Search

Begin New Search Topic Cybersecurity Author Christina Walrond

1. Stuxnet Malware and Natanz: Update of ISIS December 22, 2010 Report

Author:
David Albright, Paul Brannan, and Christina Walrond
Publication Date:
02-2011
Content Type:
Special Report
Institution:
Institute for Security and International Studies (ISIS)
Abstract:
In the December 22, 2010 ISIS report on Stuxnet, 1 ISIS found that this malware contained important evidence indicating that its target was the IR-1 centrifuges at the Fuel Enrichment Plant (FEP) at Natanz. ISIS focused on the attack sequences generated by a Siemens S7-315 programmable logic controller (PLC) connected to frequency converters of a particular type. The ISIS analysis centered on the rotational frequencies listed in these detailed attack sequences. These frequencies matched, in two cases identically, key frequencies characteristic of the IR-1 centrifuge at the FEP. A further analysis of another attack sequence has revealed that this code contains a description of what appears to be an exact copy of the IR-1 cascade at the FEP. The attack is titled “Sequence C” by Symantec, the computer security company that has conducted the most thorough and reliable open analysis of the malware’s code, or “417 code” after the advanced Siemens S7-417 programmable logic controller that Stuxnet targets. 2 However, the 417 code is not activated and thus unable to launch an attack. 3 Moreover, key data is missing from the code available to Symantec that would define exactly what is affected or sabotaged. 4 Symantec has assessed that the 417 code is likely unfinished, perhaps a work in progress. Additional analysis also lends more support to the conclusion that the Stuxnet malware is aimed principally at destroying centrifuges, not manipulating parameters of the centrifuge cascades so as to lower the production of low enriched uranium (LEU) on a sustained basis. To date, Stuxnet is known to have had at least one successful attack. It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site. The effect of this attack was significant. It rattled the Iranians, who were unlikely to know what caused the breakage, delayed the expected expansion of the plant, and further consumed a limited supply of centrifuges to replace those destroyed. Nonetheless, Iran took steps in the aftermath of the attack that likely reduced further damage by Stuxnet, principally shutting down many centrifuge cascades for months. The shutdown lasted long enough for the malware to be discovered publicly, by which time Iran could have found Stuxnet on the Natanz control systems.
Topic:
Cybersecurity, Nuclear Energy, and Natanz Fuel Enrichment Plant (FEP)
Political Geography:
Iran and Middle East

2. IAEA Iran Safeguards Report: Shutdown of Enrichment at Natanz Result of Stuxnet Virus?; Downgrade in Role of Fordow Enrichment Site; LEU Production May Have Decreased

Author:
David Albright, Andrea Stricker, and Christina Walrond
Publication Date:
11-2010
Content Type:
Special Report
Institution:
Institute for Security and International Studies (ISIS)
Abstract:
The International Atomic Energy Agency (IAEA) released on November 23, 2010 its latest report on the implementation of NPT safeguards in Iran and the status of Iran’s compliance with Security Council Resolutions 1737, 1747, and 1803. The following analysis highlights the IAEA’s key findings, including 1) a mysterious halt to enrichment at Natanz resulted in centrifuges not enriching for up to one week during November 2010, which ISIS speculates could have been the result of the Stuxnet virus; 2) fewer P1 centrifuges are planned for the Fordow enrichment site; and 3) the average monthly rate of low enriched uranium production increased but many additional centrifuges enriching by end of reporting period; and 4) monthly production rates of 20 percent enriched LEU remain steady.
Topic:
Cybersecurity, Uranium, Nuclear Energy, and Natanz Fuel Enrichment Plant (FEP)
Political Geography:
Iran and Middle East

3. Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?

Author:
David Albright, Paul Brannan, and Christina Walrond
Publication Date:
12-2010
Content Type:
Special Report
Institution:
Institute for Security and International Studies (ISIS)
Abstract:
In late 2009 or early 2010, Iran decommissioned and replaced about 1,000 IR-1 centrifuges in the Fuel Enrichment Plant (FEP) at Natanz, implying that these centrifuges broke. Iran’s IR-1 centrifuges often break, yet this level of breakage exceeded expectations and occurred during an extended period of relatively poor centrifuge performance. Although mechanical failures or operational problems have often been discussed as causing problems in the IR-1 centrifuges,1 the crashing of such a large number of centrifuges over a relatively short period of time could have resulted from an infection of the Stuxnet malware.2 This malicious code seeks to take over an industrial control system in order to destroy equipment while hiding its presence.3 Given Stuxnet’s much greater prevalence in Iran compared to other countries, it is likely that this malware was aimed at Iran. Stuxnet covertly changes the frequencies of certain types of frequency converters, which control the speed of motors. The frequencies listed in Stuxnet’s attack sequences, including the nominal frequency of a motor, imply that a target is the IR-1 centrifuge.4 However, Stuxnet’s exact purpose or its overall effect on the FEP remains hard to assess. If Stuxnet’s goal was the destruction of all the centrifuges in the FEP, Stuxnet failed. But if its goal was to destroy a more limited number of centrifuges and set back Iran’s progress in operating FEP while making detection of the malware difficult, it may have succeeded, at least for a while.
Topic:
Cybersecurity, Nuclear Energy, Natanz Fuel Enrichment Plant (FEP), and Centrifuges
Political Geography:
Iran and Middle East