After Stuxnet, nuclear watchdog could gain computer security role – New Scientist

After Stuxnet, nuclear watchdog could gain computer security role – tech – 16 November 2010 – New Scientist.

THE International Atomic Energy Agency could add computer security at nuclear plants to its remit after it emerged that Stuxnet, the first computer worm known to attack industrial machinery, is indeed targeted at nuclear energy equipment, as many observers had suspected.

“It’s not the IAEA’s primary role to monitor how well nuclear plants are operating,” says Greg Webb, spokesman for the nuclear watchdog in Vienna, Austria. “But if our 150 member states want us to, we could facilitate meetings that help nuclear operators develop more secure computing systems.”

Such measures might include ensuring there are no connections between office computers and the PCs monitoring control systems, or ensuring plant staff cannot insert USB sticks, which may carry malware, into critical hardware.

Webb was speaking to New Scientist after antivirus firm Symantec of Mountain View, California, revealed further findings in its forensic analysis of Stuxnet, which infected tens of thousands of computers in Iranian nuclear enrichment facilities in September.

No-one knows who wrote Stuxnet, only that at 600 kilobytes it is a much larger program than most viruses, and that the differing professional skill sets needed to write it point to an authoring team of at least ten people. That, say security experts, points to a well-funded operation replete with expertise: resources consistent with nation-state-level backing. And given the target, it was probably Israeli.

Delivered online or via a USB stick, Stuxnet used now-patched Windows vulnerabilities to seek out Windows PCs running software that monitors industrial control computers made by Siemens of Germany. But no-one knew what type of industrial machine Stuxnet wanted to meddle with.

They do now. After crowdsourcing help from industrial computing experts online, Symantec was able to work out the product codes for the types of industrial machine Stuxnet aims to sabotage, says Orla Cox, chief researcher at Symantec’s security response lab in Dublin, Ireland.

They found that Stuxnet tries to subtly take control of two types of frequency converters made by just two firms: Vacon of Finland and Fararo Paya of Iran. These machines convert AC power from the grid at 50 hertz into fast-oscillating frequencies that are used for ultrafine speed control of some types of electric motors. The higher the frequency, the faster the motor.

Cox says Stuxnet only targets Vacon’s or Fararo Paya’s frequency converters when they run between 807 and 1210 hertz. That range is used for a small number of high-speed motor applications, but chiefly for the centrifuges used in uranium enrichment. The US Nuclear Regulatory Commission only allows export of machines rated above 600 hertz on a highly controlled basis.

Symantec’s analysis found that when Stuxnet found such devices, it would subtly vary motor control frequencies from high (1410 hertz) to low (2 hertz) to not-so-high (1064 hertz), in cycles that wrecked the purity of the enriched fuel. And it is thought to have succeeded in its task, says Cox: intelligence estimates say yields at Iran’s Natanz enrichment plant plummeted shortly after the virus first appeared.

Could the ability of a computer virus to effect such a change in a highly secure industry prompt action from the IAEA? Right now, its chief role is to ensure that nuclear materials are not diverted from peaceful energy generation purposes to secret bomb-making projects. “We measure how much fuel goes in and how much goes out – and we want that to be the same,” says Webb.

But he concedes the agency can’t ignore the issue.

“Our goal is just to help countries develop secure safety systems that are not compromised,” he says. “So we could begin holding discussions among experts saying what computer security measures have worked well for them – and let them share those experiences with nuclear engineers from other countries.”

“We do this already with issues like seismic safety, and radiation safety.”
