Black Hat: Air Gap Myth Buster

Wednesday, July 25, 2012 @ 07:07 PM gHale

By Gregory Hale
There are plenty of myths when it comes to air gaps. But one thing is true. Air gaps themselves are myths.

First what are some of the myths? Myth one is they are the default in industrial systems. Myth two is they are easy to deploy. Myth three is they are inexpensive. Myth four is they don’t make attacks possible. All those myths are not true, said Eireann Leverett, industry consultant, during his talk at Black Hat USA 2012 in Las Vegas Wednesday.

RELATED STORIES
Black Hat: New Security Paradigm
ICS-CERT: Attacks on Rise
Cyber Secure Device Certification
Robustness Testing: Saves Lives, Money

With the idea that air gaps show there is no way there is a connection to the outside world, Leverett said “when you sit down and think about it, it just can be true.”

Just by doing some research and using Shodan, Leverett was able to go out and, without too much trouble, was able to find Internet facing control systems.

He then went out and took a video tour of all the sites are where they were located.

“Globally we are facing a problem. We are statistically failing,” Leverett said.

He was able to find 12,000 industrial control systems and UPSes, plus 22,000 building management systems.

While it may be popular to pick on one vendor or another as having vulnerable systems facing the Internet, Leverett showed just about all vendors had systems that were open to the Internet.

On a good note, “big companies are taking security more seriously,” he said. “We just need to improve things.”