Slashdot Mirror


Did Stuxnet Take Out 1,000 Centrifuges At Natanz?

AffidavitDonda writes "In late 2009 or early 2010, Iran decommissioned and replaced about 1,000 IR-1 centrifuges in the Fuel Enrichment Plant (FEP) at Natanz, implying that these centrifuges broke. Iran's IR-1 centrifuges often break, yet this level of breakage exceeded expectations and occurred during an extended period of relatively poor centrifuge performance. Although Iran has not admitted that Stuxnet attacked the Natanz centrifuge plant, it has acknowledged that its nuclear sites were subject to cyber attacks."

35 of 189 comments

  1. Maybe we will know in the future. by Suki I · · Score: 2

    If this is for real, this targeting sounds like a big step in the cyber attack side of the world. I wonder how cyber defense will counter it.

    1. Re:Maybe we will know in the future. by fuzzyfuzzyfungus · · Score: 4, Interesting

      Seems pretty logical to me. Assuming that the US, or an ally close enough for them to know about it, was behind the work, the success of the attack presumably served as an oh-shit moment for anybody who wasn't a complete moron and hadn't previously had one on the topic of computer security. Plus, projecting your activities onto others seems to be a fairly common human trait. Not only would watching a successful attack team awaken them to the possibilities, it would likely increase their perception that others were likely up to similar things.

      By all accounts, stuxnet caused considerable trouble and delay for Iranian enrichment efforts and (at least in public) the closest anybody has gotten to figuring out who did it has basically been pointing fingers at the intersection of "people who don't like Iran" and "people who are good at computers and stuff". A reasonable strategy, to be sure; but not one that suggests they have the slightest in hard evidence to go on. Unless it was unbelievably costly to develop, that is a pretty clear win for whoever was behind it.

      I'm sure US military and industrial types could think of a few (thousand) things that they really would not want that happening to, never mind the continual, low-level, but costly, stream of financial scamming and fraud, much of which is electronic and much of which is a net flow from the US to assorted offshore gangs.

    2. Re:Maybe we will know in the future. by fuzzyfuzzyfungus · · Score: 3, Insightful

      I suspect that the problem is, depending on the sense in which you consider it, both better and worse than your analogy suggests:

      On the one hand, hardening specific systems against electronic infiltration is probably (especially if you are willing to put up with hassles) easier and cheaper than burying them in sealed bunkers under entire mountains and other nuclear defense stuff.

      On the other, it is overwhelmingly easier for just about anybody to launch petty, nibbling attacks against soft targets with minimal fear of reprisal, or even identification. A lot of such attacks even pay for themselves. The industry of Nigerian scammers, spammers, PIN skimmers, etc. launches millions of such a year, some percentage of which net serious rewards, and only a trickle ever get caught. And that is largely a non-ideological private sector game. Once state actors, or ideologically driven non-state actors step up to the table, and start hitting similarly soft, but not necessarily profitable, targets, you have problems...

    3. Re:Maybe we will know in the future. by arisvega · · Score: 3, Informative

      Attacking is easy. Defense is hard. ( ex. Nuclear Weapons use)

      Not true, numerous counterexamples; the simplest one being barricaded somewhere on a mountain with the weather on your side, batteries, ammo, a trustworthy sniper rifle, lots of food, and an internet connection (for your idle time between headshots)

      --
      The three laws of thermodynamics:(1) You can't win. (2) You can't break even. (3) You can't even quit.
    4. Re:Maybe we will know in the future. by arisvega · · Score: 2

      Everything in the future will be analog. And World War IV will be fought with sticks and stones.

      No, it will be with cybernetics, that-thing-that-fries-opponents-with-an-arc, flying cars and LOTS of slow-motion KungFu

      --
      The three laws of thermodynamics:(1) You can't win. (2) You can't break even. (3) You can't even quit.
    5. Re:Maybe we will know in the future. by khallow · · Score: 3, Interesting

      Not true, numerous counterexamples; the simplest one being barricaded somewhere on a mountain with the weather on your side, batteries, ammo, a trustworthy sniper rifle, lots of food, and an internet connection (for your idle time between headshots)

      You're either shallow enough to get burned out or deep enough to get buried. Very effective techniques for taking out pill boxes and deep fortifications were developed in the Second World War.

    6. Re:Maybe we will know in the future. by arivanov · · Score: 5, Interesting

      Not really.

      It sounds like a much more professional attack than previously considered.

      Varying speed by itself should have just sent yield to hell. Varying speed properly with the full knowledge of the centrifuge design and construction allows to select resonating frequencies (which each centrifuge has) and keep it at those until it disintegrates. In my "previous life" doing biotech I have seen what happens when a rotor goes off balance at 50000 rpm. The effect is more or less similar to that of a hand grenade in a closed space.

      Add to that the fact that a broken uranium enrichment centrifuge will leak UF6 all over the place which is highly toxic and corrosive and you have your perfect sabotage method.

      There is one more question to be answered here which puts the final dots over Is and crosses the last Ts. The people who have analysed the source so far in AV companies were malware professionals, not chemists or industrial automation experts. So they left one question open - does it try to determine the frequencies or it knows them already. If it is the latter, this means that the attacker has managed to obtain the exact design of a centrifuge with the actual improvements used by Iran so Iran's nuclear programme is way leakier than we thought and everyone and their dog has that centrifuge design now (with the actual improvements done by Iran after they got it from our "allies" in Pakistan). If it is the former, the same attack can be applied to all kinds of industrial automation equipment and Siemens kit provides enough telemetry to run the attack. That is probably even scarier than the first possibility. Resonance is lovely stuff... Nothing can withstand it for a sufficiently long time.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    7. Re:Maybe we will know in the future. by PatrickThomson · · Score: 5, Informative

      I'm a chemist and I actually did some freelance investigation into UF6 centrifuges a while back - quite fascinating. They're tall thin cylinders, barely a handsbreadth wide, with maglev vacuum bearings and a rotation speed in excess of 100,000 RPM. The outer wall of the centrifuge experiences a million G's of acceleration, and a sweaty thumb-print can off-balance one enough to self-destruct. Also, one cylinder only enriches uranium by 1% or so, so you need to daisy-chain many hundreds together flawlessly to get pure 235 out the end.

      I imagine with a system that fragile, you don't need to find the precise resonant frequency. IIRC, all stuxnet did was blip the frequency down to 0 Hz for a short time - which I imagine would eventually throw the drive off-center and cause it to fail noisily.

      --
      I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
    8. Re:Maybe we will know in the future. by vlm · · Score: 2

      I wonder how cyber defense will counter it.

      Hmmm. I've got a stunning idea! How bout not plug your centrifuge into a PC based ethernet network?

      My doctor's blood centrifuge does not have an ethernet port. Nor does my dentist's x-ray machine. Nor my doctor's stethoscope, nor that hammer thingy they hit your knee with to test your reflexes.

      The argument used to be that the DSP based controller software required to balance the rotor required a rather high end server grade PC at least $3000 worth of pentium 75s, so we need to spread that PC cost across multiple centrifuges. The problem is I can get better DSP performance out of a five dollar PIC microcontroller now. And they'll never be susceptible to an external attack, so why bother with firewalls and who cares if they are on ethernet with the modern equivalent of typhoid mary, the standard PC.

      Who will win, the hardware guys who make cheap ethernet interfaces, or the hardware guys who make cheap microcontroller hardware? In some cases, same company different departments?

      Now if they blew up something that inherently must be decentralized like an electrical grid, then we'd have a (slight) puzzle.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    9. Re:Maybe we will know in the future. by Opportunist · · Score: 2

      Excuse me? How was the German attack on Poland any different than the US attack on Iraq? In both cases the attacker knew very well that the attacked had no snowball-in-hell chance to ever stage any sensible attack unless he's suicidal, in both cases propaganda blew the enemy's aggression potential way out of proportion and in both cases it was a given how it has to end.

      If the US should ever "pre emptively" attack China, we can talk about Pearl Harbor. Until then, it's Germany vs. Poland. Without England and France declaring war on Germany.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Maybe we will know in the future. by gtall · · Score: 2

      Not entirely, Poland was not ruled by a murderous dictator. And Germany invaded Poland for Lebensraum, and never intended to give it back to the Poles. The U.S. never intended to keep Iraq. Also, Germany didn't have to keep a significant threat over Poland to keep it in line as the U.S. did. At the time, sanctions were breaking down because the dear Allies in Europe saw nothing wrong with helping re-equip Saddam. The alternative was to allow Saddam to rearm...hmm...wonder what he intended to rearm for?

  2. "IDF’s Military Intelligence Unit 8200" by Suki I · · Score: 4, Informative

    It's interesting how US was jabbing so much about cyber warfare and how they need to defend themself, and still they're the first one to attack.

    From TFA, the rumored culprit is not the USA, it is "IDF’s Military Intelligence Unit 8200".

    1. Re:"IDF’s Military Intelligence Unit 8200" by Dutchmaan · · Score: 2

      It's interesting how US was jabbing so much about cyber warfare and how they need to defend themself, and still they're the first one to attack.

      From TFA, the rumored culprit is not the USA, it is "IDF’s Military Intelligence Unit 8200".

      You act as if people are willing to differentiate the two...

    2. Re:"IDF’s Military Intelligence Unit 8200" by SvnLyrBrto · · Score: 2

      Eh?

      Israel has, on numerous occasions in the past, demonstrated that it's quite willing to act independently of, and sometimes contrary to the wishes and interests of, the United States. I have no idea what the actors or circumstances behind stuxnet were. But it's definitely conceivable that the IDF took the action without consulting the US. It is certainly in their best interests to prevent Iran from gaining nuclear weapons; considering it is the publicly-stated policy and goal of the latter state to: "wipe the jews off the map"*.

      And yes, before you jump on me for it, I'm quite aware that there is some debate as to whether Ahmadinejad's statement most accurately translates to "off the map" or "out of history". But either way, the meaning of the euphemism is quite clear.

      And really... considering the fact that Israel has nukes of its own and likely would not be willing to just be slaughtered without a fight... Until the world's technology advances past the need for oil, the global economic consequences of nuclear war in the middle east make it pretty much in the best interest of everyone but Iran to prevent Iran from gaining nuclear weapons... and therefore to sabotage or destroy their facilities by any means necessary. And plenty of countries besides the US and Israel have hackers.

      --
      Imagine all the people...
  3. Mission Accomplished by dragonhunter21 · · Score: 2

    Somewhere, some guy working for the CIA/NSA/TLA just shat himself laughing.

    --
    Sent from my CR-48
  4. Re:Well that was the intention of the virus by garyisabusyguy · · Score: 4, Interesting

    Just spent a minute at wikipedia...

    Apparently the virus is Windows specific and targets industrial control systems manufactured by Siemens.

    They have distributed a removal tool, which is dependent on current patching from Microsoft

    Of course, this soooo many questions, like;
    Who else uses the same Siemens controllers, should they be worried as well?
    Who holds the keys to this thing?
    What is preventing anybody else from hijacking the root kitted systems?
    What are the chances of any Microsoft patches being poisoned by the author?

    And finally... Why the heck are our friends at Siemens selling systems to the Iranians?

    --
    Wherever You Go, There You Are
  5. Would Windows Security Essentials have protected? by BadAnalogyGuy · · Score: 2, Interesting

    What antivirus software would have protected the victims of this virus? Kaspersky? AVG? Windows Security Essentials? ClamAV?

    While on the one hand, it is important to prevent infections from becoming a massive swarm with the ability to hammer away at particular locations in a DDOS, in this particular case it seems like specific machines were infected with the goal of harming them directly. Since these machines are running on specialized hardware, it doesn't really make sense to consider StuxNet a "swarm" virus. The swarming aspect only seems to have helped it spread in an organic way towards the targeted systems.

    On the very end lay the centrifuges, but between those and the Internet lay Windows PCs. Would having Norton (or any other AV) running on startup have blocked this virus?

    If none, then what hope do we really have of protecting ourselves from deliberate attacks on our network infrastructure?

    Quite frightening, actually. (Unless Windows Security Essentials would have caught it.)

  6. Re:Well that was the intention of the virus by Ancantus · · Score: 2

    It also uses (I believe) 4 Windows-specific 0-day hacks. Usually a 'common' virus writer uses only one, because you can use the other 3 to make 3 more viruses. It really shows these people REALLY wanted this to work, and for it to infect as many systems as it could before being caught and stopped. Siemens can sell to whomever they want. Iran can use those controllers for making plush teddy bears just as easily as for nuclear refinement. And the command/control servers for the virus were taken offline a while ago, so no-one holds the keys to deactivating the virus anymore.

    --
    Violence is the last refuge of the incompetent. -- Isaac Asimov
  7. Re:Well that was the intention of the virus by keeboo · · Score: 2

    Apparently the virus is Windows specific and targets industrial control systems manufactured by Siemens.

    Why the hell Siemens is running Windows for such kind of application, to begin with?

    And finally... Why the heck are our friends at Siemens selling systems to the Iranians?

    Friends?
    Neither companies nor government have friends, they have interests.

  8. Re:Would Windows Security Essentials have protecte by afidel · · Score: 3, Insightful

    No, AV software would not have protected those systems from infection because the virus didn't attack the OS or any 'normal' program that an AV vendor would be used to protecting, it attacked a very specific installation of an industrial control package. Better computer hygiene like not taking media from lower security systems to higher security ones would have prevented the infection of the vulnerable machines but even the NSA has admitted that they do not have 100% control over such procedures.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  9. Charlie Wilson's War II by linzeal · · Score: 2

    Iran has stepped up efforts at helping Hamas, Hezbollah, the Taliban and is now releasing all of its Al Qaeda terrorists back into the wilds of the Middle East, the question we should be asking, was this attack worth it if terrorism increased because of it? From what I have seen, no, we are now dealing with Iran supplying larger and larger munitions to the Taliban, 'Charlie Wilson's War' is going to have a sequel and this time the protagonist is going to be Iranian.

  10. That's the old model centrifuge by Animats · · Score: 4, Informative

    The IR-1 is an older model centrifuge. It's basically a copy of an old URENCO design. Iran has an IR-2 and an IR-3 model, which use carbon fibre rotors, and new installations use those. Iran has at least three enrichment plants, incidentally, and they're all different. Various reports indicate replacement of the older models by newer ones, so some of this might be a routine phase-out.

    1. Re:That's the old model centrifuge by Ensign Morph · · Score: 2

      IIRC it did that as well. Specifically it didn't just speed up the centrifuges (which would probably be noticed) but did so in brief oscillating bursts, with the intent of mixing up the partly separated isotopes again.

    2. Re:That's the old model centrifuge by vlm · · Score: 2

      Any mechanical design that results in failure due to a speed change of 6% was prone to failure anyway. I was expecting a more sophisticated attack that would deliver process failure rather than a mechanical failure.

      The term from mechanical engineering that you don't know to google / wikipedia for, is "critical speed" or for that matter "Rotordynamics" in general.

      If the only limiting parameter is critical shaft speed, and "everyone knows" you can very reliably measure time / rotation speed to less than parts per billion, you wanna run right up to the limit of mechanical Q and manufacturing tolerance. Running at 6% below is ridiculously sloppy engineering, especially if process efficiency might scale as square or cube of RPM or maybe worse.

      "Everyone knows" you can trust timing measurements, at least in this modern era, to way under parts per billion. Screwing up that assumption by 6% is actually an extremely sophisticated attack.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  11. Iran would be happy with these rumors too by seyyah · · Score: 2

    I think Iran -- or any other country -- would be pleased to have these kind of rumors about the damage done circulating. Disinformation or uncertainty as to the present condition of their activities can only benefit them, especially if it causes the enemy to underestimate their power. This assumes that Stux wasn't feeding back information about its activity or that another good source doesn't exist.

    1. Re:Iran would be happy with these rumors too by m50d · · Score: 2

      Not for nuclear weapons. The whole point of nukes is to let other people know you have them; no-one wants to have to actually use the things.

      --
      I am trolling
    2. Re:Iran would be happy with these rumors too by AlterEager · · Score: 2

      Not for nuclear weapons. The whole point of nukes is to let other people know you have them; no-one wants to have to actually use the things.

      Dr. Strangelove: Of course, the whole point of a Doomsday Machine is lost, if you *keep* it a *secret*! Why didn't you tell the world, EH?

      Ambassador de Sadesky: It was to be announced at the Party Congress on Monday. As you know, the Premier loves surprises.

  12. Did the centrifuges break -or the controllers? by RubberDogBone · · Score: 5, Insightful

    My take on this story was that the Siemens controllers were the problem. The centrifuges quit working right because the controllers went nuts, and then the controllers were careful to hide their defect.

    So if Iran examined the controllers and centrifuges and figured (wrongly) that the centrifuges were the problem and replaced them, wouldn't the controllers just wreck the new ones as well? And if so, wouldn't that cause Iran to spend a lot of time replacing centrifuges again and again? It seems like that could account for some of the buying.

    And of course, once the actual problem is figured out, then you need to replace the controllers and probably the centrifuges that got broken the second or third time around, and of course figure out how to keep the whole thing from happening again. Sure, you can replace the rogue controllers but how did they go bad to start with? If you don't know, this could cause a lot of extreme paranoia.

    How Iran actually reacted is not clear to me, but I know what would happen if this occurred in a US factory.

    If a machine broke, you'd replace the machine. If it broke again, you'd replace it again and start getting mad. If it broke again, then maybe you'd look at the controller. If it tests OK -and why would it lie to you- then you replace the centrifuge again. Etc. It might take a relatively long time to figure out that the controller is actually the problem AND that it was deliberately being subtle about it to avoid detection. The assumption with machines is that they don't lie to you. If they are good or bad, generally they will be straightforward to sort out via testing or diags.

    So to start with, you have to accept the concept that yes, they can lie, before the source of the problem can begin to be understood much less dealt with.

    --
    Sig for hire.
  13. Re:Really? by sjames · · Score: 3, Informative

    Because normal people consider removable media to contain data but MS and by extension Windows considers it something that must be executed without gaining consent from or even informing the user.

    Windows must be kept locked up in a padded cell and straitjacket. If it sees a bottle marked poison, it will drink it. If it sees a pencil it'll jam it up its nose. Give it a pillow and it'll suffocate itself.

  14. Re:Well that was the intention of the virus by sjames · · Score: 2

    1. There are a lot of perfectly legitimate uses for industrial controllers. 2. Corporations have no friends, only avarice. They may act friend-like if you are currently the highest bidder but the moment they have your money they'll turn to the next highest bidder.

  15. Re:Well that was the intention of the virus by mangu · · Score: 2

    Why the hell Siemens is running Windows for such kind of application, to begin with?

    My question exactly. Twenty years ago the standard system for such applications was the VAX/VMS and I still have to see any successful virus for the VAX/VMS. There have existed many proof-of-concept viruses and worms written for VMS, sure, but never one that caused any widespread damage.

    There's a good analysis of the reasons for this here. In simple words, VMS is not quite as user-friendly as Windows and that makes all the difference.

    That's the reason why I wish the "year of Linux on the desktop" will never come. We don't need an Eternal September on the Linux desktop.

  16. Re:Would Windows Security Essentials have protecte by Opportunist · · Score: 3, Interesting

    You're not a high profile target.

    Could your apartment door keep out an exceptional burglar who specialized in breaking into high profile objects? Could your home safe stop someone who is an expert in opening bank safes? Would someone trained in defeating multi layer security systems trip your alarm system at home?

    I think none of those answers could be answered positively.

    But these people do not break into your home. They got better, more profitable, targets to rob.

    Likewise, nobody would "waste" 4 0day vulnerabilities just to infect YOU, and ONLY YOU (a blanket attack on multiple, nonspecific, targets is usually trivial to discover through early warning means and also quite easy to protect against).

    As odd as it may sound, there's safety in numbers. The garden variety trojan is not targeted. They don't care too much who they infect, their goal is not a specific target, their goal is to infect as many machines as possible, for various reasons, but no matter what the reason, it's better (for them) to infect many instead of a specific target. Phishing, botnets, they all need many, but not specific, machines.

    This is not the case here. The target was very specific and I am actually quite sure that infecting anything else with this trojan would actually have been seen as a flaw in the whole operation.

    I'd guess that the malware was installed specifically where it should strike, not in the usual "release and wait" way but targeted and planted. In other words, I'd guess it would have taken a physical person to be physically present to get this rolling.

    This is nothing that would affect you, or any Joe Randomsurfer for that matter.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  17. Re:Well that was the intention of the virus by ddrichardson · · Score: 2

    Eset has a particularly interesting paper on Stuxnet which may interest you.

    --
    A thistle is a fat salad for an ass's mouth...
  18. Re:Well that was the intention of the virus by xded · · Score: 2

    And finally... Why the heck are our friends at Siemens selling systems to the Iranians?

    Because otherwise the Russians would.

    And then, good luck getting right the Cyrillic encoding for the default password.

  19. Re:Well that was the intention of the virus by omglolbah · · Score: 2

    ABB still support a huge number of plants running on "Conductor VMS" systems. They are so stable that the customers are reluctant to change ;)

    The problem with this is that there are few spare parts, few people with the needed skills and even fewer people who know how to -properly- set up the system.

    The new HMI system is called 800xA and runs on top of Windows 2003 Server. Why?

    I suspect money... And the ability to actually run it in a few years time when the old DEC hardware finally goes out of production :p

    What people fail to get is that the control system functions do not run on the Windows servers. The control loops and logic run on dedicated controllers out in the field. What runs on the Windows machines is the HMI or interface for operators. Getting access to the Windows system doesn't mean you get access to the control functionality...

    And for christ sake people, properly secure your removable media damnit..... You run the systems isolated for a reason!