SCADA Hack

The ICS Security Community had an interesting event, or perhaps a test, this weekend with the false report of an FPL Wind Farm in New Mexico being hacked. So far we know of similar, but not identical, emails providing details of the hack hoax being sent to three places:

  • the Full Disclosure list
  • the Repository of Industrial Security Incidents (RISI)
  • Omar Sherin, a Section Manager at Qatar-CERT who writes the CIP Vigilance blog

The three emails are all slightly different, not in important content but in small details in the wording, capitalization, and other minor issues. This indicates at least a portion of each message was hand typed.

The assortment of recipients is a bit strange as well: a well-known full disclosure list that is also picked up by other full disclosure lists; RISI, a niche ICS security organization that is very conservative with disclosure; and a Qatari blogger and member of Q-CERT. Odd.

And the choice of doing this on a Saturday is odd as well, because the report would have much less, or at least a delayed, impact on a Saturday compared to a weekday.

Omar’s entry publishes the email header, which shows the email coming from 192.251.226.206. This resolves to http://anonymizer2.blutmagie.de/, an email anonymizer out of Germany. Because that host is an anonymizer, the header identifies only the exit point, not the person who sent the message. It would be interesting to know if the other emails were also sent via this or another anonymizer.

Now the creator of the hoax itself had to know it would be determined to be a hoax in a matter of hours or days. With the German text, the wrong ICS product, incorrect displays, and so on, this was not going to withstand scrutiny. FPL might be the first to say so, but shortly afterwards one or more skilled researchers would point out the inconsistencies. So what was the purpose of this effort? To wind up the mainstream media or the ICS media? Just someone having some fun?

It is a mystery, but there is another possibility:

What if it were a test to see how organized and effective the analysis and response to attack information was?

Overall, I’d say the ICS security community handled this very well. There were not a lot of over-the-top blog entries about FPL. Most were circumspect, taking it as a potentially serious issue but waiting until the analysis took place. Even the SCADASEC thread on this topic was very tame, but again this may have been because it occurred on a weekend.

One last question is what ICS-CERT should have done in this case. They were notified at the start, according to RISI. They have been silent to date on this, which may be the right thing to do for a false report. But with a dedicated expert team and early notification, they should have known before independent researchers that this was not what it purported to be. Should they have made some statement? If it had not been resolved by Ruben and others, would they have stepped in? Just add it to the many questions I have for ICS-CERT; hopefully some will be answered at ICSJWG next month.

Image by nathanmac87