Platt Perspective on Business and Technology

Stuxnet and its effects – thinking through the scenarios and their consequences

Posted in business and convergent technologies, in the News by Timothy Platt on February 1, 2011

This is my 13th posting in a series examining issues of cyber-security and cyber-conflict, and I add it in response to a reader comment offered in reaction to my 12th posting here.

I have written repeatedly of the uncertainties inherent in cyber-conflict: in identifying the source of an attack, in distinguishing the intended target from collateral-damage targets, and in determining the reason for the action taken. Cyber-security as due diligence preparation for a potential cyber-attack, and analysis of what happened after such an event, can be complex and filled with uncertainty too. And there are almost always multiple possibilities to consider in any given event or possible event. I have written this series so far primarily looking at these issues in terms of single scenarios and how they do or might play out. The press and news media in general tend to take this same simplifying approach. But in the real world, effective proactive preparation and effective response to any developing event have to include understanding and preparing for multiple scenarios. Post-event analysis has to take this same approach too, if it is to offer a reasonable likelihood of value.

I have looked at Stuxnet in earlier postings, and here I specifically focus on the most recent two:

Stuxnet and the evolution of truth and myth – a January, 2011 update and
Stuxnet – some further thoughts re my January, 2011 update

In those postings I followed through along the lines of a basic scenario in which Stuxnet was successfully introduced into Iran’s Natanz uranium-235 enrichment facility and did work, destroying some 20% of its P-1 ultracentrifuges and effectively taking the facility off-line. That is, of course, only one possibility, and as a bare-bones outline even that covers several alternatives with very different long-term consequences. My goal in this posting is to look at some of these possibilities and at the complexity that would have to be allowed for and accounted for in any national security review, by any country with an interest in this story. I will divide the scenarios into two naturally distinct sets:

• What if Stuxnet did not work, and what the consequences of that would be, and
• What if Stuxnet did work, with the consequences that entails, some of which would not be good even for the countries most averse to seeing Iran develop an atomic bomb.

“Stuxnet failed” scenarios

Stuxnet was developed as a targeted and very precise cyber-weapon with a focused capability for damaging specific types of industrial systems that are managed by specific controller computers running software with known vulnerabilities. In principle at least, this cyber-weapon is capable of destabilizing the operation of these ultracentrifuges, leading to their destruction through catastrophic mechanical failure – with them literally tearing themselves apart. Two possible scenarios come immediately to mind here as to why this might not happen.

One is that the Siemens PCS-7 controller computers this malware was built to target might not have actually been configured and programmed as expected. That could mean unexpected security software had been added, or it could mean the controlling software in place was of a different version or build than the attackers had planned for. Stuxnet might not have worked because the target in fact was different from the target as planned.

It is also possible that Stuxnet did not work even though it was a precise fit to the actual system in place and even though the controller computers were effectively infected with it. And here I turn to some pertinent details about P-1 ultracentrifuges and the cascades constructed from them. P-1 ultracentrifuges are notoriously difficult to keep running smoothly and within specifications. They break down, and they can easily be disrupted even by normal operations. Their design is crude, and the engineers who designed and built the Natanz facility have to have known that.

Even relatively minor, sudden changes in the voltage from the power supplies, as managed by the electrical regulators that sit between the controller computers and the ultracentrifuges, could cause sudden and even catastrophic system-wide failures. That can be prepared for as part of the basic design, but there are other possible problems that can cause failure in as sensitive and unforgiving a system as this, and one of them is impurities in the flow of uranium hexafluoride entering the ultracentrifuge cascades. Any fluctuation in the density or viscosity of this material could lead to the same types of failure that Stuxnet would cause – and uranium hexafluoride is produced through a complex, multi-stage series of processes, with opportunities for contamination and impurities at each step. So along with automated systems for shutting down operations in the event of potentially damaging conditions (which Stuxnet was apparently designed to evade), a well designed facility would also have readily and rapidly available kill switches for shutting operations down. Did someone very alert and in the right place hit a cut-off switch and limit the damage to much less than that 20% figure? They would not need to know why the cascades were running into trouble – only hear them starting to over-rev.
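As an added example that is not part of the original post: the kill switch described above is a safety layer that does not depend on the controller being honest, and the same idea can be automated. The Python below (with constructed sample telemetry and placeholder speed limits, not real P-1 figures) trips when an independent tachometer shows over-speed or disagrees with what the controller reports, with a short debounce so a normally noisy machine does not trip on one spurious reading.

```python
# Added example (not from the post): an independent over-speed interlock that does not
# trust the controller's own telemetry. Speeds and tolerances are constructed placeholders.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class Sample:
    t: float            # seconds since start
    reported_hz: float  # rotor frequency as reported by the controller
    measured_hz: float  # rotor frequency from a separate tachometer


class SafetyMonitor:
    """Trips on over-speed, or when the controller's report diverges from the
    independent sensor, after `debounce` consecutive bad samples so a normally
    noisy machine does not trip on a single spurious reading."""

    def __init__(self, max_hz: float, divergence_hz: float, debounce: int = 3):
        self.max_hz, self.divergence_hz, self.debounce = max_hz, divergence_hz, debounce
        self._bad = 0  # count of consecutive out-of-tolerance samples

    def check(self, s: Sample) -> Optional[str]:
        if s.measured_hz > self.max_hz:
            reason = "over-speed"
        elif abs(s.measured_hz - s.reported_hz) > self.divergence_hz:
            reason = "controller report diverges from independent sensor"
        else:
            self._bad = 0  # a clean sample resets the debounce counter
            return None
        self._bad += 1
        return reason if self._bad >= self.debounce else None

    def run(self, samples: Iterable[Sample]) -> Optional[Tuple[float, str]]:
        """Return (time, reason) of the first trip, or None if the run is clean."""
        for s in samples:
            reason = self.check(s)
            if reason:
                return (s.t, reason)
        return None


def demo_samples() -> List[Sample]:
    """Constructed telemetry: the controller keeps reporting nominal speed while
    the independent tachometer sees the rotor ramp upward from t=4 onward."""
    nominal = 1000.0
    return [Sample(float(i), nominal, nominal + (0.0 if i < 4 else 40.0 * (i - 3)))
            for i in range(12)]


if __name__ == "__main__":
    print(SafetyMonitor(max_hz=1150.0, divergence_hz=25.0).run(demo_samples()))
```

With these constructed values the divergence check fires at t=6.0, three samples into the ramp and well before the hard over-speed limit would be reached.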

It would be in Iran’s best interest to hide any failure of Stuxnet to work, whether it did not work at all or worked only to a limited extent. And under these and similar scenarios Iran would still be in a position to enrich uranium toward fulfilling its goals. That end point is what the comment writer I am responding to had in mind as a starting assumption. And now let’s consider the other basic alternative.

What if Stuxnet did work?

Two issues come immediately to mind here, and one of them involves Stuxnet itself and the other involves Natanz and the technology deployed there. I will start with that second point.

P-1 uranium enrichment ultracentrifuges are finicky at best, as noted above; they break down and need to be taken off-line for repair or replaced outright. That would simply have to be planned for in developing and running a facility like the one at Natanz, even if the possibility of a cyber-weapon like Stuxnet was never considered. And even if these ultracentrifuges were rock steady in operation and completely reliable, uranium enrichment facilities have been destroyed by more conventional military means. So even if Stuxnet did work, what does Iran have in the way of back-up resources, either to replenish or rebuild at Natanz, or to continue on at another and perhaps more hidden facility? Even if Stuxnet did work, it may have caused only a more temporary setback than analysts are currently predicting.

And the other issue that comes to mind involves Stuxnet itself, and given the news this may apply with equal force whether Stuxnet actually worked or not. Stuxnet is out there, with its code readily available to study and to build from. And Stuxnet is widely seen as having proven that a whole new level of highly targeted, smart-bomb cyber-weapons is possible. It is a proof-of-principle weapon, with an extremely dangerous principle made known and now proven.

I will add that Stuxnet looks to have been authored by several sources and is of modular design. No, I do not think this was built by script-kiddies, as I suggested in an earlier posting as a far-fetched but still possible-in-principle source. But Stuxnet has opened a window onto a lot of possibilities, and most of them have nothing to do with Iran or uranium enrichment per se. We have to watch out for what might be viewed as Stuxnet’s children now, and with a wide range of potential computer-controlled industrial systems in mind. Think of cyber-security and cyber-conflict as falling into two eras now: pre-Stuxnet, and now and from now on.
