Air gaps: a true myth

A little bit ago I gave a talk focused on air gaps as a security strategy in control systems. The talk was at the AusCERT 2012 conference and to my amazement it generated a large amount of discussion.


ISS Source Editor’s Note: This is Part II of an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

While all this interest is very heartening, I think a few may have misunderstood the message.

The theory of the air gap sounds great; by creating a physical gap between the control network and the business network, bad things like hackers and worms can never get into critical control systems. But as you can probably guess, I don’t believe that true air gaps actually exist in the ICS and SCADA world.

Certainly, there are many people who disagree with me outright. For example, Paul Ferguson, an Internet Security Intelligence blogger at Trend Micro wrote: “I’ve written about SCADA issues in the past, but one issue that I’ve consistently tried to emphasize is that critical control systems should never, ever interact nor interconnect with Internet systems in any way, shape, or form. There’s a good reason for this, and it’s always been referred to as the ‘Air Gap’ Principle.”

Similarly, last year there was a flood of SCADA and ICS vulnerability notices with advice on addressing the issue by using an air gap. One example I gave in the past came from the original Siemens Security Advisory addressing the vulnerabilities in Siemens SIMATIC S7-1200 PLC line: “In addition, it is important to ensure your automation network is protected from unauthorized access using the strategies suggested in this document or isolate the automation network from all other networks using an air gap.”

Now the interesting thing (and a real credit to Siemens) is that they removed this recommendation from this advisory (and all other advisories) a few months later.

I suspect that Stefan Woronka, Siemens Director of Industrial Security Services, had something to do with this when he publicly stated: “Forget the myth of the air gap – the control system that is completely isolated is history.”

Similarly, Schneider Electric and Rockwell security advisories make no mention of air gaps. Rockwell’s mitigation guidance is very clear:

“Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).”

I think that all of the PLC and DCS vendors have come to realize air gaps conflict with their architectures.

There is a good reason why you won’t find the air gap mentioned in vendor engineering manuals and why it is disappearing from security advisories. As a theory, the air gap is wonderful. In real life, it just doesn’t work.

Sure you can simply unplug the connection between the control system and the business network and presto, you have an “air gap”. Then one day you get new logic from your engineering consultant – perhaps it addresses a design flaw that has been causing your company considerable downtime. A little while later Adobe sends you a software update – perhaps it is for a critical vulnerability in the PDF Reader your staff uses to view operational manuals. Next your lab group sends a process recipe that will improve product quality. The list keeps growing – patches for your computer operating systems, anti-virus signatures, remote support and system software – you can’t ignore them all.

So what do you do? Maybe you load some files onto a USB drive and carry that onto the plant floor. But isn’t that how Stuxnet spread? Or maybe putting everything onto a laptop is the solution, but what if the laptop is infected? A serial line and a modem – sorry, the Slammer worm got into a number of control systems that way. Even the trusty CD can be a carrier of evil bits.

As much as we want to pretend, modern control systems need a steady diet of electronic information from the outside world. Severing the network connection with an air gap simply spawns new pathways – pathways like the mobile laptop and the USB key, which are more difficult to manage and just as easy to infect.

So are there air gaps in any control systems? Sure – in trivial systems. For example, the digital thermostat controlling the heat pump in my home probably has a true air gap. And maybe in very high risk systems – for example, I am led to believe reactor control systems in nuclear plants are truly air gapped.

But do air gaps exist for all the control systems that manage our power grid, our transportation systems, our water and our factories? I will let Sean McGurk, the Director, National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security answer that: “In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network.”
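The two practical points above, Rockwell's advice to block EtherNet/IP and CIP traffic (TCP/UDP 2222 and 44818) arriving in the Manufacturing Zone from outside it, and McGurk's observation that assessments routinely find many direct enterprise-to-operations connections, both come down to the same question: what does the traffic actually crossing the zone boundary look like? The script below is an added example, not code from the article or from Tofino Security, Rockwell or DHS. It assumes two constructed zone CIDRs (10.10.0.0/16 for the manufacturing zone, 10.20.0.0/16 for the enterprise zone), a constructed one-line-per-flow log format, and a handful of constructed sample flows; it classifies each flow against a zone model, flags CIP traffic that the Rockwell guidance says should be blocked, and counts the distinct host pairs that bridge the zones, which is the kind of number an assessment team reports when it says "we see 11 direct connections."

```python
import ipaddress
from collections import Counter

# Zone definitions are constructed for this example; a real audit would load
# them from the site's network documentation or firewall object groups.
ZONES = {
    "manufacturing": [ipaddress.ip_network("10.10.0.0/16")],
    "enterprise": [ipaddress.ip_network("10.20.0.0/16")],
}

# EtherNet/IP (UDP 2222) and CIP (TCP/UDP 44818) ports named in the Rockwell
# guidance quoted in the article.
CIP_PORTS = {2222, 44818}


def zone_of(ip):
    """Map an IP address to a zone name; anything outside the known zones is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def parse_flow(line):
    """Parse one constructed flow-log line: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "proto": proto.lower(),
        "src": src_ip,
        "sport": int(src_port),
        "dst": dst_ip,
        "dport": int(dst_port),
    }


def evaluate(flow):
    """Classify a flow: 'block-cip' for CIP/EtherNet-IP entering the manufacturing
    zone from any other zone, 'cross-zone' for any other boundary crossing, else 'ok'."""
    src_zone = zone_of(flow["src"])
    dst_zone = zone_of(flow["dst"])
    if dst_zone == "manufacturing" and src_zone != "manufacturing" and flow["dport"] in CIP_PORTS:
        return "block-cip"
    if src_zone != dst_zone:
        return "cross-zone"
    return "ok"


def audit(lines):
    """Summarise a flow log: verdict counts plus the distinct host pairs that bridge zones."""
    counts = Counter()
    pairs = set()
    for line in lines:
        flow = parse_flow(line)
        verdict = evaluate(flow)
        counts[verdict] += 1
        if verdict != "ok":
            pairs.add((flow["src"], flow["dst"]))
    return {"counts": counts, "cross_zone_pairs": sorted(pairs)}


# Constructed sample flows (not real traffic). 203.0.113.0/24 is a documentation range.
SAMPLE_FLOWS = [
    "2012-05-01T10:00:00 TCP 10.20.5.7:51000 -> 10.10.1.20:44818",   # enterprise -> PLC, CIP
    "2012-05-01T10:00:05 UDP 10.20.5.7:50000 -> 10.10.1.20:2222",    # enterprise -> PLC, EtherNet/IP
    "2012-05-01T10:01:00 TCP 10.20.9.9:52000 -> 10.10.1.30:443",     # enterprise -> manufacturing, other
    "2012-05-01T10:02:00 TCP 10.10.2.5:51234 -> 10.10.1.20:44818",   # inside manufacturing zone
    "2012-05-01T10:03:00 TCP 203.0.113.8:40000 -> 10.10.1.20:44818", # external -> PLC, CIP
    "2012-05-01T10:04:00 TCP 10.10.1.50:55000 -> 10.20.3.3:443",     # manufacturing -> enterprise
]

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for verdict, n in sorted(result["counts"].items()):
        print(f"{verdict:11s} {n}")
    print(f"distinct zone-bridging host pairs: {len(result['cross_zone_pairs'])}")
    for src, dst in result["cross_zone_pairs"]:
        print(f"  {src} -> {dst}")
```

Run against the constructed sample, the audit reports three flows that the Rockwell rule would block, two other zone crossings, one flow that stays inside the manufacturing zone, and four distinct host pairs bridging the zones. Feeding it a real NetFlow or firewall export (after adapting `parse_flow` to that format) turns "we are isolated" from an assumption into a measured count.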

Control system vendors have accepted that the dream of the air gap as a security strategy is finished. Government agencies like ICS-CERT have also accepted that a true air gap is impossible. Now it is time for the consultants and end-users to give up on the air gap myth. Believing your plant’s security is under control because the control systems are “isolated” is just a dangerous illusion:

Chris Blask, chief executive, ICS Cybersecurity Inc, said: “None of the vulnerabilities [uncovered at the NESCOR summit] pose as great a risk as the belief that your system is isolated.”

For effective ICS and SCADA security, the entire industry needs to move past the myth of air gaps and learn to deal with the reality: All control systems connect to the outside world in some fashion. It might be a network connection, a serial line or USB “sneakernet,” but it is a pathway modern malware like Stuxnet and Flame can exploit. Cyber security countermeasures must face up to this fact.

Eric Byres is chief technology officer at Tofino Security.
