Guest Blogger Andrew Ginter is the Director of Industrial Security for Waterfall Security Solutions. Prior to joining Waterfall he wrote the popular Control System Security blog.
Eric Byres' recent post claiming the #1 ICS and SCADA Security Myth is protection by air gaps struck a chord with me. I have been thoroughly distracted of late with my new role at Waterfall Security Solutions, but even so I could not let this one go by. Old-school air gaps are still used occasionally, in the most sensitive control systems. The rest of the time, technologies like data diodes or unidirectional gateways provide the most important benefits of truly air-gapped control systems, while still permitting businesses to profit from access to the real-time data produced by their control systems. (FD: Waterfall Security Solutions makes and sells unidirectional gateways tailored for the ICS market)
True Air Gaps
Old-school air gaps are still used routinely, in very sensitive installations, in classified government installations, and in very cautious installations. For example, the water sector still uses air gaps routinely, and many sectors use true air gaps to isolate safety systems. The benefits of true air gaps are clear – absolute protection from certain classes of network-based threats. If you have a true air gap – complete disconnection of some or all of your control network from any external network – then that system is invulnerable to distributed denial of service attacks, remote control attacks, worms and any other network-based attack originating on an external network, including the Internet.
The cost of true air gaps is clear as well – limited access to real-time data. I remember the mid 1990’s, when most process industries were connecting their real-time systems to Enterprise Resource Planning (ERP) systems like SAP. Simple applications with fancy names were being installed, which took advantage of real-time access to raw material inventories, finished goods inventories, product quality data and equipment usage data. The motive was clear – generally 3-8% cost savings at a large facility. By now most sites have deployed this kind of application and are seeing cost savings as a result, and sometimes revenue benefits as well. No site is willing to give up these benefits.
Access to real-time data has real value. If you “pull the plug” on the connection(s) to the corporate network, control systems generally continue to run safely, indefinitely — but few of those sites can make money any more. Access to real-time data is essential to profitability.
Most Important Benefits
The good news: it is possible to enjoy both the most important security benefits of true air-gaps, and the most important business benefits of access to real-time data. Many sites, both air-gapped and not, are turning to unidirectional technologies for these benefits.
The gateways are simple in concept – a transmitting (TX) appliance in the control system network contains a laser, and a receiving (RX) appliance in the corporate network contains a light sensor. The TX can send to the RX, but not vice-versa. The gateways push real-time data to corporate networks where business functions can use the data, but no attacks, no worms, nothing at all in fact, can get back through the gateway hardware to influence or threaten the control system.
Contrast this with firewalls, which are software systems. The software in a firewall looks at every message trying to pass through and decides whether to let it pass. All software has vulnerabilities, and conventional firewalls are large, complex software systems. Advanced threats exploit those vulnerabilities, and even simple errors and omissions in the configuration of complex firewalls can lead to exposure to attack where you thought you were safe. Unidirectional gateways are not vulnerable to such risks – the security the gateways provide is at the physical level. There are no return channels in the hardware to threaten the protected network.
Eric asks – “anyone who has ever seen an air gap, please raise your hand.” Air gaps are still used routinely in many industries. Standards and regulations are waking up to this fact. The latest nuclear security rules give two choices: either air-gap the most sensitive control networks, or use unidirectional technologies to let data out of those networks, but let nothing back in. Other industries are taking note. No one wants to put at risk a power grid, a water treatment plant, or a chemical plant.
No Silver Bullet
Eric is right in one respect though – neither air gaps nor Unidirectional Gateways are silver bullets. This was one of Dale Peterson’s points in his original posting as well. Even sites with the gateways deployed face risks from insiders with physical access to protected networks and from whatever process is used to install patches, anti-virus signatures and other information originating on external networks. Just like sites using conventional firewalls, sites using either air gaps or gateways must also be vigilant to the deliberate or accidental introduction of new connections through security perimeters which might reduce the strength of those perimeters.
In addition, some communications needs are inherently bi-directional. A unidirectional link between control system computers and a network of PLCs might make no sense, or might need to be augmented in ways that are not truly unidirectional. If the PLCs must continuously report data to the control computers, and the control computers must send commands to the PLCs every few seconds, a truly unidirectional link cannot be used. In this circumstance, specialized firewalls like the Tofino products are a good solution.
Where the gateways can be used though, they eliminate entirely several important classes of threat:
- advanced threats which use remote-control tools to move through their target networks and extract industrial intelligence from them,
- disgruntled insiders on corporate networks who launch denial-of-service or other “script kiddie” attacks on critical control systems, and
- opportunistic threats – worms and botnets which propagate through networks, often via email or compromised websites in search of credit card numbers and other easily-monetized personal information.
Having learned about unidirectional gateways, many people immediately ask how they can work at all. Are most industrial communications protocols not bi-directional? Are most protocols not built on top of TCP/IP which is itself fundamentally bi-directional?
The answer is of course yes, almost all industrial protocols are bi-directional. The secret of the gateways is not some magic formula which lets them emulate bi-directional protocols over a unidirectional medium. Instead, the gateways replicate servers. For example, an OSIsoft PI replication solution populates a replica historian on an external network with data from a process historian on a protected network. Only the data is moved across the unidirectional link. Clients on each network interact with their historian using the historian’s native, bi-directional protocols.
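To make the "replicate the server" idea concrete, here is an added toy model (not code from the original post, and not Waterfall's or any vendor's software). The class names Historian, TxEnd, RxEnd, Replicator and ReplicaBuilder are hypothetical, and the process data is constructed. It shows the two points made above: the receiving end has a receive() method and no send() at all, mirroring the laser-and-sensor hardware; and only historian data crosses the link, while clients on each side query their own historian through its normal API. It also handles the consequence of having no return path: a frame lost in transit cannot be acknowledged or retransmitted, so the receiver records sequence-number gaps for operators to act on rather than silently producing an incomplete replica.

```python
"""Toy model of historian replication across a one-way link (added example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Point:
    seq: int      # sequence number assigned by the transmitting side
    tag: str
    ts: int
    value: float


class Historian:
    """Stand-in for a process historian: tag -> list of (timestamp, value)."""
    def __init__(self):
        self.series = {}

    def write(self, tag, ts, value):
        self.series.setdefault(tag, []).append((ts, value))

    def query(self, tag):
        # Clients use the historian's own (bidirectional) API on their own
        # network; nothing about the query touches the one-way link.
        return list(self.series.get(tag, []))


class TxEnd:
    """Transmitter appliance: can only write frames into the medium."""
    def __init__(self, medium):
        self._medium = medium

    def send(self, frame):
        self._medium.append(frame)


class RxEnd:
    """Receiver appliance: can only read frames. There is deliberately no
    send() here, so nothing on the external side can address the plant."""
    def __init__(self, medium):
        self._medium = medium

    def receive(self):
        return self._medium.popleft() if self._medium else None


class Replicator:
    """TX-side software: pushes every new point from the protected historian
    across the link with a monotonically increasing sequence number."""
    def __init__(self, source, tx):
        self.source, self.tx, self.seq, self.sent = source, tx, 0, {}

    def push_new(self):
        for tag, pts in self.source.series.items():
            for ts, value in pts[self.sent.get(tag, 0):]:
                self.seq += 1
                self.tx.send(Point(self.seq, tag, ts, value))
            self.sent[tag] = len(pts)
        return self.seq


class ReplicaBuilder:
    """RX-side software: applies frames to the replica and records gaps,
    because a one-way link cannot ask for a retransmit."""
    def __init__(self, replica, rx):
        self.replica, self.rx, self.last_seq, self.gaps = replica, rx, 0, []

    def drain(self):
        applied = 0
        while (p := self.rx.receive()) is not None:
            if p.seq != self.last_seq + 1:
                self.gaps.append((self.last_seq + 1, p.seq - 1))
            self.last_seq = p.seq
            self.replica.write(p.tag, p.ts, p.value)
            applied += 1
        return applied


def run(drop_seq=None):
    """Replicate constructed plant data; optionally lose one frame in transit.
    Returns (plant historian, corporate replica, receiver state)."""
    medium = deque()
    plant, corp = Historian(), Historian()
    rep = Replicator(plant, TxEnd(medium))
    build = ReplicaBuilder(corp, RxEnd(medium))
    for ts, v in enumerate([10.0, 10.5, 11.0]):   # constructed sample data
        plant.write("pump1.flow", ts, v)
    plant.write("tank3.level", 0, 72.4)
    rep.push_new()
    if drop_seq is not None:   # simulate a frame lost on the optical path
        medium.remove(next(f for f in medium if f.seq == drop_seq))
    build.drain()
    return plant, corp, build


if __name__ == "__main__":
    _, corp, build = run(drop_seq=2)
    print(corp.query("pump1.flow"), "gaps:", build.gaps)
```

In a real deployment the gap list would feed an alarm or trigger a periodic full resend from the TX side; the point here is that loss handling has to be designed in on the transmitting side, since the receiver has no way to ask.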
True air gaps are hard to implement in modern systems — too many business processes require access to real-time data from these segregated production environments. However, the argument that security updates and virus signature updates must still make their way through to control systems, and so you may as well connect your networks with a firewall, is misleading. Would you rather be 99% protected 100% of the time, or 100% protected 99% of the time? Strong network protection, in the form of the network isolation that Unidirectional Gateways provide, is here to stay. That protection becomes increasingly attractive with every new advanced threat to control systems.