Documentary film makers have uncovered plans for an extended cyber attack against Iran, code-named Nitro Zeus. While I appear in the movie, I haven’t seen it yet and base the following on the reporting in the New York Times.
According to the Times, Nitro Zeus’ objectives were to disable Iran’s air defenses, communication systems, and crucial parts of the power grid, and to disable the Fordow nuclear enrichment plant in case the negotiations with Iran failed.
Certainly the idea that military action against Iran — or any other adversary — would involve cyber seems like a no-brainer after Stuxnet. It is also reasonable to assume that air defenses, communication networks, and the power grid are logical targets. The idea of going after Fordow is a different thing.
WTF is Fordow?
Fordow is just another nuclear enrichment plant in Iran. It was detected in 2009 by US intelligence and went operational in December 2011. The problem with Fordow is that it poses a much bigger threat than Natanz, for a couple of reasons. First, Fordow is even better protected against air strikes by natural rock, making success unlikely for anything short of a tactical nuclear weapon. Second, Iran used Fordow mostly for the production of 20% enriched uranium. Third, due to space limitations Fordow can host a maximum of only 3000 centrifuges, making it unsuitable for large-scale production of LEU for use in nuclear power plants.
The problem with 20% enriched uranium, which is already categorized as HEU (highly enriched), is that it is much easier to go from 20% to weapons-grade than from 5% (power plant grade) to 20%. In other words, a stockpile of 20% HEU is a significant factor in a breakout scenario (breaking out of the IAEA regime and going to weapons-grade HEU). At the same time, Iran’s claim that the material produced in Fordow was for medical purposes was never deemed credible. Therefore, if there was any high-priority target in the Iranian nuclear program in 2012 and after, it was Fordow.
Attack options
Unfortunately, our spirited team of cyber attackers had been way too noisy with the 2009 version of Stuxnet to support the idea that a copycat could be launched against Fordow. While the first (2007) version of Stuxnet can be thought of as a sniper operation that every now and then shoots the target in the leg, in the arm, and in the butt, the 2009 version compares to a bunch of hooligans equipped with baseball bats who show up at random to beat the crap out of the target and disappear again. It was bound to be detected. Obviously, a similar tactic had zero chance of success once Iran finally understood what had been going on for years in the caves of Natanz.
But then why would anybody care about a sustained covert operation to break a couple hundred centrifuges here and there when at the same time a full-blown cyber attack against defense systems and critical infrastructure is under way, most likely supported by a kinetic operation (why else would one plan to mess up air defense)? Therefore, the logical thing to do would have been to try taking out Fordow in one lethal attack without any effort to stay covert.
The easy path to destroy a centrifuge
Both the Stuxnet 2007 attack against the Cascade Protection System and the 2009 attack against the Centrifuge Drive System could have destroyed the infected machines had that been the attackers’ objective. Forensic analysis tells us that obviously it was not. But the idea of using the same attack vector and just tightening it up has no credibility, as Iranian engineers would have to be idiots not to catch rogue ladder logic on their PLCs by now.
The logical alternative and easy path to success is to go after the power supply. Cutting power to the electrical drives that spin the centrifuges will create a UF6 shock wave that is a sure kill for the delicate rotors.
On August 17, 2012, one could see a test run for this scenario when the power line feeding Fordow was disrupted by explosives. Well, at least Olli Heinonen, former Deputy Director-General for Safeguards at the IAEA, and I could, when we discussed the incident back in 2013 while I was preparing To Kill a Centrifuge. It is clear to anybody that Fordow, just like any other enrichment plant, has backup power systems in order to cope with being cut off from the grid. So either the attackers had already tried to disable the backup power but failed, or they intended to experiment with its behavior and capabilities in order to figure out a good way to mess it up in a later cyber attack.
The power of electrical power
That brings us to the bottom line and big-picture considerations. While about 90% of the public discussion on cyber-physical attacks focuses on the national power grid, cyber attacks against localized power systems are much easier to accomplish and may still cause substantial damage. This holds for anything from a nuclear enrichment plant to a data center. Now go check those electrical systems — backup generators, “smart” electrical switches, uninterruptible power supplies with network and remote access. Ask your IT department if they have ever looked at the cyber security of those systems. In most cases, they have not — if only for the simple reason that those are considered electrical systems rather than IT systems. If you do take a closer look, don’t be surprised to find the same lack of cyber security as in any PLC, protective relay, you name it.
Cyber-physical attacks don’t require “zero days”, and that’s perhaps a significant flaw of the documentary, because its title reflects exactly that. They require simple and solid engineering analysis, just like what is called for on the defensive side.
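As an added example (not code from the post or its author), here is what a first pass at the "go check those electrical systems" advice can look like when the UPSs, generator controllers and smart switches are treated as the IT systems they are. The inventory fields (management protocols, network zones with a route to the management interface, whether vendor default credentials are still accepted, year of the last security review) and the three sample assets are constructed for this example; a real run would read your CMDB or a manual site survey.

```python
"""First-pass cyber security review of localized power systems.

Added example, not from the original post. The asset record format and
the sample inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Dict

# Management protocols that carry credentials or commands in cleartext,
# or that have no meaningful authentication (SNMP v1/v2c community strings).
WEAK_PROTOCOLS = {"telnet", "http", "snmpv1", "snmpv2c", "modbus/tcp"}

# Network zones from which a power-system management port should not be
# reachable at all (it belongs on a segregated OT management network).
EXPOSED_ZONES = {"corporate", "internet", "vendor-vpn"}


@dataclass
class PowerAsset:
    name: str
    kind: str                    # "ups", "generator-controller", "smart-switch", "pdu"
    mgmt_protocols: Set[str]     # protocols exposed on the management interface
    reachable_from: Set[str]     # network zones with a route to that interface
    default_creds: bool          # vendor default credentials still accepted
    last_security_review: Optional[int]  # year of last review, None if never


def review_asset(asset: PowerAsset, current_year: int = 2016) -> List[str]:
    """Return the list of findings for one asset (empty list if it looks fine)."""
    findings = []
    weak = asset.mgmt_protocols & WEAK_PROTOCOLS
    if weak:
        findings.append("weak/cleartext management protocol: " + ", ".join(sorted(weak)))
    exposed = asset.reachable_from & EXPOSED_ZONES
    if exposed:
        findings.append("management interface reachable from: " + ", ".join(sorted(exposed)))
    if asset.default_creds:
        findings.append("vendor default credentials still active")
    if asset.last_security_review is None:
        findings.append("never had a cyber security review")
    elif current_year - asset.last_security_review > 2:
        findings.append("last security review in %d is stale" % asset.last_security_review)
    return findings


def review_inventory(assets: List[PowerAsset], current_year: int = 2016) -> Dict[str, List[str]]:
    """Map asset name -> findings, for every asset with at least one finding."""
    report = {}
    for asset in assets:
        findings = review_asset(asset, current_year)
        if findings:
            report[asset.name] = findings
    return report


def rank(report: Dict[str, List[str]]) -> List[str]:
    """Asset names ordered by number of findings, worst first (name breaks ties)."""
    return sorted(report, key=lambda name: (-len(report[name]), name))


# Constructed sample inventory: one UPS on the office LAN with defaults untouched,
# one generator controller reachable over a vendor VPN, one well-kept switch.
SAMPLE_INVENTORY = [
    PowerAsset("ups-dc1-a", "ups", {"snmpv2c", "http"}, {"corporate"}, True, None),
    PowerAsset("gen-ctrl-1", "generator-controller", {"modbus/tcp", "https"},
               {"vendor-vpn"}, False, 2012),
    PowerAsset("sw-dist-3", "smart-switch", {"https", "snmpv3"}, {"ot-mgmt"}, False, 2015),
]

if __name__ == "__main__":
    report = review_inventory(SAMPLE_INVENTORY)
    for name in rank(report):
        print(name)
        for finding in report[name]:
            print("  -", finding)
```

The checks are deliberately the boring ones: cleartext or unauthenticated management protocols, reachability from networks that have no business talking to a UPS, default credentials, and the absence of any review at all. That is the "simple and solid engineering analysis" the post calls for on the defensive side, and it is what typically turns up when the electrical people and the IT people first compare notes.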
Ralph Langner