How To Stop Flame and Stuxnet (Super-Malware) Dead in Their Tracks

A new plug-and-play device for factories and power plants could stop malicious code from triggering a major malfunction, or worse. How To Stop Flame and Stuxnet (Super-Malware) Dead in Their Tracks

Let me introduce you to Norm.

“Norm!”

No, not George Wendt. Norman is an IT security company based in Norway that’s selling a box that just might save the world from the next nuclear disaster.

Perhaps you’ve heard of a beefy piece of malware dubbed “Flame” that’s been getting some attention lately. This week it became the latest dark monarch to reign in the underworld kingdom of scary code. Norm — sorry, Norman — says its new box could douse Flame and stop destructive cousins like Stuxnet and Duqu in their tracks, too.

While Flame‘s reported ability to disable security software, turn on a system’s microphone, and take screen captures is scary enough, a more disturbing issue concerns our new friend Norman: Many of the networks and administrators that run our energy facilities, water treatment stations, and other industrial control systems (ICS, also sometimes referred to as SCADA systems) don’t employ even basic antivirus software to help mitigate the threat from malware like Flame, Stuxnet, and the multitude of other bits of mean-spirited code hitchhiking around the world on even the nicest-looking packets of data.

At issue is the fact that many industrial control systems are custom-built to perform a specific set of tasks, and they often also require precise timing. This means traditional antivirus tools can’t always just be laid on top of a SCADA system with the ease of an iPhone sliding into a new zebra-print case. Moreover, operators can be loathe to give up precious (and sometimes limited and/or outdated) system resources to a virus scan or other security-based processes. The result is that systems that control some of the machinery we depend on each day for basic necessities are often exposed to all sorts of nasty threats.

SCADA security expert and Tofino Security CTO Eric Byres says “99.99 percent of the control devices and protocols used today offer no robust authentication, integrity or confidentiality capabilities. They can be completely controlled by any individual or worm that gets a foothold on the network.”

Enter Norman and our mysterious box.

Norm!

Actually, the man I talked to is named Øivind. Good luck shouting that name across a Boston bar.

Øivind Barbo is Norman’s product director for a new offering called Norman SCADAProtection (NSP), which Barbo says it will be launched initially with a major multinational client in the energy sector in the coming weeks. Barbo explained to me that the idea behind NSP is to neutralize the two main vehicles that malware likes to hitch rides on — networks and external storage devices like USB sticks.

Norman’s box is essentially a terminal that’s set up in line along the network to scan all the data coming in and out of the downstream industrial control system.

“It’s an antivirus on a cable,” Barbo says.

Think of it like one of those creepy new X-ray vision scanners at airport security. Unlike a firewall — or a TSA agent — that simply stops traffic to see where you’ve been and where you’re going, the new and improved solution does a thorough (and sometimes uncomfortable, in the case of airport security) scan of the contents of everything passing through.

NSP plugs in behind the SCADA firewall to scan all data and portable storage destined for industrial controls.

The terminal appears to be about the size of a desktop PC, and Barbo says it’s fully plug and play — simply plug in your network cables and it starts scanning and stopping any threats that might unintentionally wander near, or directly target, an industrial controller. But Norman’s cybersecurity bouncer-in-a-box does more than just actively scan network traffic. Just as your friendly TSA agent will kindly ask you to part with your shoes and belt buckle for a few minutes for a brief scan, the NSP in-line terminal also serves as a checkpoint for USB sticks and other external storage destined for any computer connected to a SCADA system.

The external devices are scanned for threats and either stamped with a clean bill of health in the form of a tiny encrypted file or they are rejected, much like your annoying friend who forgot to take the pocket knife off his keychain when you were already running late for your flight to Miami.

A small driver installed on the SCADA system console then looks for that encrypted file whenever a USB storage device is inserted to verify that it isn’t infected by Flame, Stuxnet or some lesser digital cooties. Barbo explains that because the only thing running on the SCADA system is a small verification driver, two layers of security are added without giving up any significant system resources.

Last line of defense between Malware and the computer that might be controlling your neighborhood nuke plant.

Similar SCADA security appliances exist, but the simplicity behind NSP is compelling — if it works. Barbo answers matter of factly with a “yes” when I ask if NSP would have stopped Stuxnet, but like most anti-malware products, it relies on prior identification of all threats. The NSP in-line scanner uses a secure connection for updates to its threat registry, so — as with would-be underwear bombers — it’s always possible for something malicious to get past security.

Nonetheless, NSP could offer new protection for some pretty critical infrastructure. Norman’s Barbo says a big name in the global energy industry will be the first to plug NSP into its operation soon. Norman estimates that typical SCADA installations could cost utilities and other industrial facilities between $40,000 and $50,000.

Not a bad deal for a little box from your new friend Norm. Especially, when you consider a typical airport scanner can cost up to four times as much, and your absent-minded buddy with the pocket knife isn’t nearly as scary as Stuxnet.