
DPG Frühjahrstagung Dresden March 2013

Cyber meets Nuclear: Stuxnet and the Cyberattack on Iranian Centrifuges

Matthias Englert

The Centrifuge

Presentation Mohammed Saeidi http://www.world-nuclear.org/

www.ipfm.org

Slide idea adapted from A. Glaser "Making Highly enriched Uranium - lecture"

Centrifuges for Uranium Enrichment

Centrifuge Separative Capacity

$$\delta U_{\max} = \frac{\pi}{2} L D \rho \left( \frac{\Delta M v^2}{2RT} \right)^2$$

www.ipfm.org

SWU Separative Work Units (kg SWU/year)

$$\delta U = V(N_P)\,P + V(N_W)\,W - V(N_F)\,F$$

Value Function $$V(N) = (2N - 1) \ln\left( \frac{N}{1 - N} \right)$$

Centrifuge Separative Power

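$$\delta U_{\max} = \frac{\pi}{2} L D \rho \left( \frac{\Delta M v^2}{2RT} \right)^2$$

$$\delta U = \delta U_{\max} \, \varepsilon_i \varepsilon_c \varepsilon_f \varepsilon_e$$

$$\delta U_{\max} \sim L v^2 \varepsilon_f$$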

Early Design 0.35-0.45

Production 0.6-0.7

Advanced 0.8-1.1

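| Name | Material | D [cm] | L [m] | V [m/s] | δU [kg-SWU/y] |
|---|---|---|---|---|---|
| Zippe | Aluminum | 7.4 | 0.3 | 350 | 0.44 |
| Early Urenco | Aluminum | 10 | 2 | 350 | 2-3 |
| G2 | Steel | 15 | 1 | 450 | 5-6 |
| TC-10 | Carbon | 15 | 3.2 | 500 | 21 |
| TC12 | Carbon | 20 | 3 | 620 | 40 |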

Some Centrifuges

Glaser S&GS 2008

Whitley, Physics in Technology 1978

Iranian Cascades

Classic cascade design

[Figure: cascade with streams Product P, NP; Feed F, NF; Waste W, NW; enrichment labels 3.5%, 93%, 0.25%, 0.71%]

Typical cascade shapes (here 6000, separation factor 1.15)

One centrifuge not enough

Natanz Site, Iran, 2007

[Satellite image labels: Sep 2002; scale bar 200 meters; Fuel Enrichment Plant (FEP). Courtesy A. Glaser]

Hall A and B each with 8 modules. One module contains 18 cascades with 164 centrifuges (~3000 centrifuges)

Natanz Capacity

Data IAEA

Total of 8271 kg LEU (net total 5974) produced since Feb. 2007. Rate approx 240 kg/m.

Pilot FEP and FFEP enriched a total of 2244 kg LEU 3.5% to 280 kg 20% (net total 167 kg). Rate at 4-5 kg/m in recent months.

[Plot: cascades (axis 0-50) versus date (2008-2011); series: all, enriching, under vacuum, installed, under construction]

enriching installed casings centrifuges

A21 -

A22 -

A23 -

A24 18 164 2952

A25 18

A26 6 164 984

12 174 1968

A27 1 174 174

1 93 93

A28 18 174 3132

Natanz cascades installed Aug 2012

Feb 2013, 74 installed, 53 enrich

PFEP and FFEP

PFEP 2012 2 Aug 2013 3 Feb

1 164 IR1 164 IR1

2 10 IR42962

IR4IR6IR6s

3 -92

IR2mIR1

4 123 IR4 164 IR4

5 162 IR-2m 162 IR-2m

6 164 IR1 164 IR1

FFEP 2012 2 Aug 2013 3 Feb

Unit 14*1741*52

3

enrichinstalledempty

- -

Unit 2 4*1744*174

enrichinstalled

2x24

interc.empty

Iran Breakout

| Feedstock [t UF6] | Feed [%] | Waste [%] | Time [d] |
|---|---|---|---|
| 5.6 | 0.7 | 0.3 | 521 |
| 23 | 0.7 | 0.45 | 382 |
| 0.827 | 3.5 | 0.7 | 147 |
| 4.5 | 3.5 | 3 | 83 |
| 0.119 | 20 | 0.7 | 43 |
| 0.135 | 20 | 3.5 | 30 |

For 25 kg HEU (93%) with 3500 SWU optimal production using SWU calculation

Natural Uranium

LEU Reactor

LEU Research Reactor

Total of 5.97 t LEU produced

Pilot FEP 0.167 t 20%.

Stuxnet

Timeline

Symantec

2005 Earliest date known - Command and Control Server Registration

2006 Bush Administration decides Operation Olympic Game

2007 Beacon operations - Scanning of network and hardware (Flame?)

2008 Obama Administration proceeds - closely administered by Obama himself - (horse blanket map)

2007-2008 Testbed operation and development of Stuxnet 1.x

2008?-2010 Sabotage operations

2012 Infection stops

Stuxnet for non Computer Scientists

L-Dopa

Exploits

4 Windows 0-day exploits, Step7 software exploit, root kits installed, certificate stolen

Especially certificate brandishing - only very few people capable of developing this attack, only with supercomputers possible because of cryptography (or by help of companies?)

Symantec

Sophisticated Attack

- Denial of control

- Denial of View

- Man in the middle attack (like heist in bank)

- Air Gap: thumb drive (probably by Russian PLC company), later by other technology

Target

S7-300 Siemens PLC (Programmable Logic Controller)

Wikipedia

Target

Symantec

Number of cascades controlled by a S7-300 is unclear. Depends on how many frequency converters are used

Whitley, Physics in Technology 1978

| IR-1 | Freq. [Hz] | Wall Speed [m/s] |
|---|---|---|
| Maximum | 1410 | 443 |
| nominal | 1064 | |
| Iran | 1007 | 316 |

Critical Parameters

Burst and Resonance

Attack routines found

A: Target S7-300 PLC, right communication module, Vacon Frequency Converter (Finnish)

1) raise frequency incrementally (0.3525 Hz/s) to 1325-1380 within 15 minutes. Then normal operation

2) after 27 days turn frequency to 2 Hz for 50 minutes and back to normal.

Repeat 1) and 2) after 27 days

But first flexural solid body resonance is above 2000 Hz.

Burst destroys centrifuge, not resonance. Maybe also stress to endcaps or bearings.

B: Like A but for Iranian made Frequency converters.
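
Routines A and B change the drive frequency while the "Denial of View" listed earlier keeps the operator display looking normal, so a monitor has to compare against a measurement that does not pass through the PLC. The following is an added example, not part of the original slides: it flags excursions from the IR-1 operating frequency and disagreement between the displayed and the independently measured value. The thresholds, the `Sample` fields, the existence of an independent sensor and the time-compressed trace are assumptions made for illustration.

```python
from dataclasses import dataclass

# From the slides: IR-1 operating point ("Iran") and maximum frequency.
OPERATING_HZ, MAX_HZ = 1007.0, 1410.0
# Assumed thresholds for this sketch (not from the slides).
BAND_HZ = 25.0       # tolerated deviation from the operating point
VIEW_GAP_HZ = 10.0   # tolerated disagreement between HMI and sensor

@dataclass
class Sample:
    t: int            # seconds since start of capture
    hmi_hz: float     # value the PLC reports to the operators
    sensor_hz: float  # independent measurement that bypasses the PLC

def classify(s):
    """Return the set of findings for one sample."""
    found = set()
    if s.sensor_hz >= MAX_HZ:
        found.add("above-maximum")
    elif abs(s.sensor_hz - OPERATING_HZ) > BAND_HZ:
        found.add("out-of-band")
    if abs(s.hmi_hz - s.sensor_hz) > VIEW_GAP_HZ:
        found.add("view-mismatch")
    return found

def episodes(samples):
    """Merge consecutive samples with the same finding into (kind, start, end)."""
    open_eps, closed, prev_t = {}, [], None
    for s in samples:
        found = classify(s)
        for kind in list(open_eps):
            if kind not in found:
                closed.append((kind, open_eps.pop(kind), prev_t))
        for kind in found:
            open_eps.setdefault(kind, s.t)
        prev_t = s.t
    closed += [(k, start, prev_t) for k, start in open_eps.items()]
    return sorted(closed, key=lambda e: (e[1], e[0]))

def constructed_trace():
    """Constructed, time-compressed telemetry: ramp, normal run, 2 Hz phase."""
    trace, hz = [], OPERATING_HZ
    for t in range(0, 1200, 60):  # ramp at 0.3525 Hz/s, capped at 1380
        trace.append(Sample(t, OPERATING_HZ, min(hz, 1380.0)))
        hz += 0.3525 * 60
    trace += [Sample(t, OPERATING_HZ, OPERATING_HZ) for t in range(1200, 1500, 60)]
    trace += [Sample(t, OPERATING_HZ, 2.0) for t in range(1500, 1800, 60)]
    return trace
```

On the constructed trace, `episodes(constructed_trace())` reports the view mismatch one sample before the out-of-band alert during the ramp, and both again during the 2 Hz phase.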

Attack routines found

C and Stuxnet 0.5: Attack Siemens S7-417 (high end model) which controls 18 modules.

Attack on valves. Closing valves leads to overpressure in centrifuge and probably to solidification of UF6 at rotor walls.

But code missing, was apparently not used.

Product P, NP

Waste W, NW

Symantec. Routine for Stuxnet 0.5


Timeline

2005 Earliest date known - Command and Control Server Registration

Nov. Domain registration of C&C Server - 4 Advertising companies.


Timeline

2007-2008 Testbed operation and development of Stuxnet 1.x

Probably with help of Oak Ridge National Lab, where supposedly the Libyan centrifuges were stored. New ones may have been fabricated. Also hints about Dimona as testbed location (enrichment activities before, "rows and rows of centrifuges", A. Cohen). Some centrifuges sent to UK. All had extreme difficulties running the P-1, which is known to be a bad design. Israel supposedly brought in decisive knowledge and, according to anonymous sources from intelligence community, experimented with centrifuges.

PLC attack development is associated with Idaho National Lab. With knowing or unknowing help by Siemens? Attack was according to NYT spread over several labs.

Source: NYT

Timeline


2008 Starting in 2008 the Iranians get confused. Fear of sabotage from within or outside. Erratic behavior leads to all kinds of suspicion. No two attacks are alike. In the end people sat in the cascade hall and radioed back to the operators what they saw with their own eyes.

Timeline


2010 Code escapes.

Until today unclear who is responsible and why. Supposedly code was changed to spread more aggressively to reach key areas in Natanz. Escape with service technician laptop into internet.

Attribution

Basically by NYT article

Many other hints come up with dense story involving US and Israel.

Most likely Israel Unit 8200 with NSA.

Testbed operation was successful: "Rubble of centrifuge spread over table in situation room of White House"

From code: no hint to country, but from code analysis it can be said (Langner) that Stuxnet was not about a message but about destroying centrifuges.

Source: NYT

Impact

Symantec

Albright 2011

Impact

Apparently only A26 was hit. 11 cascades disconnected in maximum.

IAEA confirmed exchange of 984 centrifuges (6 cascades).

Feb 2013 53 cascades with roughly 9000 centrifuges enriching.

Stuxnet "Conspiracy" Theories

- Where are Libyan centrifuges? How many were there (allegedly only 2 complete)?
- Why is virus 2 tiered?
- Was there a testbed somewhere?
- Why did it attack only A26 and not more cascades?
- Any industrial help?
- Why only limited damage?

Most likely story: U.S. and/or Israel, with limited (unknowing) help of industry and UK, developed a virus which did some, but not enough harm (why?) to really destroy Natanz. Some interpretations:

1) It was a sophisticated and cheap method (compared to military strike) to say: Hello, we know everything, stick to the rules or we will harm you seriously

2) It was a sophisticated and expensive effort, but was not very successful in dealing damage

3) Was successful in setting back program as part of wider sabotage strategy until sanctions kicked in harder and Israelis were kept from attacking.

Conclusion

Stuxnet is not the only malware: Flame (earlier, beacon contains similar code as Stuxnet), Duqu (spies for industrial controllers), Gauss etc.

Kinetic attack from cyberrealm - crossing the Rubicon

Undermines Iran's security

Shows dedication of U.S.

Leads Iran into thinking U.S. has no interest in diplomatic solution but is still searching for regime change (plausible denial effort failed)

Cyber Meets Nuclear

Kennette Benedict

Parallel between 1945 and today.

- New weapon developed out of fear others develop weapon.
- Use of weapon without knowing physical consequences and influence on arms race dynamics
- Scientists and engineers warn political and military leaders about consequences and call for regulation
- Unleashing new weapon without public discussion

I am not so sure about those parallels, but I see the possible dangers (industrial attacks, critical infrastructure e.g. air traffic)

How ironic that first kinetic cyberweapon is used to prevent nuclear proliferation!

Source: Bulletin of the Atomic Scientists

Fin