In the last decade, travelers along American highways have become more accustomed to seeing wind turbines organized into neat, electricity-generating farms. It’s a win for renewable energy, but Dr. Jason Staggs, a security researcher at the University of Tulsa, finds that wind farms might not stand up to an attacker intent on hijacking these massive, whirling machines.
Prepare to Be Blown Away
At Black Hat 2017 here, Staggs outlined the numerous security issues he and his team discovered while evaluating (and yes, scaling) 300-foot wind turbines.
His team found that these massive devices run a variety of operating systems, some wildly out of date and susceptible to known vulnerabilities. This includes “everything from embedded Windows CE, Windows 95, various flavors of Linux, and some real-time OSes.”
Staggs also found that many of the computers that control wind turbines frequently operate with much higher access than is necessary (as admin or root), have no mechanism to confirm the validity of software via code signing, and use default credentials across several machines and turbines.
“If you can own one of them you can own them all,” said Staggs.
Even the structure of wind farms offer attackers a tempting proposition. Each turbine in a wind farm is part of a hierarchical structure that includes the other turbines in the farm, power substations, controller substations, and command-and-control infrastructure with oversight of multiple wind farms. This means a successful attack could quickly propagate between turbines and higher-level controls.
“Wind turbines aren’t segmented between each other, which is a huge problem,” said Staggs. “All that stands between a wind farm and an attacker is a padlock.”
Sharknado
Notably, Staggs uncovered the commands that could be issued once he had access to a turbine. The most critical was the ability to stop a turbine and place it into an idle state or—more disturbingly—execute an emergency shutdown, which is designed to halt a turbine as quickly as possible to avoid damage from inclement weather or some other dangerous situation.
But this emergency stop function is also ripe for abuse. “We can induce excessive wear and tear on critical mechanical components: gearbox, rotor, and even the [foundation] of the turbine,” explained Staggs.
This particular discovery led Staggs to a more social discovery. “If you try to force the turbine to hard stop more than zero times, [wind farm managers] tend to get very grumpy with you.”
The culmination of Staggs’s research was the creation of several tools for attacking wind farms. Windshark allows for attackers to send commands to infected turbines, including the “Hard Stop of Death Attack Mode.” Another tool is WindPoison, which is stored in a Raspberry Pi device. If an attacker place one of these devices on the network, it hides the attacks carried out by Windshark from wind farm managers. Last but not least is WindWorm, a proof-of-concept that uses FTP to propagate between turbines and eventually infect an entire wind farm.
Staggs outlined not just a method for attack, but a monetization plan as well. Taking inspiration from ransomware attacks, he imagined a scenario whereby attackers shut down a wind farm and demand payment in order to return it to normal operation. At the current price of electricity, a wind farm loses $10,000 to $30,000 for every hour it’s not in operation, he said.
Lost income is a strong incentive to pay up. But if that’s not enough, Staggs had a nefarious suggestion: malware could be designed to begin running the damaging Hard Stop of Death attack repeatedly if the ransom is not delivered in a timely fashion.
He’s a Huge Fan
This research comes amidst stories of hospitals and public transit systems being crippled by ransomware. In most cases, critical data and functions aren’t affected by the malware, but it’s an escalation over attacks against individuals or corporations.
There’s also the issue of infrastructure. Researchers have long warned that not enough attention is being given to the specialized hardware running in factories, power plants, and other large, complex endeavors. The Shodan search engine demonstrates the sheer number of devices connected to the internet, with everything from industrial controls to home baby monitors.
The issue is especially prescient after two cyberattacks in the Ukraine successfully undercut the country’s power grid. These attacks took theoretical discussions into the real world, demonstrating how much impact attackers can have over an entire nation.
Don’t Hold Your Breath
Although Staggs found numerous flaws in the structure of wind farm networks, and in basic physical security for these installations, there are some obvious limitations. First, none of these attacks can be carried out remotely and require physical access to at least one of the wind turbines in a farm. Physical access always means more impact, and it’s a problem that’s easily solved with better padlocks, at least.
Second, simple security measures would completely mitigate the attacks. “If you have something in place where you could VPN traffic between turbine and the substations, it prevents everything I just outlined,” said Staggs.
In some ways, this is a Black Hat best case scenario: lengthy fieldwork yields potential dangers, with easy fixes available. Hopefully wind farm managers and turbine designers get the message.