Researchers Found They Could Hack Entire Wind Farms


On a sunny day last summer, in the middle of a vast cornfield somewhere in the large, windy middle of America, two researchers from the University of Tulsa stepped into an oven-hot, elevator-sized chamber within the base of a 300-foot-tall wind turbine. They’d picked the simple pin-and-tumbler lock on the turbine’s metal door in less than a minute and opened the unsecured server closet inside.
Jason Staggs, a tall 28-year-old Oklahoman, quickly unplugged a network cable and inserted it into a Raspberry Pi minicomputer, the size of a deck of cards, that had been fitted with a Wi-Fi antenna. He switched on the Pi and attached another Ethernet cable from the minicomputer into an open port on a programmable automation controller, a microwave-sized computer that controlled the turbine. The two men then closed the door behind them and walked back to the white van they’d driven down a gravel path that ran through the field.
Staggs sat in the front seat and opened a MacBook Pro while the researchers looked up at the towering machine. Like the dozens of other turbines in the field, its white blades—each longer than a wing of a Boeing 747—turned hypnotically. Staggs typed into his laptop's command line and soon saw a list of IP addresses representing every networked turbine in the field. A few minutes later he typed another command, and the hackers watched as the single turbine above them emitted a muted screech like the brakes of an aging 18-wheel truck, slowed, and came to a stop.

'We Were Shocked'

For the past two years, Staggs and his fellow researchers at the University of Tulsa have been systematically hacking wind farms around the United States to demonstrate the little-known digital vulnerabilities of an increasingly popular form of American energy production. With the permission of wind energy companies, they’ve performed penetration tests on five different wind farms across the central US and West Coast that use the hardware of five wind power equipment manufacturers.
As part of the agreement that legally allowed them to access those facilities, the researchers say they can't name the wind farms’ owners, the locations they tested, or the companies that built the turbines and other hardware they attacked. But in interviews with WIRED and a presentation they plan to give at the Black Hat security conference next month, they're detailing the security vulnerabilities they uncovered. By physically accessing the internals of the turbines themselves—which often stood virtually unprotected in the middle of open fields—and planting $45 in commodity computing equipment, the researchers carried out an extended menu of attacks on not only the individual wind turbine they'd broken into but all of the others connected to it on the same wind farm's network. The results included paralyzing turbines, suddenly triggering their brakes to potentially damage them, and even relaying false feedback to their operators to prevent the sabotage from being detected.
“When we started poking around, we were shocked. A simple tumbler lock was all that stood between us and the wind farm control network,” says Staggs. “Once you have access to one of the turbines, it’s game over.”
In their attacks, the Tulsa researchers exploited an overarching security issue in the wind farms they infiltrated: While the turbines and control systems had limited or no connections to the internet, they also lacked almost any authentication or segmentation that would prevent a computer within the same network from sending valid commands. Two of the five facilities encrypted the connections from the operators’ computers to the wind turbines, making those communications far harder to spoof. But in every case the researchers could nonetheless send commands to the entire network of turbines by planting their radio-controlled Raspberry Pi in the server closet of just one of the machines in the field.
“They don’t take into consideration that someone can just pick a lock and plug in a Raspberry Pi,” Staggs says. The turbines they broke into were protected only by easily picked standard five-pin locks, or by padlocks that took seconds to remove with a pair of bolt cutters. And while the Tulsa researchers tested connecting to their minicomputers via Wi-Fi from as far as fifty feet away, they note they could have just as easily used another radio protocol, like GSM, to launch attacks from hundreds or thousands of miles away.
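One defensive check that follows from the flat, unauthenticated control network described above, written here as an added example and not code from the researchers or the article: compare the MAC addresses a farm switch has learned against an inventory of which controller belongs behind each turbine's port, so a device planted inline in one tower, or a controller suddenly answering from the wrong port, gets flagged for a site visit. Port names, MAC addresses and the table format are all constructed for the example.

```python
"""Rogue-device check for a flat turbine control network (constructed example).

The inventory lists the one controller MAC expected behind each turbine's
switch port. Anything else learned on the switch is a finding.
"""
from dataclasses import dataclass

# Constructed inventory: switch port -> expected automation-controller MAC.
APPROVED = {
    "Gi1/0/1": "00:1b:1b:aa:00:01",  # turbine 1 controller (hypothetical)
    "Gi1/0/2": "00:1b:1b:aa:00:02",  # turbine 2 controller (hypothetical)
    "Gi1/0/3": "00:1b:1b:aa:00:03",  # turbine 3 controller (hypothetical)
}

# Constructed MAC-address-table dump: "<port> <mac> <type>", one entry per line.
MAC_TABLE = """\
Gi1/0/1 00:1b:1b:aa:00:01 dynamic
Gi1/0/2 00:1b:1b:aa:00:02 dynamic
Gi1/0/2 02:00:00:de:ad:01 dynamic
Gi1/0/3 00:1b:1b:aa:00:03 dynamic
Gi1/0/4 00:1b:1b:aa:00:03 dynamic
"""


@dataclass(frozen=True)
class Finding:
    port: str
    mac: str
    reason: str


def parse_mac_table(text):
    """Yield (port, mac) pairs from the dump, normalising MAC case."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1].lower()


def classify(approved, port, mac):
    """Return a reason string if this learned address is not what the inventory expects."""
    expected = approved.get(port)
    if expected == mac:
        return None  # the controller we expect, where we expect it
    if mac in approved.values():
        return "inventoried controller MAC learned on the wrong port"
    if expected is None:
        return "unknown device on a port with no inventoried controller"
    return "unknown device sharing a controller's port"  # e.g. something planted inline


def find_rogue_devices(approved, entries):
    """Run the classifier over every learned address and collect the findings in order."""
    return [Finding(p, m, r) for p, m in entries if (r := classify(approved, p, m))]
```

Running `find_rogue_devices(APPROVED, parse_mac_table(MAC_TABLE))` on the constructed dump reports the extra address sharing turbine 2's port and turbine 3's controller MAC appearing on an unlisted port, leaving the three expected controllers silent.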