One day after a hacker posted screen shots and data to a hacking mailing list, saying he had broken into a New Mexico wind turbine facility, the company that runs the turbines says it has seen no evidence of a computer intrusion.
The hacker, who calls himself Bigr R, made the claims Saturday, posting screenshots of the facility's management interface, screenshots of an FTP server and project management system, as well as Web server info and configuration data from a Cisco router.
But NextEra Energy Resources, the company that manages the 200 megawatt Fort Sumner wind facility, says there's no evidence that it's been hacked. "We have investigated the claims of a potential computer hacking and found that the information provided as proof of hacking is largely publicly available information, which by itself would not be adequate to launch a successful attack against the named SCADA system or wind site," said Steve Stengel, a company spokesman. "We have not seen any evidence of a breach."
SCADA or supervisory control and data acquisition computer systems are used to manage industrial production at places such as factories, chemical companies and utilities.
Stengel did not say exactly what information that the hacker posted had previously been made public and what was not.
PNM, he New Mexico utility company that uses the plant's energy said Sunday that it knew of no incidents affecting the company's Fort Sumner facility.
In an email interview with the IDG News Service, Bigr R, said he was a former employee of NextEra's parent company, Florida Power & Light. He said he used a bug in the Cisco Security Device Manager software used by NextEra to break into the site. "They gave to it public IP, so it was easy to hack into it through the Web," he said. "They used default passwords, which I got from one of administrators. Then I obtained level 15 priv. (superuser), and understood the topology of SCADA networks. Then it was easily to detect SCADA and turn it off."
Security experts contacted Sunday said that it wasn't possible to tell whether Bigr R's claims were true. It's also not clear that he ever really worked for Florida Power & Light, said Wesley McGrew, an industrial systems security researcher with McGrew Security. "It's just really difficult to establish what's going on either way," he said.
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com