How Stuxnet cyber weapon targeted Iran nuclear plant
Researchers from California and Germany dove into the Stuxnet code and found it sought out specialized components used in Iran nuclear centrifuges – and could cause them to explode.
(Page 2 of 2)
Symantec researchers were aided by a Dutch industrial control systems expert who revealed the connection with Tehran and Finland firms. It turns out that the special drives Stuxnet targets are built to operate "at very high speeds ... speeds used only in a limited number of applications," Symantec stated in a report update Nov. 12. Such drives are "regulated for export in the US by the Nuclear Regulatory Commission," because one of their main uses is for uranium enrichment, it noted.Skip to next paragraph
Subscribe Today to the Monitor
Once Stuxnet has locked its sights on the target, it alternately brings the centrifuge process to either a grinding slowdown or an explosive surge – by sabotaging the centrifuge refining process. It tells the commandeered PLC to force the frequency converter drive to do something it's not ever supposed to do: Switch back and forth from high speed to low speed at intervals punctuated by long period of normal operation. It also occasionally pushes the centrifuge to far exceed its maximum speed.
"Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over periods of months," Symantec researcher Eric Chien reported Nov. 12 on his blog. "Interfering with the speed of the motors sabotages the normal operation of the industrial control process."
Normal operating frequency of the special drive is supposed to be between 807 and 1210 Hz – the higher the hertz, the higher the speed. One hertz means that a cycle is repeated once per second.
Stuxnet "sabotages the system by slowing down or speeding up the motor to different rates at different times," including sending it up to 1410 Hz, well beyond its intended maximum speed. Such wide swings would probably destroy the centrifuge – or at least wreck its ability to produce refined uranium fuel, others researchers say.
"One reasonable goal for the attack could be to destroy the centrifuge rotor by vibration, which causes the centrifuge to explode" as well as simply degrading the output subtly over time, Ralph Langner, the German researcher who first revealed Stuxnet's function as a weapon in mid-September, wrote on his blog last week.
All of the circumstantial evidence points in the same direction: Natanz.
The Natanz nuclear centrifuge fuel-refining plant may have been hit first by Stuxnet in mid-2009, said Frank Rieger, a German researcher with Berlin encryption firm GSMK. The International Atomic Energy Agency found a sudden drop in the number of working centrifuges at the Natanz site, he noted in an interview in September.
"It seems like the parts of Stuxnet dealing with PLCs have been designed to work on multiple nodes at once – which makes it fit well with a centrifuge plant like Natanz," Mr. Rieger says. By contrast, Bushehr is a big central facility with many disparate PLCs performing many different functions. Stuxnet seems focused on replicating its intrusion across a lot of identical units in a single plant, he said.
That and Symantec's new findings also dovetail nicely with Mr. Langner's detailed findings in his ongoing dissection of Stuxnet. Parts of the code show Stuxnet causing problems for short periods, then resuming undisturbed operation, Symantec's findings show. As a result, Langner writes, "the victim, having no clue of being under a cyber attack, will replace broken centrifuges by new ones – until ending in frustration. It’s like a Chinese water torture."
Ultimately, the Stuxnet cyber attack "is as good as using explosives," Langner notes. Actually, it's even better, he writes. Iran is believed to have other hidden centrifuge plants and "with a well designed attack plan, you even hit the unknown facilities."