Yokogawa: Disavowing Air Gaps

Tuesday, October 30, 2012 @ 05:10 PM gHale


By Gregory Hale
Security is all about creating a solid defense in depth position and one of those lines of protection cannot be an air gap.

“I have heard upper management and control engineers say we have to air gap the plant floor,” said Eric Byres, chief technology officer and vice president of engineering at Tofino Security during his session Tuesday on Unicorns and Air Gaps – Do they Really Exist, during the Yokogawa 2012 Users Group in New Orleans. “That is very attractive, but who really thinks that exists? Air gaps are a dangerous illusion.”

RELATED STORIES
Yokogawa: U.S. Emerging
ISASecure Means More Security
Flaw in Air Gap Philosophy
ICS, SCADA Myth: Protection by Firewalls
Air Gap Shout Out
Air Gaps a True Myth

An air gap is a physical gap between a control system and the rest of the world, which means it has no connections coming in or going out.

There are documents from vendors that talk about the use of air gaps, but when you look at the diagrams for their systems, they don’t show any air gaps at all.

Even the U.S. government does not believe air gaps exist as the Industrial Control System Cyber Emergency Response Team (ICS-CERT) talks about data flow and using firewalls and no air gaps.

Even if there was an air gapped system, Byres said there would still be ways for viruses to get in and wreak havoc on an ICS.

“Stuxnet didn’t care if there was an air gap,” he said. “There were plenty of secondary ways for Stuxnet to get in. If you try to completely isolate yourself it is like stepping on a tube of toothpaste, it will come out someplace.”

With the growing complexity of control systems it has become abundantly clear, they need data. That is where the defense in depth model comes to the rescue.

Manufacturers have new data coming in from consulting engineers, or patches coming in from companies like Adobe, or maybe the lab sends over a new recipe to download. All of that information, or data, is coming from an external source that needs to get in.

If there was a true air gap, that would mean the way to input data would most likely come from sneakernet, where people run over to the machine and input the data from a CD, USB stick or something else.

The systems need data and not allowing data to flow in will slow down the implementation of a process.

The catch is one report from security company Industrial Defender said communication to and from ICSes will increase in the coming years, not decrease. That means the idea of air gaps is not viable. Then what do manufacturers do?

With more data coming in to the system, it means users must manage their system much better. They have to truly understand what is coming in and, just as importantly, what is going out. “Most malware wants to call out,” Byres said.

In addition, the user should subdivide systems into zones so issues don’t spread.

“You want to detect unusual behaviors,” he said. “You want to reduce the probability of attacker access as they get further into your system.”

That is where the zones and conduits model comes into play.

Zones are the logical grouping of assets that have similar operating characteristics. Zones have boundaries that end up bracketed off.

Conduits are simply the pathways between the zones.

“It is really important to understand all the conduits and not just the obvious ones,” Byres said. “You have to look at all pathways and don’t just focus on a single one.”

The user also has to understand what the most critical asset is they have to protect. Byres said in most cases in the critical infrastructure, it would be the safety system.

One of those technologies is deep packet inspection that only a few firewall providers provide today.

“Make sure the technologies match what you want to secure,” Byres said.



3 Responses to “Yokogawa: Disavowing Air Gaps”

  1. aginter says:

    Heavy sigh. More mis-information.

    Sure, poke holes at air gaps and imply firewalls are more secure. Play the Stuxnet card without mentioning that Stuxnet blew through firewalls like they weren’t there. Talk about zones and conduits without mentioning that devices have very different data movement needs than do entire plants. Rail against sneakernet when 99% of data movement is completely predictable and can be handled securely, without the use of either removable media or firewalls. Never mention secure data integration via unidirectional gateways.

    Would you connect your pacemaker to the cell network through a firewall? Or would you rather there were 2 CPUs in your pacemaker, and no compromise of the exposed CPU could affect your heartbeat?

    I’m not arguing against networking – that’s swimming against the tide. I’m arguing for more CPUs – and wiring your systems so that the compromise of network-exposed CPUs cannot cause unsafe conditions.

    Or maybe we could just rail against air gaps a bit more.

  2. […] Tuesday on “Unicorns and Air Gaps – Do they Really Exist” and reported in ISS Source (Disavowing Air Gaps) “That is very attractive, but who really thinks that exists? Air gaps are a dangerous […]

  3. […] Tuesday on &#8220Unicorns and Air Gaps – Do they Really Exist&#8221 and reported in ISS Source (Disavowing Air Gaps) “That is quite attractive, but who genuinely thinks that exists? Air gaps are a harmful […]


Leave a Reply

You must be logged in to post a comment.