Drop Security Assumptions: No Air Gaps

Wednesday, January 13, 2016 @ 02:01 PM gHale

By Heather MacKenzie and Jeff Lund
The start of a new year is often the time we make decisions to do things differently than in the past. One of the 2016 decisions you could make is to toss out ICS security assumptions and home in on meaningful improvement for cyber security defenses.

To make the point I am going to look at an “old” security approach – air gaps. Those at the forefront of security may have dismissed air gap approaches, but engineers in the field still consider them valid defense measures.

Let’s look at air gaps as a security control and see why, for anyone concerned about automation network reliability and availability, it’s time to forget them as a method of defense.

An air gap is a physical gap between the control network and other networks such as business networks or the Internet. The concept is that a physical gap can stop hackers and their tools, such as malware or unauthorized remote access software.

Before LANs and the Internet came along, functional air gaps did exist.

But that was yesterday. Today’s modern control networks require a steady flow of electronic information to and from enterprise and third party networks, and those flows can open up vulnerabilities or exploitable weaknesses.

Even so, a common prescription from vendors as recently as a few years ago included mitigations such as:

“It is important to isolate the automation network from all other networks using an air gap.”

In today’s competitive world, the demand for real-time data and continuous improvement has meant that links between control networks and business networks are inevitable:

“In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network,” said Sean McGurk, former director, National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security.

Whether it is production data, remote support, supply chain integration, engineering enhancements or even simple PDF reader updates for manual reading, connecting with other networks is a de facto requirement.

Abundant Pathways
Maybe you accept my argument that automation networks are connected to enterprise networks. But you still believe it’s possible to isolate control networks from third party systems using a “no-Internet” air gap.

A major change in thinking in this regard occurred after Stuxnet was discovered and its infection methods analyzed. Our white paper “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems” showed how a high security “air gapped” nuclear enrichment plant ended up breached using an infected USB device. Among its conclusions:

• A modern ICS or SCADA system is highly complex and interconnected, resulting in multiple potential pathways from the outside world to the process controllers.
• Assuming an air gap between ICS and corporate networks is unrealistic, as information exchanges are essential for process and business operations to function effectively.
• All mechanisms for transfer of electronic information (in any form) to or from an ICS must be evaluated for security risk. Focusing security efforts on only a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense.

Another example that disproves the claim that air gaps are an effective defense is the Dragonfly malware campaign. Discovered in 2014, it targeted the pharmaceutical industry. One way it obtained access to ICS networks was via malicious payloads inserted into legitimate software updates provided on vendor websites.

Industry expert Joel Langill states in our white paper on this attack:

“Equipment, like PLCs and SCADA RTUs, that are typically ‘unconnected’ from the Internet are often believed to be immune from attacks that use more common social engineering vectors. This attack showed the potential of using tactics involving trusted supply-chain vendors to deliver malicious payloads directly to difficult-to-reach endpoints, such as ICS equipment.”

‘Air Gapped’ Attacks Continue
To further kill the myth of air gaps as a valid security measure, let’s look at the milestone attack that occurred just before Christmas 2015 in Ukraine. Here are the details:

• A Western Ukrainian power company reported a power outage on Dec. 23, 2015.
• The investigation into the incident revealed malware called “BlackEnergy” or “DarkEnergy” disrupted systems, which led to the outage.
• Infection occurred when someone in the target organization received a “spear phishing” email with a malicious attachment and clicked on it.
• The event is notable and important because it is the first known cyber attack to cause an electricity blackout.

For more details on the BlackEnergy attack, see this article by our sister company Tripwire.

This type of technique, known as social engineering, is another pathway into control networks. While a simpler infection technique than those used for Stuxnet and Dragonfly, its impact was very significant.

In the end, it comes down to how well employees in your organization are trained to identify and disregard dubious emails.

Inside Attacks
Besides the reality that there are multiple routes into the control system, another major flaw with the air gap approach is that most industrial cyber security incidents originate inside the control network.

Our experience indicates that causes such as these are common:
• Misconfigured firewalls or switches
• Unpatched computers or systems
• Poorly segmented networks
• Device or software error
• Accidental introductions of malware

Industry data in this area are scarce, but RISI figures from 2011 show events within the control network account for the majority of control network cyber incidents.

Thus, even if air gaps did work, they would not protect your ICS from downtime and performance risk from the majority of cyber occurrences.

Instead of relying on air gaps, take a hard look at the cyber risks facing your organization and the security controls you have in place to deal with them.

It is time to forget about air gaps as a security measure and to give other cyber security measures a higher priority in 2016. After all, it isn’t just about keeping data secure – it’s about keeping your systems operational.

When you really look at it, 90 percent of industrial cyber security is not about blocking hackers – it’s about ensuring high availability and reliability through hardened, resilient systems.

Heather MacKenzie is with Tofino Security, a Belden company. Jeff Lund is senior director in product line management in Belden’s Industrial IT group.