
Communications of the ACM

Privacy and security

The Air Gap: SCADA's Enduring Security Myth



A control system protected by a real air gap: IBM 360/195 playing chess, November 1974.

Credit: Rutherford Appleton Laboratory; Science & Technology Facilities Council

As a security practitioner and a controls engineer, I am often asked my views on air gaps as a security strategy for supervisory control and data acquisition (SCADA) and industrial control systems (ICS). Air gaps have long been a focus of discussion in industry, and they still continue to generate a lot of interest in the media. In theory, the air gap strategy certainly sounds great. By creating a physical gap between the control network and the business network, the bad guys (criminals, hackers, and worms) are kept out of critical systems.

Before I go any further, I must clarify what I mean when I use the term "air gap": What I am referring to in this column is the philosophy that says we can truly isolate our critical systems from the outside world. And this is where the myth, and the danger, lies. To begin, I do not believe true air gaps actually exist in the ICS and SCADA world. Moreover, many SCADA security experts have even stronger opinions than me on the subject; for example, see Craig Wright's blog.[a] However, I do acknowledge (albeit reluctantly) that not everyone agrees with me on this.

In 2011, for example, we saw a deluge of SCADA and ICS vulnerability notices with advice on addressing the issue by using an air gap. One example I have referred to in the past comes from the original Siemens Security Advisory addressing the vulnerabilities in Siemens' SIMATIC S7-1200 PLC line: "In addition, it is important to ensure your automation network is protected from unauthorized access using the strategies suggested in this document or isolate the automation network from all other networks using an air gap."


The 'Air Gap Principle' Is History

To give credit where credit is due: Siemens removed this recommendation from the advisory (and all other advisories) a few months later. I strongly suspect that Stefan Woronka, Siemens' director of Industrial Security Services, had something to do with this when he publicly stated: "Forget the myth of the air gap; the control system that is completely isolated is history."

Similarly, all the security advisories from two other leading vendors (Schneider Electric and Rockwell) make no mention of air gaps. Rockwell's mitigation guidance is very clear: "Block all traffic to the EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port#2222 and Port#44818 using appropriate security technology (for example, a firewall, UTM devices, or other security appliance)."[b]
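
As an added illustration (not from the column or from Rockwell), the following Python sketch audits firewall flow records for allowed traffic that reaches the EtherNet/IP ports named in the guidance from outside the Manufacturing Zone, and counts the distinct cross-zone pathways. The 10.20.0.0/16 zone subnet, the record format, and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed (hypothetical) address plan for the Manufacturing Zone.
MANUFACTURING_ZONE = ipaddress.ip_network("10.20.0.0/16")
# Ports named in the quoted guidance; it applies to both TCP and UDP.
CIP_PORTS = {2222, 44818}

# Constructed sample records: proto src dst dport action
SAMPLE_FLOWS = """\
tcp 10.20.1.5 10.20.3.10 44818 allow
tcp 192.168.50.7 10.20.3.10 44818 allow
udp 192.168.50.7 10.20.3.11 2222 allow
udp 172.16.9.4 10.20.3.11 2222 deny
tcp 192.168.50.7 10.20.3.10 443 allow
tcp 192.168.50.8 10.20.3.10 44818 allow
tcp 10.20.1.5 192.168.50.7 44818 allow
"""

def parse_flows(text):
    """Yield (proto, src, dst, dport, action) from whitespace-separated lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        proto, src, dst, dport, action = fields
        yield (proto.lower(), ipaddress.ip_address(src),
               ipaddress.ip_address(dst), int(dport), action.lower())

def violations(text, zone=MANUFACTURING_ZONE):
    """Allowed flows from outside the zone to a CIP port on a device inside it."""
    found = []
    for proto, src, dst, dport, action in parse_flows(text):
        if (action == "allow" and proto in ("tcp", "udp")
                and dport in CIP_PORTS and dst in zone and src not in zone):
            found.append((proto, str(src), str(dst), dport))
    return found

def pathways(text, zone=MANUFACTURING_ZONE):
    """Count flows per distinct (outside source, zone device) pair."""
    return Counter((src, dst) for _, src, dst, _ in violations(text, zone))

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("cross-zone CIP flow allowed:", v)
    print("distinct pathways:", len(pathways(SAMPLE_FLOWS)))
```
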

Could this be an indication that control system vendors are beginning to realize air gaps conflict with their architectures? For example, consider the accompanying figure diagramming a high-security architecture derived from the Siemens Security Concept manual.[c] Can you spot the air gap in the figure? I can't!

Are you ready for another challenge? Try this exercise:

  • Download the security manual from Rockwell.[d]
  • Search for the term "Air Gap." You won't find it.
  • Search the diagrams for an air gap. You won't find it.
  • In fact, while you are at it, why not check out all the major SCADA vendors' engineering guides. You won't find the air gap mentioned anywhere (if you do find an example of an industrial vendor recommending air gaps, please send it to me).


Air Gaps Do Not Work in the Real World

There is a good reason why you will not find the air gap mentioned in vendor engineering manuals and why it is disappearing from security advisories. As a theory, the air gap is wonderful. In real life, it just does not work.

Sure, you can simply unplug the connection between the control system and the business network and presto, you have an "air gap." Excellent! Job done!

Then one day the bubble bursts. Your control system team gets new logic from the engineering consultant; perhaps it addresses a design flaw that has been causing your company considerable downtime... A little while later Adobe sends your team a software update; perhaps it is for a critical vulnerability in the PDF reader the staff uses to view operational manuals... Next the lab group sends a process recipe that will improve product quality. Are you starting to get the picture?

The list just keeps growing and growing: patches for critical computer operating systems, anti-virus signatures, remote support from vendors. No company can ignore them all.

So what does the average controls engineer do? Just load some files onto a USB flash drive and carry that onto the plant floor. But wait a minute, isn't that how Stuxnet spread?

Hmmm, let's see...maybe putting everything onto a laptop is the solution? Yes, that's the ticket! Oh, but what if the laptop is infected?

Eureka! A serial line and a modem! But wait a minute, the Slammer worm got into a number of control systems that way. Yes, even the trusty old CD can be turned into the carrier of evil bits.


As much as we want to pretend otherwise, modern industrial control systems need a steady diet of electronic information from the outside world. Severing the network connection with an air gap simply spawns new pathways like the mobile laptop and the USB flash drive, which are more difficult to manage and just as easy to infect.


Air Gaps Do Exist In Trivial and Very High Risk Control Systems

So are there air gaps in any control systems? Sure: one example appears in the photograph on the first page of this column. For another, more real-world, example: the digital thermostat controlling the heat pump in my home probably has a true air gap. And maybe in extremely high-risk systems: I am led to believe reactor control systems in nuclear plants are truly air gapped.

But do air gaps exist for all the control systems that manage our power grid, our transportation systems, our water systems, and our factories? Consider how Sean McGurk, the former director of the National Cybersecurity and Communications Integration Center (NCCIC) at the U.S. Department of Homeland Security, answered that question: "In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system, or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network."[e]


The End of the Fairy Tale: Time for Industry to Grow Up

For many years, control system vendors have believed (or wanted to believe) in the fairy tale of the air gap. Now they have grown up and have come to realize this security strategy is finished. Government agencies like ICS-CERT have also accepted that a true air gap is impossible.

All control systems are connected to the outside world in some fashion. It might be a network connection, a serial line, or USB flash drive "sneakernet," but it is a pathway that can be exploited by modern malware like Stuxnet and Flame. Cyber security countermeasures must face up to this fact.

Clearly, it is time for the media, consultants, and end users to give up on the air gap myth. Believing a critical SCADA system's security is under control because it is "isolated" is just a dangerous illusion. As stated by Chris Blask, CEO of ICS Cybersecurity, Inc.: "None of the vulnerabilities [uncovered at the NESCOR summit] pose as great a risk as the belief that your system is isolated."

Any company defending its critical SCADA systems with an air gap is making a serious mistake. Any security consultant recommending air gaps as a strategy is doing their client a serious disservice. And any vendor suggesting air gaps as a solution to their product vulnerabilities is being irresponsible. It is time we put the air gap on the shelf with other fairy tales and started designing real-world solutions to protect the critical SCADA systems running our world.


Author

Eric Byres (eric.byres@belden.com) is the chief technology officer at Tofino Security in British Columbia, Canada, and a member of the ISA and IEC committees for control system security.


Footnotes

a. http://infosecisland.com/blogview/16770-SCADA-Air-Gaps-Do-Not-Exist.html

b. Source: KB Article 470154-EtherNet/IP Product Vulnerabilities.

c. See http://cache.automation.siemens.com/dnl/jE/jE2MjIwNQAA_26462131_HB/wp_sec_b.pdf.

d. See http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp005_-en-e.pdf.

e. Source: The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing.


Figures

Figure. A high-security architecture.



Copyright held by author.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2013 ACM, Inc.


 
