By Gregory Hale
Security is all about building a solid defense-in-depth posture, and an air gap cannot be one of those layers of protection.
“I have heard upper management and control engineers say we have to air gap the plant floor,” said Eric Byres, chief technology officer and vice president of engineering at Tofino Security, during his session Tuesday, “Unicorns and Air Gaps – Do They Really Exist?”, at the Yokogawa 2012 Users Group in New Orleans. “That is very attractive, but who really thinks that exists? Air gaps are a dangerous illusion.”
An air gap is a physical separation between a control system and the rest of the world: no network connections coming in or going out.
There are documents from vendors that talk about the use of air gaps, but when you look at the diagrams for their systems, they don’t show any air gaps at all.
Even the U.S. government does not assume air gaps exist: guidance from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) talks about managing data flows and deploying firewalls, not about air gaps.
Even if a system were truly air gapped, Byres said, there would still be ways for malware to get in and wreak havoc on an ICS.
“Stuxnet didn’t care if there was an air gap,” he said. “There were plenty of secondary ways for Stuxnet to get in. If you try to completely isolate yourself it is like stepping on a tube of toothpaste, it will come out someplace.”
As control systems grow more complex, one thing has become abundantly clear: they need data. That is where the defense-in-depth model comes to the rescue.
Manufacturers have new data coming in from consulting engineers, patches arriving from companies like Adobe, or a lab sending over a new recipe to download. All of that data originates outside the control system and needs to get in.
If there were a true air gap, the only way to input that data would be sneakernet: someone walks over to the machine and loads it from a CD, a USB stick or some other removable medium, which is itself a pathway for malware.
The systems need data, and refusing to let it flow in slows down the implementation of a process.
The catch is that a report from security company Industrial Defender projects communication to and from ICSes will increase in the coming years, not decrease. That makes the idea of an air gap even less viable. So what do manufacturers do?
With more data coming into the system, users must manage it much more carefully. They have to truly understand what is coming in and, just as importantly, what is going out. “Most malware wants to call out,” Byres said.
In addition, users should subdivide their systems into zones so that a problem in one zone does not spread to the others.
“You want to detect unusual behaviors,” he said. “You want to reduce the probability of attacker access as they get further into your system.”
That is where the zones and conduits model comes into play.
Zones are logical groupings of assets that share similar operating characteristics. Each zone has a defined boundary at which traffic can be controlled.
Conduits are simply the pathways between zones.
“It is really important to understand all the conduits and not just the obvious ones,” Byres said. “You have to look at all pathways and don’t just focus on a single one.”
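One way to turn the zones-and-conduits model, and Byres' point about outbound "call-outs", into a concrete check is to audit observed connections against an explicit conduit allowlist. The following is an added example, not code from the article or from Tofino Security; the zone map, the conduit table, the port numbers and the flow records are all constructed for illustration.

```python
"""Zones-and-conduits audit over connection records (added example).

Zones are groups of assets with similar function; conduits are the only
permitted pathways between zones.  Anything not in a defined zone is
treated as "external", and no plant zone may initiate sessions outward.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical zone map: zone name -> address range.
ZONES = {
    "enterprise":  ipaddress.ip_network("10.0.0.0/16"),
    "dmz":         ipaddress.ip_network("10.1.0.0/24"),
    "supervisory": ipaddress.ip_network("192.168.10.0/24"),  # HMIs, historian
    "control":     ipaddress.ip_network("192.168.20.0/24"),  # PLCs
    "safety":      ipaddress.ip_network("192.168.30.0/24"),  # safety system
}

# Hypothetical conduit allowlist: (src zone, dst zone) -> permitted dst ports.
CONDUITS = {
    ("enterprise", "dmz"): {443},
    ("dmz", "supervisory"): {1433},      # historian replication
    ("supervisory", "control"): {502},   # Modbus/TCP from HMI to PLC
    ("control", "safety"): {502},        # status reads from the safety system
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are outside the plant."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass
class Verdict:
    src_zone: str
    dst_zone: str
    allowed: bool
    reason: str


def evaluate(src: str, dst: str, dport: int) -> Verdict:
    """Decide whether a single connection uses a permitted conduit."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return Verdict(s, d, True, "intra-zone traffic")
    if d == "external":
        # "Most malware wants to call out": no plant zone initiates sessions
        # to addresses outside the defined zones.
        return Verdict(s, d, False, "outbound to external address")
    ports = CONDUITS.get((s, d))
    if ports is None:
        return Verdict(s, d, False, "no conduit defined between zones")
    if dport not in ports:
        return Verdict(s, d, False, f"port {dport} not permitted on conduit")
    return Verdict(s, d, True, "permitted conduit")


# Constructed flow records, one "src dst dport" per line (not real traffic).
FLOW_LOG = """\
10.0.5.20 10.1.0.10 443
192.168.10.5 192.168.20.7 502
192.168.20.7 192.168.30.2 502
10.0.5.20 192.168.20.7 502
192.168.20.7 203.0.113.9 443
192.168.10.5 192.168.20.7 80
"""


def audit(log: str) -> list[tuple[str, Verdict]]:
    """Return every record that does not fit a defined conduit."""
    findings = []
    for line in log.splitlines():
        src, dst, dport = line.split()
        verdict = evaluate(src, dst, int(dport))
        if not verdict.allowed:
            findings.append((line, verdict))
    return findings


if __name__ == "__main__":
    for line, v in audit(FLOW_LOG):
        print(f"DENY {line}: {v.src_zone} -> {v.dst_zone}: {v.reason}")
```

Run against the constructed log, the audit flags three records: an enterprise host talking straight to a PLC (no conduit exists), a PLC opening a session to an external address (a call-out), and an HMI reaching a PLC on a port the conduit does not permit. The same table can drive firewall rules at each zone boundary; the audit is the check that the rules and the observed traffic agree.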
Users also have to understand which asset is the most critical one to protect. Byres said that in most critical infrastructure, it would be the safety system.
Protecting a conduit into an asset like that takes technology that understands the control traffic itself, not just addresses and ports. One such technology is deep packet inspection, which only a few firewall vendors offer today.
“Make sure the technologies match what you want to secure,” Byres said.
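Deep packet inspection on an ICS conduit means parsing the control protocol and enforcing rules on what the frames actually request, so that, for example, an HMI may read and write a small register window on a PLC while the conduit into the safety system permits reads only. The following is an added example using Modbus/TCP, written for this page and not code from the article or from any vendor's firewall; the policies, register windows and frames are constructed for illustration, and the parser covers only the common read and write function codes.

```python
"""Modbus/TCP deep packet inspection for a conduit (added example).

A Modbus/TCP frame is a 7-byte MBAP header (transaction id, protocol id,
length, unit id) followed by the PDU (function code plus data).  The
inspector rejects malformed frames, then applies a per-conduit policy:
which function codes are allowed and, for writes, which register window.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

READ_FCS = {1, 2, 3, 4}        # read coils/inputs/holding/input registers
WRITE_FCS = {5, 6, 15, 16}     # write single/multiple coils/registers


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_addr: Optional[int]   # None for function codes not decoded here
    quantity: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the address fields of read/write requests."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:   # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame length")
    pdu = frame[7:]
    fc = pdu[0]
    start, qty = None, 0
    if fc in (1, 2, 3, 4, 5, 6):
        if len(pdu) != 5:
            raise ValueError(f"bad PDU length for function code {fc}")
        start, qty = struct.unpack(">HH", pdu[1:5])
        if fc in (5, 6):
            qty = 1   # second field is the value written, not a count
    elif fc in (15, 16):
        if len(pdu) < 6:
            raise ValueError(f"bad PDU length for function code {fc}")
        start, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        if len(pdu) != 6 + byte_count:
            raise ValueError("byte count does not match PDU length")
    return ModbusRequest(tid, unit, fc, start, qty)


@dataclass
class ConduitPolicy:
    allowed_fcs: set
    writable: Optional[Tuple[int, int]]   # inclusive register window, or None


def inspect(frame: bytes, policy: ConduitPolicy) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request frame on this conduit."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return False, f"malformed: {err}"
    if req.function_code not in policy.allowed_fcs:
        return False, f"function code {req.function_code} not permitted"
    if req.function_code in WRITE_FCS:
        if policy.writable is None:
            return False, "writes not permitted on this conduit"
        lo, hi = policy.writable
        last = req.start_addr + req.quantity - 1
        if req.start_addr < lo or last > hi:
            return False, f"write to {req.start_addr}..{last} outside {lo}..{hi}"
    return True, f"function code {req.function_code} permitted"


# Hypothetical policies: HMI -> PLC may read and write registers 0..99;
# the conduit into the safety system is read-only.
HMI_TO_PLC = ConduitPolicy(READ_FCS | {6, 16}, (0, 99))
TO_SAFETY = ConduitPolicy(set(READ_FCS), None)

# Constructed request frames (MBAP header + PDU), not captured traffic.
FRAMES = {
    "read_10_regs":   bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    "write_reg_10":   bytes.fromhex("0002 0000 0006 01 06 000a 1234"),
    "write_200_201":  bytes.fromhex("0003 0000 000b 01 10 00c8 0002 04 0001 0002"),
    "diagnostics":    bytes.fromhex("0004 0000 0006 01 08 0001 0000"),
    "bad_proto_id":   bytes.fromhex("0005 0001 0006 01 03 0000 000a"),
}


if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:14} HMI->PLC {inspect(frame, HMI_TO_PLC)}")
    print(f"{'write_reg_10':14} ->safety {inspect(FRAMES['write_reg_10'], TO_SAFETY)}")
```

On the HMI-to-PLC conduit the read and the single-register write at address 10 pass, the multi-register write at 200 is refused for leaving the window, the diagnostics request is refused as a function code the policy never listed, and the frame with a wrong protocol id is dropped as malformed before any policy is consulted. The same write that passed toward the PLC is refused on the read-only conduit into the safety system. A port-only firewall would have allowed all five frames.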