Handout A: SCADA Diagnostic Output

Captured from the WinCC operator console during centrifuge array diagnostics, June 2010. The displayed frequency readings should match the physical behavior of the centrifuge drive system. Examine both the operator view and the raw PLC register dump.


Operator Console Display

Siemens WinCC v5.0 - Process Overview
=====================================

Centrifuge Array Status Report
Generated: 2010-06-15 14:23:47 UTC

CENTRIFUGE UNIT ARRAY (P-1/P-2 Cascades):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Unit ID  | Status    | Frequency | Feed Press | Product Conc. | Feed Rate
─────────┼───────────┼───────────┼────────────┼───────────────┼──────────
P-1-001  | RUNNING   | 1064 Hz   | 2.3 bar    | 4.2% U-235    | 2.1 STP
P-1-002  | RUNNING   | 1064 Hz   | 2.2 bar    | 4.3% U-235    | 2.0 STP
P-1-003  | RUNNING   | 1064 Hz   | 2.1 bar    | 4.1% U-235    | 2.1 STP
P-1-004  | RUNNING   | 1064 Hz   | 2.3 bar    | 4.2% U-235    | 2.1 STP
P-2-001  | RUNNING   | 1064 Hz   | 1.9 bar    | 2.1% U-235    | 1.0 STP
P-2-002  | RUNNING   | 1064 Hz   | 2.0 bar    | 2.2% U-235    | 1.1 STP
P-2-003  | RUNNING   | 1064 Hz   | 1.8 bar    | 2.0% U-235    | 0.9 STP

All Units: NORMAL OPERATION (Target: 1064 Hz nominal frequency)

IM NOTES (Do Not Show to Players): This is the operator view. All frequencies show 1064 Hz (nominal). This is what the operators see – everything appears normal. But this is the deception at the heart of Stuxnet.


PLC Memory Register Dump (Raw Values)

[CONFIDENTIAL] Siemens S7-300 PLC Register Export
Generated: 2010-06-15 14:23:47 UTC

DB Block 100 - Frequency Controller Parameters:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Memory Address | Register | Current Value | Description
───────────────┼──────────┼───────────────┼─────────────────────────────
0x1200         | DB1      | 0x042C        | [ACTIVE MODE OVERRIDE]
0x1202         | DB2      | 0x057E        | Current Freq Output: 1410 Hz (ATTACK: OVERSPEED)
0x1204         | DB3      | 0x0001        | Mode Flag: ATTACK MODE ENABLED
0x1206         | DB4      | 0x0000        | Reserved
0x1208         | DB5      | 0x03E8        | Reported Freq to SCADA: 1064 Hz (DISPLAY VALUE)
0x120A         | DB6      | 0x0000        | Checksum: MODIFIED

[Timeline Log - Last 6 Hours]
Time        | Reported Freq | Actual Output | Status
────────────┼───────────────┼───────────────┼──────────────
10:00 UTC   | 1064 Hz       | 1064 Hz       | NORMAL
11:30 UTC   | 1064 Hz       | 1410 Hz       | ATTACK MODE TRIGGERED
12:15 UTC   | 1064 Hz       | 1410 Hz       | OVERSPEED PHASE
13:45 UTC   | 1064 Hz       | 0002 Hz       | UNDERSPEED PHASE
14:23 UTC   | 1064 Hz       | 0002 Hz       | HOLDING UNDERSPEED

IM NOTES (Do Not Show to Players): This is the raw PLC memory. The key values:

  • Actual output (0x057E = 1410 Hz, 0x0002 = 2 Hz) does NOT match reported frequency
  • Reported to SCADA (0x03E8 = 1064 Hz) is hardcoded to match nominal speed
  • Mode flag (0x0001) indicates attack code is running
  • The centrifuges experience extreme overspeed (1410 Hz = ~33% over nominal) which causes intense vibration and bearing stress, then underspeed (2 Hz near stall) which causes thermal stress. This cycle destroys centrifuges physically without being detected by operators.

This is the documented behavior reported by Ralph Langner’s analysis: Stuxnet maintained normal reported frequencies while running the centrifuges at destructive speeds. The attacker had detailed knowledge of the exact centrifuge specifications and control system architecture.


Key Discovery Questions

  • What is the relationship between the “Reported Frequency” and “Actual Output”?

Players should recognize that someone or something is intercepting sensor data or falsifying PLC registers to show operators one value while the actual control output is completely different.

  • How would an operator detect this discrepancy using only the WinCC console?

They can’t – if the SCADA system is also compromised or if the false data is injected at the PLC level, the operator sees only what the compromised PLC reports. This is why critical facilities need out-of-band monitoring (independent sensors, physical indicators).
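The out-of-band check described above, as an added worked example (not part of the original handout or of any real WinCC/S7 tooling): an independent measurement of drive frequency, taken by a sensor that does not pass through the PLC, is compared against what the HMI reports. The log text, the sensor values and the 10 Hz tolerance are all constructed for this illustration; the handout's "Actual Output" column stands in for the independent sensor feed. Beyond the single-sample comparison, the check also flags a reported channel that never changes while the independent one does, since that is what a hard-coded display value looks like over time.

```python
"""
Added example: an out-of-band consistency monitor for a SCADA-reported
drive frequency. Nothing here is the handout's own code; the log format,
sensor values and tolerance are constructed assumptions.
"""
import re
from dataclasses import dataclass
from statistics import pstdev
from typing import List

NOMINAL_HZ = 1064      # nominal target shown on the handout's operator display
TOLERANCE_HZ = 10      # assumed: allowed drift between channels before alerting

# Constructed sample feed mirroring the handout's timeline table:
# column 2 is what the HMI reports, column 3 is the independent sensor.
SAMPLE_LOG = """\
Time        | Reported Freq | Actual Output | Status
────────────┼───────────────┼───────────────┼──────────────
10:00 UTC   | 1064 Hz       | 1064 Hz       | NORMAL
11:30 UTC   | 1064 Hz       | 1410 Hz       | ATTACK MODE TRIGGERED
12:15 UTC   | 1064 Hz       | 1410 Hz       | OVERSPEED PHASE
13:45 UTC   | 1064 Hz       | 0002 Hz       | UNDERSPEED PHASE
14:23 UTC   | 1064 Hz       | 0002 Hz       | HOLDING UNDERSPEED
"""

# Matches a data row; header and separator rows do not start with a time.
LINE_RE = re.compile(r"^(\d{2}:\d{2} UTC)\s*\|\s*(\d+) Hz\s*\|\s*(\d+) Hz\s*\|")


@dataclass(frozen=True)
class Sample:
    time: str
    reported_hz: int    # value the HMI shows the operator
    measured_hz: int    # value from the out-of-band sensor


@dataclass(frozen=True)
class Finding:
    time: str
    kind: str           # "OVERSPEED", "UNDERSPEED" or "STATIC_REPORT"
    reported_hz: int
    measured_hz: int


def parse_timeline(text: str) -> List[Sample]:
    """Extract (time, reported, measured) rows from the constructed table."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            samples.append(Sample(m.group(1), int(m.group(2)), int(m.group(3))))
    return samples


def check_consistency(samples: List[Sample],
                      tolerance_hz: int = TOLERANCE_HZ) -> List[Finding]:
    """Compare each HMI-reported value with the independent measurement.

    Per-sample: any divergence beyond the tolerance is a finding, labelled by
    direction. Across the window: a reported channel with zero variance while
    the measured channel moves is flagged as a static (possibly hard-coded)
    report, even if a single sample on its own looked plausible.
    """
    findings = []
    for s in samples:
        delta = s.measured_hz - s.reported_hz
        if delta > tolerance_hz:
            findings.append(Finding(s.time, "OVERSPEED", s.reported_hz, s.measured_hz))
        elif delta < -tolerance_hz:
            findings.append(Finding(s.time, "UNDERSPEED", s.reported_hz, s.measured_hz))

    if len(samples) > 1:
        reported = [s.reported_hz for s in samples]
        measured = [s.measured_hz for s in samples]
        if pstdev(reported) == 0 and pstdev(measured) > 0:
            findings.append(Finding(samples[-1].time, "STATIC_REPORT",
                                    reported[0], measured[-1]))
    return findings


def main() -> None:
    for f in check_consistency(parse_timeline(SAMPLE_LOG)):
        print(f"{f.time}  {f.kind:<14} reported={f.reported_hz} Hz  "
              f"measured={f.measured_hz} Hz")


if __name__ == "__main__":
    main()
```

Run as a script it lists four per-sample divergences (two overspeed, two underspeed) followed by the static-report finding. The design point is that the monitor never trusts the PLC for both sides of the comparison: the second channel must come from a sensor and path the PLC cannot write to, otherwise a compromised controller can keep both values in agreement.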

  • What physical damage would result from the frequency patterns shown in the register dump?

Stuxnet’s actual attack sequence:

  1. Overspeed phase (1410 Hz): Causes rotor imbalance and bearing wear. The centrifuges rattle and vibrate internally.
  2. Underspeed phase (2 Hz): Near total stall causes thermal stress and material degradation.
  3. Repeated cycles: Over weeks, the physical stress accumulates until centrifuges catastrophically fail.

This is deliberate and precise – it’s designed to destroy the equipment while looking like mechanical failure, not an attack.

IM Facilitation Notes

Use this handout when players discover system logs showing normal operation but suspect something is wrong. It helps them understand:

  1. Deception at multiple levels: The attacker controls both the output AND the reporting mechanism
  2. Air-gap irrelevance: The SCADA network can be air-gapped, but if the PLCs themselves are compromised, air-gapping doesn’t help
  3. Insider knowledge: Destroying centrifuges this way requires knowing exact specifications and failure modes
  4. Nation-state indicators: The sophistication of falsifying sensor data at the PLC level while simultaneously controlling physical outputs points to extremely advanced attacker capabilities