Hack Threat: America's Wind Power Vulnerable

For two years, researchers from the University of Tulsa have been exposing vulnerabilities in one of America’s fastest growing power sources, wind turbines. Mostly unsecured, these wind turbines have become an increasingly larger part of America’s energy supply, and with little effort, the researchers were able to penetrate and commandeer their operations. Andy Greenberg writes at WIRED:

The researchers developed three proof-of-concept attacks to demonstrate how hackers could exploit the vulnerable wind farms they infiltrated. One tool they built, called Windshark, simply sent commands to other turbines on the network, disabling them or repeatedly slamming on their brakes to cause wear and damage. Windworm, another piece of malicious software, went further: It used telnet and FTP to spread from one programmable automation controller to another, until it infected all of a wind farm’s computers. A third attack tool, called Windpoison, used a trick called ARP cache poisoning, which exploits how control systems locate and identify components on a network. Windpoison spoofed those addresses to insert itself as a man-in-the-middle in the operators’ communications with the turbines. That would allow hackers to falsify the signals being sent back from the turbines, hiding disruptive attacks from the operators’ systems.

While the Tulsa researchers shut off only a single turbine at a time in their tests, they point out that their methods could easily paralyze an entire wind farm, cutting off as much as hundreds of megawatts of power.

Wind farms produce a relatively smaller amount of energy than their coal or nuclear equivalents, and grid operators expect them to be less reliable, given their dependence on the real-time ebb and flow of wind currents. That means even taking out a full farm may not dramatically impact the grid overall, says Ben Miller, a researcher at the critical-infrastructure security startup Dragos Inc. and a former engineer at the North American Electric Reliability Council.

More concerning than attacks to stop turbines, Miller says, are those intended to damage them. The equipment is designed for lightness and efficiency, and is often fragile as a result. That, along with the high costs of going even temporarily offline, make the vulnerabilities potentially devastating for a wind farm owner. “It would all probably be far more impactful to the operator of the wind farm than it would be to the grid,” Miller says.

Staggs argues that this potential to cause costly downtime for wind farms leaves their owners open to extortion or other kinds of profit-seeking sabotage. “This is just the tip of the iceberg,” he says. “Imagine a ransomware scenario.”

E.J. Smith - Your Survival Guy

E.J. Smith is Founder of YourSurvivalGuy.com, Managing Director at Richard C. Young & Co., Ltd., a Managing Editor of Richardcyoung.com, and Editor-in-Chief of Youngresearch.com. His focus at all times is on preparing clients and readers for “Times Like These.” E.J. graduated from Babson College in Wellesley, Massachusetts, with a B.S. in finance and investments. In 1995, E.J. began his investment career at Fidelity Investments in Boston before joining Richard C. Young & Co., Ltd. in 1998. E.J. has trained at Sig Sauer Academy in Epping, NH. His first drum set was a 5-piece Slingerland with Zildjians. He grew-up worshiping Neil Peart (RIP) of the band Rush, and loves the song Tom Sawyer—the name of his family’s boat, a Grady-White Canyon 306. He grew up in Mattapoisett, MA, an idyllic small town on the water near Cape Cod. He spends time in Newport, RI and Bartlett, NH—both as far away from Wall Street as one could mentally get. The Newport office is on a quiet, tree lined street not far from the harbor and the log cabin in Bartlett, NH, the “Live Free or Die” state, sits on the edge of the White Mountain National Forest. He enjoys spending time in Key West (RIP JB) and Paris. Please get in touch with E.J. at ejsmith@yoursurvivalguy.com To sign up for my free monthly Survive & Thrive letter, click here.