a high-security architecture.
other advisories) a few months later. I strongly suspect that Stefan Woronka, Siemens’ director of Industrial Security Services, had something to do with this when he publicly stated: “Forget the myth of the air gap—the control system that is completely isolated is history.”
Similarly, all the security advisories from two other leading vendors (Schneider Electric and Rockwell) make no mention of air gaps. Rockwell’s mitigation guidance is very clear: “Block all traffic to the EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port#2222 and Port#44818 using appropriate security technology (for example, a firewall, UTM devices, or other security appliance).”b
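The Rockwell guidance quoted above can be checked rather than just configured: a defender can run the perimeter firewall's flow log through a small audit that flags any CIP traffic (TCP or UDP 2222 and 44818) that reached a device in the Manufacturing Zone from outside it. The following is an added example written for this edit, not code from Rockwell, Siemens or the article; the log line format, the sample lines and the 10.20.0.0/16 Manufacturing Zone range are assumptions.

```python
"""Audit firewall flow logs against the Rockwell EtherNet/IP mitigation:
CIP traffic (TCP/UDP 2222 and 44818) must not reach Manufacturing Zone
devices from outside the zone. Log format and zone CIDR are assumptions."""
import ipaddress
import re
from typing import NamedTuple

# Ports named in the Rockwell mitigation guidance.
CIP_PORTS = {2222, 44818}

# Assumed Manufacturing Zone address space (placeholder, not a real site).
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Assumed (constructed) log line format, not any vendor's real syntax:
#   "<ALLOW|DENY> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<action>ALLOW|DENY)\s+proto=(?P<proto>tcp|udp)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

class Flow(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one log line into a Flow; reject lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Flow(m["action"], m["proto"], ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))

def in_zone(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in MANUFACTURING_ZONE)

def violates_guidance(flow: Flow) -> bool:
    """True when CIP traffic from outside the zone was allowed into it."""
    return (flow.action == "ALLOW" and flow.dport in CIP_PORTS
            and in_zone(flow.dst) and not in_zone(flow.src))

def audit(lines):
    """Return the log lines a correctly configured perimeter would have blocked."""
    return [line for line in lines if violates_guidance(parse_flow(line))]

# Constructed sample log: lines 2 and 3 violate the guidance, the rest do not.
SAMPLE_LOG = [
    "ALLOW proto=tcp src=10.20.5.10:50000 dst=10.20.5.20:44818",   # zone-internal
    "ALLOW proto=tcp src=192.168.100.7:51000 dst=10.20.5.20:44818",  # from outside
    "ALLOW proto=udp src=172.16.3.4:2222 dst=10.20.5.21:2222",       # from outside
    "DENY proto=tcp src=192.168.100.7:51001 dst=10.20.5.20:2222",    # blocked, fine
    "ALLOW proto=tcp src=192.168.100.7:51002 dst=10.20.5.20:443",    # not CIP
]
```

Running `audit(SAMPLE_LOG)` returns the two allowed cross-zone CIP flows; an empty result is what a perimeter configured per the guidance should produce.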
Could this be an indication that control system vendors are beginning to realize air gaps conflict with their architectures? For example, consider the accompanying figure diagramming a high-security architecture derived from the Siemens’ Security Concept manual.c Can you spot the air gap in the figure? I can’t!

b Source: KB Article 470154-EtherNet/IP™ Product Vulnerabilities.
c See http://cache.automation.siemens.com/dnl/jE/jE2MjIwNQAA_26462131_HB/wp_sec_b.pdf.

Are you ready for another challenge? Try this exercise: