackers to send valid commands to the entire network of turbines [60316]. 4. The researchers developed proof-of-concept attacks like Windshark, Windworm, and Windpoison to exploit the vulnerable wind farms, potentially leading to the paralysis of entire wind farms and cutting off significant amounts of power [60316]. 5. The software failure incident raised concerns about the potential for costly downtime for wind farm owners, leaving them open to extortion or profit-seeking sabotage, which could have a more significant impact on the wind farm operators than on the overall grid [60316].
Preventions 1. Implementing strong authentication and segmentation in the wind farm control systems to prevent unauthorized access and commands [60316]. 2. Encrypting connections from operators' computers to wind turbines to make communications harder to spoof [60316]. 3. Enhancing physical security measures such as stronger locks, fences, and security cameras on the doors of turbines to prevent physical attacks [60316].
Fixes 1. Implement strong authentication and segmentation measures within the wind farm control systems to prevent unauthorized access and commands [1]. 2. Enhance physical security measures such as stronger locks, fences, and security cameras on the doors of the turbines to prevent physical attacks [1]. 3. Develop and deploy intrusion detection and alert systems at turbine, plant, and substation levels to notify operators of any physical intrusion [1]. 4. Utilize mitigation and control systems that can quarantine and limit any malicious impact to the plant level, preventing further impact to the grid or other wind plants [1].
References 1. Researchers from the University of Tulsa [60316]

Software Taxonomy of Faults

Category Option Rationale
Recurring unknown (a) The software failure incident related to hacking wind farms has not been reported to have happened again at the same organization or with its products and services. The incident described in the article involved researchers from the University of Tulsa systematically hacking wind farms across the United States to demonstrate vulnerabilities in the control systems of the turbines [60316]. (b) The software failure incident related to hacking wind farms has not been reported to have happened again at other organizations or with their products and services. The article mentions that the researchers did not name the wind farms' owners, the locations they tested, or the companies that built the turbines and other hardware they attacked. Additionally, the article reached out to major wind farm suppliers like GE, Siemens Gamesa, and Vestas for comment on the findings, but only Vestas responded with a statement on cybersecurity measures [60316].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase is evident in the article where researchers from the University of Tulsa systematically hacked wind farms to demonstrate digital vulnerabilities in the control systems of the turbines. They were able to exploit the lack of authentication and segmentation in the wind farms' networks, allowing them to send commands to the entire network of turbines by planting a radio-controlled Raspberry Pi in the server closet of just one machine. This design flaw in the wind farms' control systems made them susceptible to attacks that could paralyze turbines, trigger brakes, and relay false feedback to operators [60316]. (b) The software failure incident related to the operation phase is highlighted by the fact that the turbines in the wind farms were virtually unprotected in open fields, making them easily accessible to physical attacks. The researchers were able to physically access the internals of the turbines by picking simple locks and planting inexpensive computing equipment to carry out attacks on the control systems. This lack of physical security measures in the operation of the wind farms made them vulnerable to being compromised and controlled by external entities [60316].
Boundary (Internal/External) within_system, outside_system (a) The software failure incident described in the articles is primarily within_system. The failure occurred due to vulnerabilities within the wind farm control systems and turbines themselves, which were exploited by the researchers from the University of Tulsa. They were able to physically access the internals of the turbines, plant a Raspberry Pi minicomputer, and send commands to disable or damage the turbines [60316]. The lack of authentication or segmentation within the network of the wind farms allowed the researchers to easily send commands to the entire network of turbines by compromising just one machine [60316]. (b) Additionally, the software failure incident can also be attributed to outside_system factors. The researchers highlighted the lack of security measures in place in the wind farms they tested, such as easily picked locks and limited protection for the control systems [60316]. This external factor of inadequate physical security made it easier for the researchers to infiltrate the wind farms and carry out their attacks.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: The software failure incident in the articles was primarily due to vulnerabilities in the wind farm control systems and turbines themselves. The researchers were able to exploit these vulnerabilities by physically accessing the internals of the turbines and planting a Raspberry Pi minicomputer to send commands to the entire network of turbines, causing them to malfunction [60316]. (b) The software failure incident occurring due to human actions: The software failure incident also had a significant human element as the researchers from the University of Tulsa intentionally hacked into wind farms to demonstrate the digital vulnerabilities present in the control systems. They physically accessed the turbines, planted malicious software, and executed attacks to show the potential risks associated with the lack of proper security measures in place [60316].
Dimension (Hardware/Software) hardware, software (a) The software failure incident occurring due to hardware: - The incident involved researchers hacking into wind farms by physically accessing the internals of the turbines, which were often virtually unprotected in open fields [60316]. - The researchers exploited the lack of authentication or segmentation in the wind farms' control systems, which allowed them to send valid commands from a computer within the same network [60316]. - The turbines were protected only by easily picked standard locks or padlocks that could be removed quickly with bolt cutters, indicating a lack of physical security measures [60316]. (b) The software failure incident occurring due to software: - The researchers developed proof-of-concept attacks like Windshark, Windworm, and Windpoison to exploit vulnerabilities in the wind farms' software systems [60316]. - They were able to send commands to disable turbines, spread malicious software across the network, and manipulate communications between operators and turbines [60316]. - The lack of authentication and segmentation in the control systems allowed the researchers to carry out these software-based attacks successfully [60316].
Objective (Malicious/Non-malicious) malicious (a) The objective of the software failure incident was malicious, as the researchers from the University of Tulsa intentionally hacked into wind farms to demonstrate the digital vulnerabilities of the energy production systems. They physically accessed the turbines, planted computing equipment, and carried out attacks to paralyze turbines, trigger brakes, and relay false feedback to operators [60316]. The attacks were aimed at showing the potential vulnerabilities that could be exploited by malicious actors to cause damage or disruption to wind farms. (b) The software failure incident was non-malicious in the sense that the vulnerabilities exploited by the researchers were not introduced with the intent to harm the system. The lack of proper authentication and segmentation in the wind farms' control systems allowed for the attacks to be carried out, highlighting the importance of addressing these security weaknesses to prevent potential malicious exploitation in the future [60316].
Intent (Poor/Accidental Decisions) unknown (a) The intent of the software failure incident was not due to poor decisions. The incident was a result of intentional actions taken by researchers from the University of Tulsa to systematically hack wind farms in the United States to demonstrate the digital vulnerabilities in the wind energy production systems. The researchers physically accessed the internals of the turbines and planted computing equipment to carry out attacks on the wind turbines, highlighting the lack of security measures in place [60316]. (b) The intent of the software failure incident was not accidental. The researchers intentionally exploited the security vulnerabilities in the wind farms by physically accessing the turbines and planting malicious software to demonstrate how hackers could potentially disrupt the operations of the wind farms. The attacks were carefully planned and executed to showcase the vulnerabilities in the control systems of the wind turbines [60316].
Capability (Incompetence/Accidental) development_incompetence, unknown (a) The software failure incident related to development incompetence is evident in the article where researchers from the University of Tulsa systematically hacked into wind farms to demonstrate the digital vulnerabilities in the control systems of the turbines. They were able to exploit the lack of authentication and segmentation in the wind farms' networks, allowing them to send commands to the entire network of turbines by planting a Raspberry Pi in the server closet of just one machine. This lack of proper security measures, such as encryption and authentication, highlights the development incompetence in securing these critical systems [60316]. (b) The software failure incident related to accidental factors is not explicitly mentioned in the articles provided.
Duration temporary The software failure incident described in the articles can be categorized as a temporary failure. The incident involved researchers from the University of Tulsa systematically hacking into wind farms to demonstrate vulnerabilities in the control systems of the turbines. The researchers were able to physically access the internals of the turbines, plant malicious software, and send commands to disable or damage the turbines. They were able to exploit the lack of authentication and segmentation in the wind farms' networks, allowing them to send commands to the entire network of turbines by planting a device in just one machine [60316]. This incident was temporary in nature as it was caused by specific vulnerabilities in the wind farm control systems that were exploited by the researchers, rather than being a permanent failure inherent to the software itself.
Behaviour value, other (a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and stops performing its intended functions. Instead, the incident involves deliberate actions by researchers to exploit vulnerabilities in wind farm control systems [60316]. (b) omission: The incident does not involve the system omitting to perform its intended functions at an instance(s). Instead, the researchers were able to send commands to the wind turbines, causing them to stop or potentially damage them, demonstrating the vulnerabilities in the system [60316]. (c) timing: The incident does not involve the system performing its intended functions correctly but too late or too early. The researchers were able to manipulate the wind turbines' behavior by sending commands to them, indicating that the system responded to commands in real-time [60316]. (d) value: The software failure incident does involve the system performing its intended functions incorrectly. The researchers were able to exploit security vulnerabilities in the wind farm control systems, allowing them to paralyze turbines, trigger brakes, and relay false feedback to operators [60316]. (e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. The researchers' actions were deliberate and targeted at demonstrating the vulnerabilities in the wind farm control systems, rather than causing erratic or inconsistent behavior [60316]. (f) other: The behavior of the software failure incident can be categorized as a security breach or vulnerability exploitation. The researchers were able to physically access the wind turbines, plant computing equipment, and send commands to manipulate the turbines, highlighting the lack of authentication and segmentation in the control systems [60316].

IoT System Layer

Layer Option Rationale
Perception sensor, actuator, processing_unit, network_communication, embedded_software (a) The failure was related to the perception layer of the cyber physical system that failed due to contributing factors introduced by sensor error. The researchers from the University of Tulsa were able to hack into wind farms by physically accessing the internals of the turbines themselves and planting a Raspberry Pi minicomputer, which acted as a sensor, to send commands to disable or damage the turbines [60316]. (b) The failure was related to the perception layer of the cyber physical system that failed due to contributing factors introduced by actuator error. The researchers developed malicious software tools like Windshark and Windworm that sent commands to the actuators of the turbines, disabling them or repeatedly slamming on their brakes to cause wear and damage [60316]. (c) The failure was related to the processing unit of the cyber physical system that failed due to contributing factors introduced by processing error. The researchers exploited security vulnerabilities in the wind farms' control systems, allowing them to send valid commands to the turbines without proper authentication or segmentation, indicating a processing error in handling commands [60316]. (d) The failure was related to the network communication of the cyber physical system that failed due to contributing factors introduced by network communication error. The researchers were able to send commands to the entire network of turbines by planting a Raspberry Pi in the server closet of just one machine, highlighting a lack of secure network communication protocols within the wind farms [60316]. (e) The failure was related to the embedded software of the cyber physical system that failed due to contributing factors introduced by embedded software error. The researchers developed proof-of-concept attacks like Windpoison, which exploited ARP cache poisoning to insert itself as a man-in-the-middle in the operators' communications with the turbines, indicating vulnerabilities in the embedded software of the control systems [60316].
Communication connectivity_level The software failure incident described in the articles is related to the communication layer of the cyber-physical system that failed at the connectivity level. The incident involved vulnerabilities in the network or transport layer that allowed the researchers to exploit the wind farms' control systems and send commands to the entire network of turbines by planting a radio-controlled Raspberry Pi in the server closet of just one machine in the field [60316]. The researchers were able to disable turbines, trigger their brakes, and even relay false feedback to operators by exploiting the lack of authentication or segmentation within the network, allowing for unauthorized commands to be sent across the turbines' network [60316].
Application FALSE The software failure incident described in the articles related to the hacking of wind farms by researchers from the University of Tulsa was not specifically related to the application layer of the cyber-physical system. Instead, the failure was more focused on the vulnerabilities in the control systems and lack of authentication and segmentation within the wind farms' networks, allowing the researchers to send valid commands to the turbines by exploiting physical access and planting malicious hardware [60316]. Therefore, the failure was not directly attributed to bugs, operating system errors, unhandled exceptions, or incorrect usage at the application layer.

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence (a) death: The articles do not mention any incidents of people losing their lives due to the software failure. (b) harm: The articles do not mention any incidents of people being physically harmed due to the software failure. (c) basic: The articles do not mention any incidents of people's access to food or shelter being impacted because of the software failure. (d) property: The software failure incident described in the articles impacted the wind turbines in the wind farms, potentially causing damage to the equipment. The vulnerability exploited by the researchers could lead to costly downtime for wind farms, leaving their owners open to extortion or profit-seeking sabotage [60316]. (e) delay: The articles do not mention any incidents of people having to postpone an activity due to the software failure. (f) non-human: The software failure incident directly impacted the wind turbines in the wind farms, causing them to be paralyzed, potentially damaged, or manipulated by the researchers' attacks [60316]. (g) no_consequence: The software failure incident had real observed consequences, as described in the articles. (h) theoretical_consequence: The articles discuss potential consequences of the software failure, such as the ability to paralyze an entire wind farm, cutting off significant amounts of power, and the potential for profit-seeking sabotage or extortion due to costly downtime for wind farm owners [60316]. (i) other: The articles do not mention any other specific consequences of the software failure beyond those related to the wind turbines and potential financial impacts on wind farm owners.
Domain utilities The software failure incident reported in the articles is related to the utilities industry. The incident involved the hacking of wind farms in the United States to demonstrate the vulnerabilities in the control systems of wind turbines [60316]. The researchers were able to access the internal systems of the turbines and carry out attacks that could potentially paralyze entire wind farms, leading to significant power disruptions [60316]. The vulnerabilities exposed in the wind farms highlighted the lack of authentication and segmentation in the control systems, making them susceptible to cyber attacks [60316]. The potential consequences of such attacks on wind farms were described as potentially devastating for the owners due to the high costs of downtime and the fragile nature of the equipment [60316]. The incident underscores the importance of enhancing cybersecurity measures in the utilities sector to protect critical infrastructure from malicious activities.
