Is Air Gapping Really a Solution?

by Nigel Stanley, CTO at TUV Rheinland

Operational technology (OT) based solutions – where computerised systems control a physical output or detect a physical effect – have become an area of increased focus for cyber-attacks. This has now become a real concern for enterprises whose production systems, manufacturing plants, industrial control systems and processing infrastructure are under constant threat.

Cyberattacks are a very real risk. Criminals have identified these OT systems as prime targets as they’re often connected to poorly secured networks, the compromise of which could result in substantial monetary returns for cyber criminals thanks to ransoms, intellectual property theft and espionage.

The ‘retro’ approach to addressing this risk consists of completely disconnecting critical systems not only from the public network, but also from closed internal networks. This approach has gained traction recently with some politicians demanding that critical systems be air-gapped or physically disconnected to defend them from potential attacks.

Unfortunately, this might not be the most effective way to protect operational technology from motivated attackers. It might, in fact, have the counterproductive effect of creating a sense of false security in cybersecurity teams.

Attackers are resourceful

A motivated attacker will find creative ways around most preventative controls, including air gaps. Even without being attached to a wider network, connections abound, and systems light up with data flows, often without the company knowing about it. There are many ways in which cybercriminals can achieve this, some more creative than others, and some not far-fetched at all.

The underestimated, humble USB stick is an example of how an attacker could bridge OT air gaps. Often seen openly accessible on industrial workstations or process engineering systems, USB sticks can carry malware in, or be a route out for corporate intellectual property (IP). The now infamous Stuxnet worm, first revealed to the public in 2010, is believed to have made its way into a secure facility on a USB stick. All it takes is for an attacker to label a USB stick with the right words, such as “payslip info” or “HR”, and convince an employee to plug it into a computer. We humans are, after all, curious creatures.

Smartphones are another convenient mechanism for crossing air gaps, as they have become portable computers capable of carrying malicious software. If switched into Wi-Fi hotspot mode, they can serve as an attack vector. Their cameras, if compromised, can be exploited to exfiltrate visual data and screenshots that can be useful to an adversary. There have certainly been instances where bored operators have fired up a hotspot and streamed dubious movies overnight, effectively compromising the security of the facility.

Through insecure Wi-Fi hotspots, large amounts of OT data can be leaked in short spans of connection time. This is often down to bad configuration, or maybe a desire by the OT team to take advantage of an existing internet connection. Certainly, this is not always malicious as more and more OT equipment manufacturers need access to their hardware for predictive maintenance and similar reasonable business needs. But has the connection been risk assessed?

More dangerous than Wi-Fi, but increasing in popularity, is the practice of adding cellular connections to equipment so that it can “phone home”. In many cases these connections are never spotted, because of their small form factor and the difficulty of detecting their transmissions; they have often only been found during an unrelated site technical surveillance countermeasures (TSCM) assessment, or bug sweep.

More creative proofs of concept have shown that a motivated attacker could, in theory, modulate LEDs or light sources to transmit data, use power-source analysis to detect data flows, or even use system noise as a transmission medium. Although certainly complicated to carry out, an attack like this is not implausible.

How to tackle the problem

Accepting that air gapping critical systems is rarely an efficient security control, the first step in tackling an OT cybersecurity risk is to conduct some form of proportionate assessment. This will provide a broader view of the system’s business risk and enable appropriate controls to be put in place – and in many cases air gapping is unlikely to figure high on the list of things to do.

This article was originally published in E&T Magazine: