Not all reports of cyber incidents are real. Sometimes they turn out to be a hoax.
That is what happened this past Saturday around 11 a.m. EDT when the Repository for Industrial Security Incidents (RISI) received the following email:
Subject: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED
Message: Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL) … ain’t nothing you can do with it, since NM electricity is turned off !!! In some days this people will know about FLP SCADA security, here is it for you …. Secure SCADA better! Leaked files are attached
With that email message the person attached eight image files of various HMI screens, a Windows Explorer view of computer files and what appear to be views of a maintenance management/work order system. Also attached was a dump of the configuration from a Cisco router with addresses that are part of the Florida Power and Light assigned address space.
The same email was also sent to the seclists.org/fulldisclosure list, so you can view the files.
Since it appeared that the writer was referring to FPL’s New Mexico Wind Energy Center, John Cusimano, the Director of RISI, immediately contacted the ICS-CERT and the New Mexico CERT with the information. The CISO of FPL subsequently contacted Cusimano Sunday morning, informing him the whole event was a hoax.
In investigating this further, most, if not all of the incident was a hoax and an attempt to embarrass FPL, said Eric Byres, chief technology officer at Byres Security. You can tell it was a hoax because the HMI screen shots clearly appear to be samples from a vendor or a student experiment, not real HMI screens from a system the size of the PNM Wind Energy facility.
They also show a SINAMIC 120, which is a drive controller from Siemens and not something one would associate with a wind farm. One final clue is the idea the alarm text in the HMI shots are in German, not the usual language for a facility in New Mexico.
As for the maintenance management/work order system screen shots, these all appear to be from September 2009 from an unrelated FPL facility located in Seabrook Station in New Hampshire.
The router ACLs and the Windows Explorer view of the computer files are the only potentially convincing items in the collection. They did confirm the IP addresses were FPL’s in New Mexico.
For a more complete report, click here for Byres’ report.