New report strengthens suspicions that Stuxnet sabotaged Iran's nuke plants
A new report is strengthening suspicions that the Stuxnet worm
sabotaged Iran's nuclear plants (Hat Tip: William Daroff
The report, released Thursday by the Institute for Science and International Security, or ISIS, indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart. Read the whole thing
The frequencies of the Natanz rotors were apparently not a secret and were disclosed to ISIS in mid-2008 — the earliest samples of Stuxnet code found so far date back to June 2009, a year after ISIS learned about the frequencies. They were disclosed to ISIS by “an official from a government that closely tracks Iran’s centrifuge program.”
The unnamed government official told ISIS that the nominal frequency for the IR-1 centrifuges at Natanz was 1,064 Hz, but that Iran kept the actual frequency of the centrifuges lower to reduce breakage. According to another source, Iran often ran its centrifuges at 1,007 Hz.
The information would have been gold to someone looking to sabotage the centrifuges since, as ISIS notes, it provided both confirmation that Iran’s centrifuges were prone to an unusual amount of breakage and that they were subject to breakage at a specific frequency of rotation.
According to an examination of Stuxnet by security firm Symantec, once the code infects a system, it searches for the presence of two kinds of frequency converters made by the Iranian firm Fararo Paya and the Finnish company Vacon, making it clear that the code has a precise target in its sights. Once it finds itself on the targeted system, depending on how many frequency converters from each company are present on that system, Stuxnet undertakes two courses of action to alter the speed of rotors being controlled by the converters. In one of these courses of action, Stuxnet begins with a nominal frequency of 1,064 Hz — which matches the known nominal frequency at Natanz but is above the 1,007 Hz at which Natanz is said to operate — then reduces the frequency for a short while before returning it back to 1,064 Hz.
In another attack sequence, Stuxnet instructs the speed to increase to 1,410 Hz, which is “very close to the maximum speed the spinning aluminum IR-1 rotor can withstand mechanically,” according to the ISIS report, which was written by ISIS president David Albright and colleagues.
“The rotor tube of the IR-1 centrifuge is made from high-strength aluminum and has a maximum tangential speed of about 440-450 meters per second, or 1,400-1,432 Hz, respectively,” according to ISIS. “As a result, if the frequency of the rotor increased to 1,410 Hz, the rotor would likely fly apart when the tangential speed of the rotor reached that level.”
ISIS doesn’t say how long the frequency needs to be at 1,410 Hz before the rotor reaches the tangential speed at which it would break apart, but within 15 minutes after instructing the frequency to increase, Stuxnet returns the frequency to its nominal 1,064 Hz level. Nothing else happens for 27 days, at which point a second attack sequence kicks in that reduces the frequency to 2 Hz, which lasts for 50 minutes before the frequency is restored to 1,064 Hz. Another 27 days pass, and the first attack sequence launches again, increasing the frequency to 1,410 Hz, followed 27 days later by a reduction to 2 Hz.
Stuxnet disguises all of this activity by sending commands to shut off warning and safety controls that would normally alert plant operators to the frequency changes.
ISIS notes that the Stuxnet commands don’t guarantee destruction of centrifuges. The length of the frequency changes may be designed simply to disrupt operations at the plant without breaking rotors outright, and the plant could conceivably have secondary control systems in place to protect centrifuges and that are not affected by Stuxnet’s malicious commands.
Labels: centrifuges, Iranian nuclear program, Stuxnet