At this year’s Black Hat, a leading information security conference held in Las Vegas, cyber security researchers exposed new vulnerabilities in industrial control systems and warned that malware (including ransomware) could force companies to have to choose between expensive downtime and the potentially less expensive option of paying a cyber attacker’s ransom.Against this background, a researcher from Tulsa University was granted permission to penetrate and test the security of five different wind farms across the US. He found the same vulnerabilities across multiple wind farms, which included easy-to-guess or default passwords, weak and insecure remote management interfaces and no authentication or encryption of control messages. The researcher also found that if an individual gained physical control of one turbine he could control the entire wind farm and this proved surprisingly easy as he gained physical control of a turbine by picking a simple lock and plugging a Raspberry Pi minicomputer into the network. Once into the system cyber attackers can immobilise turbines, suddenly triggering their brakes to potentially damage them, and even relay false feedback to their operators to prevent the attack from being detected.
The team built three examples of how wind farms could be attacked. This includes malware that could, send commands to other turbines on the network which can then disable those turbines, spread from one automation controller to another across the entire farm and permit man-in-the-middle attacks in respect of the operators' communications with the turbines.
Although the researchers only switched off one wind turbine at the time, a malicious user could have the ability to switch off an entire wind farm. The ease with which the researchers were able to do this highlights an important (and potentially devastating) cyber security issue that wind companies will need to consider. In particular, as wind power grows as an important source of electricity, wind farms may well become a more attractive target for those looking to disrupt and garner attention.
Indeed the Annual Incidents report 2016, issued by the European Union Agency for Network and Information Security (“ENISA”), found that that malware causes the longest lasting incidents. This report reiterates, yet again, the disruptive and sector agnostic effect of cyber-attacks and the need to implement appropriate security protocols.
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London
Key contacts
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.