The global site of the UK's leading magazine for automation, motion engineering and power transmission
29 March, 2024

LinkedIn
Twitter
Twitter link

Stuxnet targets Vacon inverters

15 November, 2010

UPDATED  The latest revelations about the Stuxnet virus suggest that it contains code to alter the operation of  frequency inverters made by the Finnish drives-maker Vacon and an Iranian supplier named Fararo Paya, to vary the speeds of motors they are controlling.

The discovery was made by the anti-virus specialist Symantec, following a tip-off from a Dutch Profibus expert. In a recent blog, Symantec’s Eric Chien says that although his company had previously discovered that Stuxnet modifies PLC code in a potential act of sabotage, it had not been able to determine Stuxnet’s exact purpose or its target.

However, the latest findings indicate that Stuxnet needs the industrial control system to contain drives from at least one of the two vendors, as well as the Siemens Simatic S7-300 CPU and CP-342-5 Profibus communications module discovered previously. The diagram below depicts a typical installation that could be affected. According to Chien, Symantec now knows the purpose of all of Stuxnet’s code.

The virus needs the drives to be operating at the relatively high frequency of 807–1,210Hz, which is only required for a limited number of applications. When Stuxnet finds the specified inverters operating at these speeds, it changes their output frequencies and thus the speed of the motors they control for short intervals over periods of months, thus disrupting the operation of the processes being controlled.

Chien concedes that Symatec is not an expert in industrial control systems and he does not know all of the possible applications that would require drives to operate at these speeds. However, he points out that low-harmonic drives with outputs above 600Hz are regulated for export by the Nuclear Regulatory Commission in the US because they can be used for uranium enrichment. Earlier reports have suggested that Stuxnet might be targeting centrifuges used by Iran as part of its nuclear programme.

If the drives continue to run at the high frequencies for a period of time (about 13 days), Stuxnet hijacks the PLC code and begins modifying the behaviour of the drives. Over a period of months, it changes the output frequency to 1,410Hz for short periods of time, and then to 2Hz and 1,064Hz. This “essentially sabotages the automation system from operating properly,” says Chien. Other parameters may change, also causing unexpected effects.

As well as disrupting the controlled processes, the changes in speed could damage the motors. The problems would appear intermittent and thus difficult to diagnose.

Details of Symantec’s latest findings are contained in an updated version of its White Paper on Stuxnet. Chien says that the company would welcome any feedback or further tips or explanation of the data from experts in industrial control systems. 

Symatec has also created a YouTube video demonstrating how Stuxnet can hijack PLCs.

♦   Vacon has issued a statement saying that it has been investigating the matter and, according to its present knowledge, Stuxnet is not capable of infecting Vacon AC drives. It adds that it does not know of any instances where Stuxnet would have created problems for its customers and that “in this respect, the processes of Vacon`s customers are not at risk”.

Vacon also says that there has been "incorrect or inaccurate" information on the Internet about its sales of AC drives to Iran. It emphasises that it has not sold AC drives to Iran against the embargo.

Vacon reports that Stuxnet seems to be capable of infecting certain PLCs [made by Siemens] which can, in turn, be used to control the operation of Vacon AC drives. An infected PLC may operate defectively and thus control the operation of Vacon drives in an unwanted manner. Vacon says that any customers who suspect that their processes might be infected by Stuxnet, should contact the PLC supplier.

The Vacon statement adds that the malware is activated in the infected PLC when certain specific conditions are all true at the same time – including the drive running at an extremely high output frequency. Therefore, any possible effects would affect only “extremely limited and targeted” AC drives applications. Vacon reports that its experts have not found a single potential case where all of the conditions of the malware would be fulfilled.

The Finnish company concludes that it “takes this matter seriously and continues to study the potential impact of Stuxnet”. It will also keep its customers, partners and all other relevant stakeholders informed whenever new important information arises.




Magazine
  • To view a digital copy of the latest issue of Drives & Controls, click here.

    To visit the digital library of past issues, click here

    To subscribe to the magazine, click here

     

Poll

"Do you think that robots create or destroy jobs?"

Newsletter
Newsletter

Events

Most Read Articles