#1 ICS and SCADA Security Myth: Protection by Air Gap


In his blog article, Fix the Problem, Stop Bailing out Vendors, Dale Peterson made a brief comment about the “fantasy of the air gap”. It was an important comment, but one I think got lost in the other messages Dale offered. So today, I am going to focus on the topic of air gaps.


The existence of an “air gap” between control system networks and the rest of the world has been one of the most enduring fairy tales in the field of SCADA / ICS security. The idea is that in a properly designed system, there is a physical gap between the control network and the business network. Since digital information cannot cross such a gap, bad things like hackers and worms can never get into critical control systems. From this, a corollary flows: “Companies that get worms in their systems obviously have not created the proper air gap and deserved to be infected.”


Now there are many materials supporting the idea of the air gap. Every week a new SCADA and ICS vulnerability notice comes out, and every week end users get to read statements like this:


"In addition, it is important to ensure your automation network is protected from unauthorized access using the strategies suggested in this document or isolate the automation network from all other networks using an air gap."

(Source: SIEMENS-SSA-625789: Security Vulnerabilities in Siemens SIMATIC S7-1200 CPU)


Now while PR departments love to hide behind the “air gap” when discussing their product vulnerabilities, no vendor engineer or manager really believes the air gap fantasy. For example, this week at the Siemens Summit, Stefan Woronka, Siemens Director of Industrial Security Services, stated:


“Forget the myth of the air gap – the control system that is completely isolated is history.”


Next check out the diagram of a high security architecture taken directly from Siemens’ Security Concept manual (pg 42).

Can you spot the air gap in the drawing? Funny, neither can I.


Let’s try another vendor: download the security manual from Rockwell and search for the term “Air Gap”. You won’t find it. Search the diagrams for an air gap. You won’t find it.

Air Gaps Don’t Work in the Real World

There is a good reason why you won’t find the air gap mentioned in vendor engineering manuals. As a theory, it is wonderful. In real life, it doesn’t work.


Sure, you can simply unplug the connection between the control system and the business network and presto, you have an “air gap”. Then one day you get new logic from your engineering consultant – perhaps it addresses a design flaw that has been causing your company considerable downtime. A little while later Adobe sends you a software update – perhaps it is for a critical vulnerability in the PDF Reader your staff uses to view operational manuals. Next your lab group sends a process recipe that will improve product quality. The list keeps growing – patches for your computer operating systems, anti-virus signatures, remote support and system software – you can’t ignore them all.


So what do you do? Maybe you load some files onto a USB drive and carry that onto the plant floor. But isn’t that how Stuxnet spread? Or maybe putting everything onto a laptop is the solution, but what if the laptop is infected? A serial line and a modem – sorry, the Slammer worm got into a number of control systems that way. Even the trusty CD can be turned into the carrier of evil bits.


As much as we want to pretend otherwise, modern control systems need a steady diet of electronic information from the outside world. Severing the network connection with an air gap simply spawns new pathways – pathways like the mobile laptop and the USB key, which are more difficult to manage and just as easy to infect.

Anyone Who Has Ever Seen an Air Gap, Please Raise Your Hand

So are there air gaps in any control systems? Sure – in trivial systems. For example, the digital thermostat controlling the heat pump in my home probably has a true air gap. And maybe in very, very high risk systems – for example, I am led to believe that reactor control systems in nuclear plants are truly air gapped.


But do air gaps exist for all the control systems that manage our power grid, our transportation systems, our water and our factories? I will let Mr. Sean McGurk, the Director, National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security, answer that:


“In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network.” Source: The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing, 58:30 – 59:00.

[Image caption: A control system protected by a real air gap]
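The kind of check behind the NCCIC numbers above, as an added example that is not code from this post or from DHS: given flow records exported from a firewall or a passive sensor, count the distinct connections actually observed crossing between the business and the control network, so an "isolated" claim can be tested against evidence rather than belief. The zone subnets and the flow lines are constructed assumptions for the example.

```python
import ipaddress
from collections import Counter

# Zone definitions are assumptions for this example; substitute your own address plan.
ENTERPRISE = [ipaddress.ip_network("10.1.0.0/16")]
OPERATIONS = [ipaddress.ip_network("192.168.100.0/24"),
              ipaddress.ip_network("192.168.101.0/24")]

# Constructed flow records (src, dst, dst_port, proto), of the kind a
# firewall, router or passive sensor exports; not real traffic.
SAMPLE_FLOWS = [
    ("10.1.5.20", "192.168.100.10", 502, "tcp"),       # office host to PLC (Modbus/TCP)
    ("10.1.5.20", "192.168.100.10", 502, "tcp"),       # same connection seen again
    ("10.1.7.3", "192.168.101.5", 3389, "tcp"),        # RDP into an HMI
    ("192.168.100.15", "10.1.9.40", 1433, "tcp"),      # historian pushing to enterprise SQL
    ("192.168.100.10", "192.168.100.11", 502, "tcp"),  # PLC to PLC: stays inside operations
    ("10.1.5.20", "10.1.5.21", 445, "tcp"),            # stays inside enterprise
    ("192.168.101.5", "8.8.8.8", 53, "udp"),           # destination in neither zone: not counted
]

def zone_of(ip):
    """Return 'enterprise', 'operations' or None for an IP address string."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ENTERPRISE):
        return "enterprise"
    if any(addr in net for net in OPERATIONS):
        return "operations"
    return None

def gap_crossings(flows):
    """Map each distinct (src, dst, port, proto) that crosses between the two
    zones to the number of flow records in which it was observed."""
    crossings = Counter()
    for src, dst, port, proto in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if zs is not None and zd is not None and zs != zd:
            crossings[(src, dst, port, proto)] += 1
    return crossings

def audit(flows):
    """Summarise how many distinct paths exist through the supposed air gap and in which direction."""
    crossings = gap_crossings(flows)
    inbound = sum(1 for (_, dst, _, _) in crossings if zone_of(dst) == "operations")
    return {
        "distinct_connections": len(crossings),
        "inbound_to_operations": inbound,
        "outbound_from_operations": len(crossings) - inbound,
        "connections": sorted(crossings),
    }
```

Traffic to addresses outside both zones (the DNS flow to the internet above) is deliberately ignored here; that is a separate finding worth its own check.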

Time to Grow Up and End the Fairy Tale

Government, vendors and industry need to accept that the dream of an air gap is dead. As I noted last week, vendors must stop hiding behind the air gap fantasy in their security notices, especially when even their own engineers don’t believe it. But the vendors aren’t the only ones that need to stop the air gap myth. Too many end users still tell management security risks are under control because their systems are isolated.


For effective ICS and SCADA security the entire industry needs to move past the myth of air gaps and learn to deal with the reality: control systems are connected to the outside world. Cyber security countermeasures must face up to this fact.

Related Links

Dale Peterson's blog - Fix the Problem, Stop Bailing out Vendors

ICS operators' role, responsibility

While embracing technologies such as air gaps as part of the ICS defence layers, we should remember that the operators' experience and sensitivity are the most reliable triggers for alerts. In an ideal man-machine system the operator is supported by a heuristic, intelligent computerized tool which uses history and on-line operational data to predict the behavior of the control system. The modern operator will not be exempted from glancing at the security event manager (SIEM – mandatory tool!) screen to watch, together with his IT person, for suspicious correlations, thus using his skills to discriminate the security events from the process events.
Until this utopian world materializes we should put more effort into giving variety to our protection layers and correspondingly endorse the emerging field of early warning predictive systems for ICS.

>> Severing the network

>> Severing the network connection with an air gap simply spawns new pathways

Good argument!

Preach it, Eric.

It is time for a full-court press against this myth.

Finding even notional comfort in the concept of an Air Gap is the most dangerous factor in industrial cybersecurity. Even after spending two days dreaming up new and interesting ways to attack power systems at the NESCOR summit here in Washington (we ran out of time before we ran out of ideas) I am going to summarize this morning with this point:

"None of these vulnerabilities pose as great a risk as the belief that your system is isolated."

If someone tries real hard to attack your system and you have a technical vulnerability in your system (and you do) you may just get compromised despite your best efforts.

However, if you *believe you are immune to attack* then they don't have to try at all...

...and the impact will in all cases be the worst case scenario.

...and you will realize you are doomed when it is far too late to do anything about it.

...and you will have no ability to respond.

...and your shareholders/customers/constituents will suffer the maximum possible harm.

...and the most people will be killed.

It would be best for all of us if saying "...but I'm not connected..." became a firing and public-mocking offense in every single instance immediately.

It isn't just an incorrect statement, it is foolish, negligent, reckless, literally ignorant and it risks the lives and welfare of innocent people all around you.

MES / ERP and airgaps

The same vendor rep who will hide behind the airgap fantasy will likely also be the first one to boast about the "total plant integration" of their solution suite - MES, MIS, and ERP components that "seamlessly integrate" with their Control Systems products. Hard to imagine such "seamless integration" over an airgap...
