So good morning, DEF CON. Good to see everyone made it through the festivities last night. All right, so if you're here to learn how to break some wind, you're in the right spot this morning, so welcome. My name is Jason Staggs. I am a security researcher from the University of Tulsa in Tulsa, Oklahoma, and this morning I'm going to be sharing some of the findings of a research study that we've been conducting over the past couple of years, an investigation to see just how resilient wind farm control networks are to attack.

A little bit about me: again, I'm a security researcher. I love my job and am interested in all things security. I gave a talk at DEF CON here a couple of years ago called How to Hack Your Mini Cooper, so I really enjoy trying to break things. In fact, most of the time I try to provide people with solutions or ideas on how to fix the things that I broke. Sometimes people are willing to listen to these ideas with open arms, but in other cases people just don't want to listen, and when people just don't want to listen, guess what, bad things tend to happen.

So out of all the awesome things on this planet we could possibly hack, why in the world would anybody want to hack a wind farm? Great question, let me explain. Whether we realize this or not, as a country, as a world, as a society as a whole, we are becoming more and more dependent upon renewable energy sources. In fact, one of the more predominant forms of renewable energy right now is wind-based energy. This is true for North America, Asia and parts of Europe. In the United States alone, in 2015 nearly five percent of all the electricity produced in this country came from wind-based power sources. Now that may not sound like a whole lot, but according to the Department of Energy they expect that number to climb just north of 20 percent by 2030.
So this increased reliance on wind energy will draw increased attention from attackers of all shapes and sizes, for a number of reasons. Naturally this raises the question: just how resilient are these control systems to attack? And I think it's very interesting that neither the hacker nor the academic community is really considering this just yet. Now I know what you're probably thinking: well, Jason, isn't this just yet another insecure, vulnerable ICS system that's easy to attack? And while the answer to that question is most definitely yes, the bigger questions, as to what are some of the bigger implications and some of the more sinister things that an attacker can now do with this level of access, those types of questions have not been properly answered or even thoroughly considered yet, in my opinion. And so we'll talk about that in this presentation.

Modern-day wind farms are operated by a series of interconnected SCADA systems, so we have computers and networks of various sorts in play. What's the worst that could happen? Well, in a lot of ways a wind turbine is similar to a car. Just like a car, a wind turbine has to have its oil changed and its braking system, gears and rotors serviced periodically, because there is a failure rate associated with those systems, and if they aren't serviced properly, guess what, bad things will happen. In fact, don't take my word for it. Check out this awesome YouTube video whenever you guys get a chance; it basically shows what I'm calling a wind farm engineer's worst nightmare. The video shows wind turbines failing due to a series of mechanical failures because they weren't properly serviced and maintained. It literally shows wind turbines catching on fire or disintegrating into a billion pieces. It's actually quite entertaining to watch; I recommend watching it.
So I argue that some of these same types of mechanical failures could also be caused, or truly triggered or influenced, by targeting insecure control systems. I'll talk about that, but most importantly, why hack a wind farm? Well, at the end of the day we want to be able to prevent attackers from turning these peaceful systems into either targets of ransomware or, worse, into massive burning wastelands.

So what exactly is a wind farm? Fundamentally, all a wind farm is is a power plant that converts wind-based energy into electricity. Now remember, wind is a variable power source; it's not always guaranteed to be there. So we have the wind turbines that are used to harvest this energy, which gets converted into electricity and fed into substations, and then the voltage is stepped up and fed into the power grid. That's a 10,000-foot view of how the process works. IEC 61400 is a set of international specifications that define how wind farms are to be designed, operated and maintained, and sort of the abstract communications requirements between wind farm operators and turbines in the field.

Like I said, over the past couple of years me and my research team back home in Tulsa have been going all across America doing holistic security assessments on a variety of wind farms from different vendors, different manufacturers, different makes and models. We've looked at everything from the physical security mechanisms of wind turbines to the actual hardware, software and firmware that runs on the automation control systems. And yes, at times we did have to climb to the very top of these turbines to gain a better understanding of how the controllers and fieldbus protocols worked, and also to get a better understanding of how the different mechanical systems and processes in play worked on the turbine as well. So if you were a security researcher or a pentester with any fear of heights, this may not have been the pentest for you to be on.

All right, so real quick I just want to talk about the anatomy of a wind turbine. At the very top of the tower, that housing is called a nacelle. Inside that nacelle are all of the interesting mechanical components that make a wind turbine a wind turbine: things like your rotor system, pitch motors, braking system, low- and high-speed shafts, gearbox, generators, all that fun stuff. These are the systems that service technicians will service and maintain on a periodic basis, so sometimes these things will fail and they have to be replaced; there's a failure rate associated with them. If you are an attacker whose goal is to damage a wind turbine, these are the types of systems that you're going to be interested in targeting.

This is sort of a 10,000-foot view of the topology of a wind farm, generically speaking. We have a command and control center that's used to manage multiple wind farms. Then we have substations at the different field sites. Substations are split into two different systems: we have the transmission control system that's used to harvest electricity produced by the turbines and then feed that into the power grid, and on the opposite side is the operations control network, which is what the operators use to monitor and control turbines in the field. Once we get to the turbines in the field, all these turbines are sort of interconnected via fiber optic links. In most cases everything's IP addressable and everything's on one big flat network, so there's really no notion of network segmentation between turbines, or at least between the automation control systems in the turbines. So being able to talk from one automation controller to another automation controller in a different turbine is a thing that can happen, although there's not any operational requirement for this specifically.

Here's a great perspective of the different network protocols in play between the operator and the automation control systems inside of a turbine in the field. The operator can use any number of command and control protocols to poll or send commands to a turbine to get it to do different things. Usually this is a flavor of OPC or some IEC-based protocol; sometimes it's proprietary to the vendor. These operators will talk to the automation controllers. These programmable automation controllers usually sit in the base of the tower, and you can think of them as being a blend between a traditional PC and a PLC. Operating-system-wise, these guys can run anything from Windows Embedded and Windows CE (we've seen these guys run Windows 95 in some cases) to various flavors of Linux and real-time operating systems like VxWorks. Hardware-wise, these boards can be custom designed by the manufacturers of the wind turbine; other times they'll use off-the-shelf automation control systems and the vendor will just roll their own software onto them. They also have a fieldbus peripheral on them that's used to talk via CAN bus or Modbus or some kind of fieldbus protocol to other controllers at the top of the turbine that are used to interface with motors, actuators, sensors and all that fun stuff.

IEC 61400-25 is the part of the specification that defines how operators are to interface with turbines in the field. It defines what types of information the operator should be able to pull from a turbine control system, and then what types of commands the operator should be able to send to a turbine in the field to put the turbine into different contexts or states. What the spec then does is map this functionality back to a handful of protocols listed here. It's important to note that most of these protocols by themselves are inherently insecure.

One of the more prevalent protocols that we saw during our research and assessments was a protocol called OPC XML-DA; DA stands for data access. The HMI software that's used by the operator will use this protocol to probe the automation control system, the OPC server running on the automation control system, to check on the current status of the turbine and send commands. This protocol is nothing more than a SOAP-based messaging protocol, so we have XML objects going over HTTP. If you look at the spec, the spec defines different types of messaging services, so in the event that the HMI software wishes to poll a turbine it will send stuff like Read message requests, and in the event that the HMI software wants to send a command to write to a control variable on the OPC server, it will send a Write message request.

So here is the general rundown of the vulnerabilities that we were seeing across the board. Now this wasn't true for every turbine, every wind farm that we looked at, but these were sort of the common themes of the day, if you will. Automation-controller-wise, these guys are running legacy operating systems. In most cases we've seen everything's running as root. We've got remote network management services, so Telnet, FTP, SNMP, all that fun stuff. Trying to get access to these guys is fairly trivial in most cases; we've seen these guys just using vendor-provided default creds or easy-to-guess creds. And oh, by the way, if you know the creds for one of these automation controllers, they're the same across all the automation controllers in the rest of the wind farm, so being able to pivot from one automation control system and move laterally is relatively trivial if you know what those are. Like I said before, network segmentation between wind turbines is not really a thing that's happening. All the stuff right here is sort of what we would expect from an ICS system, though; there's really no surprises here, right? But what are some of the interesting physical effects that can be achieved if we start to chain some of these vulnerabilities together?

If you take a closer look at the OPC XML-DA specification, it clearly recognizes the fact that it is an insecure protocol; it's not using encryption or anything like that. However, it assumes that the implementer is smart enough to tunnel this protocol over SSL or TLS, and it says that if you don't, things could potentially happen, and here exactly is the part of the spec that calls this out. Additionally, the spec says that you probably want to have some form of authentication, or be able to disallow people from just arbitrarily sending a Write message request to the OPC server to control control variables. Apparently the people that have been implementing these particular command and control protocols in wind farms didn't read this portion of the specification either.

So here is a rundown of some of the items that are polled for by the operator and returned to the operator and displayed on their HMI screen: things like current wind speed, power production, ambient temperatures, controller status, things like that. Here's where things get a little more interesting: the types of commands that an operator can send to turbines in the field. This will vary from vendor to vendor, but generally speaking there are commands that they can issue to change the maximum power generation of a particular turbine, or there are commands that they can send to put the turbine into a certain operating state or context, so being able to do things like turn the turbine off or turn it on or put it into an idle state. One of the more interesting states that a wind turbine can be in is something called emergency shutdown mode, or state. What emergency shutdown is, is in the event that the automation control system or operator detects that there are external factors or conditions that could be damaging to a wind turbine, such as high gusts of wind or maybe a tornado is imminent in the area, it decides that it's more advantageous to the turbine to shut itself off as soon as possible rather than continue to operate, due to the fact that it might be damaged. The act of invoking an emergency shutdown is what we call a hard stop, and when a hard stop is initiated on a turbine, what happens is the blades on the rotor will flare out and then the mechanical brake of the turbine will actually lock up to bring the turbine to a holding stop as soon as possible. This is not a graceful shutdown at all, believe me. When this happens, we actually noticed that it will put excessive wear and tear on critical mechanical components inside the nacelle, so things like the gears and the rotors and the braking system and all that. Also, the physical integrity of the structure, the tower and the rotor system, is affected by this, and there's plenty of research that has been done over the years that backs up those claims. One side note: if you're ever doing testing or an assessment on a wind farm and you're working with a group of wind farm engineers, and you attempt to invoke a hard stop on a wind turbine more than zero times, they tend to get very, very grumpy with you.

Let's talk about some of the network attack tools that we developed for this stuff. Windshark is a network-based attack tool designed to target automation controllers on the wind farm network. Windshark is designed to hijack control of wind turbines or to damage them, and how it works is Windshark will actually go out and scan for the IP addresses of automation control systems running certain versions of OPC or control services that we care about. Then it will return a list of those IP addresses to the attacker. The attacker can then select which IPs he wishes to spoof commands or send commands to, to put the turbine into a funky state or do something with it. By doing this we can actually hijack control of some turbines.
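The Read/Write distinction the speaker draws is exactly what a passive monitor on the operations control network can key on: polling traffic is Read, and every Write is a command. The following is an added editorial example, not the speaker's tooling and not code from the talk. It parses captured OPC XML-DA SOAP request bodies, classifies each by operation, and alerts when a Write arrives from a host other than the known HMI workstation, or when the same control item is written repeatedly inside a short window, which is the traffic shape a forced hard-stop loop would produce. The SOAP and OPC XML-DA namespaces and the Read/Write element names come from the public specification; the item names, addresses and timestamps are constructed sample data.

```python
"""Passive OPC XML-DA write monitor (editorial example, not the talk's tooling).

Parses captured HTTP POST bodies carrying OPC XML-DA SOAP requests, classifies
each as Read / Write / other, and alerts on Write requests from hosts other
than the known operator HMI and on repeated writes to the same control item.
Item names, addresses and timestamps below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XMLDA_NS = "http://opcfoundation.org/webservices/XMLDA/1.0/"


def classify(body):
    """Return (operation, [ItemName, ...]) for one SOAP request body."""
    # ElementTree does not resolve external entities, so feeding it captured
    # traffic is safe; a malformed body raises ParseError to the caller.
    root = ET.fromstring(body)
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return ("unknown", [])
    op = soap_body[0]                      # the single XML-DA operation element
    if not op.tag.startswith(f"{{{XMLDA_NS}}}"):
        return ("unknown", [])
    name = op.tag.split("}", 1)[1]         # e.g. "Read", "Write", "GetStatus"
    items = [i.get("ItemName", "") for i in op.iter(f"{{{XMLDA_NS}}}Items")]
    return (name, items)


def analyze(captures, operator_hosts, repeat_threshold=3, window=600):
    """captures: dicts with ts (seconds), src, dst, body. Returns alert tuples."""
    alerts = []
    recent_writes = defaultdict(list)      # (dst, item) -> timestamps inside window
    for cap in captures:
        op, items = classify(cap["body"])
        if op != "Write":
            continue                       # Reads are the normal polling traffic
        if cap["src"] not in operator_hosts:
            alerts.append(("write_from_unexpected_host", cap["ts"], cap["src"], ",".join(items)))
        for item in items:
            key = (cap["dst"], item)
            times = [t for t in recent_writes[key] if cap["ts"] - t <= window]
            times.append(cap["ts"])
            recent_writes[key] = times
            if len(times) == repeat_threshold:   # fire once when the threshold is reached
                alerts.append(("repeated_write", cap["ts"], cap["src"], f"{item} on {cap['dst']}"))
    return alerts


def soap(op, item_names, value=None):
    """Build a minimal OPC XML-DA request; used only to construct sample traffic."""
    items = ""
    for n in item_names:
        val = f"<Value>{value}</Value>" if value is not None else ""
        items += f'<Items ItemName="{n}">{val}</Items>'
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<{op} xmlns="{XMLDA_NS}"><Options/><ItemList>{items}</ItemList></{op}>'
            f'</soap:Body></soap:Envelope>')


OPERATOR_HOSTS = {"10.0.0.10"}             # constructed: the HMI workstation
SAMPLE_CAPTURES = [                        # constructed traffic, not a real capture
    {"ts": 0,   "src": "10.0.0.10", "dst": "10.0.1.21",
     "body": soap("Read", ["WTG01.WindSpeed", "WTG01.ActivePower"])},
    {"ts": 5,   "src": "10.0.0.10", "dst": "10.0.1.21",
     "body": soap("Write", ["WTG01.Cmd.MaxPower"], 1500)},
    {"ts": 60,  "src": "10.0.0.99", "dst": "10.0.1.21",
     "body": soap("Write", ["WTG01.Cmd.EmergencyStop"], "true")},
    {"ts": 360, "src": "10.0.0.99", "dst": "10.0.1.21",
     "body": soap("Write", ["WTG01.Cmd.EmergencyStop"], "true")},
    {"ts": 660, "src": "10.0.0.99", "dst": "10.0.1.21",
     "body": soap("Write", ["WTG01.Cmd.EmergencyStop"], "true")},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_CAPTURES, OPERATOR_HOSTS):
        print(alert)
```

Because the protocol runs over plain HTTP, the fact that a sensor can read these bodies at all is itself the finding the speaker points to: the spec's recommendation to tunnel over TLS was not followed. Once the traffic is encrypted, this kind of content inspection has to move to the OPC server or HMI side, where the operation type and item names are still visible.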
Now this isn't true for every turbine; this process will vary from vendor to vendor and make and model. When we do this, though, the operator can still poll those turbines and see that, hey, something funky is happening, somebody's messing with our turbines. So we still have that problem to deal with. Another interesting mode that Windshark has is something that I'm calling the hard stop of death attack mode. The way this works is the Windshark tool will force the turbine to hard stop, then it will wait for the turbine to recover and force it to hard stop again, and it will do this process over and over and over again until either the attacker is removed from the network or execution of our program is halted. When we're doing this we are introducing premature wear and tear on critical mechanical components, meaning we are damaging turbines.

The next step up from this is a tool that we wrote called Windpoison. Windpoison is a man-in-the-middle tool that runs on a Raspberry Pi, and basically all we do is the old ARP cache poisoning trick to poison the ARP cache tables of the automation control systems in the turbines and the operator's workstation. When we do this we can now be selective as to which commands the operator can send to the turbines, if any at all. So we can do things like dropping those requests, and then we can do stuff like fabricating the polling responses back to the operator. So we can do stuff like turning off all the turbines in the wind farm, or invoking the hard stop of death attack against all the wind turbines in the wind farm, and then lying about the current status of those turbines to the operator. These particular tools were designed to target the IEC 61400-25 based protocol stacks and network services. We had to do some light command and control protocol reverse engineering to figure out what the particular values were of the protocols that put a wind turbine in a certain context. We put everything on a Raspberry Pi, tied it all together with Python, used some bash scripts, used the Scapy and Nmap Python libraries for packet fabrication and port scanning, and then we did some iptables to drop and forward packets across interfaces as needed.

Let's take this a step further, though. Windworm is a proof of concept that we developed in the lab, designed to go after automation controllers that are configured in an insecure fashion. What we do is we leverage the fact that all these automation controllers use the same creds and that we know what those creds are; like I said before, most of the time these are vendor-provided creds or easy-to-guess creds, so we assume we know what those are. We also take advantage of the fact that these guys are running things like FTP and Telnet, and what we do is we will actually copy ourselves via FTP and invoke execution via Telnet, and we repeat this process over and over again so we're actually executing on all the automation controllers in the wind farm. Once we have execution on the automation controller, we will interface with the fieldbus peripheral on the automation control system to talk to other controllers in the wind turbine that are more interesting to us, so things like the power controller or the motor controller. What we can do then is inject our own fieldbus commands to do interesting things.

One of the more common protocols that we saw during our assessments was a protocol called CANopen. The way CANopen works is every controller has something called an object dictionary, which is very similar to registers in Modbus, so it contains controller configuration or process control information, and these controllers will use this interface to sort of exchange information with each other or update process control variables. The trick here is figuring out what the mapping of this CANopen object dictionary is for a particular controller. If you know what this is, you can actually do things like overriding critical process control variables to put the controller into an interesting state to affect the hardware that it controls. Lucky for us, the CANopen specification defines something called electronic data sheets that define how these controllers are laid out and mapped out. It defines the literal variable name for an item in the object dictionary, what its index is, its sub-index, what data type it is, whether you can just read or write to it, that sort of thing. These are usually stored on the file systems of these programmable automation controllers in a cleartext file, so we could just read these and know what those mappings are. Basically you just repeat this process over and over again until you do the bad things that you want to do to the turbine.

Let's take this to another level. What if we wanted to ransomware a wind farm? How exactly would this work? I'm not talking about encrypting anything here; I'm talking about being able to paralyze wind farm operations in such a way that the electric utility is no longer able to produce electricity, at least until a ransom is paid in something like maybe Bitcoin. But how exactly would this work? This is exactly how an attacker would go about ransomwaring a wind farm for Bitcoin. The idea here is the attacker would only need physical access to a single turbine in a wind farm. At that point the attacker would introduce his propagating malware, very similar to the Windworm that we just described. That malware, once it was executing, would place the turbine into a paralyzing state, meaning that it would just shut the turbine down. It would then disable all remote network management services, so goodbye Telnet, goodbye FTP. Then it would start up its own TCP network service that would just wait there for the ransomware key to be delivered to it. At this point you, the attacker, have gained control over the wind farm, and what you would do is send a ransom note to the electric utility saying, hey, congratulations, I now have complete control over your wind turbine assets; if you'd like to have them back in a timely fashion, please send me 10,000 dollars in Bitcoin to this address. If the company decides to play ball and says okay, fine, whatever, we want our wind farm back, that's fine: the attacker would then provide the key, and they would use that key to unlock the wind farm, and everybody's happy. However, in the event that the company decides not to pay the ransom, that malware could have some logic built into it in such a way that says, okay, if I have not received my ransom key within, you know, an hour, I'm going to go ahead and invoke the hard stop of death attack against myself every hour until I've received this ransom key. So now we have the problem of not only is the electric utility losing out on money because they're not able to produce electricity, but now we have this interesting paradigm where the attacker is able to introduce damage to the turbines with this ransomware. Very interesting.

What would be the financial impact due to wind farm downtime, though? If we take for instance a 250 megawatt wind farm that's been affected with this ransomware, and we assume that electricity is 12 cents per kilowatt-hour on national average, and we assume a worst case capacity factor of 35 percent and a best case of 100 percent for the wind farm, the company is going to lose out on anywhere from 10 to 30,000 dollars per hour of downtime. That's a lot of money, folks. So what would you even do about this? How would you even go about recovering from something like this? I think there are different perspectives on this depending on who you are, but one thing you could do is reimage the automation controller file system. Sometimes this resides on a multimedia card like a CompactFlash or SD card, and you can just reimage it that way. In other cases it's not so trivial, because that file system resides on a flash chip that is physically soldered onto the board, so good luck trying to do that in a timely manner. And in the meantime, while you're trying to figure out what to do, you the operator are losing out on your ability to produce electricity, which means you're losing money.

So in conclusion, wind farm control networks are extremely susceptible to attack. Again, this is just the tip of the iceberg based on some of the research that we've done. My advice to anybody with wind farm assets is to be proactive. Don't wait on vendors to provide security. Verify vendors' claims on security: if they're promising you encrypted command and control between operators and the turbines, verify those claims. And lastly, retrofit security is needed. One thing that people could do to prevent all the attacks I just described is to introduce some sort of network segmentation between turbines and the substation. One thing you could do is encrypt all your traffic between turbines and the substation, so in the event that one turbine was compromised, that one compromised automation control system wouldn't be able to take down the rest of the turbines in the wind farm. And with that, I now have time, so if you have any questions, comments or crazy ideas, I'll be around, come find me. If not, thank you all very much.
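The ARP cache poisoning the speaker describes for Windpoison has a cheap defensive counterpart: a passive sensor on the operations control network that checks every ARP reply against a static asset inventory. The following is an added editorial example, not the speaker's Windpoison tool or any code from the talk. It flags a reply that binds an inventoried IP to an unexpected MAC, and a single MAC that announces itself for more than one inventoried address, which is the shape of a man-in-the-middle poisoning both ends of a conversation. The IP and MAC addresses and the inventory are constructed.

```python
"""ARP cache poisoning detector (editorial example, not the talk's Windpoison tool).

Replays observed ARP replies against a static inventory of the operator
workstation and turbine controllers, flagging (a) a reply that binds a known
IP to a MAC other than the inventoried one and (b) a single MAC that claims
more than one inventoried IP.  Addresses below are constructed sample data.
"""
from collections import defaultdict

ARP_REPLY = 2  # ARP opcode for an "is-at" reply


def detect_arp_poisoning(replies, inventory, multi_ip_ok=frozenset()):
    """replies: dicts with ts, opcode, sender_ip, sender_mac.
    inventory: {ip: expected_mac}.  multi_ip_ok: MACs allowed to own several
    IPs (routers, VRRP pairs) so they do not trip the second rule.
    Returns a list of alert dicts in observation order."""
    alerts = []
    claims = defaultdict(set)   # mac -> inventoried IPs it has claimed so far
    for r in replies:
        if r["opcode"] != ARP_REPLY:
            continue            # requests carry no binding worth trusting
        ip, mac = r["sender_ip"], r["sender_mac"].lower()
        expected = inventory.get(ip)
        if expected is None:
            continue            # not an asset we track
        if mac != expected.lower():
            alerts.append({"type": "mac_mismatch", "ts": r["ts"], "ip": ip,
                           "seen": mac, "expected": expected.lower()})
        claims[mac].add(ip)
        if len(claims[mac]) == 2 and mac not in multi_ip_ok:
            alerts.append({"type": "one_mac_many_ips", "ts": r["ts"], "mac": mac,
                           "ips": sorted(claims[mac])})
    return alerts


INVENTORY = {                  # constructed: HMI workstation and two turbine controllers
    "10.0.0.10": "02:00:00:00:00:10",
    "10.0.1.21": "02:00:00:00:01:21",
    "10.0.1.22": "02:00:00:00:01:22",
}

SAMPLE_REPLIES = [             # constructed ARP traffic as a passive sensor would log it
    {"ts": 1.0, "opcode": 2, "sender_ip": "10.0.1.21", "sender_mac": "02:00:00:00:01:21"},
    {"ts": 1.2, "opcode": 2, "sender_ip": "10.0.0.10", "sender_mac": "02:00:00:00:00:10"},
    {"ts": 1.5, "opcode": 1, "sender_ip": "10.0.1.22", "sender_mac": "02:00:00:00:01:22"},
    {"ts": 9.0, "opcode": 2, "sender_ip": "10.0.1.21", "sender_mac": "02:00:00:00:99:99"},
    {"ts": 9.1, "opcode": 2, "sender_ip": "10.0.0.10", "sender_mac": "02:00:00:00:99:99"},
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, INVENTORY):
        print(alert)
```

On a live network the `replies` list would be fed from a capture library such as Scapy (which the talk itself uses on the offensive side); the detector stays offline here so it can be run against the sample. Note that the inventory approach only works because these are static ICS assets with known addresses; on a network with DHCP it would need a learning phase instead.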
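The electronic data sheets the speaker mentions cut both ways: the same file that tells an intruder how a controller's object dictionary is laid out tells the asset owner exactly which entries are writable, and which of those can be changed by cyclic PDO traffic rather than an explicit SDO write, so they know what to lock down and monitor on the fieldbus. The following is an added editorial example, not code from the talk. The EDS text is constructed in the CiA 306 INI layout (one section per index or sub-index, with ParameterName, DataType, AccessType and PDOMapping keys) and does not describe any real controller.

```python
"""CANopen EDS audit (editorial example; the EDS file below is constructed).

Parses an Electronic Data Sheet, an INI-style file with one section per
object-dictionary index or sub-index, and reports which objects a controller
exposes as writable and which of those can also be PDO-mapped.
"""
import configparser
import re

ENTRY_RE = re.compile(r"^([0-9A-Fa-f]{4})(?:sub([0-9A-Fa-f]{1,2}))?$")
WRITABLE = {"wo", "rw", "rwr", "rww"}        # AccessType values that permit writes
DATA_TYPES = {0x1: "BOOLEAN", 0x2: "INTEGER8", 0x3: "INTEGER16", 0x4: "INTEGER32",
              0x5: "UNSIGNED8", 0x6: "UNSIGNED16", 0x7: "UNSIGNED32", 0x8: "REAL32",
              0x9: "VISIBLE_STRING"}


def area(index):
    """Name the object-dictionary area an index falls in."""
    if 0x1000 <= index <= 0x1FFF:
        return "communication"
    if 0x2000 <= index <= 0x5FFF:
        return "manufacturer"
    if 0x6000 <= index <= 0x9FFF:
        return "device_profile"
    return "other"


def parse_eds(text):
    """Return one dict per VAR entry (sections without AccessType are skipped)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                     # keep key case (ParameterName, AccessType)
    cp.read_string(text)
    entries = []
    for section in cp.sections():
        m = ENTRY_RE.match(section)
        if not m or "AccessType" not in cp[section]:
            continue                         # FileInfo/DeviceInfo and ARRAY/RECORD parents
        sec = cp[section]
        index = int(m.group(1), 16)
        entries.append({
            "index": index,
            "subindex": int(m.group(2), 16) if m.group(2) else None,
            "name": sec.get("ParameterName", ""),
            "data_type": DATA_TYPES.get(int(sec.get("DataType", "0"), 16), "other"),
            "access": sec["AccessType"].strip().lower(),
            "pdo_mapped": sec.get("PDOMapping", "0").strip().lower() in ("1", "0x1"),
            "area": area(index),
        })
    return sorted(entries, key=lambda e: (e["index"], e["subindex"] or 0))


def writable_objects(entries):
    return [e for e in entries if e["access"] in WRITABLE]


def audit(entries):
    """Summarise the writable surface of one controller."""
    w = writable_objects(entries)
    return {
        "total": len(entries),
        "writable": len(w),
        "writable_pdo_mapped": sum(1 for e in w if e["pdo_mapped"]),
        "manufacturer_writable": sum(1 for e in w if e["area"] == "manufacturer"),
        "writable_names": [f"0x{e['index']:04X} {e['name']}" for e in w],
    }


# Constructed sample EDS; object names and indices are illustrative only.
SAMPLE_EDS = """
[FileInfo]
FileName=sample_controller.eds
Description=Constructed sample, not a real device file

[DeviceInfo]
VendorName=ExampleVendor
ProductName=SampleCtrl

[1000]
ParameterName=Device Type
ObjectType=0x7
DataType=0x0007
AccessType=ro
PDOMapping=0

[1017]
ParameterName=Producer Heartbeat Time
ObjectType=0x7
DataType=0x0006
AccessType=rw
PDOMapping=0

[2000]
ParameterName=Pitch Rate Limit
ObjectType=0x7
DataType=0x0006
AccessType=rw
PDOMapping=0

[2001]
ParameterName=Service Mode Flags
ObjectType=0x7
DataType=0x0001
AccessType=rw
PDOMapping=1

[6040]
ParameterName=Controlword
ObjectType=0x7
DataType=0x0006
AccessType=rww
PDOMapping=1

[6041]
ParameterName=Statusword
ObjectType=0x7
DataType=0x0006
AccessType=ro
PDOMapping=1

[6060]
ParameterName=Modes of Operation
ObjectType=0x7
DataType=0x0002
AccessType=rw
PDOMapping=1
"""

if __name__ == "__main__":
    for line in audit(parse_eds(SAMPLE_EDS))["writable_names"]:
        print(line)
```

Run against the EDS files pulled from a controller's file system, the `writable_names` list is the inventory of process variables that an unexpected SDO or PDO write could reach, and the `writable_pdo_mapped` count is the subset that can change without any request/response handshake to log.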