#1 ICS and SCADA Security Myth: Protection by Air Gap
Editor's Note: This is an updated version of this article, which was first published on June 30, 2011
Recently I gave a talk focused on air gaps as a security strategy in control systems. The talk was at the AusCERT 2012 conference and to my amazement, it generated a large amount of discussion in the media both inside and outside Australia. Here are a few examples: While all this interest is very heartening, a number of the people commenting seem to have misunderstood my message. Today I am writing to make my views on air gaps a bit clearer. |
Eric Byres presenting "Unicorns and Air Gaps" at AusCERT 2012 |
Supporters of Air Gaps Do Exist
The theory of the air gap sounds great; by creating a physical gap between the control network and the business network, bad things like hackers and worms can never get into critical control systems. But as you can probably guess from the title of my blog, I don’t believe that true air gaps actually exist in the ICS and SCADA world.
Certainly, there are many people that disagree with me outright. For example, Paul Ferguson, an Internet Security Intelligence blogger at Trend Micro recently wrote:
“I’ve written about SCADA issues in the past, but one issue that I’ve consistently tried to emphasize is that critical control systems should never, ever interact nor interconnect with Internet systems in any way, shape, or form. There’s a good reason for this, and it’s always been referred to as the “Air Gap” Principle.” 1
(Ed. Note from Eric Byres July 12, 2012: Paul has informed me that this is an old opinion (circa 2008) and he has since changed his views on the feasibility of air gaps. Sorry Paul! For more on this, see my subsequent blog article.)
Similarly, last year there was a flood of SCADA and ICS vulnerability notices with advice on addressing the issue by using an air gap. One example I gave in the past came from the original Siemens Security Advisory addressing the vulnerabilities in Siemens SIMATIC S7-1200 PLC line:
"In addition, it is important to ensure your automation network is protected from unauthorized access using the strategies suggested in this document or isolate the automation network from all other networks using an air gap.” 2
Vendors are Moving Away from the “Air Gap Principle”
Now the interesting thing (and a real credit to Siemens) is that they removed this recommendation from this advisory (and all other advisories) a few months later.
I suspect that Stefan Woronka, Siemens Director of Industrial Security Services, had something to do with this when he publically stated:
“Forget the myth of the air gap – the control system that is completely isolated is history.”
Similarly, all the Schneider Electric and Rockwell security advisories make no mention of air gaps. Rockwell’s mitigation guidance is very clear:
“Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance)." Source: KB Article 470154 - EtherNet/IP™ Product Vulnerabilities
I think that all of the PLC and DCS vendors have come to realize that air gaps conflict with their architectures. For example, check out the diagram of a high security architecture taken directly from the Siemens’ Security Concept manual (pg 42). (Note: you can click on the image to enlarge it.)
Can you spot the air gap in the drawing? I can’t! Or try another vendor - download the security manual from Rockwell, search for the term “Air Gap”. You won’t find it. Search the diagrams for an air gap. You won’t find it. Check out all the major vendors engineering guides and you won’t find the air gap mentioned anywhere (if you do find an example of a PLC or DCS vendor recommending air gaps, please send it to me).
Air Gaps Don’t Work in the Real World
There is a good reason why you won’t find the air gap mentioned in vendor engineering manuals and why it is disappearing from security advisories. As a theory, the air gap is wonderful. In real life, it doesn’t work.
Sure you can simply unplug the connection between the control system and the business network and presto, you have an "air gap”. Then one day you get new logic from your engineering consultant – perhaps it addresses a design flaw that has been causing your company considerable downtime. A little while later Adobe sends you a software update – perhaps it is for a critical vulnerability in the PDF Reader your staff uses to view operational manuals. Next your lab group sends a process recipe that will improve product quality. The list keeps growing – patches for your computer operating systems, anti-virus signatures, remote support and system software – you can’t ignore them all.
So what do you do? Maybe you load some files onto a USB drive and carry that onto the plant floor. But isn’t that how Stuxnet spread? Or maybe putting everything onto a laptop is the solution, but what if the laptop is infected? A serial line and a modem – sorry, the Slammer worm got into a number of control systems that way. Even the trusty CD can be turned into the carrier of evil bits.
As much as we want to pretend otherwise, modern control systems need a steady diet of electronic information from the outside world. Severing the network connection with an air gap simply spawns new pathways – pathways like the mobile laptop and the USB key, which are more difficult to manage and just as easy to infect.
Anyone Who Has Ever Seen an Air Gap, Please Raise Your Hand
So are there air gaps in any control systems? Sure – in trivial systems. For example, the digital thermostat controlling the heat pump in my home probably has a true air gap. And maybe in very very high risk systems – for example, I am led to believe that reactor control systems in nuclear plants are truly air gapped.
But do air gaps exist for all the control systems that manage our power grid, our transportation systems, our water and our factories? I will let Mr. Sean McGurk, the Director, National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security answer that:
"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network.”3
A control system protected by a real air gap. Photo courtesy of Computing at Chilton: 1961-2003
Time to Grow Up and End the Fairy Tale
The control system vendors have accepted that the dream of the air gap as a security strategy is finished. The government agencies like ICS-CERT have also accepted that a true air gap is impossible. Now it is time for the consultants and end-users to give up on the air gap myth. Believing that your plant’s security is under control because the control systems are “isolated” is just a dangerous illusion:
"None of the vulnerabilities [uncovered at the NESCOR summit] pose as great a risk as the belief that your system is isolated."
Chris Blask, CEO, ICS Cybersecurity Inc.
For effective ICS and SCADA security, the entire industry needs to move past the myth of air gaps and learn to deal with the reality:
All control systems are connected to the outside world in some fashion. It might be a network connection, a serial line or USB “sneakernet”, but it is a pathway that can be exploited by modern malware like Stuxnet and Flame. Cyber security countermeasures must face up to this fact.
1 Source: Paul Ferguson, Internet Security Intelligence, Advanced Threats Research, Trend Micro, Apr 8, 2008 Ed. Note: This source reference was updated from 2012 to 2008 on July 6, 2012 as per Paul Ferguson's comment below.
2 Source: SIEMENS-SSA-625789: Security Vulnerabilities in Siemens SIMATIC S7-1200 CPU
3 Source: The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing. 58:30 -- 59:00
Related Content to Download
Presentation - "Unicorns and Air Gaps - Do They Really Exist?" |
Related Links
- Blog: SCADA Security: Is the Air Gap Debate Over?
- Blog: Air Gaps won’t Stop Stuxnet’s Children
- Blog: Cyber Attacks on U.S. Critical Infrastructure will Intensify
- Blog: Flame Malware and SCADA Security: What are the Impacts?
Comments
MES / ERP and airgaps
The same vendor rep who will hide behind the airgap fantasy will likely also be the first one to boast about the "total plant integration" of their solution suite - MES, MIS, and ERP components that "seamlessly integrate" with their Control Systems products. Hard to imagine such "seamless integration" over an airgap...
Preach it, Eric.
It is time for a full-court press against this myth.
Finding even notional comfort in the concept of an Air Gap is the most dangerous factor in industrial cybersecurity. Even after spending two days dreaming up new and interesting ways to attack power systems at the NESCOR summit here in Washington (we ran out of time before we ran out of ideas) I am going to summarize this morning with this point:
"None of these vulnerabilities pose as great a risk as the belief that your system is isolated."
If someone tries real hard to attack your system and you have a technical vulnerability in your system (and you do) you may just get compromised despite your best efforts.
However, if you *believe you are immune to attack* then they don't have to try at all...
...and the impact will in all cases be the worst case scenario.
...and you will realize you are doomed when it is far too late to do anything about it.
...and you will have no ability to respond.
...and your shareholders/customers/constituents will suffer the maximum possible harm.
...and the most people will be killed.
It would be best for all of us if saying "...but I'm not connected..." became a firing and public-mocking offense in every single instance immediately.
It isn't just an incorrect statement, it is foolish, negligent, reckless, literally ignorant and it risks the lives and welfare of innocent people all around you.
>> Severing the network
>> Severing the network connection with an air gap simply spawns new pathways
Good argument!
ICS operators' role, responsibility
While embracing technologies such as air-gaps, as part of ICS defending layers –
we should remember that the operators' experience and sensitivity is the most reliable trigger for alerts. In an ideal Man-Machine system the operator is supported by a heuristic intelligent computerized tool which uses history and on-line operational data to predict the behavior of the control system. The modern operator will not be exempted from glancing at the security event manager (SIEM – mandatory tool!) screen to watch, together with his IT person - for suspicious correlations; thus using his skills to discriminate the security events from the process events.
Until this utopian world is materialized we should put more effort in giving variety to our protection layers and correspondingly endorse the emerging field of early warning predictive systems for ICS.
Ne'er a Gap in Air
Right on Eric! The danger in the mythical air gap is, of course, in the belief that it is real and, therefore, reliance on it as an industrial security strategy. The uranium enrichment facilities at Natanz in Iran were protected by an air gap. So much for that.
The sound strategy is, of course, to identify the connections that inevitably bridge the gap so they become known vulnerabilities, to be eliminated in some cases and managed in others, to be protected by both technological fixes and enhanced vigilance. You cannot monitor or mend what you don't know is a problem.
--Larry Constantine (novelist, Lior Samson)
Thoughts
Hi Eric,
I wrote that reference blog post in April 2008, not 2012 as referenced in your footnote.
Also, Ironically, I stand by what I said then -- an air gap may not provide 100% security, but it sure does remove a vast amount of the threat.
Also, in my white paper on Industrial Control Systems Security Architecture [1], I also mentioned yous and the fact that air gaps aren't really workable in the real world, for various reasons, so that this is all a matter of constantly trying to raise the bar and constantly improve your security posture.
In a world where there is no such thing as 100% security, instituting an air gap -- real physical isolation -- goes a long way to remove the majority of threats. I understand that there are various reasons why businesses, utilities, and other organizations cannot (or will not)physically separate their ICS plant networks from enterprise networks and/or the Internet, but saying it cannot be done is disingenuous.
- ferg
[1] http://blog.trendmicro.com/towards-more-secure-industrial-control-system...
Can we create an air gap that protects
I immediately support Paul's point that an air gap does contribute to security. However it is only one layer of defense and this layer can easily be bypassed. If we realize that we still need to patch an air-gapped system, we should immediately realize that true air gaps are an illusion.
The lesson from Flame is that even signed Microsoft security patches could contain malicious code when retrieved over Internet with for example WSUS. Creating an ISO image and using this for installation in an air-gapped system would not have solved this. So the conclusion can be that an air-gapped system being patched has maybe reduced the attack surface but never to nill.
Since the introduction of client side attacks we should realize that many of our traditional network perimeter layers of defense are bypassed. We need today security zone based layers of protection, this improves protection and improves containment of security breaches. Air gaps, perimeter firewalls, DMZs they are all fine but do not provide much protection if the attacker easily jumps over these hurdles.
Sorry Paul Ferguson
Hi Paul,
Thanks very much for the correction. I don’t know why I thought was April 2012 was the publish date – boy was I wrong. Sorry to not have read more deeply and realized that you had changed your mind. I think changing your mind based on evolving evidence, is not only allowed, but smart and honorable.
With you, Siemens and others moving to the “No Air Gap” camp, I am running out of examples of public figures in “Pro Air Gap” camp. Makes it harder to write a blog , but it is great news for the industry.
Unfortunately, there are many engineers in the end-user community that still believe in air gaps. And I think we need to help educate them. Thanks for your help on this front!
Readers, watch for more discussion of air gaps in upcoming blog posts.
Airgaps and datadiodes
The most expensive air gap of all is the data diode, which suggests similar protection while still allowing one-way communication. The same protection flaws that apply to the air gap apply to the data diode, it reduces attack surface but doesn't remove the threat of Stuxnet / Flame like attacks.
Still companies spend their seurity budgets on these costly "one way air gaps". True security seems to be the emotion of feeling secure while all know that we are in a fully reactive mode, the time to repair a hole in our defense takes longer than the time to create a new one. Our systems are so diverse and complex that full security will probalby never be reached, certainly if we consider that all our new security counter measures themselves can become a new target for attacks.
Why is there such a stern
Why is there such a stern belief in air gaps? Probably because of the assumption-chain: air gap = no wires, and then on to no wires = no communication, no communication = no data transfer, no data transfer = can't get any malware thus: protection! So, with some mathematics :-), it follows that air gap = protection.
If any of these 4 four fails, the protection is lost.
no air gap? sure there is no wire somewhere?.
no wires? how about wireless networks.
no communication? even one-way communication can harm, as the recent GPS hacks show.
no datatransfer? never heard about USB probably.
Turning on ourselves?
I really enjoyed the article and agree that an air-gap only solution can give a false sense of security but I am concerned at the tone of some of the conversation here. I would be very surprised if anyone relying on an air-gap only did not honestly and fully believe that they were doing the right thing for their situation. Rare (likely non-existent) is the controls person who would knowingly and willingly leave themselves open for an attack. Dependence on an air gap does not call for public mockery but for education and proving that connections can be made securely. I have personally found that this is the best way to work with and move past an air-gap only stance. The concerns are legitimate and can be addressed reasonably but we will never make great strides in this area if we insist on turning on each other and infighting.
Off my soapbox now...sorry.
Pat Russell
Turning on ourselves?
Excellent point Pat - the whole issue with the air gap as I see it is that it is so seductive that the underlying strategy issues get missed. Based on your suggestion I think I will be writing another blog about how the well-meaning controls engineer thinks he or she is doing the right thing, but doesn't understand the full ramifications.
I too wanted to know about
I too wanted to know about air gaps in detail. It was really surprising to know that air gaps still exist in the ICS and SCADA world. The whole description and the image illustration have made the topic clear to me. Thanks a lot for taking effort to post this.
Straw Man Arugument
Air-Gapped networks are part of a layered defense. Given the costs of building and maintaining such an environment, it is reserved for only the most sensitive information - the kind to which few people will be granted access. Subsequently, it is something that few security people will ever encounter.
Physical Security for a network is only one small aspect of information security.
I've never heard anyone in Security suggest their environment is free from vulnerabilities; Especially not due to the implementation of just one aspect of security. That foolhardy person would be real unicorn in the room.
Add new comment