Hacking wind turbines — explained.
In Europe we are seeing a tremendous rise in wind farms, which is good, because wind is a sustainable source of energy. What worries me is how well they are secured. Or, let me rephrase that: what worries me is that we use ancient, outdated technology and software in the systems that provide our daily energy.
In April 2022 it hit the news that a large wind turbine manufacturer was hacked and had switched off its IT systems in multiple locations. Ransomware hit the manufacturer and brought it to a standstill. In November 2021 another manufacturer was compromised by a ransomware attack; they were able to recover from it within 3 weeks. As far as we know, those hacks only hit the IT systems of the manufacturers, not the actual wind farms themselves.
In March 2022 an operator of wind farms was hacked and lost contact with 5800 wind turbines that were connected via a satellite link. By mid-April they had restored contact with 95% of the turbines. This was a real hack affecting actual wind turbines, and it caused some issues. The following was stated on their website:
Since no SCADA monitoring is taking place for the wind energy converters which are offline due to the disruption, operators and owners should report irregularities and faults directly to their Service points of contact and other involved stakeholders or via their operating control.
How secure are wind turbines and/or farms?
I won’t disclose which manufacturers/vendors I’m talking about, but I’ll give details about the operating system and software they run. All information is freely available on the internet. My sole goal here is to show that we need to have proper cyber security in place, that we need to update the software, and that we should really question the need ‘to be connected’ to the (public) internet. I never controlled or harmed any device in my research. What I disclose is nothing new; it’s just another reminder, in these times of geopolitical difficulties, that we need to secure our grid.
The turbine is connected to the internet
What surprised me the most is that those wind turbines (or complete farms) are connected to the open internet. You can access them directly via an IP address and they present a website/interface. You do, however, need a username and password to actually control them, so it looks secure.
When I was searching Google for more information about a specific vendor, I accidentally found a few wind farms that I could connect to. Using a more sophisticated search on Shodan (a search engine for internet-connected devices), I was able to find even more connected turbines and farms.
The largest farm I found was a farm with 22 turbines connected to one controller that was accessible via the internet.
Another one, a single turbine of 20 MW, has produced over 517,000 MWh of energy in 10 years. That’s 4300 MWh per month, or roughly 140 MWh per day. That’s quite substantial, taking all factors into account.
I was able to find 135 controllers from one vendor, each controlling anywhere from 1 turbine to 22 turbines as mentioned before, that are connected directly to the internet and can be accessed.
The software that runs on the turbine controller
What frightened me is that those controllers run Windows 2000. Yes, you read that correctly: 22-year-old software. Support and security updates for Windows 2000 ended on 13 July 2010.
On July 13th, 2010, these products will no longer be eligible for regular support and free access to security updates
That means that if there are vulnerabilities, they won’t be patched. And there surely are!
Besides that, the software that serves the website and interfaces dates from 1999–2002. That’s 20 years old! A quick search for CVEs (Common Vulnerabilities and Exposures) reveals multiple vulnerabilities reported since then: directory traversal, cross-site scripting, information disclosure, injection and a denial-of-service vulnerability.
The ports that are open and services that are running
A quick service scan of the IP address reveals that it runs multiple services and has multiple open ports.
Discovered open port 443/tcp
Discovered open port 80/tcp
Discovered open port 110/tcp
Discovered open port 143/tcp
Discovered open port 5900/tcp
Discovered open port 1433/tcp
Discovered open port 8443/tcp
Discovered open port 1031/tcp
Discovered open port 5800/tcp
Discovered open port 1026/tcp
The running services are:
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open ssl/http
1026/tcp open msrpc Microsoft Windows RPC
1031/tcp open java-rmi Java RMI
1433/tcp open ms-sql-s Microsoft SQL Server 2000
5800/tcp open vnc-http RealVNC 4.0
5900/tcp open vnc VNC (protocol 3.8)
8443/tcp open ssl/https-alt
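To turn a scan like the one above into an actionable exposure report, here is an added example (not from the original post or the vendor) that parses these service lines and rates each open port against a simple policy: remote-control, RPC and database services should never be internet-reachable, the operator web interface belongs behind a VPN, and banners of known-legacy versions such as RealVNC 4.0 are flagged. The policy sets and the LEGACY list are assumptions for this example, and the sample input is the scan output quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the nmap-style service lines quoted above, copied verbatim.
SCAN_OUTPUT = """\
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open ssl/http
1026/tcp open msrpc Microsoft Windows RPC
1031/tcp open java-rmi Java RMI
1433/tcp open ms-sql-s Microsoft SQL Server 2000
5800/tcp open vnc-http RealVNC 4.0
5900/tcp open vnc VNC (protocol 3.8)
8443/tcp open ssl/https-alt
"""
# Exposure policy (an assumption for this example, not a vendor or regulatory standard):
# remote control, RPC and database services must never face the internet; the operator
# web interface is acceptable only behind a VPN; anything else is unexpected on a controller.
NEVER_EXPOSE = {"vnc", "vnc-http", "ms-sql-s", "msrpc", "java-rmi"}
VPN_ONLY = {"http", "ssl/http", "ssl/https-alt"}
# Banner fragments of product versions that no longer receive security updates (assumed curated list).
LEGACY = ("RealVNC 4.0", "SQL Server 2000")
LINE_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)(?:\s+(.*))?$")

@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    banner: str
    severity: str  # "critical", "high" or "info"
    reason: str

def triage(scan_text: str) -> list[Finding]:
    """Parse service lines and rate each open port against the exposure policy."""
    findings = []
    for line in scan_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or unrecognised lines rather than abort the report
        port, svc, banner = int(m[1]), m[2], (m[3] or "").strip()
        if svc in NEVER_EXPOSE:
            sev, why = "critical", "remote-control or data protocol reachable from the internet"
        elif svc in VPN_ONLY:
            sev, why = "high", "operator interface should be reachable over VPN only"
        else:
            sev, why = "info", "unexpected service on a controller; confirm it is needed"
        if any(tag in banner for tag in LEGACY):
            why += "; legacy version no longer receiving security updates"
        findings.append(Finding(port, svc, banner, sev, why))
    rank = {"critical": 0, "high": 1, "info": 2}  # worst first, then by port number
    return sorted(findings, key=lambda f: (rank[f.severity], f.port))
```

Running `triage(SCAN_OUTPUT)` on the quoted scan yields five critical findings (VNC, MS-SQL, RPC and RMI), three high ones (the web interfaces) and two unexpected mail services.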
The vulnerabilities
Where do I start pointing out the vulnerabilities? Most of the software is from 2002 or 2004. It has tons of vulnerabilities, but let me pick one that really blew my mind.
RealVNC 4.0
RealVNC is a tool for remotely controlling and taking over a computer: you basically control the mouse and keyboard, but remotely. It comes in handy when you have to control the system from time to time, but physically going to the actual computer is a hassle.
RealVNC version 4.0 was released in 2004. That’s 18 years ago! Eighteen. A quick search of the CVE database shows that in 2009 a bug was reported for this specific version. A CVE has a score, a number that shows how serious the bug or vulnerability is. It is a number between 0 and 10.
The issue found with RealVNC 4.0 has a score of 10. This basically means it’s as bad as it can be. It can’t be worse.
The CMsgReader::readRect function in the VNC Viewer component in RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0 through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote VNC servers to execute arbitrary code via crafted RFB protocol data, related to “encoding type.”
What can be controlled via the interface of the controller of the turbine?
According to the documentation and manuals that can be found on the internet, you can do a lot of things via the interface. Obviously you can read out data, but you can also control the device. You can control the yaw motor, which means you can turn the turbine into a direction where no wind hits it and thus there is no production. You can start, stop or reset the turbine. It simply gives you full control over the device.
The impact of a hack of a large wind farm
A hack of a single turbine or of a complete farm can have both economic and technical impact.
Economically
Obviously, if a turbine doesn’t run, it doesn’t produce energy and doesn’t make money. So for the owner the impact is economic.
Technically
Technically it can do more harm: if you stop a turbine, or several, a lot of electricity production is switched off at once. Depending on the number of megawatts involved, this might affect the grid frequency and thereby grid stability. Let’s do a quick calculation.
For Continental Europe, the EU regulation establishing a guideline on electricity transmission system operation states:
The reserve capacity for FCR required for the synchronous area shall cover at least the reference incident and, for the CE and Nordic synchronous areas, the results of the probabilistic dimensioning approach for FCR carried out pursuant to point;
(b) the size of the reference incident shall be determined in accordance with the following conditions:
(i) for the CE synchronous area, the reference incident shall be 3 000 MW in positive direction and 3 000 MW in negative direction;
This means that for Continental Europe a disruptive change of 3000 MW (3 GW) can be dealt with. If it’s more than 3 GW, it could destabilize the grid.
According to WindEurope, Europe now has 236 GW of wind capacity. This means that if only 1.27% of the current total wind production capacity can be abusively controlled, you already have the 3 GW that could potentially destabilize the European grid. WindEurope expects Europe to install another 116 GW of new wind farms over the period 2022–2026.
The cyber security of those turbines and farms is of utmost importance for the European electricity grid. Bad security in multiple (larger) farms can lead to serious issues with the grid when they are compromised.
What can we learn from this?
Updates — How long should a controller of a wind turbine be updated?
The life expectancy of wind turbines is around 25 years. This means that the software running on those devices should also be maintained for at least 25 years.
This includes patches, software updates and upgrades, and potentially also hardware upgrades to support the latest software and cryptographic algorithms and protocols. This will come with extra costs, but will make for a more secure and reliable system.
Having a process in place to monitor vulnerabilities and updates is of key importance here.
Connectivity — and the need for it
The main question when looking at the wind turbines and farms that are accessible via the internet right now is: Why on earth are they connected to the internet in that way?
I can see that connectivity can and will be necessary for gathering information about production, controlling the turbine and curtailment. However, the turbines should not have a public IP address and should not be reachable from the internet. They should be controlled through a VPN or similar, not exposed on the open internet.
Other vendors and turbines
In this specific case we focused on a single vendor and tried to gather as much information about the device as possible. So this doesn’t necessarily mean that other vendors are also vulnerable, not at all. For some controllers and vendors I wasn’t able to find a single device connected to the internet; it seems they have their security at a higher level.
Command and control centers
New turbines and farms are probably controlled from a command and control center, which connects to them securely over a VPN. That’s of course far better than this, but it also adds another attack vector and a possible single point of failure: the command and control center itself. If that can be reached via the internet, you have direct access to the full system. This means the cyber security is only as strong as the weakest link. The full chain, from turbine to control center, should be secured, monitored, updated and pentested.
Cyber security isn’t something you can add later; it should be part of the design and production process and of the whole life cycle of the device. It’s not a feature you can bolt on afterwards, and it’s not a nice-to-have. The full chain should be secured, and it should be secure by default.