˲Download the security manual
from Rockwell.d
˲ Search for the term “Air Gap.” You
won’t find it.
˲ Search the diagrams for an air gap.
You won’t find it.
˲ In fact, while you are at it, why not
check out all the major SCADA vendors’ engineering guides. You won’t
find the air gap mentioned anywhere
(if you do find an example of an industrial vendor recommending air gaps,
please send it to me).
air Gaps Do not Work
in the Real World
There is a good reason why you will not
find the air gap mentioned in vendor
engineering manuals and why it is disappearing from security advisories. As
a theory, the air gap is wonderful. In
real life, it just does not work.
Sure, you can simply unplug the connection between the control system and
the business network and presto, you
have an “air gap.” Excellent! Job done!
Then one day the bubble bursts.
Your control system team gets new
logic from the engineering consultant—perhaps it addresses a design
flaw that has been causing your
company considerable downtime…
A little while later Adobe sends your
team a software update—perhaps it
is for a critical vulnerability in the
PDF reader the staff uses to view
operational manuals…Next the lab
group sends a process recipe that
will improve product quality. Are you
starting to get the picture?
The list just keeps growing and
growing—patches for critical computer operating systems, anti-virus signatures, remote support from vendors—
no company can ignore them all.
So what does the average controls
engineer do? Just load some files onto
a USB flash drive and carry that onto
the plant floor. But wait a minute—
isn’t that how Stuxnet spread?
Hmmm, let’s see…maybe putting
everything onto a laptop is the solution? Yes, that’s the ticket! Oh, but
what if the laptop is infected?
Eureka! A serial line and a modem!
But wait a minute—the Slammer
d See http://literature.rockwellautomation.com/
idc/groups/literature/documents/wp/enet-
wp005_-en-e.pdf.
clearly, it is time
for the media,
consultants,
and end users
to give up on
the air gap myth.
worm got into a number of control
systems that way. Yes, even the trusty
old CD can be turned into the carrier
of evil bits.
As much as we want to pretend otherwise, modern industrial control systems need a steady diet of electronic
information from the outside world.
Severing the network connection with
an air gap simply spawns new pathways
like the mobile laptop and the USB flash
drive, which are more difficult to manage and just as easy to infect.
air Gaps Do Exist in trivial and
Very high Risk control systems
So are there air gaps in any control
systems? Sure: one example appears
in the photograph on the first page
of this column. For another, more
real-world, example: the digital thermostat controlling the heat pump in
my home probably has a true air gap.
And maybe in extremely high-risk systems—I am led to believe reactor control systems in nuclear plants are truly
air gapped.
But do air gaps exist for all the con-
trol systems that manage our power
grid, our transportation systems,
our water systems, and our factories?
Consider how Sean McGurk, the for-
mer director of National Cybersecu-
rity and Communications Integration
Center (NCCIC) at the U.S. Department
of Homeland Security answered that
question: “In our experience in con-
ducting hundreds of vulnerability
assessments in the private sector, in
no case have we ever found the opera-
tions network, the SCADA system, or
energy management system separat-
ed from the enterprise network. On
average, we see 11 direct connections
between those networks. In some ex-
treme cases, we have identified up to
250 connections between the actual
producing network and the enter-
prise network.”e
the End of the fairy tale—
time for industry to Grow up
For many years, control system vendors have believed (or wanted to believe) in the fairy tale of the air gap.
Now they have grown up and have
come to realize this security strategy
is finished. The government agencies
like ICS-CERT have also accepted that
a true air gap is impossible.
All control systems are connected to
the outside world in some fashion. It
might be a network connection, a serial line, or USB flash drive “sneakernet,”
but it is a pathway that can be exploited
by modern malware like Stuxnet and
Flame. Cyber security countermeasures must face up to this fact.
Clearly, it is time for the media,
consultants, and end users to give up
on the air gap myth. Believing a criti-
cal SCADA system’s security is under
control because it is “isolated” is just a
dangerous illusion. As stated by Chris
Blask, CEO of ICS Cybersecurity, Inc.:
“None of the vulnerabilities [uncov-
ered at the NESCOR summit] pose as
great a risk as the belief that your sys-
tem is isolated.”
Any company defending its critical
SCADA systems with an air gap is mak-
ing a serious mistake. Any security
consultant recommending air gaps
as a strategy is doing their client a se-
rious disservice. And any vendor sug-
gesting air gaps as a solution to their
product vulnerabilities is being irre-
sponsible. It is time we put the air gap
on the shelf with other fairy tales and
started designing real-world solutions
to protect the critical SCADA systems
running our world.
e Source: The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing.
Eric Byres ( eric.byres@belden.com) is the chief
technology officer at tofino Security in british columbia,
canada, and a member of the ISa and Iec committees
for control system security.