Post on 07-Apr-2018
DPG Frühjahrstagung Dresden March 2013
Cyber meets Nuclear
Stuxnet and the Cyberattack on Iranian Centrifuges
Matthias Englert
Presentation Mohammed Saeidi http://www.world-nuclear.org/
www.ipfm.org
Slide idea adapted from A. Glaser, "Making Highly enriched Uranium" lecture
Centrifuges for Uranium Enrichment
Centrifuge Separative Capacity
$$\delta U_{\max} = \frac{\pi}{2}\, L D \rho \left(\frac{\Delta M\, v^2}{2RT}\right)^2$$
SWU Separative Work Units (kg SWU/year)
$$\delta U = V(N_P)\,P + V(N_W)\,W - V(N_F)\,F$$
Value Function
$$V(N) = (2N - 1)\ln\left(\frac{N}{1 - N}\right)$$
Centrifuge Separative Power
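$$\delta U_{\max} = \frac{\pi}{2}\, L D \rho \left(\frac{\Delta M\, v^2}{2RT}\right)^2$$
$$\delta U = \delta U_{\max}\, \varepsilon_i\, \varepsilon_c\, \varepsilon_f\, \varepsilon_e$$
$$\delta U_{\max} \sim L\, v^2\, \varepsilon_f$$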
Early Design 0.35-0.45
Production 0.6-0.7
Advanced 0.8-1.1
Name          Material  D [cm]  L [m]  V [m/s]  δU [kg-SWU/y]
Zippe         Aluminum  7.4     0.3    350      0.44
Early Urenco  Aluminum  10      2      350      2-3
G2            Steel     15      1      450      5-6
TC-10         Carbon    15      3.2    500      21
TC12          Carbon    20      3      620      40
Some Centrifuges
Glaser S&GS 2008
Whitley, Physics in Technology 1978
Classic cascade design
Product P, NP
Feed F, NF
Waste W, NW
3.5%
93%
0.25%
0.71%
Typical cascade shapes (here 6000, separation factor 1.15)
One centrifuge not enough
Natanz Site, Iran, 2007
[Figure labels: Sep 2002; 200 meters; Fuel Enrichment Plant (FEP)]
Courtesy A. Glaser
Hall A and B each with 8 modules. One module contains 18 cascades with 164 centrifuges (~3000 centrifuges)
Natanz Capacity
Data IAEA
Total of 8271 kg LEU (net total 5974) produced since Feb. 2007. Rate approx 240 kg/m.
Pilot FEP and FFEP enriched a total of 2244 kg LEU 3.5% to 280 kg 20% (net total 167 kg). Rate at 4-5 kg/m in recent months.
[Figure: Cascades (0-50) by Date, 2008-2011; series: All, enriching, under vacuum, installed, under construction]
enriching installed casings centrifuges
A21 -
A22 -
A23 -
A24 18 164 2952
A25 18
A26 6 164 984
12 174 1968
A27 1 174 174
1 93 93
A28 18 174 3132
Natanz cascades installed Aug 2012
Feb 2013, 74 installed, 53 enrich
PFEP and FFEP
PFEP 2012 2 Aug 2013 3 Feb
1 164 IR1 164 IR1
2 10 IR42962
IR4IR6IR6s
3 -92
IR2mIR1
4 123 IR4 164 IR4
5 162 IR-2m 162 IR-2m
6 164 IR1 164 IR1
FFEP 2012 2 Aug 2013 3 Feb
Unit 14*1741*52
3
enrichinstalledempty
- -
Unit 2 4*1744*174
enrichinstalled
2x24
interc.empty
Iran Breakout
For 25 kg HEU (93%) with 3500 SWU, optimal production using SWU calculation

Feed material         Feedstock [t UF6]  Feed [%]  Waste [%]  Time [d]
Natural Uranium       5.6                0.7       0.3        521
Natural Uranium       23                 0.7       0.45       382
LEU Reactor           0.827              3.5       0.7        147
LEU Reactor           4.5                3.5       3          83
LEU Research Reactor  0.119              20        0.7        43
LEU Research Reactor  0.135              20        3.5        30
Total of 5.97 t LEU produced
Pilot FEP 0.167 t 20%.
Timeline
Symantec
2005 Earliest date known - Command and Control Server Registration
2006 Bush Administration decides Operation Olympic Games
2007 Beacon operations - Scanning of network and hardware (Flame?)
2008 Obama Administration proceeds - closely administered by Obama
himself - (horse blanket map)
2007-2008 Testbed operation and development of Stuxnet 1.x
2008?-2010 Sabotage operations
2012 Infection stops
Exploits
4 Windows 0-day exploits, Step7 software exploit, rootkits installed,
certificate stolen
Especially certificate brandishing - only very few people capable of
developing this attack, only with supercomputers possible because of
cryptography (or by help of companies?)
Symantec
Sophisticated Attack
- Denial of control
- Denial of View
- Man in the middle attack (like heist in bank)
- Air gap: thumb drive (probably by Russian PLC company),
  later by other technology
Target
Symantec
Number of cascades controlled by a S7-300 is unclear. Depends on how
many frequency converters are used
Whitley, Physics in Technology 1978
IR-1     Freq. [Hz]  Wall Speed [m/s]
Maximum  1410        443
nominal  1064
Iran     1007        316
Critical Parameters: Burst and Resonance
Attack routines found
A: Target S7-300 PLC, right communication module, Vacon Frequency
Converter (Finnish)
1) Raise frequency incrementally (0.3525 Hz/s) to 1325-1380 Hz within 15 minutes.
Then normal operation.
2) After 27 days turn frequency to 2 Hz for 50 minutes and back to normal.
Repeat 1) and 2) after 27 days.
But first flexural solid body resonance is above 2000 Hz.
Burst destroys the centrifuge, not resonance. Maybe also stress to end caps or
bearings.
B: Like A but for Iranian made Frequency converters.
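A defender-side view of routines A and B, as an added example that is not part of the original slides: a frequency measurement that bypasses the PLC is checked against the nominal 1064 Hz and against the value shown to operators, so both the excursion and the falsified view ("denial of view") are flagged. The alarm band, the mismatch threshold, the sample layout and the compressed timeline are assumptions, and the log is constructed.

```python
from dataclasses import dataclass

NOMINAL_HZ = 1064.0   # nominal IR-1 drive frequency, from the slide
BAND_HZ = 30.0        # assumed alarm band around nominal (hypothetical)
VIEW_GAP_HZ = 15.0    # assumed max HMI/sensor disagreement (hypothetical)

@dataclass
class Sample:
    t: int            # seconds since log start
    hmi_hz: float     # frequency reported through the PLC to operators
    sensor_hz: float  # independent measurement that bypasses the PLC

def classify(s):
    """Return (kind, view_ok); kind is None while inside the alarm band."""
    kind = ("overspeed" if s.sensor_hz > NOMINAL_HZ + BAND_HZ else
            "underspeed" if s.sensor_hz < NOMINAL_HZ - BAND_HZ else None)
    return kind, abs(s.sensor_hz - s.hmi_hz) <= VIEW_GAP_HZ

def episodes(samples):
    """Merge consecutive out-of-band samples into alert episodes."""
    out, cur = [], None
    for s in samples:
        kind, view_ok = classify(s)
        if cur and cur["kind"] != kind:   # band left or direction changed
            out.append(cur)
            cur = None
        if kind is None:
            continue
        if cur is None:
            cur = {"kind": kind, "start": s.t, "end": s.t,
                   "extreme_hz": s.sensor_hz, "view_spoofed": False}
        cur["end"] = s.t
        pick = max if kind == "overspeed" else min
        cur["extreme_hz"] = pick(cur["extreme_hz"], s.sensor_hz)
        cur["view_spoofed"] |= not view_ok  # operators saw a different value
    if cur:
        out.append(cur)
    return out

def constructed_log():
    """Constructed samples shaped like routine A on a compressed timeline
    (the slide puts the 2 Hz phase 27 days later); HMI always shows nominal."""
    quiet = lambda a, b: [Sample(t, NOMINAL_HZ, NOMINAL_HZ) for t in range(a, b, 60)]
    ramp = [Sample(300 + t, NOMINAL_HZ, NOMINAL_HZ + 0.3525 * t)
            for t in range(0, 901, 60)]            # 0.3525 Hz/s for 15 minutes
    slow = [Sample(t, NOMINAL_HZ, 2.0) for t in range(1500, 4501, 60)]  # 50 min
    return quiet(0, 300) + ramp + quiet(1260, 1500) + slow + quiet(4560, 4620)
```

Calling `episodes(constructed_log())` yields one overspeed and one underspeed episode, each marked `view_spoofed` because the operator display stayed at nominal throughout.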
Attack routines found
C and Stuxnet 0.5: Attack Siemens S7-417 (high end model)
which controls 18 modules.
Attack on valves. Closing valves leads to overpressure in
centrifuge and probably to solidification of UF6 at rotor walls.
But code missing, was apparently not used.
Product P, NP
Waste W, NW
Symantec. Routine for Stuxnet 0.5
Timeline
2005 Earliest date known - Command and Control Server Registration
Nov. Domain registration of C&C Server - 4 Advertising companies.
Timeline
2007-2008 Testbed operation and development of Stuxnet 1.x
Probably with help of Oak Ridge National Lab, where supposedly the Libyan centrifuges were stored. New ones may have been fabricated. Also hints about Dimona as testbed location (enrichment activities before, "rows and rows of centrifuges", A. Cohen). Some centrifuges sent to UK. All had extreme difficulties running the P-1, which is known to be a bad design. Israel supposedly brought in decisive knowledge and, according to anonymous sources from the intelligence community, experimented with centrifuges.
PLC attack development is associated with Idaho National Lab. With knowing or unknowing help by Siemens? Attack was, according to NYT, spread over several labs.
Source: NYT
Timeline
2008 Starting 2008 Iranians get confused. Fear of sabotage from within or outside. Erratic behavior leads to all kinds of suspicion. No two attacks are alike. In the end people sat in the cascade hall and radioed back to operators what they saw with their own eyes.
Timeline
2010 Code escapes.
Until today unclear who is responsible and why. Supposedly code was
changed to spread more aggressively to reach key areas in Natanz. Escape
with service technician laptop into internet.
Attribution
Basically by NYT article
Many other hints come up with dense story involving US and Israel.
Most likely Israel Unit 8200 with NSA.
Testbed operation was successful: "Rubble of centrifuge spread over table in situation room of White House"
From code: no hint to country, but from code analysis it can be said
(Langner) that Stuxnet was not about a message but about destroying
centrifuges.
Source: NYT
Albright 2011
Impact
Apparently only A26 was hit. 11 cascades disconnected in maximum.
IAEA confirmed exchange of 984 centrifuges (6 cascades).
Feb 2013 53 cascades with roughly 9000 centrifuges enriching.
Stuxnet "Conspiracy" Theories
- Where are Libyan centrifuges? How many were there (allegedly only 2 complete)?
- Why is virus 2 tiered?
- Was there a testbed somewhere?
- Why did it attack only A26 and not more cascades?
- Any industrial help?
- Why only limited damage?
Most likely story: U.S. and/or Israel, with limited (unknowing) help of industry and UK, developed a virus which did some harm, but not enough (why?) to really destroy Natanz. Some interpretations:
1) It was a sophisticated and cheap method (compared to military strike) to say: Hello, we know everything, stick to the rules or we do harm you seriously
2) It was a sophisticated and expensive effort, but was not very successful in dealing damage
3) Was successful in setting back program as part of wider sabotage strategy until sanctions kicked in harder and Israelis were kept from attacking.
Conclusion
Stuxnet not the only malware: Flame (earlier, beacon contains similar code to Stuxnet), Duqu (spies on industrial controllers), Gauss etc.
Kinetic attack from cyber realm - crossing the Rubicon
Undermines Iran's security
Shows dedication of U.S.
Leads Iran into thinking U.S. has no interest in a diplomatic solution but is still searching for regime change (plausible denial effort failed)
Cyber Meets Nuclear
Kennette Benedict: Parallel between 1945 and today.
- New weapon developed out of fear others develop weapon.
- Use of weapon without knowing physical consequences and influence on arms race dynamics
- Scientists and engineers warn political and military leaders about consequences and call for regulation
- Unleashing new weapon without public discussion
I am not so sure about those parallels, but I see the possible dangers (industrial attacks, critical infrastructure e.g. air traffic)
How ironic that first kinetic cyberweapon is used to prevent nuclear proliferation!
Source: Bulletin of the Atomic Scientists