Air Gaps Dead, Network Isolation Making a Comeback

Guest Blogger Andrew Ginter is the Director of Industrial Security for Waterfall Security Solutions. Prior to joining Waterfall he wrote the popular Control System Security blog.

Eric Byres' recent post claiming that the #1 ICS and SCADA Security Myth is protection by air gaps struck a chord with me. I have been thoroughly distracted of late with my new role at Waterfall Security Solutions, but even so I could not let this one go by. Old-school air gaps are still used occasionally, in the most sensitive control systems. The rest of the time, technologies like data diodes or unidirectional gateways provide the most important benefits of truly air-gapped control systems, while still permitting businesses to profit from access to the real-time data produced by their control systems. (FD: Waterfall Security Solutions makes and sells unidirectional gateways tailored for the ICS market.)

True Air Gaps

Old-school air gaps are still used routinely, in very sensitive installations, in classified government installations, and in very cautious installations. For example, the water sector still uses air gaps routinely, and many sectors use true air gaps to isolate safety systems. The benefits of true air gaps are clear – absolute protection from certain classes of network-based threats. If you have a true air gap – complete disconnection of some or all of your control network from any external network – then that system is invulnerable to distributed denial of service attacks, remote control attacks, worms and any other network-based attack originating on an external network, including the Internet.

The cost of true air gaps is clear as well – limited access to real-time data. I remember the mid-1990s, when most process industries were connecting their real-time systems to Enterprise Resource Planning (ERP) systems like SAP. Simple applications with fancy names were being installed, which took advantage of real-time access to raw material inventories, finished goods inventories, product quality data and equipment usage data. The motive was clear – generally 3-8% cost savings at a large facility. By now most sites have deployed these kinds of applications and are seeing cost savings as a result, and sometimes revenue benefits as well. No site is willing to give up these benefits.

Access to real-time data has real value. If you “pull the plug” on the connection(s) to the corporate network, control systems generally continue to run safely, indefinitely — but few of those sites can make money any more. Access to real-time data is essential to profitability.

Most Important Benefits

The good news: it is possible to enjoy both the most important security benefits of true air gaps and the most important business benefits of access to real-time data. Many sites, both air-gapped and not, are turning to unidirectional technologies for these benefits.

The gateways are simple in concept – a transmitting (TX) appliance in the control system network contains a laser, and a receiving (RX) appliance in the corporate network contains a light sensor. The TX can send to the RX, but not vice-versa. The gateways push real-time data to corporate networks where business functions can use the data, but no attacks, no worms, nothing at all in fact, can get back through the gateway hardware to influence or threaten the control system.

Contrast this with firewalls, which are software systems. The software in a firewall looks at every message trying to pass through and decides whether to let it pass. All software has vulnerabilities, and conventional firewalls are large, complex software systems. Advanced threats exploit those vulnerabilities, and even simple errors and omissions in the configuration of complex firewalls can lead to exposure to attack where you thought you were safe. Unidirectional gateways are not vulnerable to such risks – the security the gateways provide is at the physical level. There are no return channels in the hardware to threaten the protected network.

Eric asks – “anyone who has ever seen an air gap, please raise your hand.” Air gaps are still used routinely in many industries. Standards and regulations are waking up to this fact. The latest nuclear security rules give two choices: either air-gap the most sensitive control networks, or use unidirectional technologies to let data out of those networks, but let nothing back in. Other industries are taking note. No one wants to put at risk a power grid, a water treatment plant, or a chemical plant.

No Silver Bullet

Eric is right in one respect though – neither air gaps nor Unidirectional Gateways are silver bullets. This was one of Dale Peterson’s points in his original posting as well. Even sites with the gateways deployed face risks from insiders with physical access to protected networks and from whatever process is used to install patches, anti-virus signatures and other information originating on external networks. Just like sites using conventional firewalls, sites using either air gaps or gateways must also be vigilant to the deliberate or accidental introduction of new connections through security perimeters which might reduce the strength of those perimeters.

In addition, some communications needs are inherently bi-directional. A unidirectional link between control system computers and a network of PLCs might make no sense, or might need to be augmented in ways that are not truly unidirectional. If the PLCs must continuously report data to the control computers, and the control computers must send commands to the PLCs every few seconds, a truly unidirectional link cannot be used. In this circumstance, specialized firewalls like the Tofino products are a good solution.

Where the gateways can be used though, they eliminate entirely several important classes of threat:

  • advanced threats which use remote-control tools to move through their target networks and extract industrial intelligence from them,
  • disgruntled insiders on corporate networks who launch denial-of-service or other “script kiddie” attacks on critical control systems, and
  • opportunistic threats – worms and botnets which propagate through networks, often via email or compromised websites in search of credit card numbers and other easily-monetized personal information.

Surprising Applicability

Having learned about unidirectional gateways, many people immediately ask how they can work at all. Are most industrial communications protocols not bi-directional? Are most protocols not built on top of TCP/IP which is itself fundamentally bi-directional?

The answer is of course yes, almost all industrial protocols are bi-directional. The secret of the gateways is not some magic formula which lets them emulate bi-directional protocols over a unidirectional medium. Instead, the gateways replicate servers. For example, an OSIsoft PI replication solution populates a replica historian on an external network with data from a process historian on a protected network. Only the data is moved across the unidirectional link. Clients on each network interact with their historian using the historian’s native, bi-directional protocols.
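To make the two ideas above concrete, the laser/light-sensor TX/RX pair and the replication of a historian across it, here is an added simulation written for this page. It is not Waterfall's or OSIsoft's code; the class names, the tag `FIC-101.PV` and the readings are constructed, and the framing (a JSON record with a sequence number followed by a CRC32 trailer) is a design choice of this example: because the receiver has no path back to the transmitter, it cannot acknowledge frames or request retransmission, so it must detect corruption and loss on its own and report them locally.

```python
"""Simulated unidirectional gateway replicating a process historian.

Added example for this page (not vendor code). Names and data are constructed.
"""
from dataclasses import dataclass
import json
import zlib


@dataclass(frozen=True)
class Sample:
    tag: str
    timestamp: int
    value: float


class Historian:
    """A historian on either network. Clients use its ordinary (bidirectional)
    read/write API; only the replication hop between networks is one-way."""

    def __init__(self):
        self._store = {}  # tag -> list of Sample in arrival order

    def write(self, sample: Sample) -> None:
        self._store.setdefault(sample.tag, []).append(sample)

    def read(self, tag: str) -> list:
        return list(self._store.get(tag, []))


class UnidirectionalLink:
    """Models the laser (TX) / light-sensor (RX) pair: bytes flow TX -> RX only.
    There is deliberately no method by which RX can signal TX. `drop` and
    `corrupt` list frame indices on which the medium is simulated to fail."""

    def __init__(self, drop=(), corrupt=()):
        self._drop, self._corrupt = set(drop), set(corrupt)
        self._frames, self._count = [], 0

    def transmit(self, frame: bytes) -> None:
        idx, self._count = self._count, self._count + 1
        if idx in self._drop:
            return  # frame never reaches the sensor
        if idx in self._corrupt:
            frame = bytes([frame[0] ^ 0x01]) + frame[1:]  # flip one payload bit
        self._frames.append(frame)

    def drain(self) -> list:
        frames, self._frames = self._frames, []
        return frames


class TxAgent:
    """Control-network side: pushes not-yet-sent samples from the protected
    historian onto the link as [JSON payload][4-byte big-endian CRC32]."""

    def __init__(self, source: Historian, link: UnidirectionalLink):
        self._source, self._link, self._seq, self._sent = source, link, 0, set()

    def replicate(self, tags) -> int:
        pushed = 0
        for tag in tags:
            for s in self._source.read(tag):
                if (s.tag, s.timestamp) in self._sent:
                    continue
                self._sent.add((s.tag, s.timestamp))
                payload = json.dumps({"seq": self._seq, "tag": s.tag,
                                      "ts": s.timestamp, "value": s.value}).encode()
                self._seq += 1
                self._link.transmit(payload + zlib.crc32(payload).to_bytes(4, "big"))
                pushed += 1
        return pushed


class RxAgent:
    """Corporate-network side: validates each frame locally and writes good
    records into the replica. `corrupt` counts CRC failures; `missing` counts
    records absent from the replica as inferred from sequence-number gaps (a
    corrupted frame contributes to both). A loss on the very last frame only
    becomes visible when a later frame arrives."""

    def __init__(self, link: UnidirectionalLink, replica: Historian):
        self._link, self._replica, self._next_seq = link, replica, 0
        self.missing, self.corrupt = 0, 0

    def receive(self) -> int:
        written = 0
        for frame in self._link.drain():
            payload, trailer = frame[:-4], frame[-4:]
            if zlib.crc32(payload) != int.from_bytes(trailer, "big"):
                self.corrupt += 1
                continue
            rec = json.loads(payload)
            if rec["seq"] > self._next_seq:
                self.missing += rec["seq"] - self._next_seq
            self._next_seq = rec["seq"] + 1
            self._replica.write(Sample(rec["tag"], rec["ts"], rec["value"]))
            written += 1
        return written


TAG = "FIC-101.PV"  # constructed tag name


def run_demo(drop=(), corrupt=()):
    """Return (replica values, protected values, missing, corrupt) after one
    replication pass over a link with the given simulated faults."""
    protected, replica = Historian(), Historian()
    link = UnidirectionalLink(drop=drop, corrupt=corrupt)
    tx, rx = TxAgent(protected, link), RxAgent(link, replica)
    for i, v in enumerate([10.0, 10.5, 11.0, 10.8]):  # constructed readings
        protected.write(Sample(TAG, 1000 + i, v))
    tx.replicate([TAG])
    rx.receive()
    # A corporate-side client may write anything into the replica; there is no
    # object path from rx or replica back to protected, so it stays untouched.
    replica.write(Sample(TAG, 9999, -1.0))
    return ([s.value for s in replica.read(TAG)],
            [s.value for s in protected.read(TAG)], rx.missing, rx.corrupt)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(drop=(1,)))
    print(run_demo(corrupt=(2,)))
```

Run it with no arguments and the replica holds the same four readings as the protected historian; with a dropped or corrupted frame the replica is short one record and the RX counters say so, but nothing the RX side does, including the bogus write at the end, can alter the protected historian.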

Looking Forward

True air gaps are hard to implement in modern systems — too many business processes require access to real-time data from these segregated production environments. However, the argument that security updates and virus signature updates must still make their way through to control systems, and so you may as well connect your networks with a firewall, is misleading. Would you rather be 99% protected 100% of the time, or 100% protected 99% of the time? Strong network protection, in the form of the network isolation that Unidirectional Gateways provide, is here to stay. That protection becomes increasingly attractive with every new advanced threat to control systems.


Comments

  • I agree for the most part with Andrew; however, I believe that he is overstating the use of “true air gap” just slightly. In many cases, systems with such air gaps actually have less effective security because they lack appropriate controls required to address procedural flaws that result from the introduction of a “sneaker net”. When performing an assessment, I only rank the air gap as highly secure when there are also documented and demonstrated procedures that address introduction of foreign media in the form of USB drives, CD/DVDs, and external documents. This is quite common in highly secure environments such as nuclear power, but typically not found in industries such as water/wastewater.

  • bryan owen

    Nukes also highlight segmentation (zones & conduits), white listing and monitoring as essential security controls even with a strong perimeter. See Gibson & Yeates ICSJWG presentation.

    http://www.us-cert.gov/control_systems/icsjwg/presentations/spring2011/ag_19c_ICSJWG_Spring_2011_Conf_Gibson_Yeates.pdf

    A segmented safety zone is no surprise but this is one of the few industrial architectures also highlighting segments for VoIP, emergency response, and system management.

    There is plenty to like (and dislike) about the NRC cyber security high assurance mandate. Is anyone doing a better job with network isolation and segmentation?

  • Dale G Peterson

    This blog entry was on the verge of advertorial, and we stripped out some of the additional references to Waterfall products. We do like to see advocates of a technology make their case and equally welcome opposing view guest blog entries. Plus Andrew is such a good writer.

    Personally, I have warmed to the uni-directional solution for specific types of data transfer after being an early skeptic. This was discussed a bit in a recent podcast, http://www.digitalbond.com/2011/04/29/april-tmicss-future-security-product-trends-in-ics/.

    I’d add a few pro and con points:

    1. Many asset owners have a lot of holes / two-way traffic through their security perimeters, and most asset owners would maximize efficient risk reduction by cleaning up their firewall rulesets and what is allowed through the perimeter first.

    2. Unidirectional gateways are ideal for pushing historian data, files, and other ICS originated data out of the control center zone to a DMZ or corporate zone. Similarly they are ideal for pushing Safety data to the ICS zone.

    3. I would still say air gapped networks are a myth. We can say that a particular information flow is restricted to one-way, but as some have already pointed out in the comments and tweets there is a need to get product updates, security patches, AV updates, … into the ICS. We should not fool ourselves that sneakernet is not a communication path. Data is entering the ICS zone from outside.

    4. I would want to ensure a secure emergency remote access capability is available for my ICS wizards and the vendor to get in to address emergencies. This should be used rarely, but a true one-way would not allow this. The alternative is to have sufficient staffing so there is always a wizard onsite and potentially a lot of wizard to vendor sneakernet in emergencies. Waterfall seems to have recognized this as they actually have a product designed for emergency remote access — defaults to disconnected/air gap, manual connect, time-out to disconnect.

    Dale Peterson

  • MarvinK

    I agree with Joel – people really need to control the other endpoints. In many environments the sneakernet gets left unattended. There are plenty of technologies to complement the documentation, too.

  • Thank you all for your interest in this topic. A couple of points:

    - Air gapped networks are alive and well – there are lots of examples of them in use today. Like Joel says, it is clear that some such networks are more secure than others, but this is no surprise. Air gaps and unidirectional gateways are perimeter protection technologies after all, and perimeter protections are only one aspect of modern security programs.

    - I agree with Dale and Joel when they argue that neither air-gaps nor unidirectional gateways are silver bullets. See the “…only one aspect…” comment above.

    - I agree that when you consider software updates and other contingencies, from time to time you will see information moving into “isolated” networks. Take an extreme case – say the only way external information is permitted into a secure network is in the brains of authorized personnel. For every such transport, there is an attack vector. With people’s brains, the attack vector is social engineering. Again, there are no silver bullets.

    However, I do want to point out that a great many people I talk to find discussions like the above very confusing. At the simplest level, discussions of anti-virus signatures, software updates and other needs suggest to many people that technology like our gateways are not REALLY unidirectional. They suggest the equipment we provide somehow really does let information flow in both directions.

    This is untrue. Unlike some of our competitors, Waterfall gateways allow absolutely no signal through from external networks to protected networks. If you allow something through in your head, or on a USB stick, or on a CD-ROM, that is a matter for your overall security program. As Dale indicated, Waterfall has other products available if you choose to use them, which can allow temporary firewall-protected bi-directional connections in emergencies and for other purposes, but the Unidirectional Gateway products are strictly one-way in the hardware.

    At a deeper level, “silver bullet” criticisms are confusing to many people, because they come across as criticism of the technology, not of the security program. Firewalls and routers are less secure than are air gaps or unidirectional gateways. Should sites use less-secure perimeter technologies in order to remind themselves to put more security into the rest of their program? Of course not.

    When we criticize “silver bullet” fallacies, we also need to point out that air gaps and unidirectional communications are the strongest available perimeter protection technologies – but they still need to be embedded as part of a comprehensive security program. We should be encouraging the use of the strongest feasible security technologies and practices at all levels of our security programs.

  • To Bryan’s comment – the Nuclear regs are the strongest I’ve seen. That said, there are lots of regulations and standards I haven’t seen.

    For example – I understand that US Food and Drug Administration regulations are based on a constantly-updated stream of “best practices.” I am not familiar with what current best-practices are in, for example, pharmaceutical manufacturing, where there are both serious public safety concerns and serious intellectual property confidentiality concerns. Pointers are welcome.

    I hope to write more about various standards as time permits.
