As a security practitioner and a controls engineer, I am often asked my views on air gaps as a security strategy for supervisory control and data acquisition (SCADA) and industrial control systems (ICS). Air gaps have long been a focus of discussion in industry, and they still continue to generate a lot of interest in the media. In theory, the air gap strategy certainly sounds great. By creating a physical gap between the control network and the business network, the bad guys (criminals, hackers, and worms) are kept out of critical systems.
Before I go any further, I must clarify what I mean when I use the term "air gap": What I am referring to in this column is the philosophy that says we can truly isolate our critical systems from the outside world. And this is where the myth, and the danger, lies. To begin, I do not believe true air gaps actually exist in the ICS and SCADA world. Moreover, many SCADA security experts have even stronger opinions than I do on the subject; for example, see Craig Wright's blog [a]. However, I do acknowledge (albeit reluctantly) that not everyone agrees with me on this.
In 2011, for example, we saw a deluge of SCADA and ICS vulnerability notices with advice on addressing the issue by using an air gap. One example I have referred to in the past comes from the original Siemens Security Advisory addressing the vulnerabilities in Siemens' SIMATIC S7-1200 PLC line: "In addition, it is important to ensure your automation network is protected from unauthorized access using the strategies suggested in this document or isolate the automation network from all other networks using an air gap."
To give credit where credit is due: Siemens removed this recommendation from the advisory (and all other advisories) a few months later. I strongly suspect that Stefan Woronka, Siemens' director of Industrial Security Services, had something to do with this when he publicly stated: "Forget the myth of the air gap: the control system that is completely isolated is history."
Similarly, all the security advisories from two other leading vendors (Schneider Electric and Rockwell) make no mention of air gaps. Rockwell's mitigation guidance is very clear: "Block all traffic to the EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port#2222 and Port#44818 using appropriate security technology (for example, a firewall, UTM devices, or other security appliance)." [b]
Could this be an indication that control system vendors are beginning to realize air gaps conflict with their architectures? For example, consider the accompanying figure diagramming a high-security architecture derived from the Siemens Security Concept manual [c]. Can you spot the air gap in the figure? I can't!
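The Rockwell guidance quoted above is, in effect, a zone-boundary policy: CIP traffic on TCP/UDP 2222 and 44818 is permitted only from inside the Manufacturing Zone. The following is an added example (not Rockwell's or this column's own code) that applies that policy to constructed flow records and reports which outside hosts tried to reach CIP devices; the 10.10.0.0/16 zone address range and the flow-record format are assumptions.

```python
import ipaddress
from collections import namedtuple

# Ports named in the Rockwell guidance: EtherNet/IP explicit messaging
# (TCP/UDP 44818) and the legacy CIP port (TCP/UDP 2222).
CIP_PORTS = {2222, 44818}

# Assumed (hypothetical) zone layout: the Manufacturing Zone is 10.10.0.0/16;
# every other source address is "outside" and must not reach CIP devices.
MANUFACTURING_ZONE = ipaddress.ip_network("10.10.0.0/16")

Flow = namedtuple("Flow", "proto src dst dport")

def parse_flow(line):
    """Parse one constructed flow record: '<proto> <src> -> <dst>:<dport>'."""
    proto, src, _, rest = line.split()
    dst, dport = rest.rsplit(":", 1)
    return Flow(proto.lower(), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport))

def zone_boundary_verdict(flow):
    """Vendor rule: block CIP traffic whose source lies outside the zone."""
    if (flow.proto in ("tcp", "udp") and flow.dport in CIP_PORTS
            and flow.src not in MANUFACTURING_ZONE):
        return "BLOCK"
    return "ALLOW"

def audit(lines):
    """Return (blocked flows, sorted list of outside hosts that attempted CIP)."""
    blocked = [f for f in map(parse_flow, lines)
               if zone_boundary_verdict(f) == "BLOCK"]
    return blocked, sorted({str(f.src) for f in blocked})

# Constructed sample records; not captured from any real network.
SAMPLE_FLOWS = [
    "tcp 10.10.1.5 -> 10.10.2.20:44818",      # HMI inside the zone polling a PLC
    "udp 10.10.1.5 -> 10.10.2.20:2222",       # implicit I/O inside the zone
    "tcp 192.168.50.12 -> 10.10.2.20:44818",  # enterprise workstation to a PLC
    "tcp 192.168.50.12 -> 10.10.2.21:2222",   # same host, legacy CIP port
    "tcp 203.0.113.7 -> 10.10.2.20:44818",    # source outside both networks
    "tcp 192.168.50.40 -> 10.10.3.9:443",     # HTTPS to a historian, not CIP
]

if __name__ == "__main__":
    blocked, offenders = audit(SAMPLE_FLOWS)
    for f in blocked:
        print(f"BLOCK {f.proto} {f.src} -> {f.dst}:{f.dport}")
    print(f"{len(offenders)} outside host(s) attempted CIP access: {offenders}")
```

Run against a real flow export, the list of offending source hosts is a starting inventory of the enterprise-to-control connections that the air-gap assumption says should not exist.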
Are you ready for another challenge? Try this exercise:
There is a good reason why you will not find the air gap mentioned in vendor engineering manuals and why it is disappearing from security advisories. As a theory, the air gap is wonderful. In real life, it just does not work.
Sure, you can simply unplug the connection between the control system and the business network and presto, you have an "air gap." Excellent! Job done!
Then one day the bubble bursts. Your control system team gets new logic from the engineering consultant; perhaps it addresses a design flaw that has been causing your company considerable downtime... A little while later Adobe sends your team a software update; perhaps it is for a critical vulnerability in the PDF reader the staff uses to view operational manuals... Next the lab group sends a process recipe that will improve product quality. Are you starting to get the picture?
The list just keeps growing and growing: patches for critical computer operating systems, anti-virus signatures, remote support from vendors. No company can ignore them all.
So what does the average controls engineer do? Just load some files onto a USB flash drive and carry that onto the plant floor. But wait a minute, isn't that how Stuxnet spread?
Hmmm, let's see...maybe putting everything onto a laptop is the solution? Yes, that's the ticket! Oh, but what if the laptop is infected?
Eureka! A serial line and a modem! But wait a minute, the Slammer worm got into a number of control systems that way. Yes, even the trusty old CD can be turned into the carrier of evil bits.
As much as we want to pretend otherwise, modern industrial control systems need a steady diet of electronic information from the outside world. Severing the network connection with an air gap simply spawns new pathways like the mobile laptop and the USB flash drive, which are more difficult to manage and just as easy to infect.
So are there air gaps in any control systems? Sure: one example appears in the photograph on the first page of this column. For another, more real-world example: the digital thermostat controlling the heat pump in my home probably has a true air gap. And maybe in extremely high-risk systems; I am led to believe reactor control systems in nuclear plants are truly air gapped.
But do air gaps exist for all the control systems that manage our power grid, our transportation systems, our water systems, and our factories? Consider how Sean McGurk, the former director of the National Cybersecurity and Communications Integration Center (NCCIC) at the U.S. Department of Homeland Security, answered that question: "In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system, or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network." [e]
For many years, control system vendors have believed (or wanted to believe) in the fairy tale of the air gap. Now they have grown up and have come to realize this security strategy is finished. Government agencies like ICS-CERT have also accepted that a true air gap is impossible.
All control systems are connected to the outside world in some fashion. It might be a network connection, a serial line, or a USB flash drive "sneakernet," but it is a pathway that can be exploited by modern malware like Stuxnet and Flame. Cyber security countermeasures must face up to this fact.
Clearly, it is time for the media, consultants, and end users to give up on the air gap myth. Believing a critical SCADA system's security is under control because it is "isolated" is just a dangerous illusion. As stated by Chris Blask, CEO of ICS Cybersecurity, Inc.: "None of the vulnerabilities [uncovered at the NESCOR summit] pose as great a risk as the belief that your system is isolated."
Any company defending its critical SCADA systems with an air gap is making a serious mistake. Any security consultant recommending air gaps as a strategy is doing their client a serious disservice. And any vendor suggesting air gaps as a solution to their product vulnerabilities is being irresponsible. It is time we put the air gap on the shelf with other fairy tales and started designing real-world solutions to protect the critical SCADA systems running our world.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2013 ACM, Inc.