Did Stuxnet Take Out 1,000 Centrifuges At Natanz?

AffidavitDonda writes "In late 2009 or early 2010, Iran decommissioned and replaced about 1,000 IR-1 centrifuges in the Fuel Enrichment Plant (FEP) at Natanz, implying that these centrifuges broke. Iran's IR-1 centrifuges often break, yet this level of breakage exceeded expectations and occurred during an extended period of relatively poor centrifuge performance. Although Iran has not admitted that Stuxnet attacked the Natanz centrifuge plant, it has acknowledged that its nuclear sites were subject to cyber attacks."

"IDF’s Military Intelligence Unit 8200"

[Suki+I]

It's interesting how US was jabbing so much about cyber warfare and how they need to defend themself, and still they're the first one to attack.

From TFA, the rumored culprit is not the USA, it is "IDF’s Military Intelligence Unit 8200".

Re:Well that was the intention of the virus

[garyisabusyguy]

Just spent a minute at wikipedia...

Apparently the virus is Windows specific and targets industrial control systems manufactured by Siemens.

They have distributed a removal tool, which is dependent on current patching from Microsoft

Of course, this soooo many questions, like;
Who else uses the same Siemens controllers, should they be worried as well?
Who holds the keys to this thing?
What is preventing anybody else from hijacking the root kitted systems?
What are the chances of any Microsoft patches being poisoned by the author?

And finally... Why the heck are our friends at Siemens selling systems to the Iranians?

Re:Maybe we will know in the future.

[fuzzyfuzzyfungus]

Seems pretty logical to me. Assuming that the US, or an ally close enough for them to know about it, was behind the work, the success of the attack presumably served as an oh-shit moment for anybody who wasn't a complete moron and hadn't previously had one on the topic of computer security. Plus, projecting your activities onto others seems to be a fairly common human trait. Not only would watching a successful attack team awaken them to the possibilities, it would likely increase their perception that others were likely up to similar things.

By all accounts, stuxnet caused considerable trouble and delay for Iranian enrichment efforts and(at least in public) the closest anybody has gotten to figuring out who did it has basically been pointing fingers at the intersection of "people who don't like Iran" and "people who are good at computers and stuff". A reasonable strategy, to be sure; but not one that suggests they have the slightest in hard evidence to go on. Unless it was unbelievably costly to develop, that is a pretty clear win for whoever was behind it.

I'm sure US military and industrial types could think of a few (thousand) things that they really would not want that happening to, never mind the continual, low-level; but costly, stream of financial scamming and fraud, much of which is electronic and much of which is a net flow from the US to assorted offshore gangs.

That's the old model centrifuge

[Animats]

The IR-1 is an older model centrifuge. It's basically a copy of an old URENCO design. Iran has an IR-2 and an IR-3 model, which use carbon fibre rotors, and new installations use those. Iran has at least three enrichment plants, incidentally, and they're all different. Various reports indicate replacement of the older models by newer ones, so some of this might be a routine phase-out.

Did the centrifuges break -or the controllers?

[RubberDogBone]

My take on this story was that the Siemens controllers were the problem. The centrifuges quit working right because the controllers went nuts, and then the controllers were careful to hide their defect.

So if Iran examined the controllers and centrifuges and figured (wrongly) that the centrifuges were the problem and replaced them, wouldn't the controllers just wreck the new ones as well? And if so, wouldn't that cause Iran to spend a lot of time replacing centrifuges again and again? It seems like that could account for some of the buying.

And of course, once the actual problem is figured out, then you need to replace the controllers and probably the centrifuges that got broken the second or third time around, and of course figure out how to keep the whole thing from happening again. Sure, you can replace the rogue controllers but how did they go bad to start with? If you don't know, this could cause a lot of extreme paranoia.

How Iran actually reacted is not clear to me, but I know what would happen if this occurred in a US factory.

If a machine broke, you'd replace the machine. If it broke again, you'd replace it again and start getting mad. If it broke again, then maybe you'd look at the controller. If it tests OK -and why would it lie to you- then you replace the centrifuge again. Etc. It might take a relatively long time to figure out that the controller is actually the problem AND that it was deliberately being subtle about it to avoid detection. The assumption with machines is that they don't lie to you. If they are good or bad, generally they will be straightforward to sort out via testing or diags.

So to start with, you have to accept the concept that yes, they can lie, before the source of the problem can begin to be understood much less dealt with.

Re:Maybe we will know in the future.

[arivanov]

Not really.

It sounds like a much more professional attack than previously considered.

Varying speed by itself should have just sent yield to hell. Varying speed properly with the full knowledge of the centrifuge design and construction allows to select resonating frequencies (which each centrifuge has) and keep it at those until it disintegrates. In my "previous life" doing biotech I have seen what happens when a rotor goes off balance at 50000 rpm. The effect is more or less similar to that of a hand grenade in a closed space.

Add to that the fact that a broken uranium enrichment centrifuge will leak UF6 all over the place which is highly toxic and corrosive and you have your perfect sabotage method.

There is one more question to be answered here which puts the final dots over Is and crosses the last Ts. The people who have analysed the source so far in AV companies were malware professionals, not chemists or industrial automation experts. So they left one question open - does it try to determine the frequencies or it knows them already. If it is the latter, this means that the attacker has managed to obtain the exact design of a centrifuge with the actual improvements used by Iran so Iran's nuclear programme is way leakier than we thought and everyone and their dog has that centrifuge design now (with the actual improvements done by Iran after they got it from our "allies" in Pakistan). If it is the former, the same attack can be applied to all kind's of industrial automation equipment and Siemens kit provides enough telemetry to run the attack. That is probably even scarier than the first possibility. Resonance is lovely stuff... Nothing can withstand it for a sufficiently long time.

Re:Maybe we will know in the future.

[PatrickThomson]

I'm a chemist and I actually did some freelance investigation into UF6 centrifuges a while back - quite fascinating. They're tall thin cylinders, barely a handsbreadth wide, with maglev vacuum bearings and a rotation speed in excess of 100,000 RPM. The outer wall of the centrifuge experiences a million G's of acceleration, and a sweaty thumb-print can off-balance one enough to self-destruct. Also, one cylinder only enriches uranium by 1% or so, so you need to daisy-chain many hundreds together flawlessly to get pure 235 out the end.

I imagine with a system that fragile, you don't need to find the precise resonant frequency. IIRC, all stuxnet did was blip the frequency down to 0 Hz for a short time - which I imagine would eventually throw the drive off-center and cause it to fail noisily.