Monday, September 11th, 2017

Wind turbines are a visible sign of the energy demand in Germany, and German manufacturers are regarded as successful examples of modern industrial policy. Unfortunately, this does not mean that the professional-looking systems meet current IT security requirements. Through monthly research, Internetwache.org and Golem.de have found that many plants are vulnerable through numerous weaknesses, and that awareness of IT security is not particularly pronounced either at the manufacturer or, apparently, among the operators. Moreover, responsibility is evidently spread in a way that makes a clear allocation of responsibility more difficult.

As an example, we document the problems with equipment from the manufacturer Nordex, which we also contacted about the weaknesses we found. Even simple Google searches retrieve detailed information about wind parks, and many devices use the same security certificate. So whoever compromises one plant could take over many others. An attacker does not even have to go to this effort, because on many systems communication with the web interface is unencrypted by default.
The software on the systems is also not up to date, and consumer routers with inadequate security are often used to connect the systems to the Internet. Attackers could start ransomware attacks and shut down the windmills until a ransom is paid. If this happened on a large scale, the lack of capacity could lead to irregularities in the electricity grid. According to our research, however, a targeted shutdown of hundreds of plants, as would be conceivable in a Hollywood hacker film, is not to be feared at all.

In response to our request, Nordex referred to these safety guidelines and insisted that the company adheres to the laws. A spokesman said, "We would like to ask you for your understanding that we do not want to make detailed statements about our internal procedures and the security mechanisms involved in plant control." Among IT experts such an argument is called "Security by Obscurity". This approach is not recommended, because it rests on the assumption that no one will look closely and that the security problems will magically disappear. We, however, have looked carefully.
How we found the weak spots
At first, as at the beginning of many other investigations, we searched the Internet for manufacturers from the industry. After some time, in our experience, one inevitably arrives at concrete products and in part also at software. In the course of our research, we became aware of various manufacturers who were very generous with information about their wind turbines on their websites.
Many of the plants we found come from Nordex. A simple search for the three words "wind farm portal" already yielded a hit with the IP address of a wind turbine on the first Google results page. As we found out, a search filter can even be used to display all Nordex wind farm portal systems known to Google. On Google alone we found about 100 systems that are apparently intended for the administration of wind parks.
Why these systems are known to search engines at all is questionable, since it is hardly an advantage for operators that the administrative portal of their wind parks can be found via Google. Nordex told us the following: "Indexing through search engines is largely determined by the respective operator, and this is done by Nordex (e.g. by using a robots.txt)."
On 181 systems, and thus on an absolute majority of the systems, no robots.txt was to be found. A robots.txt, however, does not prevent indexing by Google; it only affects the caching behavior. To avoid indexing by Google, a noindex tag would be necessary in this case. For that, the source code must be modified; according to our knowledge, this is solely the responsibility of Nordex. Not all operators seem to be aware of the problem at all. Some of them, when asked by Golem.de, were surprised that their systems could be found on the net.
But the Google search was just the first step in our research.
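
The difference between a robots.txt and a noindex directive described above, as an added example (not code from Internetwache.org, Golem.de or Nordex): a check an operator could run against the response of their own portal page. The function name, verdict strings and sample values are assumptions constructed for illustration; it also covers the case where a robots.txt blocks crawling and thereby hides the noindex directive from the crawler.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.update(d.strip().lower() for d in a.get("content", "").split(","))


def indexing_status(path, headers, html, robots_txt=None, agent="Googlebot"):
    """Return (verdict, reason) for one page.

    headers: response headers (dict), html: response body,
    robots_txt: content of /robots.txt, or None if the file does not exist.
    """
    directives = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":  # header form of the directive
            directives.update(d.strip().lower() for d in value.split(","))
    meta = _RobotsMeta()
    meta.feed(html)
    noindex = bool((directives | meta.directives) & {"noindex", "none"})

    crawlable = True  # without a robots.txt everything may be crawled
    if robots_txt is not None:
        rp = RobotFileParser()
        rp.parse(robots_txt.splitlines())
        crawlable = rp.can_fetch(agent, path)

    if noindex and crawlable:
        return "protected", "noindex is visible to the crawler"
    if noindex:
        return "at risk", "robots.txt blocks crawling, so the noindex is never read"
    if not crawlable:
        return "at risk", "robots.txt only blocks crawling; the URL can still be indexed"
    return "indexable", "no noindex directive and no crawl restriction"


if __name__ == "__main__":
    # Constructed sample: a portal login page without any directive or robots.txt.
    sample = "<html><head><title>Wind Farm Portal</title></head></html>"
    print(indexing_status("/", {"Content-Type": "text/html"}, sample))
```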


