Meet the little box that could stop Flame and Stuxnet

A new plug-and-play device for factories and power plants could stop malicious code from triggering a major malfunction, or worse.

Eric Mack Contributing Editor
Eric Mack has been a CNET contributor since 2011. Eric and his family live 100% energy and water independent on his off-grid compound in the New Mexico desert. Eric uses his passion for writing about energy, renewables, science and climate to bring educational content to life on topics around the solar panel and deregulated energy industries. Eric helps consumers by demystifying solar, battery, renewable energy, energy choice concepts, and also reviews solar installers. Previously, Eric covered space, science, climate change and all things futuristic. His encrypted email for tips is ericcmack@protonmail.com.
Expertise Solar, solar storage, space, science, climate change, deregulated energy, DIY solar panels, DIY off-grid life projects, and CNET's "Living off the Grid" series Credentials
  • Finalist for the Nesta Tipping Point prize and a degree in broadcast journalism from the University of Missouri-Columbia.
Eric Mack
4 min read
Norway's Norman says it has a simple solution to prevent big problems. Screenshot by Eric Mack/CNET

Let me introduce you to Norm.


No, not George Wendt. Norman is an IT security company based in Norway that's selling a box that just might save the world from the next nuclear disaster.

Perhaps you've heard of a beefy piece of malware dubbed "Flame" that's been getting some attention lately. This week it became the latest dark monarch to reign in the underworld kingdom of scary code. Norm -- sorry, Norman -- says its new box could douse Flame and stop destructive cousins like Stuxnet and Duqu in their tracks, too.

While Flame's reported ability to disable security software, turn on a system's microphone, and take screen captures is scary enough, a more disturbing issue concerns our new friend Norman: Many of the networks and administrators that run our energy facilities, water treatment stations, and other industrial control systems (ICS, also sometimes referred to as SCADA systems) don't employ even basic antivirus software to help mitigate the threat from malware like Flame, Stuxnet, and the multitude of other bits of mean-spirited code hitchhiking around the world on even the nicest-looking packets of data.

At issue is the fact that many industrial control systems are custom-built to perform a specific set of tasks, and they often also require precise timing. This means traditional antivirus tools can't always just be laid on top of a SCADA system with the ease of an iPhone sliding into a new zebra-print case. Moreover, operators can be loathe to give up precious (and sometimes limited and/or outdated) system resources to a virus scan or other security-based processes. The result is that systems that control some of the machinery we depend on each day for basic necessities are often exposed to all sorts of nasty threats.

SCADA security expert and Tofino Security CTO Eric Byres says "99.99 percent of the control devices and protocols used today offer no robust authentication, integrity or confidentiality capabilities. They can be completely controlled by any individual or worm that gets a foothold on the network."

Enter Norman and our mysterious box.


Actually, the man I talked to is named Øivind. Good luck shouting that name across a Boston bar.

Øivind Barbo is Norman's product director for a new offering called Norman SCADA Protection (NSP), which Barbo tells CNET will be launched initially with a major multinational client in the energy sector in the coming weeks. Barbo explained to me that the idea behind NSP is to neutralize the two main vehicles that malware likes to hitch rides on -- networks and external storage devices like USB sticks.

Norman's box is essentially a terminal that's set up in line along the network to scan all the data coming in and out of the downstream industrial control system.

"It's an antivirus on a cable," Barbo says.

Think of it like one of those creepy new X-ray vision scanners at airport security. Unlike a firewall -- or a TSA agent -- that simply stops traffic to see where you've been and where you're going, the new and improved solution does a thorough (and sometimes uncomfortable, in the case of airport security) scan of the contents of everything passing through.

NSP plugs in behind the SCADA firewall to scan all data and portable storage destined for industrial controls. Screenshot by Eric Mack/CNET

The terminal appears to be about the size of a desktop PC, and Barbo says it's fully plug and play -- simply plug in your network cables and it starts scanning and stopping any threats that might unintentionally wander near, or directly target, an industrial controller. But Norman's cybersecurity bouncer-in-a-box does more than just actively scan network traffic. Just as your friendly TSA agent will kindly ask you to part with your shoes and belt buckle for a few minutes for a brief scan, the NSP in-line terminal also serves as a checkpoint for USB sticks and other external storage destined for any computer connected to a SCADA system.

The external devices are scanned for threats and either stamped with a clean bill of health in the form of a tiny encrypted file or they are rejected, much like your annoying friend who forgot to take the pocket knife off his keychain when you were already running late for your flight to Miami.

A small driver installed on the SCADA system console then looks for that encrypted file whenever a USB storage device is inserted to verify that it isn't infected by Flame, Stuxnet or some lesser digital cooties. Barbo explains that because the only thing running on the SCADA system is a small verification driver, two layers of security are added without giving up any significant system resources.

Last line of defense between Malware and the computer that might be controlling your neighborhood nuke plant. Screenshot by Eric Mack/CNET

Similar SCADA security appliances exist, but the simplicity behind NSP is compelling -- if it works. Barbo answers matter of factly with a "yes" when I ask if NSP would have stopped Stuxnet, but like most anti-malware products, it relies on prior identification of all threats. The NSP in-line scanner uses a secure connection for updates to its threat registry, so -- as with would-be underwear bombers -- it's always possible for something malicious to get past security.

Nonetheless, NSP could offer new protection for some pretty critical infrastructure. Norman's Barbo says a big name in the global energy industry will be the first to plug NSP into its operation soon. Norman estimates that typical SCADA installations could cost utilities and other industrial facilities between $40,000 and $50,000.

Not a bad deal for a little box from your new friend Norm. Especially, when you consider a typical airport scanner can cost up to four times as much, and your absent-minded buddy with the pocket knife isn't nearly as scary as Stuxnet.