A Dutch researcher helped to piece the puzzle together, after Symantec launched a call for help on its Security Response Blog early this month. Thanks to help from the land of lax flax laws, Symantec discovered that Stuxnet needs specific frequency converter drives manufactured by two suppliers, Vacon in Finland and Fararo Paya in Iran’s capital Tehran, alongside an S7-300 CPU and a CP-342-4 Profibus communications module.
In an industrial control system, the frequency converter drives control the speed of a motor, such as those used in water systems, gas pipelines and so on. A low frequency sets a low motor speed, whereas higher frequencies make things faster.
A frequency converter drive is a power supply that can change the frequency of the output, which controls the speed of a motor. The higher the frequency, the higher the speed of the motor.
Stuxnet basically monitors the system and changes pace, up or down, should the frequency converter drives operate in the range of 807Hz to 1210Hz.
This sabotages an entire process which requires high frequencies, causing major headaches and panic to all engineers involved.
Symantec stated it did not know what on Earth these speeds are required for, but it added it would be unlikely that “a conveyor belt in a retail packaging facility” is the target.
The security company did however say “efficient low-harmonic frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment”.
As Iran has been hit by Stuxnet, it has been speculated that Stuxnet was designed to sabotage the country’s nuclear program. Iran has been blaming Israel and the USA for spreading Stuxnet, whereas other people believe China coded it to bang up India.
Symantec’s full and updated paper on Stuxnet can be found here.