In November 2014, researchers from Ben-Gurion University unveiled "AirHopper," a type of malware which forces a computer to transmit sensitive information in the form of keystrokes to a mobile receiver via FM radio waves. The team went on to demonstrate that an AirHopper-based attack could succeed without the availability of a network, SIM, or Wi-Fi. This finding, in particular, added to a growing list of concerns regarding the security of air-gapped computers, or machines that are completely isolated (at least in theory) from the Internet and most other locally available networks. At the time, some observers still saw promise in air-gapped systems. For instance, Erika Chickowski of Dark Reading wrote that system administrators could protect against AirHopper and other novel threat vectors, including attacks that used sound and infrared light to send out malicious commands by turning off audio functionality on, limiting the peripheral use of, and banning mobile devices near air-gapped machines. But the wind has since left the sails of many air gap supporters. Today, a majority of personnel in the industry see air gaps as unfeasible by design. That is not to say that true air gaps don't exist. Eric Byres, a leading expert in the field of supervisory control and data acquisition (SCADA) security, discusses in an article published on Belden's blog how "trivial systems," such as a digital thermostat that controls a house's heat pump, are likely isolated from any network, although with the rise of connected thermostats, WiFi smart plugs and other devices in the home in these trivial systems are becoming increasingly connected. And, of course, air gaps vanished long ago in the systems that are responsible for protecting national critical infrastructure, including power grids and transportation systems:
"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network," observes Mr. Sean McGurk, the Director, National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security, as quoted by Byres. "On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network."
Simply put, most modern control systems are too reliant on information streams from outside sources for an air gap to work. There are always new patches to apply and new software versions to run, ongoing needs which open up new pathways – such as a USB key or a laptop – that could expose seemingly isolated systems to malicious SCADA-based software, including Stuxnet. And that applies to external threats only. As noted on Belden's blog in a separate post, most industrial security incidents originate from within the control network. This not only renders air gaps essentially useless, but it also reveals how critical systems can be compromised as a result of misconfigured firewalls, poorly segmented networks, unpatched software, device error, and malware, such as BlackEnergy, which was recently discovered to have caused the world's first malware-based power outage and to have infected a workstation at Ukraine's Boryspil International Airport. If air gaps are a thing of the past, how are system administrators and control engineers supposed to protect modern SCADA systems? The way forward rests with foundational network and operational security practices. Paul Ferguson, a senior threat researcher advisor at Trend Micro, explains in a report how personnel need to concentrate on minimizing risks and maintaining an adaptive, evolving security posture.
"The architecture of how ICS networks interface with the other components of an enterprise network is critical to providing a more heightened security posture," Ferguson comments. "To protect sensitive ICS networks, proper segmentation of traffic flow must be provided, restricted access control and authentication must be required, traffic and alert logs must be analyzed, and alert notifications must be appropriately addressed."
Personnel can further reap the benefits of a risk-based security posture by following a defense in depth design approach as described in IEC 62443. By segmenting systems into zones and securing the conduits of communication between them with specialized firewalls that understand the communications protocols used in industrial systems, systems can be both hardened and protected from within. This same defense in depth approach applies when the SCADA system is connected to the enterprise or outside world in what is now commonly referred to as the Industrial Internet or the Industrial Internet of Things (IIoT). In an article published on Computing, Harel Kodesh, VP and CTO of General Electric, describes how the industrial internet is made up of three layers: the edge, the middle layer, and the cloud. By protecting the edge devices and installing sensors in the gateway layer, companies can further protect the cloud, especially when it is powered by servers that are optimized for security and when it is configured to facilitate information sharing between edge devices and gateways.
"You can have situational awareness," Kodesh notes. "If you have an IP address that's trying to get into a power station in Poland and the same IP is connecting to a power station in the UK then you should check it out. If you were operating your own system then you wouldn't get that sort of intelligence. It's a bit counter-intuitive but cloud operations in our context are more secure not less secure than operating in isolation."
Manufacturing each IIoT device according to "security first, functionality later," not to mention requiring each of the three layers to authenticate itself on a continual basis, will also go a long way towards enhanced security, Kodesh points out. When it comes down to setting those processes in motion, folks from IT can help by embracing the need to learn from OT:
"For IT security pros that want to start to cooperate on security with OT, learning about how OT works is a great starting place," explains David Meltzer, chief research officer at Tripwire. He adds: "Whether that means buying a PLC training kit and learning what these devices actually look like in OT environments, or taking an Industrial Security Controls class, or just reading a book on the subject, it is beneficial for professionals to go in with an open mind and learn about that other side."
To read more about the Industrial Internet of Things, please click here. Title image courtesy of ShutterStock
