Stuxnet Worm Was Ideal For Disrupting Centrifuges

The "Stuxnet" computer worm that infected computers at Iran's Bushehr atomic reactor was perfectly tuned to disrupt the operations of uranium enrichment centrifuges, the New York Times reported yesterday (see GSN, Nov. 18).

Specialists studying the worm, believed to have been developed specifically to sabotage Iran's nuclear program, have not yet determined who created the system. Many experts agree, though, that its uncommon sophistication strongly indicates it was the product of a state-backed effort.

Israel -- the nation that most stridently opposes Tehran's controversial atomic work -- was speculated early on to have created Stuxnet. Jerusalem has not claimed responsibility for the worm. In recent weeks, however, Israeli officials have responded with big grins when asked whether their government had produced Stuxnet, according to the Times (see GSN, Sept. 30).

The United States is considered the other leading candidate to have created the worm but indicated Stuxnet was developed outside the country. Washington, Jerusalem and European powers believe Iran is seeking a nuclear weapons ability. Tehran adamantly maintains its nuclear program is strictly peaceful.

To date, four U.N. Security Council resolutions have been passed targeting Iran's nuclear program. Multiple nations have also passed unilateral sanctions against the country for refusing to halt uranium enrichment operations, which can produce reactor fuel and weapons material.

Computer experts say Stuxnet sabotages centrifuges by causing rapid fluctuations in motors' rotation rates. Altering the rotating speed "sabotages the normal operation of the industrial control process," analyst Eric Chien of the cyber security firm Symantec wrote in an online post last week.

These changes in speed can have significant consequences for the thousands of centrifuges Iran uses in its uranium enrichment efforts, even causing them to explode, according to nuclear experts. International Atomic Energy Agency reports on Iran's nuclear program point to a variety of challenges the country has faced in maintaining a high number of working centrifuges. Since summer 2009, hundreds of units have been taken out of service.

"We don’t see direct confirmation" that the worm was intended to sabotage Iran's uranium development. "But it sure is a plausible interpretation of the available facts," Institute for Science and International Security President David Albright said yesterday.

Prior to the Nov. 12 release of an analysis on Stuxnet by Chien and colleagues at Symantec, experts had said only that the worm was developed to disrupt specific types of Siemens machinery employed at a broad range of global industrial operations.

The Symantec study asserted the worm's main agenda was to assume control of the converters that set the frequency of centrifuge rotations. Stuxnet's operating commands were determined to go after the converters manufactured by two firms -- Iran-based Fararo Paya and Finland-based Vacon.

The U.S. Homeland Security Department backed up these determinations in its own analysis, a high-ranking official said yesterday.

An ISIS report issued on Wednesday asserted that if Stuxnet increased the frequency of the electrical power supply to the centrifuges, it would cause them to increase their rotating speed. When the power supply reaches 1,410 rotations per second, the centrifuges reportedly blow apart.

Stuxnet concludes its assault by setting the power supply to operate at just the right speed for the centrifuges, which have already theoretically been sabotaged beyond saving, Albright said.

The recent reports do not establish beyond doubt that Iran was Stuxnet's intended victim. Converters are used to command a variety of machines such as turbines, saws and lathes, and the worm has turned up in other nations including India and Indonesia.

Industrial control systems specialist Ralph Langner wrote in an online posting last week that a date appeared repeatedly in the Stuxnet code -- September 24, 2001. That date obviously long precedes the worm's creation. Langner speculated the date was a communication from the writers of the code.

According to Symantec analysts, another set of numbers present in the code -- 19790509 -- could point to the date May 9, 1979, when Tehran put to death Habib Elghanian, a Jewish-Iranian man, on charges of acting as a spy for Israel.

One investigator speculated that Stuxnet might have been created many years before it was released.

While the core of the Stuxnet code seems to have been developed by a group of highly advanced creators, the program that sent the worm live pointed to lower-skilled writers, said cyber security expert Tom Parker. That the worm was discovered and proliferated to so many nations means it was an unsuccessful program, he said.

"The end target is going to be able to know they were the target, and the attacker won't be able to use this technique again," Parker said (Broad/Sanger, New York Times, Nov. 18).

November 19, 2010
