Technical Stuxnet article in Control magazine

Ralph has written a short technical article on Stuxnet for control system engineers that was printed in Control magazine (January 2011 edition) and is also available online.



What Stuxnet is all about

Once upon a time, some organization that follows the nuclear situation in Iran closely determined that international sanctions and sabotage would not be sufficient to stop the growing enrichment capability in Natanz. Iran was installing new centrifuges at a speed that would put the bomb within reach soon. In the search for an alternative to conventional warfare, somebody figured out that sabotage is not limited to 20th century style messing with mechanical and electrical component characteristics. Cyber sabotage could achieve much more. If any target would justify a full-blown cyberwar strike for the first time in history, those centrifuges certainly would. It looked like it would have been stupid and irresponsible not to try.



Cascade cluster performance manipulation

This cascade cluster performs poorly. The black line gives an idea why. The black line corresponds to the right vertical axis, the cascade lines to the left. (Data extracted from actual 417 attack code.)



Stuxnet eats LEU

While we, like many others, have believed for some time that Stuxnet’s goal would be to crash IR-1 centrifuges, code analysis of the 417 attack code shows that things are not that simple. OK, this shouldn’t surprise anyone who has followed the Stuxnet saga for a while; this damn virus just keeps coming up with new surprises. Besides cracking centrifuges, another major goal of the attack seems to be the reduction of LEU output (LEU = Low Enriched Uranium).

The following diagram shows four attack profiles of the 417 code that can be thought of as performance diagrams. The vertical axis denotes the number of centrifuges in a cascade. So does the horizontal axis, except that the attackers chose to group the 164 centrifuges that make up a cascade into 15 groups for ease of operation. For example, the 15 at the right end of the horizontal axis corresponds to centrifuges 161 to 164, and the 10 corresponds to centrifuges 81 to 104. An IR-1 cascade is linear, meaning that 164 centrifuges are piped together in one line. UF6 is fed into centrifuge 1 and enriched. From there, it is passed to centrifuge 2, and so on, up to centrifuge 164, and from there to the next cascade.

Now let’s take a closer look at those attack profiles. In an ideal world, performance would probably be linear, resulting in a straight line from bottom left to top right. The next best thing to ideal seems to be profile 4 in the graph; that’s as good as it got in Natanz. Profiles 2 and 3, almost identical, leave something to be desired. But profile 1 is really shitty. Every time profile 1 is activated, somebody is missing LEU output.



Year-end roundup

After the significant discoveries of the last days, let’s end the year with an up-to-date bottom line.

1. It is beyond reasonable doubt that Stuxnet was developed to delay the Iranian uranium enrichment program by physically damaging centrifuges.

2. The attack was not designed for one simultaneous big bang. It was designed to proceed slowly and incrementally. We expect that right now, many more centrifuges than the 984 mentioned in the ISIS report have been damaged by Stuxnet. (The next IAEA inspection, scheduled to take place in about two months, will give clarity.)

3. A full analysis of the attack is possible without even getting near the control system cabinets in Natanz. All that is needed is a good understanding of how an IR-1 cascade is organized and operated, along with some basic information on the instrumentation.

4. The forces behind such a high-profile attack can be traced easily. Stuxnet required an extreme amount of intelligence about the Natanz plant layout, a full understanding of the IR-1 operation (presumably with a mockup test system available), and an extreme amount of insider knowledge of the Siemens products involved. This limits the search for the originators to very few organizations in the world.

5. Stuxnet’s attack code, available on the Internet, provides an excellent blueprint and jump-start for developing a new generation of cyber warfare weapons. It must be assumed that nation states with any intent to build up cyber warfare capability, such as China and Russia, are already in the process of analyzing the code down to the last bit, and are developing concepts and tools for similar attacks. The targets for these future weapons will most likely not be located in the Middle East.

Best wishes for 2011 from the Langner team



Stuxnet attack cluster configuration

We do now have a good idea of how the different attack routines (315 & 417) fit together. In a nutshell, Stuxnet attacks its target (uranium enrichment centrifuges) from two vectors. It’s like an assassination with two shooters from different angles for a sure kill. Vector one (315) is the rotor speed control, and vector two (417) is the process & safety system which controls things like valves and pumps.

While the 315 attack code operates only on one cascade, the 417 attack code operates on six cascades. In order to put this into perspective, we created the following diagram. Each single centrifuge cascade corresponds to the diagram with the frequency converters that you have seen in Symantec’s Stuxnet dossier.



417 data structures = cascade structure = reported damage

Here’s a closer look at the 417 data structures. If you follow this blog closely, you will remember that we posted details on the man-in-the-middle on Nov 24. Go back to that post and have another look at FC 6069. FC 6069 stores 984 inputs in an array in DB 8063.

This array is structured as 164 x 6 entries. The attack code operates on these entries more than once. See for example what FC 6068 does (pseudo-coded from the original STL attack code):

FC 6068 is called from FC 6070 six times, passing values from 1 to 6. Funnily enough, 164 centrifuges are in one IR-1 cascade. Six cascades translate to 984 centrifuges.

Now go back to the ISIS report. The number of damaged cascades is six. That’s how you arrive at the “about 1,000 centrifuges”. The exact number is 984. Bottom line: We bet a gefilte fish that the damaged centrifuges were attached to one infected 417.



Breaking news: 417 = centrifuge safety system

On Nov 13, we published that there are two potential targets for the 417 attack: A high level controller for the uranium enrichment centrifuges, or the steam turbine controller for Bushehr.

When I was reading through ISIS’ report on the centrifuges for the third or fourth time, suddenly a coin dropped inside my head. It made a loud noise.

An IR-1 centrifuge cascade consists of 164 centrifuges. Haven’t we seen the number 164 before? Yes, we have. The 417 attack code operates on an array of 164 x 6 inputs. So if a 417 takes care of dumping the uranium hexafluoride in the event of rotor imbalance, and that is disabled by the attack code, the gas helps the rotor cracking, and if worst comes to worst, all that precious gas spills when the centrifuge breaks.

So after all here’s some good news before the year ends: The whole idea and procedure of the attack will be fully understood soon. Stay tuned for details.

Ralph Langner



The short path from cyber missiles to dirty digital bombs

More and more details of the Stuxnet malware and its purpose become clear. Stuxnet appears to be the first real cyber warfare attack in history, with “real” meaning that the virus caused physical destruction of heavily fortified military targets, some of them buried 75 feet underground. Plans had been made to destroy these targets by air strikes when it became clear that sanctions alone would not stop Tehran on its way to nuclear weapon capability. Both Israel and the United States had not only planned for military action, but, in the case of Israel, even done rehearsals.

Iran’s president Ahmadinejad himself confirmed on November 29, 2010 that uranium enrichment centrifuges had been damaged by Stuxnet. The Bushehr nuclear power plant that was scheduled to go operational on August 21, 2010, did not – because of “technical problems”. Since the official explanation of what these problems are (first, it was “severe hot weather”, thereafter “a leak”) seem to be blunt attempts to fool the public, it can be suspected that Stuxnet is also responsible for Bushehr’s delay. Iran confirmed on September 25, 2010 that computer systems in the Bushehr nuclear power plant were infected by Stuxnet.

If we assume that Stuxnet managed to severely damage the steam turbine in the Bushehr nuclear power plant, repairing or replacing that turbine may cost a significant amount of money (up to several million dollars). The material damage on the centrifuges depends on how many centrifuges have been destroyed. Presently it looks like more than 1,000 centrifuges have been damaged in the Natanz facility alone, with unknown damage in Fordow and, certainly, in any unknown centrifuge plants. All this translates to another multi-million dollar damage. And replacing the damaged parts takes time. Parts for gas centrifuges and power plant turbines cannot be ordered on eBay. They won’t be delivered by UPS overnight, but in some cases through complex smuggling networks. Getting new parts on site may take many months; in the case of the steam turbine probably over a year. During this timeframe, the Iranian nuclear program is severely crippled.



Cascade crippling

To get another idea of how cyber forensics works, check out this preliminary report from ISIS on Stuxnet’s potential impact on the centrifuge cascades in Natanz. David Albright and his team did a great job here. Even if you’re in a hurry, do not miss reading at least the last section, titled “A Final Concern”.
