The Stuxnet worm may have a new target. The now-infamous malware was possibly built to sabotage Iran’s nuclear program, while North Korea has unveiled a new uranium enrichment plant that might share components with Iran’s facilities. Are Pyongyang’s centrifuges vulnerable?
While U.S. officials are trying to figure out how to respond to North Korea’s unveiling of a new uranium enrichment plant, there are clues that a piece of malware believed to have hit Iran’s nuclear efforts could also target the centrifuges Pyongyang’s preparing to spin.
Some of the equipment used by the North Koreans to control their centrifuges—necessary for turning uranium into nuclear-bomb-ready fuel—appears to have come from the same firms that outfitted the Iranian nuclear program, according to David Albright, the president of the Institute for Science and International Security and a long-time watcher of both nuclear programs. “The computer-control equipment North Korea got was the same Iran got,” Albright told Danger Room.
Nearly two months before the Yongbyon revelation, Albright published a study covering the little that’s publicly known about the North’s longstanding and seemingly stalled efforts at enriching its own uranium. Citing unnamed European intelligence officials, Albright wrote that the North Korean control system “is dual use, also used by the petrochemical industry, but was the same as those acquired by Iran to run its centrifuges.”
Albright doesn’t know for sure that the North Koreans’ control system is exactly like the one the Iranians use. Siegfried Hecker, the U.S. nuclear scientist invited by Pyongyang to view the Yongbyon facility, wasn’t allowed to check out the control room thoroughly, and his report about what he saw merely says that the control room is “ultra-modern,” decked out with flat-screen computer panels.
Nor is Albright able to specify which company manufactured the control system—something that determines whether Stuxnet would have any potency. “But that’s really what the Stuxnet virus is taking over,” Albright says, “the control equipment, giving directions to the frequency converters.”
That suggests the vulnerabilities to Stuxnet suspected within Iran’s centrifuge-command systems might be contained within North Korea’s new uranium facility. Even if they’re not identical computer systems, Stuxnet demonstrated that the type of command systems employed in centrifuge-based enrichment is vulnerable to malware attack.
That’s not to say that Stuxnet is making its way inside the North Korean facility: Someone would have to infiltrate the Hermit Kingdom’s most sensitive sites and introduce the worm into the command systems, a hard bargain to say the least. In other words, don’t go thinking the United States or an ally could magically infect North Korea with Stuxnet. But if more information emerges about the North’s command systems, that might provide fodder for a copycat worm—provided someone could introduce it into Yongbyon.
Stuxnet was discovered last June by a Belorussian security firm, which found it on the computers of one of its unnamed clients in Iran. The sophisticated code is the first known malware designed to effectively target industrial control systems, also known as Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems control various parts—such as automated assembly lines and pressure valves—at a wide variety of facilities, such as manufacturing plants, utilities and nuclear-enrichment plants.
Stuxnet targeted only a specific system made by Siemens – the Simatic WinCC SCADA system – and only a specific configuration of the system.
According to the latest findings uncovered by security firm Symantec, Stuxnet first looks for Simatic systems that are controlling two particular types of frequency converter drives made by Fararo Paya in Teheran, Iran, or by Vacon, which is based in Finland.
Frequency converter drives are power supplies that control things such as the speed of a motor. Stuxnet only initiates its malicious activity, however, if there are at least 33 of these converter drives in place at the facility and if they are operating at a high speed between 807 Hz and 1210 Hz.
Such high speeds are used only for select applications, such as might be found at nuclear facilities. Speculation on Stuxnet’s likely target has focused on Iran’s nuclear facilities at Bushehr or Natanz. Symantec has been careful not to say definitively that Stuxnet was targeting a nuclear facility, but has noted that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”
But according to a Department of Homeland Security official who spoke on background, frequency converter drives operate at this and similar high speeds in many facilities, not just nuclear plants.
“[They] are used anywhere you try to control a very precise process,” he says. They’re used extensively in the petro-chemical industry and in balancing machines that are used to build fan blades for jet engines. They’re also used for mining and metal manufacturing and in environments that require precise heating, cooling and ventilation. And they’re used in food processing for big mixers, conveyors and high-speed bottling lines.
As for the export limitation on high-speed drives that run above 600 Hz, the DHS official said this isn’t the only restriction on frequency converters. He notes that the Finnish manufacturer whose drives are targeted by Stuxnet requires buyers to have a special licence to operate at frequencies exceeding 320 Hz—not out of concern that they would be used in a nuclear enrichment facility, but out of concern that they’re used properly.
“Because a lot of times you use them in very complex processes to develop exotic materials,” he says. “If you’re blending chemicals to create rocket fuel, you want to have this type of equipment be controlled so you need to have a licence to purchase them, like you need a licence to purchase bulk volumes of nitroglycerin.”
Albright was quick to add that the fact that “we don’t know much at all” about North Korea’s uranium enrichment means that “we can’t make judgments” about how vulnerable Pyongyang is to Stuxnet. It’s also possible that different command systems exist in facilities the United States doesn’t know about. “This could be a Potemkin centrifuge plant,” he says. “It’s so weird to put it at Yongbyon,” the centre of North Korea’s plutonium production. “They obviously want to show it off,” Albright continues, perhaps “to distract us from their real centrifuge program.”