University of Tulsa security researchers Jason Staggs and his colleagues will present Adventures in Attacking Wind Farm Control Networks at this year's Black Hat conference, detailing the work they did penetration-testing windfarms.
The work starts from the premise that the distributed nature of wind turbines makes them intrinsically hard to physically secure, a situation exacerbated by the low-quality locks (5-pin door locks and simple padlocks) used to keep intruders out of the turbines' control rooms.
Its a truism that once an attacker has physical, unsupervised access to a computer, all bets are off, but Staggs's work demonstrates that even by that standard, wind-turbines are very poorly secured, vulnerable to attacks that can be launched just by plugging a Raspberry Pi into the control-system's Ethernet port.
Worse: turbines are networked, so once one turbine is compromised, the rest of the turbines in the field can be poisoned, with attacks that include "paralyzing turbines, suddenly triggering their brakes to potentially damage them, and even relaying false feedback to their operators to prevent the sabotage from being detected."
In their attacks, the Tulsa researchers exploited an overarching security issue in the wind farms they infiltrated: While the turbines and control systems had limited or no connections to the internet, they also lacked almost any authentication or segmentation that would prevent a computer within the same network from sending valid commands. Two of the five facilities encrypted the connections from the operators' computers to the wind turbines, making those communications far harder to spoof. But in every case the researchers could nonetheless send commands to the entire network of turbines by planting their radio-controlled Raspberry Pi in the server closet of just one of the machines in the field.
"They don't take into consideration that someone can just pick a lock and plug in a Raspberry Pi," Staggs says. The turbines they broke into were protected only by easily picked standard five-pin locks, or by padlocks that took seconds to remove with a pair of bolt cutters. And while the Tulsa researchers tested connecting to their minicomputers via Wi-Fi from as far as fifty feet away, they note they could have just as easily used another radio protocol, like GSM, to launch attacks from hundreds or thousands of miles away.