This is an excerpt from the Practical SCADA Security blog at Tofino Security.
Last week I discussed how security experts and ICS / SCADA vendors are giving up on the dream of the air gap as a viable security solution for the modern control system. Unfortunately, it is still all too easy to believe your control system is isolated.
Recently I had a very enlightening conversation with a control engineer who thought his system was air gapped.
Engineer: Interesting talk you just gave on Stuxnet, but our turbomachinery equipment is completely isolated, so we don’t need to worry.
Eric: You mean you have no electronic transfers from the turbomachinery control network to the rest of the corporate network?
Engineer: Yes, it is completely isolated
Eric: How do you apply patches?
Engineer: We don’t – we don’t need to because the entire system is isolated.
Eric: Interesting… And the operating system on the computers on the control network is?
Engineer: Windows NT SP4
Eric: Never patched or updated?
Engineer: No – still the way it was when it was installed.
Eric: Anti-virus signatures on the control system computer – how do you update the signatures?
Engineer: We don’t have to – because the system is isolated, we decided not to install AV software. Plus the version of HMI software is from before the vendor supported AV on their system, so we don’t know if we can install it.
Eric: Uhmm… And electronic manuals on the system – you use Adobe Reader?
Engineer: Sure – is that a problem?
Eric: Could be - Adobe has released nearly 30 critical security patches for Reader in the past three years. I guess none of them are installed?
Engineer: No, but since the system is isolated, it isn’t an issue.
Isolated systems (like this small house) typically connect with other systems to keep functioning, despite the air gap.
Eric: I wouldn’t be so sure, but let’s move on. The PLCs controlling the turbomachinery?
Engineer: Siemens S7-300
Eric: Ever patched? Especially after the recent vulnerability announcements?
Engineer: What announcements?
Eric: I guess the answer is “No”. What about operation data logging? I assume that you do that. How do you move the logs out to the systems like asset management and maintenance?
Engineer: We have a laptop we use – we plug it into the control network every week to collect the logs.
Eric: And then?
Engineer: We connect it to the corporate network to transfer the logs to the servers.
Eric: Ever worried about the laptop being infected with a worm?
Engineer: No – we have AV software running on it.
Eric: I guess you missed the part in my talk where Stuxnet was in the wild for a year before it was detected.
Eric: Let’s move on. What about remote monitoring?
Engineer: We have modems for that, but they communicate over the phone lines, so they aren’t an issue.
Eric: You might want to reconsider. The Slammer worm infected several control systems over modems.
The Risks of a Single Method of Defense
The conversation went on from there, but as you can see, this company was running a very critical control system with software, hardware and operating systems that had not been patched in a decade. They also had no means of detecting a problem if the system did get infected.
Certainly some of their isolation practices did help. However, the day that the engineering laptop gets a worm or the day an infected PDF document is carried in on CD; things are going to get very ugly.
When you drill down, the flaw in the security strategy this company used was that it depended on a single defense – complete electronic isolation of the turbomachinery control system. All other defenses like anti-virus, patch management, white listing, and traffic monitoring were completely missing. They could not be used because as soon as the company deployed these security techniques, the complete isolation assumption no longer held.
With a single defense comes a single point of failure, as I discussed in a blog article about the Bastion Model. As long as the complete isolation (and I mean “complete”) defense can be maintained, everything will appear to be secure. Unfortunately designs with a single point of failure are not robust over the long term.
It will be like the remote tribe that has never been exposed to the common cold and thus has no immunity. Life is good until the day an outsider with an infection arrives. Then the lack of immunity becomes a life threatening liability.
For a system as critical as a turbomachinery control system, this is an understandable but flawed strategy.
If your control system is defended by a single method today, such as an air gap, please start educating yourself on the risks and on alternative approaches. Below is a presentation on using the ANSI/ISA-99 Standards (now called ISA IEC 62443) that provides a start on segmenting your network for better cyber security. The Related Links section provides links to further information that will be of help.
- Blog Comment: [The] Air gap that wasn’t (A reader describes a system that had an air gap, except….)
- Blog: #1 ICS and SCADA Security Myth: Protection by Air Gap
- Blog: Air Gaps won’t Stop Stuxnet’s Children
- Blog: Defense in Depth is Key to SCADA Security - Part 1 of 2
- Blog: Defense in Depth: Layering Multiple Defenses - Part 2 of 2