Stuxnet Watch: Iran Centrifuges Likely Broken

Monday, January 3, 2011 @ 06:01 PM gHale

Stuxnet might be responsible for 1,000 broken IR-1 centrifuges replaced at Iran’s Natanz Fuel Enrichment Plant (FEP), according to a new report.

Stuxnet, an incredibly complex piece of malware, targeted industrial SCADA systems. Stuxnet looks only for frequency converter drives produced by two companies, one located in Finland and one in Tehran, according to a report from the Institute for Science and International Security (ISIS).

Furthermore, the malware checks if the equipment operates at frequencies between 807 Hz and 1210 Hz for long periods of time.

One of the few applications for converter drives operating at such high frequencies is uranium enrichment centrifuges.

In November, Iranian President Mahmoud Ahmadinejad said there were some of the country’s centrifuges used for uranium enrichment affected by malware.

Now, the ISIS report (http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/) said 1,000 centrifuges ended up decommissioned at Natanz in late 2009, early 2010, noting “Iran’s IR-1 centrifuges often break, yet this level of breakage exceeded expectations and occurred during an extended period of relatively poor centrifuge performance.”

“The crashing of such a large number of centrifuges over a relatively short period of time could have resulted from an infection of the Stuxnet malware,” according to the report.

There are several factors to suggest this. First, it’s the timing. The earliest Stuxnet samples seen so far date from mid-2009. Since the plant’s computers did not connect to the Internet, it would take time for scientists to unknowingly carry the malware to Natanz on USB sticks.

The second indication is Stuxnet’s routine when it discovers frequency converter drives that match the defined parameters. It begins by lowering their frequency to a minimum of 2 Hz for 50 minutes, which compromises their operation, then raises it back to 1,064 Hz.

As it happens, in the mid 2008’s 1,064 Hz was the nominal frequency of IR-1 centrifuges, according to an official of a government which closely tracks the Iranian fuel enrichment program.

After the first attack sequence, the malware waits 27 days then raises the frequency to 1410 Hz for 15 minutes. This frequency falls within the maximum speed range that IR-1 rotors can withstand mechanically.

“As a result, if the frequency of the rotor increased to 1410 Hz, the rotor would likely fly apart when the tangential speed of the rotor reached that level,” ISIS said in the report.

Stuxnet hides the attack by sending commands to disable the frequency converters’ warning and safety controls which would normally alert operators.

ISIS issued a warning, saying “countries hostile to the United States may feel justified in launching their own attacks against U.S. facilities, perhaps even using a modified Stuxnet code.”