SCADA Security: Is the Air Gap Debate Over?

Last week I updated my air gap blog from 2011. I noted some companies (like Siemens) no longer mention air gaps. Then to keep things balanced, I added new examples of consultants that support the air gap theory. In particular, I selected this quote from Paul Ferguson at Trend Micro:

“I’ve written about SCADA issues in the past, but one issue that I’ve consistently tried to emphasize is that critical control systems should never, ever interact nor interconnect with Internet systems in any way, shape, or form. There’s a good reason for this, and it’s always been referred to as the “Air Gap” Principle.”

Paul Ferguson: "Real" Air Gaps Are Impractical

Well, we had barely pressed the “publish” button when Paul wrote back:

“I changed my outlook in the 4 years between that initial 2008 blog post (which Eric mistakenly listed as 2012) and the time that I drafted the ICS Security Architecture white paper. I have spent a lot of time attending the ICSJWG workshops, talking with ICS vendors, asset owners & operators, and I completely understand the reality of the current situation.”

I checked Paul’s more recent publications and came upon his excellent white paper “Toward a More Secure Posture for Industrial Control System Networks”. On the first page I found:

“In practical and operational terms, however, physically separating networks is not functionally nor operationally feasible in the real world.”

Sorry Paul for dragging out such an old comment! I should have researched your work more deeply.

Eric Byres realizes the quote he used from Paul Ferguson was from 2008, not 2012!

I then spent the next few hours searching the Internet for security bloggers that are pro-air gap. I did not find even one!

SCADA Security Experts Do Not Support Air Gaps

What I did find were many experts with even stronger opinions than me on the subject. For example, check out Craig Wright’s blog.

With experts like Paul and vendors like Siemens switching to the “Air Gap is Unrealistic” camp, I am running out of examples of “Air Gap” supporters. That makes it harder for me to write an entertaining blog, but it is great news for the ICS/SCADA industry.

So is that the end of the debate? Is this the last rant on the Practical SCADA Security blog about the myth of air gaps? Unfortunately the answer is “no”. There are still many well-meaning control engineers in the end-user community that believe in air gaps. That needs addressing.

The security experts have given up on the myth of the air gap.

Now they need to help the end-user understand how the air gap will fail in their control systems. An upcoming blog will be a summary of a conversation I had recently with an engineer who thought his system was air gapped. We will explore how easy it is to forget some of the data needs and vulnerabilities of the average ICS / SCADA system.

In the meantime, let me know if you have a good “I thought it was air gapped but it wasn’t” story. Or share a case history where there is a real air gap where no electronic information ever gets in.

Related Content to Download

Presentation - "Unicorns and Air Gaps - Do They Really Exist?"

 

Download this presentation and benefit from:

  • Knowing the current status of air gaps and industrial control systems
  • Understanding why air gaps are a challenge with today's infrastructure systems
  • Seeing an oil and gas refinery example for dealing with multiple pathways


Author Eric Byres

Comments


and yes Paul's article is very good.

The end user needs education not criticism as per some other comments recently

The air gap principle - IMHO - originated from the mainframe world where computing centers were isolated number crunching islands.

It had been discussed in telecommunications, but for practical reasons (outsourcing, remote maintenance needs, pressure to cut IT costs) never really made it.

Now it seems to have "disappeared" from industrial automation likewise.

I wonder when it will also silently leave the defense / military sector...

Security options are to either

- walk along with the trend to connect everything

or to

- fall behind due to the choice of an outdated security approach in a modern "always on" world.

So to stay competitive we need smarter security approaches that allow to connect in a secure way instead of dogmatically cutting us off from gains in efficiency and economic benefits by the air gap postulate.

I was happy to see that in industrial controls the air gap is on the retreat.

Eric,

I thought I had a fairly good example of a practical air gapped system, but have concluded that it really wasn't, albeit the attack surface was quite limited.

I am thinking of a legacy control system running on two Windows NT boxes which were networked together via an HMI network, but not to any other systems. The NT boxes were connected to the controller hardware via a proprietary redundant control network with limited physical access points. The controller hardware is still supported by the vendor but the PC based HMI software and hardware platform is no longer supported. The application was stable and the only change in the last several years was to re-range one of the points where an instrument was changed.

The NT systems were backed up regularly onto a second disk and the resulting images copied to a blank CD. Going back some years I can remember laptops being connected into the HMI network and images transferred via the network but this practice is no longer acceptable, although a vulnerability clearly existed for anyone with physical access to the machines/network.

The NT PC systems have been replaced regularly, most recently in 2010. It was becoming difficult, but not impossible to source hardware which will still run NT. The new machines did have USB ports, but NT does not have any drivers so the system was perhaps protected against USB attack vectors, unless the attacker also rebooted the machine. The systems had CD drives so there was another vulnerability at that point, but the end user only ever used new blank CDs for writing the backups. Rebuilding the system was either by restoring these backup CDs, or installing on a new machine from the original OS and Applications media and then restoring the current configuration files from the backup image.

So, given adequate physical security and management procedures to control the known vulnerabilities, did we have an air gap here?

There is one link I have not talked about. This is a serial Modbus connection to collect key operating data from the plant which is sent into the site records systems. Interestingly, this link goes straight into the controllers and not into the PC systems. For convenience the end user used a serial device server on their corporate IT network infrastructure to simplify the connection between the centralised information systems and the plant control system.

I conclude that while there may have been a reasonably effective air gap to the PC systems, there was no air gap to the controllers.

Ouch!

Comments are my own and do not necessarily reflect the views of the company I work for.

This is a great example. In fact, it is scarily similar to a discussion I had a few months ago with a control engineer. I will blog about it next week.

Hi Eric,

Great article and you are most certainly correct to state that true air gaps do not exist anymore, and it is doubtful they ever existed to start with.

That being said, the principle of keeping your ICS environment isolated *as much as feasible* from other networks, such as the Internet, and if there is a need to connect, then only do so in a controlled manner, is still valid.

Actually, this need is only increasing, especially now that we realize we can no longer rely on air gaps to keep us safe. So don't worry Eric, you have plenty to blog about :)

An air gap is an arrow in a quiver. There must be many arrows, because you may need more than one to bring home dinner.

Air gaps are a good security capability in the right environment. But isolation is a single measure - not the only measure.

Security is hard - get over it and quit complaining. If I hit my prey with one arrow and it doesn't go down - I don't go home and decry to the world that arrows are broken. I get out another arrow and shoot again.

I'm eating steak tonight.

Bill

I agree that air gaps are one measure. But keeping everything out via air gaps tends to keep everything in. The project I became involved with had already established the paradigm that there shall be no connection between the business LAN/Internet and the Plant Data and Process Control Network. But they didn't think about the availability of Plant Information to the business unit... And what about updates?

Faced with an existing condition I had to look for solutions that met the need while complying with the paradigm. Data Diodes were the solution. An air gap that is not an air gap but more like a controlled atmosphere (can I take that metaphorical liberty?). The wind only blows one way (there I go again!).

Gordon
