>>Good morning DEF CON. Alright, so if you're here to learn how to break some winds, you're in the right spot this morning, so welcome. So my name is Jason Staggs, I'm a security researcher from the University of Oklahoma in Tulsa, Oklahoma. And this morning I'm going to be sharing some of the findings of that research study that we've been conducting over the past couple of years, an investigation into just how resilient wind farm control networks are to attack.

Alright, so a little about me. Again, I'm a security researcher, I love my job and am interested in all things security. Gave a talk here at DEF CON a couple of years ago on How to Hack Your Mini Cooper. So I really enjoy trying to break things. In fact, most of the time I try to provide people with solutions or ideas on how to fix the things I broke. Sometimes people are willing to listen to these ideas with open arms. But in other cases sometimes people just don't want to listen. And when people just don't want to listen, guess what, bad things tend to happen.

Alright, so out of all the awesome things on this planet we could possibly hack, why in the world would anyone want to hack a wind farm? Great question, let me explain. So, whether we realize this or not, as a country, as a world, as a society as a whole, we are becoming more and more dependent upon renewable energy sources. In fact, one of the more predominant forms of renewable energy right now is wind-based energy. This is true for North America, Asia and in parts of Europe. Alright. And in the United States alone in 2015, nearly 5 percent of all the electricity produced in this country came from wind-based power sources. Now, that may not sound like a whole lot, but according to the Department of Energy they expect that number to climb just north of 20 percent by 2030.
So, this increased reliance on wind energy will draw increased attention from attackers of all shapes and sizes for a number of reasons, ok? And so naturally this raises the question, just how resilient are these control systems to attack? I think it's very interesting that neither the hacker nor the academic communities are really considering this just yet. Now, I know what you're probably thinking. You're probably thinking, well, Jason, isn't this just another insecure, vulnerable ICS system that's easy to attack? And while the answer to that question is most definitely yes, the bigger questions as to what are some of the bigger implications and some of the more sinister things that an attacker can now do with this level of access, those types of questions have not been properly answered and not yet thoroughly considered, in my opinion. And so we'll talk about that in this presentation.

So modern-day wind farms are operated by a series of interconnected SCADA systems, so we have computers and networks in play of various sorts, ok. What's the worst that could happen? Well, in a lot of ways a wind turbine is similar to a car. So, just like a car, a wind turbine has to have its oil changed and braking system and gears and rotors serviced periodically, because there is a failure rate associated with those systems and they have to be serviced. Because if they aren't serviced properly, guess what, bad things will happen. In fact, don't take my word for it. Check out this awesome ten-minute YouTube video whenever you guys get a chance. It basically shows what I'm calling a wind farm engineer's worst nightmare. So, in the video it shows wind turbines failing due to a series of mechanical failures because they weren't properly serviced and maintained. Ok. So in the video it literally shows wind turbines catching on fire or disintegrating into a billion pieces. It's actually quite entertaining to watch.
I recommend watching it. So, I argue that some of these same types of mechanical failures can also be caused, or at least triggered or influenced, by targeting insecure control systems. We'll talk about that. But most importantly, why attack a wind farm? Well, at the end of the day we want to be able to prevent attackers from turning these peaceful systems into either targets of ransomware or worse, into massive burning wastelands.

So, what exactly is a wind farm? Well, fundamentally speaking, all a wind farm is is a power plant that converts wind-based energy into electricity. Alright? Now, remember, wind is a variable power source; it's not always guaranteed to be there. So we have the wind turbines that are used to harvest this energy, which gets converted into electricity, fed into substations, and then the voltage is stepped up and fed into the power grid. Ok, that's a ten-thousand-foot view of how the process works. IEC 61400, this is the set of international specifications that define how wind farms are to be designed, operated and maintained, and sort of the abstract communications requirements between wind farm operators and turbines in the field.

And so, like I said, over the last couple of years me and my research team back home in Tulsa, we've been going all across America doing holistic security assessments on a variety of wind farms from different vendors, different manufacturers, different makes and models. And we've looked at everything from the physical security mechanisms of wind turbines to the actual hardware, software and firmware that runs on the automation control systems. And yes, at times we did have to climb to the very top of these turbines to gain a better understanding of how the controllers and fieldbus protocols worked, and also to get a better understanding of how the different mechanical systems and processes in play worked in the turbine as well.
So, if you are a security researcher or pen tester with any fear of heights, this may not have been the pen test for you to be on.

Alright, so real quick I just want to talk about the anatomy of a wind turbine. So, at the very top of the tower there, that housing is called a nacelle. Inside that nacelle are all of the interesting mechanical components that make a wind turbine a wind turbine. Ok, so things like your rotor system, pitch and yaw motors, braking system, low- and high-speed shafts, gearbox, generators, all that fun stuff. These are the systems that service technicians will service and maintain on a periodic basis, so sometimes these things will fail and have to be replaced. Alright, there's a failure rate associated with them. If you are an attacker whose goal is to damage a wind turbine, these are the types of systems that you're going to be interested in targeting.

Alright, this is sort of a ten-thousand-foot view of the topology of a wind farm, generically speaking, ok. So, we have a command and control center that's used to manage multiple wind farms. Then we have substations at the different field sites. Substations split into two different systems. We have the transmission control system that's used to harvest electricity produced by the turbines, and then they feed that into the power grid. On the opposite side is the operations control network. This is what the operators use to monitor and control turbines in the field. Once we get to the turbines in the field, all these turbines are sort of interconnected via fiber optic links, in most cases. Everything is IP addressable. And everything is on one big, flat network. So there's really no notion of network segmentation between turbines, or at least the automation control systems in a turbine.
So, being able to talk from one automation controller to the other automation controller in different turbines is a thing that can happen, although there's not any operational requirement for this specifically.

Alright, here's a great perspective of the different network protocols in play between the operator and the automation control systems inside of a turbine in the field. So, the operator can use any number of command and control protocols to poll or send commands to the turbine to get it to do different things. Usually this is some flavor of OPC or some IEC-based protocol. Sometimes it's proprietary to the vendor. And then these operators will talk to the automation controllers; these programmable automation controllers are set in the base of the tower, usually. And you can think of these things as being a blend between a traditional PC and a PLC, alright? So, operating-system-wise, these guys can run anything from Windows Embedded, Windows CE, we've seen these guys run Windows 95 in some cases, various flavors of Linux, and real-time operating systems like VxWorks. Ok? Hardware-wise, these boards can be custom designed by the manufacturers of the wind turbine. Other times they'll use off-the-shelf automation control systems and then the vendors will just roll their own software onto them. They also have a fieldbus peripheral on them that's used to talk via CAN bus or Modbus or some kind of fieldbus protocol to other controllers in the top of the turbine that are used to interface with motors, actuators, sensors and all that fun stuff.

Alright, IEC 61400-25, this is the part of the specification that defines how operators are to interface with turbines in the field. So, it defines what type of information the operator should be able to pull from a turbine control system.
And then what types of commands the operator should be able to send to a turbine in the field to get it to put the turbine into different contexts or states. And then what the spec does is it actually maps this functionality back to a handful of protocols listed here, alright? It's important to note that most of these protocols by themselves are inherently insecure.

Alright, so one of the more prevalent protocols that we saw during our research and assessments was the protocol called OPC XML-DA; DA stands for data access. And so the HMI software that's used by the operators will use this protocol to probe the automation control system, the OPC server running on the automation control system, to check on the current status of the turbine and send it commands. And so this protocol is nothing more than a SOAP-based messaging protocol, so we have XML objects going over HTTP. And then if you look at the spec, the spec defines different types of messaging services. So, in the event that the HMI software wishes to poll a turbine, it will send stuff like Read message requests, and then in the event that the HMI software wants to send a command to write to a control variable on the OPC server, it will send a Write message request.

Alright, so here is the general rundown of the vulnerabilities that we were seeing across the board. Now, this wasn't true for every turbine, every wind farm that we looked at, but these were sort of the common themes of the day, if you will. So automation-controller-wise, you know, these guys are running legacy operating systems. We've seen, in most cases, everything running as root. We've got remote network management services like Telnet, FTP, SNMP and all that fun stuff.
Trying to get access to these guys is fairly trivial, and in most cases we've seen, you know, they're just using vendor-provided default creds or easy-to-guess creds. And, oh, by the way, if you know the creds to one of these automation controllers, they're the same across all the rest of the automation controllers in the rest of the wind farm. So, being able to pivot from one automation control system and move laterally is relatively trivial if you know what those are. Like I said before, network segmentation between wind turbines is not really a thing that's happening. All this stuff right here is sort of what we would expect from an ICS system, though. There's really no surprises here, right? But what are some of the interesting physical effects that can be achieved if we start to chain some of these vulnerabilities together?

Alright, so if you take a closer look at the OPC XML-DA specification, it clearly recognizes the fact that it is an insecure protocol. It's not easy to encrypt or anything like that. However, it assumes that the implementer is smart enough to tunnel this protocol over SSL or TLS, ok? And it says if you don't, you know, bad things could potentially happen. And here exactly is the part of the spec that calls this out. Initially the spec says that you probably want to have some form of authentication, or being able to disallow people to just arbitrarily send Read or Write message requests to the OPC server to control control variables. Alright? And apparently the people that have been implementing these particular command and control protocols in wind farms didn't read this portion of the specification either.
So, here is a rundown of some of the items that are polled for by the operator and returned to the operator and displayed on the HMI screen, so things like current wind speed, power production, ambient temperatures, controller statuses, things like that.

Here's where things get a little more interesting. So the types of commands that operators can send to the turbines in the field, this will vary from vendor to vendor, but generally speaking there are commands they can issue to change the maximum power generation of a particular turbine. Or there are commands they can send to put the turbine into a certain operating state or context. So, being able to do things like turn the turbine off or turn it on or put it into an idle state. One of the more interesting states that a wind turbine can be in is something called emergency shutdown mode or state. Ok? And what emergency shutdown is, is in the event that an automation control system or operator detects that there are external factors or conditions that could be damaging to a wind turbine, such as high gusts of wind or maybe a tornado is imminent in the area, it decides that it's more advantageous to the turbine to shut itself off as soon as possible rather than continue to operate, due to the fact that it might be damaged. And so the act of invoking an emergency shutdown is what we call a hard stop. And so, when a hard stop is initiated on a turbine, what happens is the blades on the rotor will flare out and then the mechanical brake of the turbine will actually lock up to bring the turbine to a halting stop as soon as possible. And this is not a graceful shutdown at all, believe me. So, when this happens we actually noticed that this will put excessive wear and tear on critical mechanical components inside the nacelle. So, things like the gears and the rotors and the braking system and all that. Alright?
Also, the physical integrity of the structure of the tower and the rotor system is affected by this. And there's been plenty of research that's been done over the years to back up those claims. One side note: if you're ever doing testing or an assessment on a wind farm, and you're working with a group of wind farm engineers, and you attempt to invoke a wind turbine into a hard stop more than zero times, they tend to get very, very grumpy with you.

Alright, let's talk about some of the network attack tools that we developed for this stuff. So, Windshark is a network-based attack tool designed to target automation controllers on the wind farm network. So, the way it works is Windshark is designed to hijack control of wind turbines or to damage them. And how it works is Windshark will actually go out and scan for the IP addresses of automation control systems running certain versions of OPC or control services that we care about. Then it will return a list of those IP addresses to the attacker; the attacker can then select which IPs he wishes to spoof commands or send commands to, to put the turbine into a funky state or do something with it. And so by doing this we can actually hijack control of some turbines. Now, this isn't true for every turbine, as you know various processes will vary from vendor to vendor and make and model. So when we do this, though, the operator can still poll those turbines and see that, hey, something funky's happening; somebody's messing with our turbines. So we still have that problem to deal with. Another interesting mode that Windshark has is something I'm calling the hard stop of death attack mode. And the way this works is the Windshark tool will force the turbine to hard stop, and then it will wait for the turbine to recover and then force it to hard stop again.
And it will do this process over and over and over again until either the attacker is removed from the network or execution of our program is halted. So when we're doing this we are introducing premature wear and tear on critical mechanical components, meaning we are damaging turbines.

Alright, the next step up from this is a tool that we wrote called Windpoison. So, Windpoison is a man-in-the-middle tool that runs on a Raspberry Pi, and basically all we do is the old ARP cache poisoning trick to poison the ARP cache tables of the automation control systems of the turbine and the operator's workstation. And so, when we do this, we can now be selective as to which commands the operator can send to the turbines, if any at all, so we can do things like drop those requests. And then we can do stuff like fabricating the polling responses back to the operator. So we can do stuff like, you know, turning off all the turbines in the wind farm or invoking the hard stop of death attack against all the wind turbines in the wind farm and then lying about the current status of those turbines to the operator.

So, these particular tools were designed to target the IEC 61400-25-based protocol stacks and network services. We had to do some light command and control protocol reverse engineering to figure out what the particular values were, of the protocols, that put a wind turbine in a certain context. We put everything on a Raspberry Pi and tied it all together with Python, used some bash scripts. We used the Scapy and nmap Python libraries for packet fabrication and port scanning. And then we did some iptables too, for dropping and forwarding packets across interfaces as needed.

Let's take this a step further, though. So, Windworm is a proof of concept that we developed in the lab designed to go after automation controllers that are configured in an insecure fashion.
So, what we do is we leverage the fact that all these automation controllers use the same creds and that we know what those creds are. So, like I said before, most of the time these are vendor-provided creds or easy-to-guess creds. So we assume we know what those are. We also take advantage of the fact these guys are running things like FTP and Telnet, and what we do is we will actually copy ourselves via FTP and invoke execution via Telnet. And we repeat this process over and over again until we're actually executing on all the automation controllers in the wind farm. Once we have execution on the automation controllers, we will interface with the fieldbus peripheral on the automation control system to talk to other controllers in the wind turbine that are more interesting to us. So things like the power controller or the motor controller. Alright? And what we can do then is we can inject our own fieldbus commands to do interesting things.

So, one of the more common protocols that we saw in our assessment was a protocol called CANopen. And so the way CANopen works is every controller has something called an object dictionary, which is very similar to registers in Modbus. So it contains controller configuration or process control information. And these controllers will use this interface to sort of exchange information with each other or update process control variables. And so the trick here is figuring out what the mapping of this CANopen object dictionary is for a particular controller. And so, if you know what this is, you can actually, you know, do things like overwriting critical process control variables to put the controller into an interesting state, to affect the hardware that it controls. And so, lucky for us, the CANopen specification defines something called electronic data sheets that define how these controllers are laid out and mapped out.
So, it defines the literal variable name for an item in the object dictionary, what its index is, sub-index, what data type it is, whether you can just read or write to it. So, that sort of thing. And these are usually stored on the file systems of these programmable automation controllers in a clear-text file, so we can just read these and know what those mappings are. And basically you just repeat this process over and over again until you do the bad things you want to do to the turbine.

Let's take this to another level. So, what if we wanted to ransomware a wind farm? How exactly would this work? So, I'm not talking about encrypting anything here, I'm talking about being able to paralyze wind farm operations in such a way that the electric utility is no longer able to produce electricity, at least until a ransom is paid in something like maybe Bitcoin. But how exactly would this work? This is exactly how an attacker would go about ransomwaring a wind farm for Bitcoin. And so, the idea here is the attacker only needs physical access to a single turbine in a wind farm. Ok? At that point the attacker would introduce his propagating malware, very similar to the Windworm that we just described. That malware, once it was executing, would place the turbine into a paralyzing state, meaning that it would just chill the turbine down. It would then disable all remote network management services. Ok? So goodbye Telnet, goodbye FTP. Then it will start up its own TCP network service that would just wait there for the ransomware key to be delivered to it. At this point you, the attacker, have gained control over the wind farm. And what you would do is you would send a ransom note to the electric utility saying, hey, congratulations, I now have complete control over your wind turbine assets. If you'd like to have them back in a timely fashion, please send me $10,000 in Bitcoin to this address.
If the company decides to play ball, it says ok, fine, whatever, we want our wind farm back, that's fine. The attacker would then provide the key, and then they would use that key to unlock the wind farm. And everybody's happy. However, in the event that the company decides not to pay the ransom, that malware could have some logic built into it in such a way that says, ok, if I have not received my ransom key within, you know, an hour, I'm going to go ahead and invoke the hard stop of death attack against myself every hour until I receive this ransom key. So, now we have the problem of not only is the electric utility losing a lot of money because they're not able to produce electricity, but now we have this interesting paradigm where the attacker's able to introduce damage to the turbines with this ransomware. Very interesting.

What would be the financial impact due to wind farm downtime, though? So, if we take, for instance, a 250 megawatt wind farm that's been infected with this ransomware, ok? And we assume that electricity is 12 cents per kilowatt-hour on the national average. And we assume worst case a capacity factor of 35%, and then a best case of 100% for the wind farm. The company's going to lose out on anywhere from $10,000 to $30,000 per hour of downtime. That's a lot of money, folks.

So, what would you even do about this; how would you even begin to recover from something like this? I think there's different perspectives on this depending upon who you are. But, you know, one thing you could do is you could reimage the automation controller file systems. So sometimes this resides on a multimedia card like a CompactFlash or SD card. You could just reimage that way. In other cases, not so trivial, because that file system resides on a flash chip that is soldered onto the board, physically. Alright? So, good luck trying to do that in a timely manner.
And in the meantime, while you're trying to figure out what to do, you the operator are losing out on your ability to produce electricity. Which means you're losing money.

Alright, so, in conclusion, wind farm control networks are extremely susceptible to attack. Again, this is just the tip of the iceberg based on some of the research that we've done. My advice to anybody with wind farm assets is to be proactive. Don't wait on vendors to provide security. Verify vendors' claims on security, so if they're promising you encrypted command and control between operators and the turbines, verify those claims. And, lastly, retrofit security is needed. One thing that people could do to prevent all the attacks I just described is to introduce some sort of network segmentation between turbines and the substations. The other thing you could do is encrypt all your traffic between turbines and the substations, so that in the event that one turbine was compromised, that one compromised automation control system wouldn't be able to take down the rest of the turbines in the wind farm. And with that I am out of time, so if you have any questions, comments, or crazy ideas, I'll be around, come find me. If not, thank you all very much.
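The talk describes OPC XML-DA Write requests arriving in the clear on a flat network, with nothing stopping any host from writing control variables, and a "hard stop of death" pattern of repeated emergency-shutdown commands. The following is an added detection example written for this transcript; it is not code from the talk or from the Windshark/Windpoison/Windworm tools. It parses captured OPC XML-DA SOAP bodies and raises alerts for two things an operator's monitoring could watch for: Write requests from any host other than the known HMI workstation, and repeated hard-stop writes to the same controller within a time window. The SOAP and OPC XML-DA 1.0 namespaces are the published ones, but the item names (Turbine.Control.EmergencyStop, Turbine.Control.MaxPower), the host addresses, the timestamps and the window/threshold values are all constructed for the example and would need to be taken from the real deployment's tag list and asset inventory.

```python
"""Defender-side detection over captured OPC XML-DA Write traffic (added example).

All item names, addresses, timestamps and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Published namespaces: SOAP 1.1 envelope and OPC XML-DA 1.0 (assumed to match the wire format)
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
OPC_NS = "http://opcfoundation.org/webservices/XMLDA/1.0/"

# Constructed policy: only the operator HMI may write; this tag name is hypothetical
ALLOWED_WRITERS = {"10.10.0.5"}
HARD_STOP_ITEMS = {"Turbine.Control.EmergencyStop"}
REPEAT_WINDOW = timedelta(minutes=30)   # hard stops to one controller within this window...
REPEAT_THRESHOLD = 3                    # ...trigger a "repeated hard-stop" alert


def parse_write_items(body: str):
    """Return [(item_name, value)] for an OPC XML-DA Write envelope; [] for Read or other messages."""
    root = ET.fromstring(body)
    write = root.find(f".//{{{OPC_NS}}}Write")
    if write is None:
        return []
    items = []
    for it in write.iter(f"{{{OPC_NS}}}Items"):
        value = it.find(f"{{{OPC_NS}}}Value")
        text = (value.text or "").strip() if value is not None else ""
        items.append((it.get("ItemName", ""), text))
    return items


def detect(records):
    """records: iterable of (timestamp_iso, src_ip, dst_ip, soap_body). Returns a list of alert strings."""
    alerts = []
    stop_times = defaultdict(list)  # dst_ip -> timestamps of hard-stop writes still inside the window
    for ts, src, dst, body in records:
        t = datetime.fromisoformat(ts)
        for name, value in parse_write_items(body):
            # Rule 1: on a flat network every host can reach the OPC server; only the HMI should write
            if src not in ALLOWED_WRITERS:
                alerts.append(f"{ts} unauthorized Write of {name} from {src} to {dst}")
            # Rule 2: repeated emergency shutdowns of one controller is the hard-stop-of-death pattern
            if name in HARD_STOP_ITEMS and value.lower() in {"true", "1"}:
                recent = [x for x in stop_times[dst] if t - x <= REPEAT_WINDOW] + [t]
                stop_times[dst] = recent
                if len(recent) >= REPEAT_THRESHOLD:
                    alerts.append(f"{ts} repeated hard-stop writes to {dst}: {len(recent)} within window")
    return alerts


# --- constructed sample traffic -------------------------------------------------------------
def soap_envelope(inner: str) -> str:
    return f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{inner}</soap:Body></soap:Envelope>'


def write_request(item: str, value: str) -> str:
    return soap_envelope(
        f'<Write xmlns="{OPC_NS}"><ItemList><Items ItemName="{item}">'
        f"<Value>{value}</Value></Items></ItemList></Write>"
    )


def read_request(item: str) -> str:
    return soap_envelope(f'<Read xmlns="{OPC_NS}"><ItemList><Items ItemName="{item}"/></ItemList></Read>')


SAMPLE_TRAFFIC = [  # (timestamp, src, dst, body); 10.10.0.5 is the HMI, 10.10.0.77 is an unexpected host
    ("2024-01-01T09:00:00", "10.10.0.5", "10.10.1.21", read_request("Turbine.Status.WindSpeed")),
    ("2024-01-01T09:00:05", "10.10.0.5", "10.10.1.21", write_request("Turbine.Control.MaxPower", "1500")),
    ("2024-01-01T09:01:00", "10.10.0.77", "10.10.1.21", write_request("Turbine.Control.EmergencyStop", "true")),
    ("2024-01-01T09:11:00", "10.10.0.77", "10.10.1.21", write_request("Turbine.Control.EmergencyStop", "true")),
    ("2024-01-01T09:21:00", "10.10.0.77", "10.10.1.21", write_request("Turbine.Control.EmergencyStop", "true")),
]


def run_sample():
    """Run the detector over the constructed capture; returns the alert list (4 alerts expected)."""
    return detect(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The two rules are deliberately simple so that they can sit on a network tap or in the HMI's own request log; in a real deployment the allowed-writer set comes from the asset inventory and the hard-stop item name from the vendor's tag list, and both rules only help if the OPC XML-DA traffic is visible, which is one more reason the talk's advice to segment and encrypt the turbine-to-substation links matters.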