What Happened After WinCC?

1. A Panoramic View of Automatic Control Systems in Heavy Industrial Enterprises—Industrial Control System Architecture

Currently, there are two main types of industrial control systems: distributed control systems (DCS) and fieldbus control systems (FCS). The architectures of DCS and FCS are shown in Figure 1 and Figure 2, respectively.

Figure 1 DCS Architecture

Figure 2 FCS Architecture

DCS is characterized by field instruments that communicate using analog signals, such as 4mA-20mA current signals; in FCS, the field instruments communicate digitally over a fieldbus using fieldbus protocols. Aside from this difference, configuration software (such as WinCC, Zhejiang University Control System, KingSCADA, etc.) plays essentially the same role in both DCS and FCS: it primarily functions as the controller (regulator) of the automatic control system, in effect implementing a virtual controller in software. Transmitters, controllers, and actuators are the three core components of a modern automatic control system.

The basic principle block diagram of a modern automatic control system (process control system) is shown in Figure 3.

Figure 3. Block Diagram of the Basic Components of a Modern Automatic Control System

Some companies’ automatic control systems combine features of DCS and FCS. This is mainly because the field instruments are not all intelligent instruments based on single-chip microcomputers and embedded systems. However, regardless of whether it is DCS or FCS, the controller is implemented by configuration software.

Modern controllers can select from various control algorithms, such as P (proportional), PI (proportional-integral), PD (proportional-derivative), and PID (proportional-integral-derivative). The control algorithm and its parameters are the core factors determining the characteristics and actual performance of the automatic control system. In configuration software, the control algorithm and its parameters are generally stored in configuration files or in a database; WinCC, for example, uses an SQL Server database.

2. The Impact of Attacks on Industrial Control Systems on Field Devices

(Taking the Stuxnet worm attack on WinCC configuration software as an example)

2.1 Principle of Separating Nuclear Fuel Uranium-235 from Natural Uranium

Natural uranium generally cannot be used directly as nuclear fuel or as an atomic bomb warhead, because only the isotope uranium-235 can undergo fission induced by slow neutrons. Natural uranium has three isotopes: uranium-238, uranium-235, and uranium-234. Uranium-238 constitutes over 99%, uranium-235 accounts for only about 0.7%, and uranium-234 is present in trace amounts. For use as reactor fuel, the uranium-235 concentration must reach approximately 4%. For weapons-grade uranium-235 used in atomic bomb warheads, the concentration is generally above 90%.

Since the three isotopes of uranium have identical chemical properties, it is impossible to separate or enrich uranium-235 using chemical methods. The separation or enrichment of uranium-235 is generally carried out using physical methods. The principle is as follows: natural uranium ore is processed through hydrometallurgy to obtain ammonium diuranate [(NH4)2U2O7], commonly known as yellowcake, which is then further processed to obtain volatile uranium hexafluoride (UF6). The slight difference in gas density between uranium hexafluoride-238 and uranium hexafluoride-235 is then used for separation.

The earliest method used was gaseous diffusion, which was employed to separate the nuclear charge for China’s first atomic bomb, but it was relatively inefficient. In the 1960s and 70s, gas centrifugation (hereinafter referred to as centrifugation) was put into practical use, with the centrifuge as its core equipment. A simple analogy illustrates the basic principle of centrifugation: if rice and chaff are placed together in a sieve and rotated, the heavier rice is “thrown” to the edges, while the lighter chaff is less likely to be “thrown” out and concentrates in the center. In centrifugation, uranium hexafluoride-238 is analogous to the “rice”, and uranium hexafluoride-235 is analogous to the “chaff”.

2.2 Equipment and Its Automatic Control for Centrifugal Separation of Uranium-235

The basic equipment for separating uranium-235 by centrifugation is a centrifuge. In order to obtain a higher concentration of uranium-235, multiple centrifuges are usually used in series.

The automatic control of centrifuges is quite complex, with up to seven controlled variables. To give a simple example: centrifuge speed is a crucial parameter affecting separation power and separation coefficient. For a specific centrifuge, the speed must be kept constant; otherwise, the separation of uranium-235 will be severely affected. To maintain a constant centrifuge speed, speed sensors and transmitters are used to measure the centrifuge speed. The speed data is sent to the controller, which then controls the speed regulator (actuator) to complete the automatic control of the centrifuge speed.

2.3 The Impact of Attacks on Industrial Control Systems on Centrifuges

In centrifugal uranium-235 enrichment plants, a DCS (Distributed Control System) can be used, with WinCC configuration software implemented as a virtual controller, serving as the core of the automatic control system. WinCC stores measurement and control data, including control algorithms and related parameters, in an SQL Server database.

The Stuxnet worm attacks WinCC. Because the username and password required to access the SQL Server database are hard-coded in WinCC, the Stuxnet worm can easily modify the WinCC monitoring and control data stored in that database.

A possible attack scenario: Assuming the centrifuge speed is automatically controlled using a PID algorithm, the Stuxnet worm attacks WinCC and modifies the PID algorithm parameters in the SQL Server database. This would cause changes in the centrifuge speed, potentially leading to the failure of automatic speed control. At best, this would result in a decrease in centrifuge separation power and separation coefficient, leading to failure in separating nuclear fuel-grade or weapons-grade uranium-235 (due to insufficient uranium-235 concentration). At worst, it could damage the centrifuge, ultimately causing a production shutdown. See Figure 4.

Figure 4. A Possible Attack Scenario
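The three technical threads of this article (the PID algorithm and its stored parameters in Section 1, the centrifuge speed loop in 2.2, and the parameter-tampering scenario in 2.3) can be illustrated together in a small simulation. The following is an added example written for this page; it is not code from the article, from Siemens, or from any real centrifuge plant. The plant model (a first-order speed response with a hypothetical time constant and actuator gain), the gains, the engineering envelope and the two stored parameter records are all constructed for illustration. It shows, from the defender's side, how a controller that settles with its engineered gains fails once the stored gains are changed, and how a keyed integrity tag plus a range check on the stored record detect such a change before it reaches the loop.

```python
"""Added example (not from the article): a PID speed loop on a constructed plant,
plus an integrity and range check on the stored loop-parameter record."""
import hashlib
import hmac
import json

# Constructed first-order speed model: TAU * dw/dt = GAIN * u - w  (hypothetical plant)
TAU = 2.0      # seconds, hypothetical time constant of the rotor/drive
GAIN = 1.0     # hypothetical actuator gain (speed units per unit of controller output)
DT = 0.05      # simulation step, seconds
U_LIMIT = 5000.0  # actuator saturation, constructed


def simulate_pid(kp, ki, kd, setpoint=1000.0, duration=40.0):
    """Run a PID speed loop and return (abs final error, overshoot as a fraction of setpoint)."""
    w = 0.0            # measured speed from the (simulated) transmitter
    integral = 0.0
    prev_err = setpoint - w
    peak = 0.0
    for _ in range(int(duration / DT)):
        err = setpoint - w
        integral += err * DT
        deriv = (err - prev_err) / DT
        u = kp * err + ki * integral + kd * deriv
        u = max(-U_LIMIT, min(U_LIMIT, u))     # actuator cannot exceed its limits
        w += DT * (GAIN * u - w) / TAU         # Euler step of the plant model
        prev_err = err
        peak = max(peak, w)
    overshoot = max(0.0, (peak - setpoint) / setpoint)
    return abs(setpoint - w), overshoot


# --- integrity of the stored parameter record ---------------------------------
# Hypothetical key held by the engineering workstation, NOT stored with the
# database credentials; constructed value for the demo only.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Constructed engineering envelope: gains outside these ranges are never valid
# for this loop, whatever the database says.
ENVELOPE = {"kp": (0.5, 10.0), "ki": (0.0, 5.0), "kd": (0.0, 1.0)}


def sign_params(params):
    """HMAC over a canonical JSON encoding of the three gains."""
    canon = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()


def check_params(record):
    """Return a list of findings for a stored loop-parameter record; empty means it passes."""
    findings = []
    params = {k: record[k] for k in ("kp", "ki", "kd")}
    if not hmac.compare_digest(sign_params(params), record.get("mac", "")):
        findings.append("mac mismatch: record changed outside the engineering workflow")
    for name, (lo, hi) in ENVELOPE.items():
        value = params[name]
        if not lo <= value <= hi:
            findings.append(f"{name}={value} outside engineering envelope [{lo}, {hi}]")
    return findings


# Constructed records as they might sit in the controller database.
NOMINAL_RECORD = {"loop": "centrifuge_speed", "kp": 2.0, "ki": 1.0, "kd": 0.0}
NOMINAL_RECORD["mac"] = sign_params({k: NOMINAL_RECORD[k] for k in ("kp", "ki", "kd")})

# The same record after its gains were altered in the database without the key:
# the old MAC no longer matches and the signs are outside the envelope.
TAMPERED_RECORD = dict(NOMINAL_RECORD, kp=-2.0, ki=-1.0)


if __name__ == "__main__":
    for label, rec in (("nominal", NOMINAL_RECORD), ("tampered", TAMPERED_RECORD)):
        err, ov = simulate_pid(rec["kp"], rec["ki"], rec["kd"])
        print(f"{label:9s} final error={err:10.3f}  overshoot={ov:.3f}  findings={check_params(rec)}")
```

With the nominal gains the loop settles on the setpoint with no overshoot; with the altered gains the actuator saturates and the speed runs away from the setpoint, which is the "failure of automatic speed control" the article describes. The point of `check_params` is that a record whose MAC was computed on the engineering side cannot be silently rewritten by anything that only holds the database credentials, and the envelope check catches physically implausible gains even where the key itself has been exposed.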