WarSclerotic

After stuxnet, nuclear watchdog could gain computer security role – tech – 16 November 2010 – New Scientist.

THE International Atomic Energy Agency could add computer security at nuclear plants to its remit after it emerged that stuxnet, the first computer worm known to attack industrial machinery, is indeed targeted at nuclear energy equipment as many observers had suspected.

“It’s not the IAEA’s primary role to monitor how well nuclear plants are operating,” says Greg Webb, spokesman for the nuclear watchdog in Vienna, Austria. “But if our 150 member states want us to, we could facilitate meetings that help nuclear operators develop more secure computing systems.”

Such measures might include ensuring there are no connections between office computers and PCs monitoring control systems – or ensuring plant staff cannot insert USB sticks which may carry malware into critical hardware.

Webb was speaking to New Scientist after antivirus firm Symantec of Mountain View, California, revealed further findings in its forensic analysis of stuxnet, which infected tens of thousands of computers in Iranian nuclear enrichment facilities in September.

No-one knows who wrote stuxnet, only that at 600 kilobytes it is a much larger program than most viruses – and that the differing professional skill sets needed to write it point to an authoring team of at least ten people. That, say security experts, points to a well funded operation replete with expertise – resources consistent with nation state level backing. And given the target, it was probably Israeli.

Delivered online or via a USB stick, stuxnet used now-patched Windows vulnerabilities to seek out Windows PCs running software that monitors industrial control computers made by Siemens of Germany. But no-one knew what type of industrial machine stuxnet wanted to meddle with.

They do now. After crowdsourcing some expert help from industrial computing experts online, Symantec was able to work out the product codes for the types of industrial machine stuxnet aims to sabotage, says Orla Cox, chief researcher at Symantec’s security response lab in Dublin, Ireland.

They found that stuxnet tries to subtly take control of two types of frequency converters made by just two firms: Vacon of Finland and Fararo Paya of Iran. These machines convert AC power from the grid at 50 hertz into fast oscillating frequencies that are used for ultrafine speed control of some types of electric motors. The higher the frequency, the faster the motor.

Cox says stuxnet only targets Vacon’s or Fararo Paya’s frequency converters when they run between 807 and 1210 hertz. That range is used for a small number of high speed motor applications, but chiefly for the centrifuges used in uranium enrichment. The US Nuclear Regulatory Commission only allows export of machines rated above 600 hertz on a highly controlled basis.

Symantec’s analysis found that when stuxnet found such devices, it would subtly vary motor control frequencies from high (1410 hertz) to low (2 hertz) to not-so-high (1064 hertz) – in cycles that wrecked the purity of the enriched fuel. And it is thought to have succeeded in its task, says Cox – intelligence estimates says yields at Iran’s Natanz enrichment plant plummeted shortly after the virus first appeared.

Could the ability of a computer virus to effect such a change in a highly secure industry prompt action from the IAEA? Right now, its chief role is to ensure that nuclear materials are not diverted from peaceful energy generation purposes to secret bomb making projects. “We measure how much fuel goes in and how much goes out – and we want that to be the same,” says Webb.

But he concedes the agency can’t ignore the issue.

“Our goal is just to help countries develop secure safety systems that are not compromised,” he says. “So we could begin holding discussions among experts saying what computer security measures have worked well for them – and let them share those experiences with nuclear engineers from other countries.”

“We do this already with issues like seismic safety, and radiation safety.”

This entry was posted on November 17, 2010 at 8:26 AM and is filed under Uncategorized. You can subscribe via RSS 2.0 feed to this post's comments. You can comment below, or link to this permanent URL from your own site.