Archive

Archive for April, 2011

Florida Power and Light (FPL): – Sharing SCADA Secrets

April 18, 2011 Leave a comment

***Update***

There has been some news that in this incident the alleged insider has faked some aspects / manipulated some screen shots to embarrass his former employers ” FPL”
Sources: Here

***End of Update***

On April 16th (15:43 GMT) I received the following email from (bgr_24423 AT Yahoo.com) :

Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL)
… ain’t nothing they can do with it, since NM electricity is turned off !!! In some days people will know about FLP SCADA security, you are one of the first …

The email was long and contained all the details that proves that this guy had hacked the system, he even posted the complete Configuration file from the central Cisco Router and Security Device Manager. along with the passwords.

To spice things up he included 8 URLs with screen shots to proof his point. (Image URLs below).

1) http://img838.imageshack.us/i/49986845.png/
2) http://img718.imageshack.us/i/24380855.png/
3) http://img24.imageshack.us/i/58868342.png/
4) http://img228.imageshack.us/i/85258364.png/
5) http://img163.imageshack.us/i/90736853.png/
6) http://img217.imageshack.us/i/55439027.png/
7) http://img40.imageshack.us/i/87526089.png/
8 ) http://img864.imageshack.us/i/94061747.png/

I immediately checked those image URLS but I found that they had (Zero Views) at the time….now its different.

Seeing that I am the first one to see the images, I had my doubts that it might be a fake email so i did some googling to make sure that its a real incident. to my surprise all my checks worked out.

Even the email header looked fine and it showed that the email was sent from outside the US…from Germany to be precise, which is only logical for an email of such nature. “go as far as possible from the crime scene is usually the international best practice”…or at least show that you are as far as possible.

The email header here :

FPL Email Header

FPL Email Header

At this point I decided to report everything to ICS-CERT. But now that the news is already everywhere I can publicly comment on the incident.

My Comments:

– I would assume that, he sent this email to some of the known and trusted SCADA security blogs out there, but the good thing is that none shared it publicly. “or at least thats my understanding”.
– He took the next step and shared it on the full disclosure mailing list – and then it was out of control.
– People tend to overlook the sensitivity of corporate or confidential information, once things turn personal.
– In few minutes Blogs and mailing lists around the globe had information about another country’s national Critical Infrastructure. It’s striking that what was once considered a secret that people or nations pay and recruit spies to get, is now free.
– Any lazy, couch potato spy can just sign up for a dozen of those mailing lists and he would do just fine.
– For how long would this information remain useful is FPL problem now.
– People will start discussing the configuration details this guy posted, and how insecure was their VLAN configurations…etc, but the question is how easy is it for an employee to have access to all this information.
– The router configuration file headers have the login banner of **Bellsouth** , Why ?
– Insider threat is the REAL deal, not anything else.

It’s worth mentioning that FPL made the headlines for the wrong reasons several times over the past 3 years, and they were fined by NERC more than once before, here is a quick account of the fines:

– March 31st 2009, A fine for 250,000 USD (NERC Notice of Penalty – HERE)
– March 5th 2010, A fine for 350,000 USD (FERC Penalty Notice)
– October 8th 2009, A fine for 25 Million USD (2008 Blackout settlement)
– April 2006, A fine for 130,000 USD for Sleeping guards (News)

Further more back in December 2009, Burns and McDonnel consultancy firm completed a cyber security assessment project where they handed recommendations to make FPL in compliance with NERC…This must be one useful report.

Burns & McDonnell has provided security assessments for Florida Power and Light (FPL), evaluating sites that have been considered critical assets under North American Electrical Reliability Corp. (NERC) standards for Critical Infrastructure Protection (CIP). Burns & McDonnell has made recommendations to ensure FPL is prepared to meet or exceed the NERC CIP guidelines in both physical and cyber security. These audits have included site visits and capturing system configurations to determine the current state of the security protections in place.

Source : Burns and McDonnell