SCADA Security: A Call-out to Control Engineers about Air Gaps

Last week I discussed how security experts and ICS / SCADA vendors are giving up on the dream of the air gap as a viable security solution for the modern control system. Unfortunately, it is still all too easy to believe your control system is isolated.

Recently I had a very enlightening conversation with a control engineer who thought his system was air gapped.

Engineer: Interesting talk you just gave on Stuxnet, but our turbomachinery equipment is completely isolated, so we don’t need to worry.
Eric: You mean you have no electronic transfers from the turbomachinery control network to the rest of the corporate network?
Engineer: Yes, it is completely isolated.
Eric: How do you apply patches?
Engineer: We don’t – we don’t need to because the entire system is isolated.
Eric: Interesting… And the operating system on the computers on the control network is?
Engineer: Windows NT SP4
Eric: Never patched or updated?
Engineer: No – still the way it was when it was installed.
Eric: Anti-virus signatures on the control system computer – how do you update the signatures?
Engineer: We don’t have to – because the system is isolated, we decided not to install AV software. Plus the version of HMI software is from before the vendor supported AV on their system, so we don’t know if we can install it.
Eric: Uhmm… And electronic manuals on the system – you use Adobe Reader?
Engineer: Sure – is that a problem?
Eric: Could be - Adobe has released nearly 30 critical security patches for Reader in the past three years. I guess none of them are installed?
Engineer: No, but since the system is isolated, it isn’t an issue.

Isolated systems (like this small house) typically connect with other systems to keep functioning, despite the air gap.

Eric: I wouldn’t be so sure, but let’s move on. The PLCs controlling the turbomachinery?
Engineer: Siemens S7-300
Eric: Ever patched? Especially after the recent vulnerability announcements?
Engineer: What announcements?
Eric: I guess the answer is “No”. What about operation data logging? I assume that you do that. How do you move the logs out to the systems like asset management and maintenance?
Engineer: We have a laptop we use – we plug it into the control network every week to collect the logs.
Eric: And then?
Engineer: We connect it to the corporate network to transfer the logs to the servers.
Eric: Ever worried about the laptop being infected with a worm?
Engineer: No – we have AV software running on it.
Eric: I guess you missed the part in my talk where Stuxnet was in the wild for a year before it was detected.
Engineer: Oh.
Eric: Let’s move on. What about remote monitoring?
Engineer: We have modems for that, but they communicate over the phone lines, so they aren’t an issue.
Eric: You might want to reconsider. The Slammer worm infected several control systems over modems.
Engineer: Oh.

The Risks of a Single Method of Defense

The conversation went on from there, but as you can see, this company was running a very critical control system with software, hardware and operating systems that had not been patched in a decade. They also had no means of detecting a problem if the system did get infected.

Certainly some of their isolation practices did help. However, the day the engineering laptop picks up a worm, or the day an infected PDF document is carried in on CD, things are going to get very ugly.

When you drill down, the flaw in this company's security strategy was that it depended on a single defense: complete electronic isolation of the turbomachinery control system. All other defenses, such as anti-virus, patch management, whitelisting and traffic monitoring, were completely missing. They could not be used, because as soon as the company deployed any of these techniques (signature updates, patches, monitoring feeds), the complete-isolation assumption no longer held.

With a single defense comes a single point of failure, as I discussed in a blog article about the Bastion Model. As long as the complete isolation (and I mean "complete") defense can be maintained, everything will appear to be secure. Unfortunately, designs with a single point of failure are not robust over the long term.

It will be like the remote tribe that has never been exposed to the common cold and thus has no immunity. Life is good until the day an outsider with an infection arrives. Then the lack of immunity becomes a life-threatening liability.

For a system as critical as a turbomachinery control system, this is an understandable but flawed strategy.

If your control system is defended by a single method today, such as an air gap, please start educating yourself on the risks and on alternative approaches. Below is a presentation on using the ANSI/ISA-99 Standards (now called ISA/IEC 62443) that provides a start on segmenting your network for better cyber security. The Related Links section provides links to further information that will be of help.
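One way to make the "single defense" problem visible before segmenting is to write the control network down as zones and conduits and then check every observed data movement against that model. The audit below is an added example, not code from the original post or from any ISA/IEC 62443 product; the asset names, zones, transfers and the list of defense layers are constructed to mirror the conversation above and are assumptions, not data from the page. It shows two things the dialogue only implies: the "air gap" is already broken by undeclared inbound paths (the returning laptop, the modem, the CD), and every control-zone asset relies on exactly one layer.

```python
"""Zone/conduit audit for a control network believed to be air-gapped.

Added example (not from the original post). Models the control network as
zones, lists every observed data or device movement between zones, and
reports where the 'completely isolated' assumption breaks and which assets
have isolation as their only defensive layer.
"""
from dataclasses import dataclass

CONTROL_ZONE = "control"

# Defensive layers discussed in the post; constructed list, not a standard's.
DEFENSE_LAYERS = frozenset(
    {"isolation", "patching", "antivirus", "whitelisting", "traffic_monitoring"}
)


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    controls: frozenset  # defensive layers actually in place on this asset


@dataclass(frozen=True)
class Transfer:
    """One observed movement of data or a device between zones."""
    description: str
    src_zone: str
    dst_zone: str
    medium: str      # "portable_host", "modem", "removable_media", ...
    declared: bool   # listed in the documented conduits for the zone?
    inspected: bool  # scanned, filtered or logged while crossing?


# Constructed inventory modelled on the conversation (assumed values).
ASSETS = [
    Asset("hmi-1", CONTROL_ZONE, frozenset({"isolation"})),
    Asset("plc-1", CONTROL_ZONE, frozenset({"isolation"})),
    Asset("eng-laptop", CONTROL_ZONE, frozenset({"antivirus"})),  # roams between zones
]

TRANSFERS = [
    Transfer("weekly log collection", CONTROL_ZONE, "corporate", "portable_host",
             declared=True, inspected=False),
    Transfer("laptop returns after corporate use", "corporate", CONTROL_ZONE,
             "portable_host", declared=False, inspected=False),
    Transfer("vendor remote monitoring", "remote", CONTROL_ZONE, "modem",
             declared=True, inspected=False),
    Transfer("manuals/updates carried on CD", "corporate", CONTROL_ZONE,
             "removable_media", declared=False, inspected=False),
]


def inbound_paths(transfers, zone=CONTROL_ZONE):
    """Transfers that enter the zone from outside: each one is a potential infection path."""
    return [t for t in transfers if t.dst_zone == zone and t.src_zone != zone]


def is_isolated(transfers, zone=CONTROL_ZONE):
    """The air gap only holds if nothing at all enters the zone."""
    return not inbound_paths(transfers, zone)


def undeclared_conduits(transfers):
    """Cross-zone transfers nobody wrote into the zone model."""
    return [t for t in transfers if t.src_zone != t.dst_zone and not t.declared]


def uninspected_conduits(transfers):
    """Cross-zone transfers with no scanning, filtering or logging on the way."""
    return [t for t in transfers if t.src_zone != t.dst_zone and not t.inspected]


def single_control_assets(assets):
    """Assets protected by at most one layer: a single point of failure each."""
    return [a.name for a in assets if len(a.controls) <= 1]


def missing_layers(asset):
    return sorted(DEFENSE_LAYERS - asset.controls)


def audit(assets, transfers):
    """Summarise where the 'completely isolated' assumption breaks."""
    return {
        "isolated": is_isolated(transfers),
        "inbound_paths": [t.description for t in inbound_paths(transfers)],
        "undeclared": [t.description for t in undeclared_conduits(transfers)],
        "uninspected": [t.description for t in uninspected_conduits(transfers)],
        "single_control": single_control_assets(assets),
        "missing_layers": {a.name: missing_layers(a) for a in assets},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(ASSETS, TRANSFERS), indent=2))
```

The useful property of this model is that the roaming laptop appears twice: the outbound log collection is the transfer everyone knows about, while the return trip is the inbound conduit that makes the network non-isolated. Once every conduit is listed, the "uninspected" set is the to-do list for segmentation: each entry needs either removal or a monitored, filtered path.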

Related Content to Download

White Paper: "Using ANSI/ISA-99 Standards to Improve Control System Security"

Download this White Paper and learn about:

  • The ANSI/ISA-99 Zone and Security Model
  • A Real World Oil Refinery Example
  • Implementing Zones and Conduits with Industrial Security Appliances
  • Testing and Managing the Security Solution

Related Links


Author: Eric Byres

Comments

Looks like the DoD needs educating, too:

"Businesses should 'air gap' servers and understand Chinese language"
http://www.scmagazineuk.com/businesses-should-air-gap-servers-and-unders...

*sigh*

- ferg

Paul, thanks for the link to the article on the retired U.S. DoD official encouraging companies to use air gaps and learn Chinese to protect their intellectual property.

You're right, now that industry cyber security experts like you know that air gaps are unrealistic, it is discouraging to see the DoD recommending them. What is needed is Defense in Depth, including secure ways to connect to the Internet.

Besides the company's problems with not really being isolated, they have other problems. Some day, their computers running NT4 will stop working. Finding equipment that has drivers that still support NT4 will be a challenge (unless, of course, they are willing to use eBay as their hardware supplier).

The conversation is typical of legacy control systems in the wild. Current, up-to-date systems are generally scanned and patched on a routine basis, usually during planned outages (which may only be once a year or so). You perfectly captured the conversation I've had many times with control engineers. The thinking is "I'm secure because I don't know I'm not secure."

Eric,

This is a great follow-up to the earlier article. Thank you for taking the time to address the issue of limited defense, it is much needed and appreciated.

Pat Russell

I am disappointed with the tone of the first part of this article and at least 1 of the comments. It is typical of some bad IT and security people to presume ignorance and assume superiority. There are good and bad in every profession even bankers and lawyers. Perhaps if we work together we might find practical and cost effective solutions to the problems we face.
I look forward to the return of more even-handed posts and comments.

Thanks for the feedback. I am sad to hear that you don't think this blog article was even-handed. When I decided to report this conversation, my intention was simply to illustrate that what might seem to be a reasonable security strategy (complete isolation) can be hiding some big issues.

The engineer in the conversation was a skilled professional with an excellent knowledge of turbo-machinery control (certainly better than my understanding of these systems). Unfortunately, like most engineers, he didn't have a security background. Helping him understand the risks he was exposing his system to was my intent during the actual conversation. Writing it up as a blog was simply a way to help all the other engineers that were not in the room at the time.

Like you said, if we work together we can find practical and cost effective solutions to the problems we face. Unfortunately, as long as people think there is no problem (or that there is a trivial solution based on isolation) the industry will remain insecure. My wish is to help everyone understand the risks they face, why security solutions are needed and what solutions might be possible. Hopefully my next blog will be closer to the mark for you.
