December 20, 2016

Never mind the air gap?

Tomi Behm

Lead Security Services Product Manager, Tieto

Traditionally, industrial control systems (ICSs) are often considered protected from security breaches by default. Why? It's because they have been air gapped; that is, they lack internet connectivity. But air gaps may lull one into a false sense of security.

Air gaps are widely used and trusted as a way to secure computers on a factory floor. Theoretically, air gaps are a smart thing to do – and they still work, to a certain extent. But real life is more complex. The idea of a complete separation of ICSs or other operational technology (OT) and IT is a myth

Ralph Langner, the man who first realized what Stuxnet was all about, has emphasized that industrial control systems are very easy to manipulate for those in the know. He has also remarked that the Iranian victims of Stuxnet were smart, too – they had air gapped their critical systems. In the end, it did not save them. The malware was probably planted on a USB stick that someone plugged into an air gapped computer.

Like Langner, I'm afraid many ICS installations have very weak security. Air gapping may cause neglect of even basic security configurations. After installation, nobody cares about changing default admin passwords and so forth.

IoT blows away the air gaps

There are several publicised cases of cyber attacks against industrial control systems. But in case descriptions, the actual path of the attacker usually remains obscure.

However, a small American company called ERPScan has demonstrated in detail, how a cyber terrorist could bypass air gaps in the oil and gas industry.

The trick is to use some of the hundreds of vulnerabilities found in enterprise software interfacing OT. Through these, an attacker can intrude OT devices and ICS networks. As a consequence, it’s then possible to perform simple tampering of oil tank metering data, for example. A tank will explode if it is overfilled – and if data is falsified, plant operators won’t be alarmed before it's too late.

This teaches us an important lesson: IT and OT tend to be interconnected despite the plant owners’ belief that air gaps protect their critical assets. In oil and gas – and most other industries – OT must constantly feed data into IT, such as enterprise resource planning software. A company simply must get the readings automatically to run their business.

Industrial internet and other new business requirements create a growing pressure to connect OT.

Prepare for an intrusion

One valid reason to continue the practice of air gapping is that many industrial control systems are such easy prey for cyber intruders. Especially a bit older ICSs were never designed to be connected to IT and the internet. That’s why they lack important security features or have unpatched, or hard-to-patch, vulnerabilities.

Additionally, direct internet connectivity would provide a path for attacks that may cause massive damage to factory equipment.

When you connect any industrial system to the internet, first check, whether it’s really necessary to do so, and understand the role and nature of the system. If you seriously intend to make and maintain an air gap, prepare for the possibility that one day a hostile intruder WILL acquire access to the system.

Take proactive measures to limit the severity of a breach. Harden the system and its operating environment as much as possible, mitigate possible consequences. An intruder should have a hard time figuring out how to first penetrate the system, then manipulate it and perhaps steal data.

Ultimately, monitoring is your best friend. This means first mapping the OT and then starting anomaly detection. There are limited possibilities to monitor ICS directly, but you can do it in the IT environment facing OT and create triggers just like in normal IT.

Whatever you do, make sure that air gaps are treated only as imaginary air gaps. They never provide 100 per cent protection from intrusions. I’d also prepare for the day, when air gaps are declared to be a thing from the past.

Read more how Tieto Security Services can help you manage your online security.

Stay up-to-date

Get all the latest blogs sent you now!