Dec 27, 2010 18:29 GMT

A new report from the Institute for Science and International Security (ISIS) suggests that Stuxnet might be responsible for 1,000 broken IR-1 centrifuges replaced at Iran's Natanz Fuel Enrichment Plant (FEP).

It's a known fact that Stuxnet, the most complex piece of malware ever created, was designed to target industrial SCADA systems, in particular those with frequency converter drives attached to them.

According to an analysis of its code, Stuxnet looks only for such drives produced by two companies, one located in Finland and one in Tehran.

Furthermore, the malware checks if the equipment operates at frequencies between 807 Hz and 1210 Hz for long periods of time.

One of the few applications for converter drives operating at such high frequencies is uranium enrichment centrifuges.

In November, Iranian President Mahmoud Ahmadinejad admitted that several of the country's centrifuges used for uranium enrichment were affected by malware.

Now, ISIS reports that 1,000 centrifuges were decommissioned at Natanz in late 2009, early 2010, noting that "Iran’s IR-1 centrifuges often break, yet this level of breakage exceeded expectations and occurred during an extended period of relatively poor centrifuge performance."

"The crashing of such a large number of centrifuges over a relatively short period of time could have resulted from an infection of the Stuxnet malware," the institute says.

Several factors suggest this. The first is the timing. The earliest Stuxnet samples seen so far date from mid-2009. It would have taken time for scientists to unknowingly carry the malware to Natanz on USB sticks, as the plant's computers are not connected to the Internet.

The second indication is Stuxnet's routine when it discovers frequency converter drives that match the defined parameters. It begins by lowering their frequency to a minimum of 2 Hz for 50 minutes, which compromises their operation, then raises it back to 1,064 Hz.

As it happens, 1,064 Hz was described in mid-2008 as the nominal frequency of IR-1 centrifuges by an official of a government which closely tracks the Iranian fuel enrichment program.

After the first attack sequence, the malware waits 27 days, then raises the frequency to 1410 Hz for 15 minutes. This frequency falls within the maximum speed range that IR-1 rotors can withstand mechanically.

"As a result, if the frequency of the rotor increased to 1410 Hz, the rotor would likely fly apart when the tangential speed of the rotor reached that level," ISIS notes.

Stuxnet hides the attack by sending commands to disable the frequency converters’ warning and safety controls which would normally alert operators.
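Because the converters' own warnings are disabled during the sequence, a defender would have to detect it from measurements the drive does not control. The following is an added example, not code from the article or from ISIS: it flags sustained runs outside the 807-1210 Hz band in frequency readings assumed to come from an independent sensor; the function names, the 300-second threshold and the sample trace are constructed for illustration.

```python
from dataclasses import dataclass

# Operating band the article says Stuxnet checks for (Hz).
BAND_LOW_HZ, BAND_HIGH_HZ = 807.0, 1210.0

@dataclass
class Excursion:
    start_s: int
    end_s: int
    kind: str          # "under" or "over"
    extreme_hz: float  # lowest (under) or highest (over) reading in the run

def classify(hz):
    if hz < BAND_LOW_HZ:
        return "under"
    if hz > BAND_HIGH_HZ:
        return "over"
    return None

def find_excursions(samples, min_duration_s=300):
    """samples: time-ordered (seconds, hz) pairs from an independent sensor
    (assumed). Returns out-of-band runs lasting at least min_duration_s,
    so single-sample transients are ignored."""
    found, run = [], None
    for ts, hz in samples:
        kind = classify(hz)
        if run and run.kind == kind:          # same excursion continues
            run.end_s = ts
            pick = min if kind == "under" else max
            run.extreme_hz = pick(run.extreme_hz, hz)
            continue
        if run and run.end_s - run.start_s >= min_duration_s:
            found.append(run)                 # previous run was long enough
        run = Excursion(ts, ts, kind, hz) if kind else None
    if run and run.end_s - run.start_s >= min_duration_s:
        found.append(run)
    return found

def constructed_trace():
    """Constructed one-minute samples following the sequence in the article."""
    t0 = 27 * 86400                                           # 27-day wait
    trace = [(m * 60, 1064.0) for m in range(10)]             # nominal
    trace += [(m * 60, 2.0) for m in range(10, 61)]           # 2 Hz, 50 min
    trace += [(m * 60, 1064.0) for m in range(61, 70)]
    trace += [(70 * 60, 1250.0)]                              # brief transient
    trace += [(m * 60, 1064.0) for m in range(71, 75)]
    trace += [(t0 + m * 60, 1410.0) for m in range(16)]       # 1410 Hz, 15 min
    trace += [(t0 + m * 60, 1064.0) for m in range(16, 20)]
    return trace
```

On the constructed trace, `find_excursions(constructed_trace())` reports the 50-minute drop and the 15-minute overspeed and skips the one-sample transient.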

ISIS ends its assessment with a warning, saying that "Countries hostile to the United States may feel justified in launching their own attacks against U.S. facilities, perhaps even using a modified Stuxnet code."