The travel and group meeting restrictions from COVID-19 have allowed me to catch up on some reading about viruses; not the type that get transmitted to humans. This article is about the Stuxnet virus and what I learned from the book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon” by Kim Zetter (Published in 2014).  It focuses on how Stuxnet manipulated control and safety systems to inflict physical damage to the equipment under control (centrifuges). Some information is also taken from “To Kill a Centrifuge”, by Ralph Langner, one of the people credited with uncovering Stuxnet.

Stuxnet was way more than “just” a virus. It was a combination worm (for spreading) and virus (for infecting) that ultimately propagated to some 300,000 PCs. Not only did it infect USB flash drives (one of four zero-day exploits), it also included forgery of digital certificates (for authenticating the source of software), hijacking and replacement of control system .dll’s, manipulation of PLC firmware, and “man-in-the middle” attacks. “Released” in five different versions incorporating two attack vectors, it was designed to manipulate the Siemens control and safety systems in order to sabotage operation of the Natanz Uranium enrichment facility.   

The goal of Stuxnet was to damage centrifuges so that they failed prematurely; not to destroy them all at once. Stuxnet exploited physical vulnerabilities via two different attack vectors. The first (and more complex) attack attempts to over-pressurize centrifuges, the second attack tries to over-speed centrifuge rotors and take them through their critical (resonance) speeds.

Figure. Stuxnet Attack Vectors (Ref Langner)

Stuxnet inserted a rogue .dll into the Siemens control system, hijacking communication between engineering stations, the operator interface (HMI), and the PLCs. The malware stayed dormant on the system passing legitimate command / operations and process data between components until an attack was unleashed. During an attack it would pass false process data and commands, thus spoofing the control logic, protection system, alarm system, and operator interface. 

Stuxnet’s first attack was designed to create an over-pressure condition by opening and closing the valves that controlled the flow of Uranium enriched gas into and out of the centrifuges. During one sequence feed valves were kept open and exhaust valves were kept closed to increase the pressure inside the centrifuge, leading to solidification and damage to the spinning rotors. Stuxnet disabled the protection system that was meant to prevent one damaged centrifuge from destroying others. 

The sequence also included a man-in-the-middle attack. Process values from normal operation were recorded for a period of 21 seconds and then replayed in a constant loop during the execution of the attack. The data passed to, and displayed by, the HMI screens in the control room indicated normal operation to human operators and to the alarm system. During the attack sequence, legitimate code continued to execute but received fake input values. Attempted manipulations of final control elements were not passed to the output signals to the field.

Figure. Centrifuge Cascade Protection System HMI Application (Langner)

The second attack vector was designed to over-speed centrifuge rotors and to take them through their critical speeds (resonant frequencies). This was accomplished by manipulating the setpoint to the frequency converters that controlled the speed of individual centrifuges. Designed to spin at a nominal rate of 1064 Hz, Stuxnet would increase the speed to 1410 Hz, hold for 15 minutes, and then return the centrifuge to its normal speed. A few days later, the malware would suddenly decrease the centrifuge speed to 2 Hz, hold for 50 minutes, and then return it back to its normal speed. This pattern was repeated every 26 days.

Prior to manipulating centrifuge speed, Stuxnet would suspend execution of the PLC code such that input and output memory registers did not get updated (static process data). The false frequency data prevented the safety system from activating and prevented alarms from being generated that would have notified the operator that something was amiss. It also kept the operators in the dark as to what was actually happening, since their HMI screens presented data indicating that everything was normal. 

So, if you are “keeping score”, Stuxnet first initiated a hazardous situation (high pressure, speed). Then it effectively disabled the safeguards that were designed to prevent the hazardous situation from escalating to an incident. This certainly should be an eye-opener for those of us who are concerned with the safe operation of process plants.

References

“Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon” by Kim Zetter Crown Publishers, 2014

“To Kill A Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve”, The Langner Group, November 2013