Now that we have the Stuxnet 315 code pretty much out of the way and the world a little bit more convinced that we are in fact looking at a cyberwar weapon aimed at Iran’s nuclear power program, let’s try to make some sense out of the 417 attack code. There are two places where the 417 would be useful:
1) As a higher-level controller for the centrifuge cascade. The 315s can’t run the centrifuge plant alone, and they certainly do not control the cascade; they would only control the rotor drives of individual modules within it. There must be additional controllers that take care of pumps, valves, etc. This could be the 417.
2) At a completely different target that is another key asset of the Iranian nukes program.
At this time we believe option two has the better odds. The 417 code is very different from the 315 code, written with different tools, presumably by different people. With DB 8063 alone over 20k in size, it’s a real banger: much more complex than the 315 code, and it does not access Profibus directly. It could still talk to Profibus devices via mapped I/Os, but that just doesn’t seem likely.
The search for another target is not very difficult. It is sitting in Bushehr. Many people misinterpreted our initial target theory as suggesting that the aim of Stuxnet was to cause a nuclear explosion. Many commentators, including some with a background in nukes, pointed out that this would not be possible due to the safety systems in an NPP. No disagreement here; we never thought in this direction. There is no reason to go after the reactor. Just go after that other big thingy with much less independent safety: the steam turbine.
Some people will remember the experiments done by INL in 2007 which were later semi-published under the title “Aurora vulnerability”. Compared to Bushehr’s turbine, what you see in the Aurora CNN video is a toy. If you blow a 1000 MW turbine, you will very likely be able to see the impact on satellite imagery. To destroy the turbine, the attackers would try to get it to overspeed by taking away the generator load under full steam (a load rejection with the steam valves held open), or to make it vibrate by holding it in the critical speed window, where rotor resonance peaks. Of course this would require that there be no independent, external turbine protection system (TPS), which we don’t know at this time. In modern installations, the TPS is integrated into the turbine control system (TCS). If we assume that both are integrated on S7-417(F)Hs, this is what you would want to attack. If that architecture is implemented in Bushehr and attacked by Stuxnet, you can forget about redundancy (think common mode failure: both CPUs of the redundant pair execute the same compromised code) and about safety instrumented systems.
Do we know that Bushehr’s turbine is driven by Siemens controllers? Pretty much. The turbine (a K-1000-60/3000-3) is manufactured by a Russian company called Power Machines. It’s the same type of turbine that is used in the Belene (Bulgaria) NPP, which is also built by Atomstroyexport, using Siemens controllers. By the way, Siemens is a major shareholder of Power Machines. It just wouldn’t make sense to have their subsidiary’s products equipped with I&C from competitors; it would contradict the business model. So the next thing to look at would be the TPS installed at Bushehr, or to get insight into the configuration of a gas centrifuge cascade (would we see a 417 there?). Submit your suggestions to stuxnethelp(at)langner.com or to the fellows from Symantec, who are invited for a beer or two.