Communications of the ACM

˲Download the security manual from Rockwell.d

˲ Search for the term “Air Gap.” You won’t find it.

˲ Search the diagrams for an air gap. You won’t find it.

˲ In fact, while you are at it, why not check out all the major SCADA vendors’ engineering guides. You won’t find the air gap mentioned anywhere (if you do find an example of an industrial vendor recommending air gaps, please send it to me).

air Gaps Do not Work
in the Real World

There is a good reason why you will not find the air gap mentioned in vendor engineering manuals and why it is disappearing from security advisories. As a theory, the air gap is wonderful. In real life, it just does not work.

Sure, you can simply unplug the connection between the control system and the business network and presto, you have an “air gap.” Excellent! Job done!

Then one day the bubble bursts. Your control system team gets new logic from the engineering consultant—perhaps it addresses a design flaw that has been causing your company considerable downtime… A little while later Adobe sends your team a software update—perhaps it is for a critical vulnerability in the PDF reader the staff uses to view operational manuals…Next the lab group sends a process recipe that will improve product quality. Are you starting to get the picture?

The list just keeps growing and growing—patches for critical computer operating systems, anti-virus signatures, remote support from vendors— no company can ignore them all.

So what does the average controls engineer do? Just load some files onto a USB flash drive and carry that onto the plant floor. But wait a minute— isn’t that how Stuxnet spread?

Hmmm, let’s see…maybe putting everything onto a laptop is the solution? Yes, that’s the ticket! Oh, but what if the laptop is infected?

Eureka! A serial line and a modem! But wait a minute—the Slammer d See http://literature.rockwellautomation.com/ idc/groups/literature/documents/wp/enet- wp005_-en-e.pdf.

clearly, it is time
for the media,
consultants,
and end users
to give up on
the air gap myth.

worm got into a number of control systems that way. Yes, even the trusty old CD can be turned into the carrier of evil bits.

As much as we want to pretend otherwise, modern industrial control systems need a steady diet of electronic information from the outside world. Severing the network connection with an air gap simply spawns new pathways like the mobile laptop and the USB flash drive, which are more difficult to manage and just as easy to infect.

air Gaps Do Exist in trivial and
Very high Risk control systems

So are there air gaps in any control systems? Sure: one example appears in the photograph on the first page of this column. For another, more real-world, example: the digital thermostat controlling the heat pump in my home probably has a true air gap. And maybe in extremely high-risk systems—I am led to believe reactor control systems in nuclear plants are truly air gapped.

But do air gaps exist for all the con-
trol systems that manage our power
grid, our transportation systems,
our water systems, and our factories?
Consider how Sean McGurk, the for-
mer director of National Cybersecu-
rity and Communications Integration
Center (NCCIC) at the U.S. Department
of Homeland Security answered that
question: “In our experience in con-
ducting hundreds of vulnerability
assessments in the private sector, in
no case have we ever found the opera-
tions network, the SCADA system, or
energy management system separat-
ed from the enterprise network. On
average, we see 11 direct connections
between those networks. In some ex-
treme cases, we have identified up to
250 connections between the actual
producing network and the enter-
prise network.”e

the End of the fairy tale—
time for industry to Grow up

For many years, control system vendors have believed (or wanted to believe) in the fairy tale of the air gap. Now they have grown up and have come to realize this security strategy is finished. The government agencies like ICS-CERT have also accepted that a true air gap is impossible.

All control systems are connected to the outside world in some fashion. It might be a network connection, a serial line, or USB flash drive “sneakernet,” but it is a pathway that can be exploited by modern malware like Stuxnet and Flame. Cyber security countermeasures must face up to this fact.

Clearly, it is time for the media,
consultants, and end users to give up
on the air gap myth. Believing a criti-
cal SCADA system’s security is under
control because it is “isolated” is just a
dangerous illusion. As stated by Chris
Blask, CEO of ICS Cybersecurity, Inc.:
“None of the vulnerabilities [uncov-
ered at the NESCOR summit] pose as
great a risk as the belief that your sys-
tem is isolated.”
Any company defending its critical
SCADA systems with an air gap is mak-
ing a serious mistake. Any security
consultant recommending air gaps
as a strategy is doing their client a se-
rious disservice. And any vendor sug-
gesting air gaps as a solution to their
product vulnerabilities is being irre-
sponsible. It is time we put the air gap
on the shelf with other fairy tales and
started designing real-world solutions
to protect the critical SCADA systems
running our world.

e Source: The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing.

Eric Byres ( eric.byres@belden.com) is the chief technology officer at tofino Security in british columbia, canada, and a member of the ISa and Iec committees for control system security.