Wind turbine blown away by control system vulnerability

It had to happen, we suppose: since even a utility-grade wind turbine might ship with a handy Webby control interface, someone was bound to do it badly. That's what's emerged in a new ICS-CERT advisory: CVE-2015-0985 details how turbines from US manufacturer XZERES allow the user name and password to be retrieved from the …

  1. bazza Silver badge

    Oh Good Grief

    How many times has this got to happen before it gets taken seriously?

    Either don't connect it to the Internet, or do it properly. Laziness of this sort is a stain on the entire industry. What is it about a major piece of generating equipment that suggested to the idiot whose fault this is that security didn't matter? It's a major piece of equipment that has to be properly controlled otherwise someone somewhere could get hurt. This is dereliction of duty, leaving it as wide open as that.

    The muppet developer who wrote this should be found and made to program in gwbasic for 10 years as punishment for giving the rest of us a bad reputation, with another 10 added on top for not caring about the consequences of their laziness. Just because they managed to fool their boss into thinking that they'd done a good job doesn't mean that they won't get found out later.

    Safety interlocks

    It would be fascinating to know what safety interlocks there are on these turbines to allow a maintenance engineering team to work on them and be sure that it won't start up whilst some poor engineer is, say, working on a blade. That blade moves, that engineer could easily be killed.

    If the only thing stopping it moving is a setting in that Web interface, then that's a truly safety critical piece of software.

    If this is indeed the case, having a flaw as feeble as that is really, really appalling. And in this day and age developers could go to jail if there was a death.

    1. Gray
      Trollface

      Re: Oh Good Grief

      Well, in this case I'd expect a malicious hacker would be content to override the governor limits, thus letting the windmill thrash itself to pieces in the next windstorm. Just for kicks.

      1. bazza Silver badge

        Re: Oh Good Grief

        Well, in this case I'd expect a malicious hacker would be content to override the governor limits, thus letting the windmill thrash itself to pieces in the next windstorm. Just for kicks.

        Just for kicks indeed, and still dangerous. I would like to be confident that important things like governors and interlocks weren't alterable through a Web interface, but who knows.

        Exposing critical control features to abuse in this sort of way (if they've actually gone and been and done it) is inviting corporate extinction. One script kiddie does as you suggested for the laugh and the entire lot gets wiped out. It's pretty hard for a company to survive a total loss, and that's bad for pension, stock holdings, salary, etc.

        I would like to think that the manufacturer was cognisant of that enormous risk to its profitability, and has not exposed critical controls through a feeble Web interface. However, I'm not 100% confident. From what I've seen companies are generally pretty bad at assessing or even acknowledging their exposure to "that would never happen" risks that would wipe them out. It's a kind of blind spot. Ask TEPCO at Fukushima...

        1. Anonymous Coward

          Re: Oh Good Grief

          "Just for kicks indeed, and still dangerous. I would like to be confident that important things like governors and interlocks weren't alterable through a Web interface, but who knows."

          On the ones I've seen, they're wide open - and the network stack on these kinds of things is so abysmal that they can be locked up fairly easily after doing the deed.

          Anon in this instance because I have a pair of 1MW backup generators with the same kinds of flaws. The installers insisted on giving them public internet addresses but we have those ACLed to hell and back. "Just Because..."

          Funnily enough the local distributors wouldn't sign indemnity agreements when they started insisting we removed the firewall blocks and their ultimate threat was to put in a 3G router stick to control them that way.

          Yes, that's the kind of mentality you're up against. Network security isn't even an afterthought.

    2. Lusty

      Re: Oh Good Grief

      "Either don't connect it to the Internet, or do it properly."

      I suspect that's exactly what the programmer was thinking - why would anyone connect these to the internet? They are small turbines to use on site rather than national infrastructure size so surely will just go on the local network behind the firewall and therefore don't need excellent security. If you're putting power cables to your garden then popping an ethernet link in as well is no bother. This announcement is probably because some "hacker" worked it out and contacted them, forcing an announcement. I would imagine whoever coded it already knew about the "exploit" and just didn't care enough (or had too few resources) to do anything about it.

    3. JonP

      Re: Oh Good Grief

      It would be fascinating to know what safety interlocks there are on these turbines...

      I don't know about these particular machines, but typically you'd use mechanical isolation (physical switches etc) for maintenance; safety critical software is used to put things in a safe state if something exceeds safe operating limits - you wouldn't (shouldn't) solely rely on it to keep things in a safe state for maintenance etc.

    4. Killing Time

      Re: Oh Good Grief

      Seriously? …… Do the commentards here really believe that an industry as mature as industrial electrical and control would not have processes in place which circumvented any possibility of remote access to a piece of kit presenting a hazard to the operators or maintenance guys ?

      Even more so, designs which could somehow via remote manipulation deliberately endanger members of the public? Overspeed protection is either mechanical and failsafe or electrical/electronic, isolated, redundant and failsafe. This is then backed up by remote siting and restricted access.

      Windmills have been around for centuries, they haven’t suddenly become these terrifying monsters just one step away from slicing and dicing the nearest unwary citizen.

      Come on, drop the FUD…..

      1. Alan Brown Silver badge

        Re: Oh Good Grief

        "Do the commentards here really believe that an industry as mature as industrial electrical and control would not have processes in place which circumvented any possibility of remote access to a piece of kit presenting a hazard to the operators or maintenance guys ?"

        Not only believe it, but have observed it in action.

      2. Solmyr ibn Wali Barad

        Re: Oh Good Grief

        That mature industry relies heavily on SCADA. Forfeit your belief, and despair.

    5. WalterAlter
      Happy

      Re: Oh Good Grief

      Oil change on my Honda - 20mins at Jiffy Lube, cost: $19

    Oil change on my neighborhood wind turbine - 20 mins lube job, 20 mins helicopter ride, 5 min. rappel in and out of nacelle, helicopter rental, rappel insurance, workman's comp claim, helicopter crash, cost: $17,787,295.23.

  2. Sir Runcible Spoon
    Mushroom

    Sir

    Are these wind-turbines considered Critical National Infrastructure?

    If they are, someone is in for a rocket, NERC won't look kindly on such lax security.

    1. Lusty

      Re: Sir

      "Are these wind-turbines considered Critical National Infrastructure?"

      No, these are for people with large gardens and businesses trying to look green. They are not proper big turbines.

      1. Anonymous Coward

        Re: Sir

        Quote: They are not proper big turbines.

        Indeed. Web interface instead of SCADA. The problem is that the "big ones" are not any better:

        1. Software is written by the same people with the same level of knowledge of software security

        2. There are idiots installing them in a similar unprotected manner.

        1. thames

          Re: Sir

          @Anonymous Coward - "Software is written by the same people with the same level of knowledge of software security"

          I follow control engineering forums where this sort of question comes up. It's usually phrased as "the customer has just told us that he wants to check his wind turbine over the Internet. Is there some sort of web box thingy that I can add to the PLC to do this?" They then buy an eye-wateringly expensive "module" from the PLC vendor that lets you load a web page using MS Frontpage and associates a selection of ActiveX or Java "web controls" directly with PLC memory addresses. They're all designed to be installed by people who have never created a web page before and wouldn't know an HTML tag if it bit them. Difficult problems like oh, let's say security, are dealt with by not having any.

          For 99.9% of people doing control engineering work, their knowledge of things Internet or web is limited to knowing where the good porn sites are. The control hardware they use is sold by companies whose knowledge of things webby is little better.

        2. Lusty

          Re: Sir

          "The problem is that the "big ones" are not any better"

          My assumption was that the big ones were installed by people who were capable of installing their own cable infrastructure. If that's not the case then web GUIs are the least of our problems!

  3. Adam 1
    Coat

    This is what happens when you expose your wind turbines to the clouds.

  4. PNGuinn
    Go

    Security?? Wot's that?

    So - a greenie bedwetter's little toy can be got at via the 'interwebs as easily as a bitch in heat over a 3 foot fence.

    Colour me shocked. Really.

    What's the betting that some of the really big toys are almost as easy to crack?

    Now, <evil grin> if only it were possible to connect 'em in reverse to the grid as motors....

    Go on, El Reg - April 1st article about whole new infrastructure threat - you know - whole bits of Blighty taking off and crash landing in the next county, danger of earthquakes etc etc.

    A few good boffinistic references to add plausibility, including cross referenced wikipeedia of course...

    Then watch as BBC, the Graun and the Times pick up the story and run with it.

    Gold.

    1. Killing Time

      Re: Security?? Wot's that?

      “if only it were possible to connect 'em in reverse to the grid as motors....”

      You don’t need to connect them in reverse. Synch to the grid at a lower voltage or frequency and the grid will drive the generator as opposed to the generator trying to drive power into the grid.

      However, the totally isolated, independent, probably redundant generator protection ‘relay’ would open the breaker on the first indication (a few milliseconds) of reverse power.

      Just because these remote interfaces to largely view only monitoring systems have vulnerabilities, doesn’t mean the whole system can be compromised. There are multiple independent systems overseeing power generation kit, and long may it continue. It keeps the amateurs out!

      1. PNGuinn

        Re: Security?? Wot's that?

        Should probably have used the joke alert icon. Either that or we have a couple of readers from the 3 organs mentioned today trolling for stories.

        Re putting 'em in reverse <joke alert> / syncing them to the grid. Aren't these beasts dc with some fancy electronics interfacing to 50 Hz? After all they go from usually not turning / just moving to crawling at just below supersonic rotor tip speed or "shut down because the wind is actually useful today".

        It was just my (occasionally) evil mind thinking I'd LOVE to see a field of these beasts revving up towards 1500 rpm. From a very safe distance of course.

        1. Killing Time

          Re: Security?? Wot's that?

          "Re putting 'em in reverse <joke alert> / syncing them to the grid. Aren't these beasts dc with some fancy electronics interfacing to 50 Hz?"

          Yep, got the point that you weren't being serious but if you are exporting to an AC grid no matter how you get there you have to interface at an AC voltage (fancy power electronics or not) and independent protection is in place. Rotor speed depends on gearing and number of generator poles in place. If no gearbox, 2 pole and synchronous generator, max revs = 3000 (50 Hz). 4 poles = 1500, 8 poles = 750 and so on. Once you are synced, the revs will not increase as the grid frequency will resist any acceleration of the generator. A single few MW generator is no match for the multi GW of the grid. High wind speed v the grid will produce the huge torques which knacker this kit.

          Not a particular proponent of this form of generation, just making the point that adequate systems are in place to provide protection over and above some deficiency in what essentially is a remote monitoring system.

        2. Wilseus

          Re: Security?? Wot's that?

          "It was just my (occasionally) evil mind thinking I'd LOVE to see a field of these beasts revving up towards 1500 rpm. From a very safe distance of course."

          A bit like this you mean? Click.

    2. Captain DaFt

      Re: Security?? Wot's that?

      "Now, <evil grin> if only it were possible to connect 'em in reverse to the grid as motors...."

      More realistically... if these (or a similarly controlled big boy) are on the grid; Could they be used as a back door to the power company's computers?

      "Yeah, this windmill's saved me a fortune in power bills, since I used its interface to 'vanish' from the power company's billing dept!"

  5. John Smith 19 Gold badge
    Unhappy

    Large hunks of spinning metal needing to be kept running smoothly.

    Like Stuxnet for civilians.

  6. Mr_Pitiful

    Hmmm

    I have a friend who remotely manages a rather large number of commercial Wind Farms.

    He once showed me how secure they were, by 'dialing one up' on an analogue modem. This was maybe 5 years ago. Recently they have all had their phone lines disconnected and it's all managed with a web interface. The scary part was him logging in and the u/n & p/w were the defaults with admin rights, and he said he wasn't allowed to change them, even if he could.

    Put it this way, at least my router had a password even if it was rubbish when I got it.

    Login can be done from ANY internet access point, even a 3G dongle works no problem. The controller has no URL, just an IP Address, and that was in the UK range, a different IP Address for each site, that were stored in his favorites list.

  7. Fredric L. Rice

    THIS is why you do not allow Republicans to design anything, or allow Republicans to have any part in developing anything that's even remotely critical.

    No offense.

    1. Anonymous Coward

      You forgot to use the 'joke' icon

      It applies to both the parties in the above comment.

    2. Anonymous Coward

      None taken

      Keep in mind it is the Democrats who vote for these windmill subsidies. Republicans sensibly invest in the manufacturers. And this Republican drives an electric Leaf, hopefully powered by the South Texas Nuklar Power Plant.

  8. Eponymous Bastard

    PV

    As PV or Solar Farms as the f**king tree huggers call them are spreading across Cornwall, I wonder how long it will be before someone hacks these for "fun". The sites look like concentration camps with their fences and CCTV. The only benefit is that they are wildlife havens although I expect they do manage to generate a couple of megawatts... which cannot be stored. Why not divert some of the millions wasted on AGW research towards energy storage. I will get my coat as it's still quite chilly here.

  9. ItsNotMe
    Happy

    "XZERES has issued a manual patch for the vulnerability."

    Yes...it's an elderly Spanish Lord on the back of a rundown, and equally elderly equine, carrying a slightly misshapen lance.

  10. ops4096

    FUD

    AFAIK homeland (heimat) security types have been bitching about ubiquitous system wide vulnerabilities present in every industrial system for years. To no effect. I believe that this "expose" is simply propaganda designed specifically to denigrate the possibility of renewable energy. No further correspondence will be entered into. Have a good day y'all.

  11. John Smith 19 Gold badge
    IT Angle

    A small note on Windmills

    While they won't hit the 100 000 RPM+ of an enrichment centrifuge they can still store a fair bit of kinetic energy.

    Back in the day the IBM test team were reputed to have found a pattern of start/stops that got a mainframe tape drive (reel to reel) hopping about the floor.

    You wouldn't want it to start raining turbine blades (even small ones), would you?

  12. unsatisfiedcustomer

    I installed a 442SR from Xzeres 4 years ago. The wind generator came with a 5 year warranty. Living in a remote area of Colorado, it was/is important to me to have a reliable/dependable source of alternative energy. We chose the 442 in the belief that the product was reliable and that the Company, Xzeres, would stand behind the 442. Both of our beliefs were gravely misplaced. The four years since installation have been an absolute nightmare. The last time our 442 worked was early spring of 2014. We finally got a technician from Xzeres to come out to the field in October, 2014. He determined that internal parts in the generator needed to be replaced and that he would be “back in two weeks” to repair. He finally came out the week of May 11, 2015, a full 7 months later. After reviewing the installation, he determined that he did not have the right parts and would be “back in 2 weeks.” Guess what, 2 weeks have come and gone and he still hasn't come out. Now he is saying another technician will come but can't give us a date.

    Please understand, we have documented a four year history of dealings with Xzeres. My installation contractor, who has been a life-saver, estimates that during the last 4 years, the generator has only been operational for 12 of the last 48 months. I personally believe it is somewhat less than that. I want to warn others against dealing with Xzeres. I would hate for others to spend as much as I have and receive a defective product and deal with an unprofessional, uncooperative company.
