Symantec found a new Stuxnet variant that made them take a closer look at the 417 attack. Their research results basically match with ours, with a major exception.

According to our analysis, the devices referred to by Symantec as “auxiliary valves” have a completely different function: They do not act as inter-stage shutoffs that would isolate individual stages (thereby blocking the whole cascade). Our intelligence suggests that the first fifteen of these devices act as overpressure relief valves.

 | notes-on-stuxnet-0-5

The footage above is a close-up of a SCADA screen in the Natanz control room from 2010 and shows some of the respective devices as grey objects, labeled EP-4106 to EP-4111, in a non-standard piping & instrumentation diagram. The green arrows indicate direction of flow, which is always out of the centrifuges to an independent collector line on top of the picture, shown in green. This collector line is separate from feed, product, and waste, and obviously has protective rather than productive function.

A better understanding of the basic piping structure can be obtained by looking at the full screen shots that we published earlier. – The depicted millibar pressures should be ignored as the respective cascade is in startup mode when the picture was taken.

The best match we could identify in plant floor footage is shown below, with target objects highlighted by us.

 | notes-on-stuxnet-0-5