What is Air-gapping?
An air-gapped network is one that is physically isolated and is NOT connected to any other network. The only way data can be transferred into an air-gapped network is by physically inserting some sort of removable media, such as a USB or removable disk, or by connecting a transient device like a laptop.
Think of it this way: You and a few friends are on a deserted island. You have conversations and share information with each other, but those conversations can never be shared outside the group on the island. Similarly, information from other islands or from around the world will never reach the island – there is simply no physical way for information to get in or out.
This deserted island example illustrates what it means to be a part of an air-gapped network – physically isolated with no access to the outside world.
Over the years, networks in a variety of verticals, including government, military, financial services, nuclear power plants and industrial manufacturing, have been so-called “air-gapped.”
Why are Networks Air-gapped?
The simple answer is that isolation implies security.
By the end of 2019, it has been estimated that every 14 seconds a business will fall victim to a ransomware attack. Think of all the damage an attack could cause: loss of productivity, loss of assets such as data, plant shutdown and worse. Because of such threats, many organizations choose to have air-gapped networks. In the industrial world, these air-gapped networks have traditionally supported the industrial control systems within the plant or factory, where communication was physically or logically isolated from the corporate enterprise networks.
In today’s Industry 4.0 revolution, where the network is the control system, analyzing data from the industrial process is key to driving optimization and efficiency. Now that more and more field devices are “smart” (connected to and managed through the network), is air-gapping a reliable cybersecurity strategy for the future?
Is Air-gapping Effective or a False Sense of Security?
In theory, air-gapped networks seem like a great idea. In practice, it’s another story.
It has been proven in a number of scenarios that air-gapped networks can be infiltrated. The most famous example is Stuxnet, the worm that disrupted the process of enriching uranium in Iran’s Natanz nuclear facility – which was reportedly delivered via a thumb drive.
There are also non-malicious examples of unauthorized connections, like modems and wireless networks being set up by contractors, maintenance, or control engineers to make their lives easier by transferring data into or out of the air-gapped networks. What about transient devices such as laptops, tablets and smart phones? Don’t forget about removable media (USB, CD-ROM, etc.), remote access and data coming via sneakernet (any means of transferring data without it traversing a network). All of these examples prove that nothing is truly air-gapped – or that it can’t stay 100% air-gapped over time.
Air-gaps give us a false sense of security. How many times do cybersecurity professionals hear, “Oh, we are air-gapped, we do not need to worry about cybersecurity”? In that case, I would challenge with this: if they do not assess or monitor their network, how would they know if they are air-gapped? Monitoring includes looking for new data coming in from removable media, transient devices or external network connections being set up with modems or VPNs.
Network “How Do You Know” Questions to Ask
How do you know if data is coming into or going out of your network? How do you know if there are external connections being set up for ease of use for employees, contractors or vendors? It comes down to knowing your network and placing preventative controls around it. You should be able to continuously answer questions like these:
- What devices are on your network?
- What are those devices communicating?
- Who are those devices communicating to?
- What is normal communication between those devices?
- Are any external connections being set up?
Just like we monitor and measure our industrial processes, we need to monitor and measure our network environments for abnormal behavior – configuration changes, communication pattern changes, exploitation of vulnerabilities and new or unexpected network connections. This knowledge will help us recover from special cases that impact our operations, including misconfiguration, human error, cybersecurity events or machine failure.
Where to Start
If you have not started your industrial cybersecurity journey, a good place to begin is with an industrial cybersecurity vulnerability or risk assessment.
Cybersecurity vulnerability assessments typically find that an environment is never completely air-gapped. Assessments usually find evidence of unsanctioned external connections created by control engineers, most often for benign reasons.
These undocumented, unapproved network connections are usually created to ease an engineer’s system maintenance and/or troubleshooting responsibilities or to avoid from having to sneakernet a file or program to the control environment. Most of the time, these are only set up to provide short-term relief, but then engineers forget to tear down these connections, leaving the “air-gapped” network wide open to potential malicious activity.
Cybersecurity professional service teams can perform vulnerability assessments, review your environment for weaknesses and make remediation recommendations. One area they will review is whether you have any external network connections allowing data into or out of your environment.
3 Foundational Cybersecurity Controls
Do not try to boil the ocean with advanced techniques. Concentrate on three foundational cybersecurity controls that will mitigate the most risk:
- Understand and manage data flows, aka network communication
- Maintain an accurate asset inventory (vendor, make, model, firmware version, etc.)
- Monitor device data flows, what is expected and what is abnormal
- Enforce expected communication patterns or data flows with network segmentation
- Monitor and manage configuration changes of all devices within the control network
Visibility, Preventative Controls and Continuous Monitoring are Key
Regardless of whether you air-gap, monitoring solutions are needed to maintain full control of your industrial environment. Belden solutions can help provide visibility, preventative controls and continuous monitoring to ensure protection from cyber events that threaten safety, productivity and quality.
Gary DiFazio is the Strategic Marketing Director for Industry Cybersecurity at Tripwire. He has been in the technology space for over 26 years, spanning experience with systems, applications, networking, and cybersecurity through a number of industry verticals including telecommunications, manufacturing, retail, federal government, financial services, electric utilities, and logistics/distribution. Gary comes to the Belden family through the acquisition of Tripwire. After Belden acquired Tripwire in January 2015, Gary was part of the team to help drive Industrial cybersecurity solutions to both Tripwire customers and Belden Industrial Networking customers. Gary holds a bachelor of science in Industrial Engineering from Clemson University.