The start of a new year is often the time we make decisions to do things differently than in the past. Today I would like to suggest that one of the 2016 decisions you make is to toss out invalid ICS security assumptions and home in on meaningful improvement for your cyber security defenses.

To make the point I am going to look at an “old” security approach – air gaps. Those at the forefront of security may have dismissed air gap approaches, but many engineers in the field still consider them valid defense measures.

Let’s look at air gaps as a security control and see why, for anyone concerned about automation network reliability and availability, it’s time to forget them as a method of defense.

Proving there are multiple pathways to control systems, in 2013 the International Space Station was infected by a virus introduced via a USB storage device.

The ICS Security Air Gap Myth

An air gap is a physical gap between the control network and other networks such as business networks or the Internet. The concept is that a physical gap can stop hackers and their tools, such as malware or unauthorized remote access software.

Before LANs and the Internet came along, functional air gaps did exist – see the black and white photo shown on this page for an example.

Modern control networks, however, require a steady flow of electronic information with both enterprise and third party networks that can open up vulnerabilities or exploitable weaknesses.  If you think you have an isolated system, read this conversation between a control engineer and SCADA security expert Eric Byres.

Therefore, a common prescription from vendors as recently as a few years ago included mitigations such as:

“It is important to isolate the automation network from all other networks using an air gap.”

In today’s competitive world, the demand for real-time data and continuous improvement has meant that links between control networks and business networks are inevitable:

"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network."

- Sean McGurk, former Director, National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security

Whether it is production data, remote support, supply chain integration, engineering enhancements or even simple PDF reader updates for manual reading, connecting with other networks is a de facto requirement.

The first control systems really were protected by air gaps. Today, demands for real-time data and connectivity with third party systems have made them obsolete.

Multiple Pathways to Control Systems

Maybe you accept my argument that automation networks are connected to enterprise networks. But you still believe it’s possible to isolate control networks from third party systems using a “no-Internet” air gap.

A major change in thinking in this regard occurred after Stuxnet was discovered and its infection methods analyzed. Our white paper How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems showed how a high security “air gapped” nuclear enrichment plant was breached using an infected USB device. Among its conclusions:

  • A modern ICS or SCADA system is highly complex and interconnected, resulting in multiple potential pathways from the outside world to the process controllers.
  • Assuming an air gap between ICS and corporate networks is unrealistic, as information exchanges are essential for process and business operations to function effectively.
  • All mechanisms for transfer of electronic information (in any form) to or from an ICS must be evaluated for security risk. Focusing security efforts on only a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense.

Another example that disproves the notion that air gaps are an effective defense is the Dragonfly malware campaign. Discovered in 2014, it targeted the pharmaceutical industry. One way it obtained access to ICS networks was via malicious payloads inserted into legitimate software updates provided on vendor websites.

Industry expert Joel Langill states in our white paper on this cyberattack:

“Equipment, like PLCs and SCADA RTUs, that are typically ‘unconnected’ from the Internet are often believed to be immune from attacks that use more common social engineering vectors. This attack showed the potential of using tactics involving trusted supply-chain vendors to deliver malicious payloads directly to difficult-to-reach endpoints, such as ICS equipment.”

In his presentation “Why Control System Cyber-Security Sucks”, Dr. Stefan Lüders, Computer Security Officer, CERN, declares “the air gap is a myth”.

Current Example of Air Gap Myth Busting Cyberattack – BlackEnergy

To further kill the myth of air gaps as a valid security measure, let’s look at the milestone cyberattack that occurred recently, just before Christmas 2015 in Ukraine. Here are the key details:

  • A Western Ukrainian power company reported a power outage on Dec. 23, 2015.
  • The investigation into the incident revealed that malware called “BlackEnergy” or “DarkEnergy” disrupted systems which led to the outage.
  • Infection occurred when someone in the target organization received a “spear phishing” email with a malicious attachment and clicked on it.
  • The event is notable and important because it is the first known cyberattack to cause an electricity blackout.

For more details on the BlackEnergy attack, see this article by our sister company Tripwire.

This type of technique, known as social engineering, is another pathway into control networks. While a simpler infection technique than those used for Stuxnet and Dragonfly, its impact was very significant.   

How well are the employees in your organization trained to identify and disregard dubious emails?

Most Security Incidents Occur Inside the Control Network

Besides the reality that there are multiple routes into the control system, another major flaw with the air gap approach is that most industrial cyber security incidents originate INSIDE the control network.   

Belden’s experience with clients around the world indicates that causes such as these are common:

  • Misconfigured firewalls or switches
  • Unpatched computers or systems
  • Poorly segmented networks
  • Device or software error
  • Accidental introductions of malware

Industry data in this area is scarce, but RISI figures from 2011 also indicate that events within the control network account for the majority of control network cyber incidents.

Thus, even if air gaps did work, they would not protect your ICS from downtime and performance risk from the majority of cyber occurrences.

Instead of relying on the air gap crutch, take a hard look at the cyber risks facing your organization and the security controls you have in place to deal with them. The most important ICS security threats and controls are summarized in this article.

Time to Discard Air Gaps and Take Action on Cyber Security

I hope I have convinced you that it’s time to forget about air gaps as a security measure and to give other cyber security measures a higher priority in 2016. After all, it isn’t just about keeping data secure – it’s about keeping your systems operational. 

I can’t stress this enough – 90% of industrial cyber security is not about blocking hackers – it’s about ensuring high availability and reliability through hardened, resilient systems.

To help you get started or improve your cyber defenses, I have provided a number of educational and training links below. 

This article was written with expertise from Jeff Lund. Jeff is a senior director in product line management in Belden’s Industrial IT group.

1 Source: The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing. 58:30 -- 59:00

Related Links

Resources for Getting Started on Cyber Security

Cyber Security Training

Air Gap Resources