SCADA Air Gaps – Technology or Philosophy?

Submitted by Eric Byres on Wed, 2012-08-22 10:33

Over the past month, I have received a number of emails and seen a number of LinkedIn articles suggesting that I was attacking the concept of data diodes when I stated that Air Gaps are a myth. Unfortunately, this is a serious misunderstanding of my message to the SCADA/ICS community.

I am not writing about technology when I say Air Gaps are impossible. Whether you use a firewall, a data diode or tin cans and string to filter and control your information flow is not my point. These are all valuable technologies (well, maybe not the last one). They are also not silver bullets, but when used intelligently in a defense in depth strategy, they can all do a lot to secure a control system.

Eric Byres points out that technology is not a silver bullet, but when used in a defense in depth strategy, can improve control system security.

What I am writing about is the philosophy that says we can truly isolate our control systems from the outside world. I think anyone who says "my control system is completely isolated" is badly misguided. That person is only focusing on the obvious network flows and ignoring the other sneakernet flows that are every bit as dangerous. This is where the "myth" lies. It is not in “what is the correct technology for securing control systems”.

The flaw in the Isolation philosophy (I won’t call it an Air Gap philosophy to avoid any more confusion) is that it depends on a single defense – complete electronic isolation of a control system. With a single defense comes a single point of failure. From hard experience, we all know that designs with a single point of failure are not robust. Bottom line is that Isolation of the control network is not a viable long-term strategy.

Please send comments and suggestions on the technologies that you think will best control and manage information flows. And let me know what you do to manage information flows that are not over the network, such as mobile media (CD, USB keys, etc.), wireless, serial and personal electronic devices. A debate on the most effective technologies for securing SCADA and ICS would be a welcome change from Air Gaps.

Related Content to Download

Presentation - "Unicorns and Air Gaps - Do They Really Exist?"

 

Download this presentation and benefit from:

  • Knowing the current status of air gaps and industrial control systems
  • Understanding why air gaps are a challenge with today's infrastructure systems
  • Seeing an oil and gas refinery example for dealing with multiple pathways

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Author Eric Byres

Comments

6
Submitted by Larry Constanti... (not verified) on Wed, 2012-08-22 10:22

Data diodes are mostly to be understood as the metaphorical successor to the mythical air gap: yet another attempt to find a simple, technological quick-fix for a perverse problem that defies solution. Just as the air gap is fine in principle but all but impossible in practice, true one-way only data flow is a clever idea that will almost be guaranteed to be compromised in application.

"Data diode" may be a better metaphor than the users of this term intend. Every engineer knows that there is no such thing as a perfect electronic diode. The reverse impedance may be very high, but it is not infinite, and there will always be a small reverse current.

--Larry Constantine

Submitted by Eric Byres on Thu, 2012-08-30 16:27

Great analogy! I wish I had thought of it. Thanks for putting it forward.
- Eric Byres

Submitted by Nathan Boeger (not verified) on Wed, 2012-08-22 13:45

I did briefly present my interpretation of your "Air Gap" article in my blog post from 2011. Basically, I discussed that other electronic vectors still exist (thanks Stuxnet and Flame) and the insider threat is real.

http://notanotherindustrialblog.blogspot.com/2011/09/interesting-article...

The key is to approach the protection of your SCADA system as you would with other vital information systems with a holistic approach. This includes risk analysis from both a business and technical consideration, and as you mention, typically Defense in Depth. It also likely requires active participation - someone patching and updating the system and actually running and "defending" it. On larger systems this might include things like: policy, user training, and change management in addition to the technical controls that usually come to mind ("air gap", firewalls, etc).

I tend to agree with your views about "air gaps". In addition, from a business perspective, isolated SCADA systems usually fail to align with an organizations mission. Secondly, from a technical perspective, said "air gapped" systems are significantly more difficult to maintain at the equivalent defensive level as their counterparts. Your point about "back channels" is dead-on. For example, even administrators need to regularly pass significant security updates through manual processes or complex guards, etc. Legitimate user requirements from "off network" become expensive or impractical to support, which leads to "sneakernetting" and other such practices. Do separate research on how the Defense Department maintains classified networks and you'll realize how many issues that your defense creates, creating significantly more layers to your "Defense in Depth" model that have to be secured.

I would argue that you're much better off by stepping back and looking at your requirements from a business perspective, considering security as a form of risk. My guess is that for many organizations, you'll end up with an "isolated" SCADA system that can be achieved, updated, and defended through normal IT technologies and processes that is not "air gapped". At the very least only a small subset of the system will probably need to remain physically isolated.

Submitted by Eric Byres on Fri, 2012-08-31 08:37

Nathan, thanks for linking to my post on Air Gaps in your blog.

Interesting perspective on the challenges faced by the DoD on maintaining classified networks. You and I are in synch on the problems of “sneakernetting”. And, I agree that Organization should be proactive in developing alternatives to Air Gaps, not relying on them as a crutch.

Submitted by bryansowen on Sat, 2012-08-25 09:24

Separation between threats and assets is one way to define security. OSSTMM is a good reference in this respect and includes a supporting measurement scheme (RAVS).
http://www.isecom.org/mirror/Why_use_ravs.OSSTMM3.pdf

The scheme is based assessment of Visibility, Access, and Trust.

In a nutshell, asset owners could use a measurement scheme like RAVS to determine if increasing electronic separation is a smart security investment or not.

It might be interesting to compare OSSTMM RAVS and ISA99 SALs. As an initial impression is these metrics have different and complementary intended uses.

Submitted by Eric Byres on Fri, 2012-08-31 08:26

I had not seen the RAVS measurement scheme before you brought it forward. It does look interesting and I like your idea of comparing it with ISA99 SALs… if only I had the time! But I will bring it forward at the next ISA-99 leadership meeting.

Add new comment