back to article SCADA worm a 'nation state search-and-destroy weapon'

A highly sophisticated computer worm that has burrowed into industrial systems worldwide over the past year may have been a “search-and-destroy weapon” built to take out Iran's Bushehr nuclear reactor, according to news reports published on Tuesday. The articles from IDG News and The Christian Science Monitor said the Stuxnet …


This topic is closed for new posts.
  1. MacroRodent

    Windows for Reactors

    Two clear FAILS: Reactor control system running on stock MS Windows, and apparently either connected to the wider net, or anyone can stick USB drives to the control computer with autorun enabled. They got what they deserve.

    To be fair, defending against attackers this sophisticated is hard, but apparently they had not even considered the possibility.

    1. Anonymous Coward
      Anonymous Coward


      1) The virus spread via .lnk files, not autorun. Even with autorun disabled it still worked.

      2) How many Scada packages do you know that run on non-windows operating systems? Most Scada developers use windows.

      3) They were targeting Siemens in particular. If their software was Linux only, they would have put together a Linux virus. They were aiming at whatever platform Siemens used.

      Use of a Windows PC was never a problem before. Your PLC has full control, so even if the windows box dies, your plant is safe. Till this virus came.

    2. Tigra 07
      Gates Halo

      Don't diss Microsoft!

      Don't diss Microsoft!

      In the future Skynet may well be running off it!

      Then who'll be laughing?

      Oh right, us =]

    3. EricByres

      Just to be Clear - Reactor safety systems don't run on Windows, but the HMI's do

      Just to be clear - Reactor safety systems don't run on Windows, but the Human Machine Interface computers (HMI's) and programming stations do. These computers were just the vectors to get to the S7 PLCs that would be controlling the actual processes. Also it is entirely possible that this is not the reactor system that Stuxnet is attacking. A typical complex like Bushehr will have many critical systems besides reactor control.

      Carrying in a USB into a control system is very bad practise, but Iran (if that is where it happened) has notoriously bad security controls: A friend who was working there told me that USB use (and the complete lack of controls) at the plant he was at was bordering on the ridiculous.

      Finally, you alrady know that Autorun is not required...

  2. Anonymous Coward
    Anonymous Coward

    The Christian Science Monitor

    Is this a credible, unbiased source of information and analysis or an untrustworthy font of sky fairy propaganda?

    Just asking.

    1. Dave Harris

      You need to ask?

      Despite have reference to religion in its title (as it turn out, for admirable reasons), the Monitor is actually a very reputable publication and has been for quite a while. More here:

      1. Anonymous Coward
        Anonymous Coward

        you only need

        access to the specs, not the system to design the worm, which is a slightly less dangerous form of espionage, I'm sure.

    2. Joe Cooper

      The CSM

      They've always given me the clear, memorable impression of being real journalists who take their job seriously. I haven't seen them conducting any fear-mongering, now have I seen them mindlessly regurgitating what they read in the news. They're certainly no Fox News for

    3. Anonymous Coward
      Anonymous Coward

      "Just asking"

      Or you could have done 10 seconds research and found that, yes, it is a credible, unbiased source of information and analysis. And a well known one, too.

      Now you just look like a lazy bigot, fixating on the word "Christian".

      1. Anonymous Coward
        Anonymous Coward

        Re: AC@10:12

        Yeah, 10 seconds research - that would do the trick right enough. Or even quicker I could have zapped straight over to Wikipedia and believed wholeheatredly whatever the wikifidders say. If it's on the wiki it must be right.

        Thanks but I'd rather ask the opinion of a group whose output I have experience of. Commetards come and commetards go but there are some on here who post intelligent and useful comment. I've been reading the Reg long enough that I feel I have a chance of sorting the wheat from the chaff.

        So far I've had three responses in the former group and yours is the first in the latter.

      2. Shakje

        I came across a Christian Scientist not too long ago

        and they're completely mad. They believe that the physical world doesn't exist, and because of this are strong advocates of faith healing. While they accept science as a whole, they have really wacky ideas, and while it may well be a very reputable news publication, I would always approach something that is based on such ridiculous ideas as a slightly dodgy source.

        While all this may not sound as crazy as some religious beliefs, if you take some time to look into how they came to these beliefs and what they practice they're as bonkers as homeopathy, and as dangerous to their members as scientology.

      3. Anonymous Coward


        it is the people who insist on using 'Christian' in their title that are the fixated, bogots. I think the poster's questions on the credibility of the source were legitimate (although incorrect in this instance).

      4. No, I will not fix your computer

        10 Seconds of "research"...

        ....will give you "a credible, unbiased source of information and analysis"

        Or you can find out how they used forged documents to report that George Galloway was corrupt, of course the "Christian" in the title is more historical than anything, having it's roots way back when Mary Baker Eddy founded it, I'm not sure if her precription to have at least one religious article is still in force but it is decidly more secular in content these days, one would have to ask, why have something in the name that has no relevance? So either there is still some association with the modern healthcare deniers "Christian Science" (which has directly caused untold deaths) or there is no longer any association, in which case surely a name change is in order?

        You can also debate whether their tax free status is appropriate (given it's secular nature), whether sister publications such as the Hearald, Sentinel and Journal have bias are a different matter, and where they get their funding, it's roots and title are definitely misleading.

        >>Now you just look like a lazy bigot, fixating on the word "Christian".

        I'd have to agree with this statement, however if I set up a sandwich shop selling "Nazi Hollocaust Panini" I suspect that there would be an obvious reaction, even if that particular roll had nothing to do with Nazis, I myself am bigotted against many Christian views, but for rational, justifiable reasons, it is a natual assumption to assume the title bears some association to the product, and a newspaper with "Christian Science" in the title would be expected to have a "Christian Science" slant.

        I'll leave you with a final thought, if you ordered "Bombay Duck" in a resturant, not having heard of it before would you be surprised to be served fish? or would you be a "lazy bigot" for assuming that you would in fact be getting duck?

    4. PhilDin
      Thumb Up

      Yes it is

      The title really give the wrong impression. As a confirmed athiest I drop in on CSM occasionally, I've always found it to be very good quality journalism.

      1. greggo

        CSM Usually very neutral, I have also found

        But I ran into this recently:

        (1) --- neutral, and reports results of an actual aerial survey, and not just the stupid wild-ass guesses.

        (2) --- later article pretends the first one didn't exist; doesn't mention the actual survey, gives usual nonsense 500K and 300K-325K crowd count; and gives a reference for the latter, which turns out to be a tweet of 3rd-hand unofficial SWAG made on the ground, as confirmed (and disclaimed) 13 min later by the second-hand source:


        But yes, on the whole, far more balanced and neutral than Fox. But, you know, so is al-Jazeera.

  3. Anonymous Coward

    The device has acquired...

    Meanwhile Stuxnet may or may not be embedded in industrial systems belonging to other people, whom its authors like right now, but may not in future.

    So if you should make a policy decision that the authors regard as disagreeable, watch out.

    And what's with Siemens writing critical industrial controllers on Windows anyway? You idiots, don't you want it it work???

    1. peter_dtm


      All the IT idiots used to whinge & whine like spoilt brats if anyone dared put non Windows machines into factories. Allways bitching to the financial morons about how it would be cheaper & easier to maintain if only those process people would use 'real' comercial off the shelf Windows boxes.

      Of course they were so wrong, total cost of ownership has proved to be substantialy higher, & now your blaming us ?

    2. Monty Burns

      So says someone who clearly doesn't know them...

      or has ever worked with them. You will be VERY suprised to see how far Siemens PLC's and Factory Link have spread.

  4. The Cube

    Rather improbable, there are better ways, send in Accenture

    Not being funny but, if the creator of this "targeted worm missile" thing has sufficient access to know the exact current operational settings and programming of parts of the SCADA system installed in the reactor then they must already have sufficient access to screw it up.

    If you really wanted to permanently bugger up the alleged capability to refine weapons grade material this is not the way to do it. A permanent fix would be to engage Accenture or McKinsey as management consultants to the Iranian government and General Electric as the engineering contractor, then the plant would take 25 years of delays to never turn on and the government would go bankrupt paying for it....

    Of course it is refreshing to hear the conspiracy theory this way round and not the usual MI6 / CIA trying to spin up more panic to prop up their budgets.

    1. Anonymous Coward


      ..but you still need to put in security defenses before go live. Can I recommend BAE to slow it right down and cause it to run billions over budget.

      1. gerryg

        I.C. Saga

        Does anyone else remember Imperial Electronics?

      2. It'sa Mea... Mario

        Then the icing on the cake..

        ..Get EDS to project manage the whole lot..

  5. Gotno iShit Wantno iShit

    Still a lot more to learn methinks

    Ok so this thing is looking for a specific site and a specific PLC on that site and then it does, erm, something.

    In the CSM article there are a couple of suggested target actions. "It may be that the maximum safety setting for RPMs on a turbine is overridden" - no because PLCs such as a Siemens S7 are not used to control turbines, Turbine Control Systems such as Bently Nevada do that. An S7 is not fast enough to deal with a turbine by a country mile. The S7 will be able to communicate with the BN to ask for more or less of the 'product' of that turbine and yes it could ask for more more more in the hope of overspeeding the turbine. It won't happen, the BN knows the limit. It's like a fly by wire aircraft, the pilot might yank the stick in such a way as to overstress the airframe but the flight computer knows the limit and will not deploy flight surfaces beyond the limit. S7 is the pilot not the flight computer.

    Second suggested action is "lubrication is shut off". Well again the BN will be watching this and shut down the turbine. Bearings might not be servicable after a dry rundown but they will maintain integrity. Then there's the safety system that among other things prevents start up of the turbine until the lube oil pumps are running. If lube oil pressure drops the safety system drops power to the turbine. This will be a separate system and generally they have a physical run/program key. You cannot change the parameters of the safety system while it is in run mode. Oh and it won't communicate with the DCS at all.

    I'm not saying that this attack cannot work, what I'm saying is that there will be other protection mechanisms to overcome in order to achieve an anything big. So hold off on the wailing and gnashing of teeth, there's a hell of a lot more to learn about this yet. Once the target is identified and the specific action understood there will be other safety interlocks preventing stuxnet achieving it's target. Look at what those interlocks are and what has been done to negate them and we will learn a lot more about the attacker.

    1. Tasogare
      Black Helicopters


      If I'm reading you right, you're suggesting that even if the attack worked, it would still be negated by other safety mechanisms. You're assuming that the intent was to destroy rather than delay, though.

      To borrow your example, (lubrication shuts off) -> (mostly-safe system shutdown). Not much damaged (maybe bearings as you said, but I know nothing of the hardware involved), but the owners still have to work out what went wrong and clean the system before they can be comfortable firing it up again. That takes time and manpower. So the producer's perspective may be more like: "If we cause a delay or setback, we've succeeded; and there's always the chance we'll destroy something, which would be a nice bonus but isn't really expected."

      Just because the worm fails in its apparent purpose doesn't mean the attacker didn't succeed in their own intended purpose.

      I hope we hear more about this. Fascinating stuff.

    2. Anonymous Coward
      Anonymous Coward

      But does it need to break?

      How about just slowing down production enough to make the plant owners go "blow this for a lark" and return to the negotiation table? Or make them so paranoid that they stop working on the plant for years while doing a security audit? Stuxnet might be a weapon of mass confusion, not a destructive one. War is the continuation of politics with other means - and this looks highly political...

    3. EricByres

      Sorry but Siemens are used on Turbines, at least on Gas Pipelines

      >"PLCs such as a Siemens S7 are not used to control turbines"

      Yes BN is used, but so is Siemens. I know because I have worked on pipeline compressor stations in Canada with Siemens PLCs running the whole show. And for that matter, all of Solar Turbine's big systems are controlled by AB PLCs.

      > "there's a hell of a lot more to learn about this yet"

      You bet - check out Symantecs further analysis of the S7 code.

      It isn't just disabling OB35, it writes 15 FCs into two different PLCs and at 30 FCs into another. Plus a metric ton of data blocks and OB1 code. Rumour has it over 0.5 Mb of S7 machine code – that a lot. We're talking massive rewrite of a process. Plus it messes with the Profibus-DP drivers in the PLC. Maybe that is enough to mess with all the interlocks and maybe it isn't - who knows if the target diversified their safety system or went for a single integrated control system.

      Just for the record, I never said "easily cause a refinery's centrifuge to malfunction". Refineries don't have centrifuges - they have distillation towers, cat crackers, etc. Now uranium enrichment plants do have centrifuges, but that was another quote.

  6. Pete 8


    Competing vendor to Semens perhaps?

    1. Anomalous Howard


      There are no competing vendors to semen, which is why men still exist.

      1. bolccg


        This AH comment cracked me up. Cheers!

  7. slack

    AC said

    "Is this a credible, unbiased source of information and analysis or an untrustworthy font of sky fairy propaganda?"

    Despite its name the CSM is not a bad read most of the time and has won a bunch of Pulitzers over the years.

  8. Vladimir Plouzhnikov

    A mystery

    "Both reports said the sophistication of Stuxnet suggests Israel or some other nation state is behind the worm"

    Other nation state? Let me guess...

    Fiji! No? Kazakhstan! No, again? Aha, Zimbabwe!! No? I give up.

  9. John Savard


    While I do not want Iran's nuclear ambitions to be realized, this is a highly irresponsible method of attack, as it unlawfully risks damage to legitimate private property.

    1. bolccg

      So that would be...

      the Israelis then?

  10. Rogerborg

    I could point at a UK nukular site

    Where some of the monitoring systems runs on Windows. NT. 3.51.

    No, this is not a joke. Fortunately, it's one of 3 independent systems, and sits in a cupboard line-printing off reams of logging info. The punchline is that every 6 months, they open the cupboard, grab as much paper as made it out of the printer, and reboot the system.

  11. Anonymous Coward

    "UK nukular site .. NT 3.51"

    And exactly what is the problem with that?

    In comparison with later versions of Windows, NT3.x had a better architecture (less stuff unnecessarily in kernel mode) and less code so fewer vulnerabilities to be exploited. Makes sense to me. It's only once Gates' influence started to be really felt that things really went wrong.

    The sites to worry about now are (e.g.) the EPR ones where Areva want the control and safety systems to be integrated rather than separate, as is proposed for the much delayed horribly overbudget Olkiluoto nuclear station currently a couple of years late in Finland. Areva are proposing an integrated system despite this integration (rather than separation) being in complete contravention of long standing European nuclear regulatory policy. What kind of company proposes (and starts building) a setup which it *knows* will not meet regulatory safety requirements?

    Wantno iShit seems to know how things should be done if they are to be done properly. What bothers me in this picture is that today's systems are deliverd by people in outfits like Areva's nuclear side, and as far as I can tell their technical proposals show they *don't care* about the kind of safety considerations Wantno describes. In part this may be because Olkiluoto is fixed price turkey contract, and so Areva have every motivation to penny pinch. No triple modular redundant Bentley Nevada condition monitoring and emergency shutdown for them, their PHBs think they can do it all with Siemens WinCC and some remote IO. And most of the time they'll be right. But there'll come a day when it doesn't go right.

    If anyone can show Areva or similar companies intend to do Olkiluoto or similar systems the proper way, I'll be delighted to be corrected.

  12. This post has been deleted by its author

    1. Anonymous Coward
      Thumb Up


      I suspect the the prevailing attitude in Military circles seems to be "They cant be that smart!".

      Certainly i have it on good sources that this certainly used to be the attiude in the UK civil service (And probably still is), despite plainly obvious evidence to the contrary.

      I suspect some of these idiots still think that middle easteners still start fires by banging rocks together.

      1. Anonymous Coward
        Anonymous Coward

        Smart Iranians

        If the Iranian administration were that smart, they might have taken a leaf from North Korea's book and withdrawn from the NPT. Not being subject to the NPT would mean that, like the others not in the NPT (India, Israel, North Korea and Pakistan), Iran would no longer be subject to sanctions for failure to comply with the NPT. Of course, that would also mean they could no longer obtain nuclear technologies from other NPT signatories - they would have to develop their nuclear weapons by themselves.

        Perhaps many of the smart Iranians have left their homeland until it is no longer in the hands of someone hellbent on conflict with Israel and the USA.

  13. Anonymous Coward
    Anonymous Coward

    What interests me... how Siemens kit ended up in Iran. Working for a competitor of Siemens (making much better kit and systems, obviously :-)) it is pretty much impossible to export any kit to Iran, especially anything that can be considered 'dual-use', due to various embargoes and sanctions currently in place.

    1. Anonymous Coward


      Those sort of sanctions are basically worthless against this kind of thing. All they mean is they cant buy the items direcly, and if they ring up for support they are likely to get the brush off.

      Unless your going to close all their ports, totally close the border, and patrol it hevilly and search all flights, there is going to be a certain amount of smuggling, and Scada equipment is hardly bulky.

      I also would imagine that if the director of something as high profile as a nuclear enrichment facility told his boss "We need some Scada control boxes of this type", come Monday morning, they will be on his desk.

      Sanctions rarely hit the important people. They just make the lesser people hate all outsiders.

      1. Matt Bryant Silver badge

        RE: Sanctions?

        "Those sort of sanctions are basically worthless against this kind of thing...." Yeah, the Iranians just modded some Hawk SAMs to fit on their F-14s just for fun. Oh, and because sanctions stopped them buying Phoenix AAMs. The whole reason the Iranians are probably using Windows is because that's all they can get their hands on.

        ".....All they mean is they cant buy the items direcly...." Correct, they need to find someone that is willing to fake an end user export certificate to get hold of them, a sanctions buster. Every time a company's products are found in a country sanctioned by the US they get a huffy letter from the US government telling them to be more careful who they do business with - too many letters and suddenly you can't import into the US. That means Siemens will already be looking for the supplier that passed the units on to the Iranians and plugging off that route of resupply. So, if the worm did mess up the units they had, Iran will find it even harder to replace them.

        "......Sanctions rarely hit the important people. They just make the lesser people hate all outsiders." More Indymedia male bovine manure. The "lesser people" don't need Scada controllers for turbines or centrifuges. Or Phoenix AAMs. Don't go off on the usual stupidity about the Iraq sanctions and how they "killed millions" as you'll just look even more obtuse. The sanctions against Iran are very targetted, so much so that many would say they are far too narrow. The lesser people aren't affected at all.

  14. Anonymous Coward

    "How Siemens kit ended up in Iran"

    * Submitted at Wednesday 22nd September 2010 14:10 GMT

    (resubmitted at 11:15 BST, edited to reflect Matt's input)

    Do a bit of reading and it seems we're looking at a Russian design and a Russian contractor building it.

    Do US export regulations apply to a non-US company (Siemens) supplying goods to a non-US customer (the Russians) for end use in a country the US thinks may not be their best friends (unlike, say, communist China)? I know some folks would like them to, but...

    edit: Not everybody outside (or even inside) the USA approves of the US's attempts to extraterritorially impose its export control demands. The most support outside the USA seems to come from those whose jobs depend on US-issued "general distribution licences" or whatever they're called these days. Matt, being dependent on HP, would be one of those people. In practical terms, I would be very surprised if the likes of a Siemens S7 PLC weren't available from wide-range electronics distributors similar to Farnell or RS or whatever, so there is no realistic chance of actually enforcing the US's rules in cases like this. We're no longer in the days of the 32bit supermini that needed an HGV to transport it.

    1. Matt Bryant Silver badge

      RE: "How Siemens kit ended up in Iran"

      "Do a bit of reading and it seems we're looking at a Russian design and a Russian contractor building it......" Yes, a Russian company is building the standard Ruski reactor build, using standard Ruski materials and technology, not Siemens bits. The Siemens bits are probably from associated machinery and were either pinched from other projects like the oil industry or smuggled into the country. I don't think the Russians can be blamed for this. After all, if they're using standard Russian kit then the whole plant will be inoperational most of the time due to breakdowns, so we wouldn't need to target it. The S7s targeted are much more likely to be being used in secret and undeclared processing plants. The fact that such a piece of kit is being specifically targeted implies someone already knows the units are there and in use, otherwise they wouldn't have gone to the trouble to make such a complex and specific worm, which means they probably already know how the units got there in the first place.

      ".....Do US export regulations apply to a non-US company (Siemens) supplying goods to a non-US customer (the Russians) for end use in a country the US thinks may not be their best friends (unlike, say, communist China)? I know some folks would like them to, but..." Actually, most foreign companies really want to stay in the Yanks' good books as the US is usually their largest market. An example of this is how Toyota has pulled business out of Iran even though it wasn't in breach of any US sanctions. Sales in the US also tend to plummet if the US public think your company is anti-US (just ask Fiat what happened when it became public knowledge that Quadafyduck's Libya had a massive share in Fiat back during the Westland Affair). Also, all those S7 units go out with serial numbers - should one be found by an UN inspector (or spy) and traced back to a Russian supplier, you can be assured the US will be taking a very close interest in that supplier. A few questions in Congress and Siemens will be desperate to make it clear they are not willingly selling kit to Iran.

      "....Matt, being dependent on HP, would be one of those people...." Actually, the biggest fun I had was getting some Sun workstations into an office in Riyadh. Some dim spark in the US had made a clerical error and thought Riyadh was somewhere in Iraq (this was right before Desert Storm) and stopped the kit shipping. After they failed to admit they had simply made a mistake, the Merkins then insisted we were sanctions busters and were planning to ship the kit to Saddam. The board were bricking themselves over the idea that our company might be branded anti-Yank, so much so they were waving the lawyers at journos that got interested in the story. At that point, I think they would have given up all the Mid-east offices and paraded round in Stars and Stripes underwear to avoid upsetting the US!

      "......I would be very surprised if the likes of a Siemens S7 PLC weren't available from wide-range electronics distributors...." Yes, you can even get secondhand units off eBay. But, if you were buying units abroad you still have to get them to Iran, which means export certificates. You can't just put them in your hand luggage and catch a flight to Tehran. And such control units would attract the attention of customs seeing as they are dual-use and probably covered by existing UN sanctions (it's not just the big bad US of A, see).

  15. Destroy All Monsters Silver badge
    Dead Vulture

    That's actually an act of terrorism.

    Disrupting a perfectly bog-standard civilian nuclear power plant under IAEA inspection is NOT friendly. Then again, the Land Of The Chosen Ones is not above copying passports for some wetwork or braining people in belgian hotels when they feel like it.

    This also has nothing to do with Iranian "nukes" as El Reg subtitles - as every fule knows, these don't exist. Does Tony Blair have the remote control of the editor's vibrator by any chance?

  16. Anonymous Coward
    Anonymous Coward

    "How Siemens kit ended up in Iran"

    Do a bit of reading and it seems we're looking at a Russian design and a Russian contractor building it.

    Do US export regulations apply to a non-US company (Siemens) supplying goods to a non-US customer (the Russians) for end use in a country the US thinks may not be their best friends (unlike, say, communist China)? I know some folks would like them to, but...

    1. Anonymous Coward
      Anonymous Coward

      Siemens kit

      Siemens say they have no such technology licensed in Iran and that they have not traded there for 30 years. Maybe this is their mechanism for disabling non-licensed kit.

      Another possibility is that some sub-contractor supplying the SCADA kit got screwed and decided to invoke a mechanism designed to bring their customer back for negotiations about payment.

      1. Matt Bryant Silver badge

        RE: Siemens kit

        "Siemens say they have no such technology licensed in Iran and that they have not traded there for 30 years...." See, Siemens are already falling over backwards to try and look whiter-than-white in the eyes of the US public.

  17. Anonymous Coward
    Anonymous Coward

    "no such technology licensed in Iran"

    "Siemens say they have no such technology licensed in Iran and that they have not traded there for 30 years."

    Got a source for that?

    And what does it mean anyway?

    Will the Far Eastern PLC manufacturers have the same scruples as Siemens are claiming?

    Meanwhile, back to Matt...

    I wonder if Matt is aware that the Russkies had perfectly satisfactory clones of assorted computers including DEC's PDP11 and VAX families. The only memorable time the Yanks ever really succeeded with their export controls and DEC computers was when they used them to take down allegedly legitimate UK outfit Systime. Read about it in Hansard.

    1. Matt Bryant Silver badge

      RE: "no such technology licensed in Iran"

      ".....I wonder if Matt is aware that the Russkies had perfectly satisfactory clones of assorted computers...." I have seen some Ruski clones of IBM PS2 gear, all down to even the same colour paintwork! The Ruskies largely stopped cloning such platforms when they realised that it was simpler just to smuggle the real items into the USSR via Far Eastern suppliers. With the falling of the wall and the rush of Western companies to get their products into Russia, there is now no need for them to copy our tech, they can simply buy it. But they did (and still do) make their own SCADA devices and other computers for their own nuke plants, so there is very little chance of the Siemens SCADA devices actually being bundled into the Bushehr systems, they are much more likley to be in processing plant systems.

      The original Bushehr plant design was done by a Siemens joint venture, but they pulled out in 1979, long before these units became available. The Russians company involved (Atomstroiexport) used another design, the VVER type which originally dates from the Sixties. The exact model (VVER 1000) is from 1975! AFAIK, the control systems that go with these old VVER designs have been updated but not with Siemens kit.

  18. John Smith 19 Gold badge

    Stranger and stranger

    So it's doing a *major* re-write of control software of *certain* Siemens PLC's, which may be associated with rotating machinery control.

    This is a *lot* of trouble to disrupt (or destroy) someone's *very* specific set of industrial plant.

    3 side notes.

    Does anyone know what the processor on the Siemens PLC's is. It's my impression these tended to be pretty anonymous. The usual interface seemed to be an interpreter for "Relay Ladder Logic" described in some proprietary language. The UK one is located somewhere in Greater Manchester (can't rember where. Just look for the primary school with the big industrial plant next to if and the blank patch on Google maps).

    AFAIK the *only* gas used in enrichment centrifuges is Uranium Hexafluoride (UF6). Part of what makes centrifuge design tough is making the whole gas system gas tight for *life*, typically all welded stainless steel. If it gets out (for example bearings seizing and rotor shearing off) and hits water (including the water vapor in human lungs) you have Hydrofluoric Acid, which can etch glass (its effect on your lungs is less benign). That *does* sound like a terrorist act to me also.

    As to why you would attack site X (where ever it happens to be) this way if you have an inside person they are not exposed to additional risk planting it (it got in from outside, or it *could* have got in from outside if they do have to plant it). OTOH it may be the source who told the builders all about the system they are looking for no longer has *any* access to it.

  19. Anonymous Coward
    Thumb Up

    @John Smith 19

    Is there a sentence missing from your post? Here goes anyway.

    The UK enrichment plant you're thinking of may be URENCO's Capenhurst plant, near Chester. At one time there was a selection of nuclear-related sites in and around Warrington and north Cheshire, not sure how many are still active.

    Wrt processors and languages: in the days of ladder logic, you might well get a proprietary processor effectively built from discrete logic. That was a long time back. Then along came processors based on off the shelf chips such as the AMD2900 bitslice, or based on off the shelf computer innards such as the PDP8 (honest [1]).

    Siemens S5 and S7 PLCs and indeed most of the recent non-bottom-end market can be programmed in a variety of languages besides ladder logic.

    One of the nicer, "open standard", languages was called FunctionChart/FunctionPlan (it's an IEC standard). Whatever the source language, the development tools on the host would convert the user input into data to be downloaded to the PLC, data which in turn gets executed by the processor on the PLC. Right now I don't know what processors are in common use or whether the PLC has an OS of any significance.

    "This is a *lot* of trouble to disrupt (or destroy) someone's *very* specific set of industrial plant."

    Quite. Almost, but not quite, an unbelievable amount of trouble.


  20. John Smith 19 Gold badge


    "Is there a sentence missing from your post? Here goes anyway."

    Yes there was. You got the gist spot on.

    "The UK enrichment plant you're thinking of may be URENCO's Capenhurst plant, near Chester. "

    That's the one I was thinking of, although the primary school may be a UL. Excellent safety record although they were reputed to like propping up the bar come Friday afternoon.

    "Then along came processors based on off the shelf chips such as the AMD2900 bitslice, or based on off the shelf computer innards such as the PDP8 (honest [1])."

    AMD released the 29K series whose core seemed to be essentially 4 or 8 2900 bit slices on a chip. Very RISC. Very fast. IIRC it did a lot of business in printers so a PLC would be well within its capabilities. As for the PDP8. Just about the most popular minicomputer ever. Used as a core processor for early internet routers (for the *whole* campus) and IIRC Chorus had a regular order in for their steel plant mill control systems for *decades*.

    "languages was called FunctionChart/FunctionPlan "

    Sounds intriguing. I may investigate.

    "Quite. Almost, but not quite, an unbelievable amount of trouble."

    And now expanding into China.

    Does there seem to be a pattern emerging?

This topic is closed for new posts.