SCADA 'hacker' puts the wind up former bosses

A major US energy supplier has found no evidence of a breach despite claims by a former employee that he hacked into the company's New Mexico wind turbine facility as revenge for being fired.

On Saturday, the intruder, using the alias “Bgr R,” posted an entry to the Full Disclosure mailing list claiming to have broken into the Fort Sumner wind turbine facility, which is owned and operated by NextEra Energy Resources, the primary provider of wind and solar power in North America with 115 facilities in North America.

The hacker said he was a disgruntled former employee of Florida Power and Light, a sister subsidiary of NextEra Energy Resources. Both were owned by NextEra Energy.

In an email interview with Computerworld, Bgr R said he exploited a vulnerability in the company's Cisco security management software to gain access to the supervisory control and data acquisition (SCADA) systems used to control the wind turbines.

The hacker did not respond to SC Magazine's calls.

“Here comes my revenge for illegitimate firing from Florida Power & Light Company,” the hacker wrote in the post. “Secure you [sic] SCADA better! Leaked files are attached.”

The hacker included apparent screen shots of the facility's wind turbine management interface, FTP server, and a project management system.

NextEra Energy disputed the hacker's statement. 

“We have investigated the claim and found that the information provided as proof of ‘hacking' is largely publicly available information, which, by itself, would not be adequate to launch a successful attack against the named SCADA system or wind site,” said Mark Bubriski, a spokesman for NextEra Energy.

NextEra Energy was monitoring its systems against possible attacks, Bubriski said.

Some commenters to the Full Disclosure post questioned whether the hack was legitimate, and others said Bgr R may actually have abused legitimate access rights to penetrate the SCADA system.

“The person who did this was an ex-employee who already had access to their systems,” a respondent wrote. 

“Nothing illegal has happened then. The dude is just highlighting his access hadn't been taken away and has decided to pretend he hacked the system as some sort of prank.”

Only the hacker and NextEra Energy know whether Bgr R's claims were true, said Bradley Anstis, vice president of technical strategy at security firm M86 Security.

But it reminded security professionals to follow best practices when terminating employees, he said.

“Companies need to ensure that employee access rights are fully known and controlled,” Anstis said.

“If an employee is let go, then immediate revocation of their rights is essential, especially IT staff. Constant vigilance for backdoor accounts and rogue access points is a must.”

Despite recent headlines, such as Stuxnet, SCADA security still may not be receiving enough attention within critical infrastructure providers, according to a recent report from Q1 Labs and the Ponemon Institute. It found three-quarters of global energy organisations polled sustained a breach over the past year, and another 69 percent said they were "very likely or likely" to succumb to one in the next 12 months.

The top source of breaches, the survey found, were negligent or malicious insiders.

McAfee and the Centre for Strategic and International Studies willi issue a study on the threat later today or early tomorrow Australian time.

This article originally appeared at scmagazineus.com