Stuxnet Worm Targets Automated Systems for Frequency Converters: Are Iranian Centrifuges the Target?
by David Albright and Andrea Stricker
November 17, 2010
* Corrected version (12/20/2010)
On Friday, November 12, 2010, the Symantec Corporation posted an update of its analysis of the Stuxnet worm and narrowed the target to automated systems that control frequency converters manufactured by two firms: Fararo Paya in Tehran, Iran, and Vacon in Finland. It concludes that frequency converters in Iran’s gas centrifuge plants could be the target of Stuxnet.
The information, on its own, is not yet sufficient to determine if Stuxnet is indeed aimed at Iranian centrifuge plants. Frequency converters of the type identified as Stuxnet’s target have many uses other than in centrifuge plants. For example, they are used to drive turbomolecular vacuum pumps, which are not typically used in centrifuge plants but have wide application in high-technology industries.
Moreover, it is unknown if Fararo Paya provides frequency converters to the Iranian enrichment program. In any case, it is unlikely that Fararo Paya makes frequency converters from scratch for Iran’s enrichment plants. It likely either makes them from major subcomponents acquired abroad or purchases them intact from overseas suppliers. The latter is difficult to accomplish successfully since frequency converters with a range of 600-2,000 Hz are considered nuclear-related dual-use goods controlled for export by Nuclear Suppliers Group (NSG) guidelines. But Iran could pursue a strategy of seeking major subcomponents abroad, which are less controlled.
Despite the need for more confirmation of Stuxnet’s target, Symantec makes a legitimate case that Stuxnet could indeed disrupt or destroy Iranian P1-type centrifuge plants. The “P” stands for Pakistan, which was the supplier of the centrifuge designs and initial P1 centrifuges used at the Natanz enrichment plants. Iran in parallel created a manufacturing complex to make P1 centrifuges, which it calls IR-1 centrifuges, using a wide variety of goods acquired illegally from abroad by its smuggling networks.
In the Symantec post, Eric Chien writes:
“Once operation at those frequencies occurs for a period of time [Stuxnet requires the frequency converter drives to be operating at between 807 Hz and 1210 Hz], Stuxnet then hijacks the PLC code and begins modifying the behavior of the frequency converter drives. In addition to other parameters, over a period of months, Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz. Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.”
For the P1 centrifuge found at the Natanz enrichment plants, a frequency of 1410 Hz would translate into a tangential rotor wall speed of 443 meters per second, at the limit of what the spinning aluminum P1 rotor could withstand mechanically. As a result, if the frequency of the rotor increased to 1410 Hz, the rotor would likely fly apart when the tangential speed of the rotor reached that level. Perhaps the rotor does not reach that speed, either because the time allotted for the attack sequence is too short or because an automatic safety system not controlled by Stuxnet slows down the centrifuge.
If the centrifuges survived that attack, the next attack sequence would lower the frequency to 2 Hz before raising it to 1064 Hz, the nominal frequency of the IR-1 centrifuge. Slowing down might seem safe, but not necessarily for a centrifuge. The deceleration can destroy the centrifuge rotor due to excessive vibration as it passes through critical frequencies or imbalances if the uranium hexafluoride gas is not emptied. Centrifuge plants are designed to empty centrifuges quickly of uranium hexafluoride in the event of a malfunction. The reason is that if a centrifuge rotor assembly runs down with the uranium hexafluoride inside, the rotor will likely become unbalanced and “crash,” or break. Chien stated in a comment on an earlier version of this report that they found no code in Stuxnet that would block the dumping of uranium hexafluoride from the centrifuges. After a period of 50 minutes, Stuxnet commands an increase in speed to 1064 Hz. If the rotor decreases in speed to 2 Hz, it may not survive the critical frequencies as it speeds up.
A frequency of 1064 Hz corresponds to a tangential rotor wall speed of about 334 meters per second. This speed is a nominal operational speed of Iran’s P1 centrifuge and the Stuxnet attack sequence identifies 1064 Hz as the nominal frequency of the motor driven by the frequency converter. According to knowledgeable officials, this is the nominal frequency of the IR-1 centrifuge, although one added that often the IR-1 centrifuges operate at 1,002 Hz to lower the rate of centrifuge breakage encountered at that speed.
The attack sequences instituted by Stuxnet appear to be suitable to crash or destroy the Iranian P1 centrifuge: from a normal operational frequency, the first attack sequence commands a speed-up, followed later by an attack sequence that orders a slow-down and then a return to the nominal speed. But questions remain about the purpose of Stuxnet and the progression of its attacks, particularly the damage they would cause.
During the attack sequences, Stuxnet takes over the control system for frequency converters. Thus, the rotors would speed up or slow down without any interference from this control system’s safety features intended to prevent just such risky operation. In fact, as part of launching the attack sequence, Stuxnet shuts off all these warning and safety controls aimed at alerting operators to a problem and protecting the centrifuges from unsafe operation. It is unclear whether other safety systems independent of this control system would intervene to save the centrifuges.
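As an added illustration (not part of the original report or of Symantec's analysis), the sketch below shows how a monitor fed by a speed sensor that bypasses the compromised control system could flag the excursions described above and relate them to rotor wall speed. The rotor diameter is derived from the report's 1410 Hz / 443 m/s figure, and the independent sensor feed and the telemetry are constructed assumptions.

```python
import math

# Figures from the report; the rotor diameter is derived from them, not stated there.
BAND_HZ = (807.0, 1210.0)   # band in which Stuxnet requires the drives to operate
P1_LIMIT_MPS = 443.0        # wall speed the report gives as the P1 rotor's limit
P1_DIAMETER_M = P1_LIMIT_MPS / (math.pi * 1410.0)  # v = pi*d*f, about 0.100 m

def wall_speed(freq_hz, diameter_m=P1_DIAMETER_M):
    """Tangential rotor wall speed in m/s at a given rotation frequency."""
    return math.pi * diameter_m * freq_hz

def classify(freq_hz):
    """Label a reading relative to the normal operating band."""
    if freq_hz > BAND_HZ[1]:
        return "overspeed"
    return "underspeed" if freq_hz < BAND_HZ[0] else "in_band"

def find_excursions(samples):
    """Group consecutive out-of-band readings into excursions.

    samples: (t_seconds, hz) pairs from a hypothetical speed sensor that
    does not pass through the PLC, so a compromised controller cannot mask it.
    """
    excursions, current = [], None
    for t, hz in samples:
        kind = classify(hz)
        if current and kind != current["kind"]:
            current["end"] = t            # first reading after the excursion
            excursions.append(current)
            current = None
        if kind != "in_band" and current is None:
            current = {"kind": kind, "start": t, "end": None,
                       "extreme_hz": hz, "at_limit": False}
        if current:
            pick = max if kind == "overspeed" else min
            current["extreme_hz"] = pick(current["extreme_hz"], hz)
            current["at_limit"] |= wall_speed(hz) >= P1_LIMIT_MPS - 0.5
    if current:
        excursions.append(current)        # still out of band when data ends
    return excursions

def matches_reported_pattern(excursions):
    """True if a speed-up is later followed by a slow-down, as in the report."""
    kinds = [e["kind"] for e in excursions]
    return "overspeed" in kinds and "underspeed" in kinds[kinds.index("overspeed"):]

# Constructed telemetry: nominal, brief speed-up, nominal, 50 minutes near standstill.
SAMPLES = [(0, 1064), (60, 1064), (120, 1410), (180, 1410), (240, 1064),
           (300, 1064), (360, 2), (3300, 2), (3360, 1064)]
```

Readings at 1,002 Hz or 1064 Hz stay inside the band and raise nothing; only the 1410 Hz and 2 Hz segments are reported, with the first marked as reaching the rotor's wall-speed limit.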
For a P2-type centrifuge of the type Iran is developing, a frequency of 1410 Hz would translate into a tangential rotor wall speed of 642 meters per second, faster than what a rotating maraging steel rotor could withstand. However, Iran has developed a carbon fiber, or composite, rotor for its modified P2 design. From a material standpoint, carbon fiber should be able to withstand that speed. In practice, the rotor may not survive because of the failure of other parts, such as lower bearings inherited from the P2 centrifuge that were not designed for such high speeds. In any case, the effect of Stuxnet for a P2-type rotor would be to possibly cause multiple runs through critical frequencies of the centrifuge, increasing the risk of it crashing. Overall, Stuxnet’s effect would likely be less destructive in the case of the P2-type centrifuge plant.