Protecting SCADA Systems with Air Gaps is a Myth

Monday, May 21, 2012



SCADA security expert Eric Byres of Tofino Security had harsh words for the proponents of "air gapping" networks that control critical infrastructure and production at the recent AusCERT conference.

Byres said that those who believe an air gap is a sufficient security measure also believe “bad things will never happen to the control systems.”

“The whole concept of trying to protect SCADA systems with air gaps is a myth,” Byres stated to AusCERT delegates.

Industrial Control Systems (ICS), which include supervisory control and data acquisition (SCADA) networks, run critical infrastructure and production facilities such as manufacturing plants, refineries, and hydroelectric and nuclear power plants.

One of the main challenges in protecting these networks is that they were not designed with cybersecurity in mind. Security controls have instead been layered on piecemeal after the networks went into operation, leaving ample room for attackers to compromise them.

Byres believes the notion of an air gap is little more than a myth, mainly because SCADA systems inherently need to be networked to function, given the large quantities of monitoring data they must exchange.

“I have occasionally seen air gaps… some of the core control systems in the nuclear industry might have real air gaps," Byres said.

Byres advocates abandoning the idea that air gaps will protect critical systems and instead applying traditional network security defenses more widely, such as IDS/IPS and other real-time monitoring mechanisms, while acknowledging that there is no simple answer.

“There have been a lot of silver bullets and red herrings in the IT industry. Deep packet inspection and intrusion detection systems apply very well to control systems... [But] any change you see in the IDS logs, you already know is bad,” Byres said.
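The reason Byres gives for why IDS and deep packet inspection fit control networks so well is that their traffic is nearly static: the same HMI polls the same registers on the same PLC all day, so anything new is suspect by definition. The following is an added example, not code from the article or from Tofino Security, that demonstrates that idea on Modbus/TCP. It parses the MBAP header and the start of the PDU from raw frames, learns an allowlist of (source, destination, unit id, function code, register range) from a known-good capture, and then flags any deviation in live traffic. The IP addresses, register numbers and frames are constructed for the example; the Modbus/TCP framing and the function-code layouts (reads and multi-writes carry start address and quantity, single writes carry address and value) are per the public Modbus specification.

```python
import struct

# Constructed host addresses used only for the sample traffic below.
HMI, PLC, ROGUE = "10.0.0.5", "10.0.0.20", "10.0.0.99"


def build_frame(tid, unit, fc, addr, count_or_value, data=b""):
    """Build a Modbus/TCP request (MBAP header + PDU). Used here only to
    construct sample frames; a real sensor reads them off the wire."""
    pdu = struct.pack(">BHH", fc, addr, count_or_value)
    if fc in (15, 16):                      # multi-writes append byte count + data
        pdu += bytes([len(data)]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame):
    """Return (unit_id, function_code, start_address, count) for a request.
    Raises ValueError on frames that are not well-formed Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc = frame[7]
    pdu = frame[8:]
    if fc in (1, 2, 3, 4, 15, 16):          # reads and multi-writes: start address + quantity
        addr, count = struct.unpack(">HH", pdu[:4])
    elif fc in (5, 6):                      # single coil/register writes: address + value
        addr, count = struct.unpack(">H", pdu[:2])[0], 1
    else:                                   # anything else: no register range to track
        addr, count = None, 0
    return unit, fc, addr, count


def build_baseline(events):
    """Learn the allowlist from known-good traffic. events: (src, dst, frame).
    Returns {(src, dst, unit, fc): (lo, hi)} with [lo, hi) the union of
    register ranges seen for that conversation and function code."""
    baseline = {}
    for src, dst, frame in events:
        unit, fc, addr, count = parse_modbus_tcp(frame)
        key = (src, dst, unit, fc)
        lo, hi = (addr, addr + count) if addr is not None else (0, 0)
        if key in baseline:
            plo, phi = baseline[key]
            lo, hi = min(lo, plo), max(hi, phi)
        baseline[key] = (lo, hi)
    return baseline


def detect(baseline, events):
    """Flag every event that deviates from the baseline.
    Returns a list of (src, dst, function_code_or_None, reason)."""
    alerts = []
    peers = {(s, d) for s, d, _, _ in baseline}
    for src, dst, frame in events:
        try:
            unit, fc, addr, count = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, dst, None, f"malformed: {err}"))
            continue
        key = (src, dst, unit, fc)
        if key not in baseline:
            reason = "new conversation" if (src, dst) not in peers else "new function code"
            alerts.append((src, dst, fc, reason))
            continue
        lo, hi = baseline[key]
        if addr is not None and (addr < lo or addr + count > hi):
            alerts.append((src, dst, fc,
                           f"register range {addr}-{addr + count - 1} outside baseline {lo}-{hi - 1}"))
    return alerts


# Constructed known-good capture: the HMI polls holding registers 0..9 (FC 3)
# and occasionally writes the setpoint in register 5 (FC 6).
BASELINE_EVENTS = [
    (HMI, PLC, build_frame(1, 1, 3, 0, 10)),
    (HMI, PLC, build_frame(2, 1, 3, 0, 10)),
    (HMI, PLC, build_frame(3, 1, 6, 5, 1500)),
]

# Constructed live traffic: one normal poll followed by three deviations.
LIVE_EVENTS = [
    (HMI, PLC, build_frame(4, 1, 3, 0, 10)),                       # normal poll
    (ROGUE, PLC, build_frame(1, 1, 3, 0, 10)),                     # host never seen talking to the PLC
    (HMI, PLC, build_frame(5, 1, 16, 0, 2, b"\x00\x01\x00\x02")),  # bulk write the HMI never issued before
    (HMI, PLC, build_frame(6, 1, 6, 200, 1)),                      # single write outside the learned range
]

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_EVENTS), LIVE_EVENTS):
        print(alert)
```

The normal poll produces nothing; the other three events each produce one alert. In an IT network an allowlist this strict would drown the analyst in noise, which is exactly Byres' point about why the same technique works in a control network: the baseline is small and stable, so a new talker, a new function code, or a write to a register nobody writes is already known to be bad.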

One of the central challenges in securing critical networks, Byres believes, is that the engineers administering industrial control systems are mandated, to a degree, to keep those systems operational regardless of inbound threats.

“That guy’s not going to say, ‘the security policy says I should let the lights go out’. He’ll break the security policy if he has to. He has to keep the sewage flowing – and it has to flow through the pipes, not through the parks,” Byres noted.

Eugene Kaspersky, who also addressed AusCERT attendees, warned that the systems controlling critical infrastructure are extremely vulnerable to cyber attack.

“It’s not possible to protect. Stuxnet told us that modern systems are not protected at all. SCADA could be very easy victims – the result of an attack could be like Stuxnet but everywhere,” Kaspersky said at an AusCERT event.

Stuxnet is the highly sophisticated malware that infected Windows systems and targeted Siemens Programmable Logic Controllers (PLCs); the leading theory is that it was built specifically to set back Iran's nuclear program.

“The only way to protect critical infrastructure – is to redesign SCADA systems based on a secure operating system. It is possible to do, but it requires a redesign of all the software for industrial systems,” Kaspersky said.


Marc Quibell The security must be based upon the risk associated with the assets. Whether it is physical or technical controls. First, I ask the so-called experts - Why are you focusing only on technical controls? Secondly, focus on the gaps that are addressed by gaps in a real risk analysis. What I'm saying is that it's easy for people on the outside to be critical of whoever's security controls. I would challenge them to become more involved with the risk analysis process in a professional capacity, study the processes and controls, and then provide comprehensive mitigation controls that address the risks, keeping in mind that the assets and function/operation of those assets are part of the risk analysis and resulting score that needs to be mitigated. And not overly mitigated to the point of over-protection. IOW, you don't call in the military to secure a power plant when the risks are low. People and places MUST operate with associated risks!
Marc Quibell Also, am I understanding this properly? Is this Eric Byres suggesting air gap security is a myth because of the fact that the network becomes non-air-gapped at some point? So, air gap works, but when you remove the air gap (i.e., add Internet, other networks, wireless, etc.) you're no longer an air-gapped network. I have no further words for this revelation.
Darrell Pitzer Marc, that's not what he is suggesting. What he's saying is: Air gap will not protect you. Look at Stuxnet ... the targeted systems were air-gapped and yet they were infected. The message is that an air gap is no longer 100% effective.
Marc Quibell Unless someone physically placed stuxnet on the device, the device at some point violated Air-gap.
Darrell Pitzer Exactly. The computers targeted by Stuxnet were not internet connected. They were infected by a USB device. That's the point of Eric's article ... a system not connected to any network is still at risk of being infected if any type of removable media is used.
Marc Quibell It's not air-gap that is not secure, it's the other layers that allowed an infected device, whether it be USB, DVD, computer, hard drive...etc into the other-wise clean environment. Air-gap is but one layer of security. In the case of the USB, I would suggest that policies and procedures, as well as physical, controlled security, were violated. The point is, lol, since air-gap worked in this situation (the devices were infected by other means), why say that air-gap is insecure? Of course air-gap, by itself, is insecure! It's not meant to be the only mitigating control...
Bob Radvanovsky Many feel that utilizing an "air gap" means utilizing one-way communications devices that will prevent an access backflow from occurring. This is not entirely true. It can be compromised utilizing something on the inside.

As pointed out in previous comments of this article, inside threats are increasing in number, and realistically, anyone who states that there is "no threat" because they're "air gapped" has definitely "drunk the Kool-Aid". Everyone has a price, a motive, a reason for doing something "against the system". Placing an inconspicuous device *behind* a firewall or "air gap device" will allow those who are intent on breaking that barrier to create a "drawbridge effect".

Even if you make policies that indicate that there will be NO EXTERNAL ELECTRONIC DEVICES allowed within a plant, you're still not going to prevent human ingenuity. Eventually, someone will figure out a method, maybe not immediately, but eventually, of how to bypass security controls -- and get in.