This is the second article on the topic of using resonances to destroy physical objects.
The first article "The Russian footprint of the Stuxnet virus" was introductory and was intended for a wide non-professional audience.
It's time to get acquainted with this method in detail, and first, watch the video with a visual example of resonance, after that I think the topic of the article will become clearer, because it is better to see once than read a hundred times …
Here's a video:
Here's another:
So please treat resonance with respect.
So famous, unknown to Stuxnet
The world famous Stuxnet virus has by now turned into a kind of horror story, everyone knows about it, but no one fully understands how he managed to secretly destroy centrifuges for uranium enrichment for two years. This is not even sabotage, but a more sophisticated method of sabotage - sabotage.
Just think over the course of two years, hundreds of centrifuges are constantly breaking down, all production schedules are disrupted, specialists are called "on their ears" and can not do anything until a message comes from Belarus about the detection of a virus, the combat load of which was the update modules of the internal software for industrial automation from Siemens.
Subsequently, this virus was named Stuxnet. We figured out the method of infection used, with the methods of its penetration to the kernel level, and the method of cracking the password protection of Simatic S7 controllers in the local network. We understood something from what the virus-updated firmware of the centrifuge group controller does.
But no one has yet explained the physical method of disabling equipment in this act of sabotage. Therefore, we ourselves will try to figure out this most important riddle.
What do we know
Here is this Simatic S7 controller assembled with peripheral modules:
The microprocessor unit itself is a box with a blue key, everything else is peripherals. The microcontroller software (a special STEP 7 interpreter language is used) is located in the internal flash memory. Updating the software and firmware of the controller itself occurs via the network, or physically, via a removable flash drive. Such controllers were group control devices for 31 gas centrifuges at once.
But they directly broke centrifuges through other devices, - a frequency converter for operating an electric motor, approximately as follows:
This is how frequency converters (converters) for asynchronous electric motors of various powers look like. The name implies the functional purpose of this device, it converts the voltage of a standard network (three phases 360V) into a three-phase voltage of a different frequency and a different rating. The voltage conversion is controlled by signals from the network, or set manually from the control panel.
One Simatic S7 controller immediately controlled a group (31 devices) of frequency converters, respectively, it was a group control unit for 31 centrifuges.
As the specialists found out, the Semantics of the group control controller software was heavily modified by the Stuxnet virus, and they considered the issuance of group control commands to frequency converters by the modified software of the Simatic S7 controller as the direct cause of centrifuge breakdowns.
The software of the control device modified by the virus changed the operating frequency of each frequency converter for 15 minutes once during a five-hour interval, and, accordingly, the rotational speed of the centrifuge electric motor connected to it.
Here's how it is described in a study by Semantic:
Thus, the speed of the motor is changed from 1410Hz to 2Hz to 1064Hz and then over again. Recall the normal operating frequency at this time is supposed to be between 807 Hz and 1210 Hz.
So the motor speed changes from 1410Hz in 2Hz steps to 1064Hz and then reverses back. As a reminder, the normal operating frequency at this time was maintained between 807 Hz and 1210 Hz.
And the Semantic concludes on the basis of this:
Thus, Stuxnet sabotages the system by slowing down or speeding up the motor to different rates at different times
(Thus, Stuxnet sabotages the system by slowing down or accelerating the engine to different speeds at different times.)
For modern programmers who know physics and electrical engineering only in the volume of secondary school, this is probably enough, but for more competent specialists such an explanation is not consistent. A change in the rotational speed of the centrifuge rotor within the permitted range and a short-term excess of the operating frequency by 200 Hz (about 15%) from the nominal value in itself cannot lead to massive equipment breakdowns.
Some technical details
This is how a cascade of gas centrifuges for the production of enriched uranium looks like:
There are dozens of such cascades at uranium enrichment factories, the total number of centrifuges exceeds 20-30 thousand …
The centrifuge itself is a rather simple device in design, here is its schematic drawing:
But this constructive simplicity is deceiving, the fact is that the rotor of such a centrifuge, about two meters long, rotates at a speed of about 50,000 rpm. Balancing a rotor with a complex spatial configuration, almost two meters long, is a very difficult task.
In addition, special methods of rotor suspension in bearings are required; for this, special flexible needle bearings are used, complete with a complex self-aligning magnetic suspension.
For the reliability of gas centrifuges, the main problem is the resonance of the mechanical structure, which is associated with certain speeds of rotation of the rotor. Gas centrifuges are even categorized on this basis. A centrifuge operating at a rotor speed above the resonant one is called supercritical, below - subcritical.
Do not think that the rotor speed is the frequency of mechanical resonance. Nothing of the kind, mechanical resonance is related to the speed of rotation of the centrifuge rotor through very complex relationships. The resonance frequency and rotor speed can differ by an order of magnitude.
For example, a typical resonance area of a centrifuge is a frequency in the range of 10Hz-100Hz, while the rotor speed is 40-50 thousand rpm. In addition, the resonance frequency is not a fixed parameter, but a floating one, it depends on the current operating mode of the centrifuge (composition, gas temperature density in the first place) and backlash in the rotor suspension structure.
The main task of the equipment developer is to prevent the centrifuge from operating in modes of increased vibration (resonances), for this, automatic emergency blocking systems for vibration level (strain gauges), operation at rotor speeds causing resonance of the mechanical structure (tachometers), increased current loads of the motor (current protection).
Emergency systems are never combined with equipment responsible for the normal operation of the installation, they are separate, usually very simple electromechanical systems for stopping work (simply emergency switches). So you cannot programmatically disable and reconfigure them.
Colleagues from the USA and Israel had to solve a completely non-trivial task, - destroy the centrifuge without triggering the protective automatics.
And now about the unknown how it was done
With the light hand of the translators of the scientific center "NAUTSILUS", who translated the research of the Symantik specialists into Russian, many specialists who did not read the Symantik report in the original had the opinion that the accident was caused by the operating voltage frequency reduced to 2Hz to the centrifuge electric motor.
This is not the case, the correct translation is given at the beginning of the article.
And in principle, it is impossible to reduce the frequency of the supply voltage of a high-speed induction motor to 2Hz. Even a short-term supply of such a low-frequency voltage to the windings will cause a short circuit in the windings and trigger the overcurrent protection.
Everything was done much smarter.
The method of excitation of resonance in electromechanical systems described below could claim to be new, and I am considered its author, but it is most likely already used by the authors of the Stuxnet virus, so, alas, it remains only to plagiarize …
And nevertheless, I explain on my fingers, at the same time conducting an educational program on the basics of physics. Imagine a massive load, say a ton, hanging on a cable, let's say 10 meters long. We have obtained the simplest pendulum with its own resonant frequency.
Suppose further that you want to swing it with your little finger, applying an effort of 1 kg. A single attempt will produce no visible result.
So you need to push it repeatedly, applying forces to it by 1 kg, say 1000 times, then we can assume that such a multiple force will be equivalent in total to a single application of an effort per ton, this is quite enough to swing such a pendulum.
And so, we change tactics, and we begin to repeatedly push the suspended load with our little finger, each time applying an effort of 1 kg. We won't succeed again, because we don't know physics …
And if they knew, then first they would calculate the period of oscillation of the pendulum (the weight is absolutely unimportant, the suspension is 10 meters, the force of gravity is 1g) and began to push the load with this period with the little finger. The formula is well known:
In 10-20 minutes, this pendulum weighing a ton would swing so that "mama do not cry."
Moreover, it is not necessary to press the little finger on every quality of the pendulum; this can be done once, twice, or even after a hundred oscillations of the pendulum. It's just that the buildup time will increase proportionally, but the buildup effect will be completely preserved.
And yet, I will surprise people who know physics and mathematics in the volume of secondary school (the level of knowledge of a typical modern programmer), the oscillation period of such a pendulum does not depend on the oscillation amplitude, swing it by a millimeter or a meter from the rest point, the oscillation period and, accordingly, the oscillation frequency of the pendulum will be constant.
Any spatial structure has not even one, but several resonant frequencies; in fact, there are several such pendulums in it. Gas centrifuges, due to their technical features, have a so-called main resonant frequency of high quality factor (they effectively accumulate vibration energy).
It remains only to swing the gas centrifuge with a finger at the resonant frequency. It's a joke, of course, if there is an electric motor with an automatic control system, then the same can be done much more imperceptibly.
To do this, you need to increase / decrease the speed of the electric motor in jerks (as the virus did, at 2 Hz) and issue these jerks with the resonance frequency of the mechanical structure of the centrifuge.
In other words, it is necessary to output to the motor with the frequency of mechanical resonance using a frequency voltage converter with variable frequency. The moment of force that occurs in the motor when the frequency of the supply voltage changes will be transmitted to the case with the frequency of mechanical resonance and gradually the resonant oscillations will reach a level at which the installation will begin to collapse
Frequency fluctuations near a certain average value are called "beats", this is a standard effect of any frequency converter, the frequency, as they say, "walks" within certain limits, usually no more than tenths of a percent of the nominal. The saboteurs disguised as these natural beats of frequency, their own, artificially introduced, modulation of the frequency of the electric motor and synchronized it with the frequency of mechanical resonance of the spatial structure of the centrifuge.
I will not go into the topic any further, otherwise I will be accused of writing step-by-step instructions for saboteurs. Therefore, outside the discussion, I will leave the question of finding the resonant frequency for a particular centrifuge (it is individual for each centrifuge). For the same reason, I will not describe the method of "fine" adjustment, when it is necessary to balance on the verge of triggering the emergency protection against vibrations.
These tasks are solved through the software available output voltage current sensors installed in frequency converters. Take my word for it - this is quite realizable, it's just the algorithms.
Again about the accident at the Sayano-Shushenskaya HPP
In the previous article, it was hypothesized that the accident at the hydroelectric power station was caused in the same way (by the resonance method) as at a uranium enrichment plant in Iran, using special software.
This of course does not mean that the same Stuxnet virus was working there and here, of course not. The same physical principle of object destruction worked - an artificially induced resonance of a mechanical structure.
The presence of resonance is indicated by the presence of unscrewed fastening nuts of the turbine cover and the readings of the axial vibration sensor, which was the only working sensor at the time of the accident.
Taking into account the coincidence of the time and causes of the HPP accident with the fact of sabotage at the Iranian uranium enrichment plant, the continuous vibration control system turned off at the time of the accident, the operation of the unit under the control of the automatic control system of the turbine unit, it can be assumed that the resonance was not an accidental phenomenon, but a man-made one.
If this assumption is correct, then, unlike the situation with gas centrifuges, the task of destroying the turbine unit required manual intervention. The equipment available at the HPP did not allow the sabotage software to automatically detect the individual resonance frequency and then keep the vibrations within the emergency mode without triggering the emergency sensors.
At the hydroelectric power station, the work of sabotage software required the use of the "human factor". Someone somehow had to turn off the vibration control server, and before that transfer to the developers of the sabotage software the parameters of the resonances of a particular turbine unit, which were removed from it six months before the accident during a scheduled repair.
The rest was a matter of technique.
No need to think that the resonance occurred in the very body of the turbine rotor, of course not. The resonance of the water layer, saturated with elastic cavitation cavities, located between the turbine rotor and the guide vanes, was caused.
In a simplified way, one can imagine such an analogy, at the bottom there is a spring made of cavitation cavities between the turbine rotor and the blades of the guide vanes, and this spring is supported by a column of water one hundred meters high. It turns out an ideal oscillatory circuit. To swing such a pendulum system is a very real task.
It is because of this resonance ALL the blades of the guide vanes were broken, and not mechanically, from impacts, but broken by dynamic load. Here is a photo of these broken blades, there are no traces of mechanical shock on their surfaces:
The broken blades of the guide vanes blocked the drain hole of the turbine, and it was from this unforeseen circumstance that the accident began to develop into a catastrophe.
The turbine rotor resembled a supertanker propeller, and began to rotate in a "closed can of water" with a mass of one and a half thousand tons and a rotation speed of 150 rpm. In the working area of the turbine, such an overpressure of water was created that the lid was ripped off, and the turbine itself, according to eyewitnesses, together with the generator rotor (a colossus of 1,500 tons) flew up to the ceiling of the turbine hall.
What was further known to everyone.
