SCADA security expert Eric Byres of Tofino Security had harsh words for the proponents of "air gapping" networks that control critical infrastructure and production at the recent AusCERT conference.
Byres said those who believe air gaps are a sufficient security measure assume that "bad things will never happen to the control systems."
“The whole concept of trying to protect SCADA systems with air gaps is a myth,” Byres stated to AusCERT delegates.
Industrial Control Systems (ICS), which include supervisory control and data acquisition (SCADA) networks, administer operations for critical infrastructure and production including manufacturing facilities, refineries, hydroelectric and nuclear power plants.
One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.
Byres believes that the notion of an air gap is little more than a myth, mainly because SCADA systems inherently need to be networked to function: they consume and export large quantities of monitoring information, which has to travel somewhere.
“I have occasionally seen air gaps… some of the core control systems in the nuclear industry might have real air gaps," Byres said.
Byres advocates abandoning the idea that air gaps will protect critical systems, and instead advocates the increased application of traditional network security defense, such as IDS/IPS and other real-time monitoring mechanisms, but acknowledges that there is no simple answer.
“There have been a lot of silver bullets and red herrings in the IT industry. Deep packet inspection and intrusion detection systems apply very well to control systems... [But] any change you see in the IDS logs, you already know is bad,” Byres said.
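Byres's point that "any change you see in the IDS logs, you already know is bad" rests on a property of control networks that the article does not spell out: the set of conversations is small and repetitive (the same HMI polls the same PLCs with the same operations all day), so a defender can learn an allowlist of known-good conversations and alert on anything outside it, rather than hunting for attack signatures. The following is an added example written for this page, not code from Byres, Tofino Security or any product mentioned in the article. The log format, host names (`hmi-1`, `plc-7`, `eng-laptop`), and operation names are constructed for illustration.

```python
"""Allowlist-style deviation detection over a control-network flow log.

Instead of matching attack signatures, learn the set of (source, destination,
protocol, operation) conversations observed during a known-good baseline window
and flag every conversation outside that set. On a control network, as the
talk argues, such a deviation is almost always worth a look.
"""
from collections import Counter

# Constructed sample flow records: timestamp, source, destination, protocol,
# operation. Hosts, addresses and operations are invented for this example.
BASELINE_LOG = """\
2024-05-01T08:00:00 hmi-1 plc-7 modbus/tcp read_holding_registers
2024-05-01T08:00:01 hmi-1 plc-8 modbus/tcp read_holding_registers
2024-05-01T08:00:02 historian plc-7 modbus/tcp read_input_registers
2024-05-01T08:00:05 hmi-1 plc-7 modbus/tcp read_holding_registers
2024-05-01T08:00:06 hmi-1 plc-8 modbus/tcp read_holding_registers
2024-05-01T08:00:07 historian plc-8 modbus/tcp read_input_registers
"""

# Constructed monitoring window containing three deviations from the baseline.
MONITORED_LOG = """\
2024-05-02T14:10:00 hmi-1 plc-7 modbus/tcp read_holding_registers
2024-05-02T14:10:01 historian plc-7 modbus/tcp read_input_registers
2024-05-02T14:10:03 eng-laptop plc-7 modbus/tcp write_multiple_registers
2024-05-02T14:10:04 hmi-1 plc-8 modbus/tcp write_single_coil
2024-05-02T14:10:05 hmi-1 plc-8 modbus/tcp read_holding_registers
2024-05-02T14:10:09 hmi-1 plc-9 modbus/tcp read_holding_registers
"""


def parse_flows(log_text):
    """Parse log text into (timestamp, (src, dst, proto, operation)) pairs.
    Malformed records raise rather than being silently skipped, since a
    parser that drops lines is a blind spot in a monitoring pipeline."""
    flows = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed flow record: {line!r}")
        ts, src, dst, proto, op = parts
        flows.append((ts, (src, dst, proto, op)))
    return flows


def learn_baseline(log_text):
    """Return the allowlist of conversations seen in the baseline window.
    A Counter is returned so an operator can review how often each
    conversation occurred before trusting it as 'normal'."""
    return Counter(conv for _, conv in parse_flows(log_text))


def detect_deviations(baseline, log_text):
    """Return every monitored flow whose conversation is absent from the
    baseline, with a short reason pointing at what changed: a host never
    seen before, or a new operation between hosts that do normally talk."""
    known_hosts = {host for conv in baseline for host in conv[:2]}
    alerts = []
    for ts, conv in parse_flows(log_text):
        if conv in baseline:
            continue
        src, dst, proto, op = conv
        if src not in known_hosts:
            reason = f"unknown source host {src}"
        elif dst not in known_hosts:
            reason = f"unknown destination host {dst}"
        else:
            reason = f"new operation {op} between known hosts"
        alerts.append({"time": ts, "flow": conv, "reason": reason})
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    for alert in detect_deviations(baseline, MONITORED_LOG):
        print(alert["time"], alert["reason"], alert["flow"])
```

Run against the constructed data, the detector raises three alerts: an engineering laptop writing registers to a PLC it never spoke to during the baseline, a write operation from the HMI where only reads were ever observed, and a poll to a PLC that did not exist in the baseline. The design choice to report *why* a flow deviated matters for the operator Byres describes in the following paragraphs: an alert that says "unknown source host" can be triaged without taking the plant offline.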
One of the central challenges in securing critical networks, Byres believes, is that the engineers administering industrial control systems are mandated, to a degree, to keep those systems operational regardless of inbound threats.
“That guy’s not going to say, ‘the security policy says I should let the lights go out’. He’ll break the security policy if he has to. He has to keep the sewage flowing – and it has to flow through the pipes, not through the parks,” Byres noted.
Eugene Kaspersky, who also addressed the AusCERT attendees, warned that the systems controlling critical infrastructure are extremely vulnerable to cyber attacks.
“It’s not possible to protect. Stuxnet told us that modern systems are not protected at all. SCADA could be very easy victims – the result of an attack could be like Stuxnet but everywhere,” Kaspersky said at an AusCERT event.
Stuxnet is the highly sophisticated designer virus that infected systems running Siemens Programmable Logic Controllers (PLCs); the leading theories hold that the malware was produced specifically to stifle Iran's nuclear weapons ambitions.
“The only way to protect critical infrastructure is to redesign SCADA systems based on a secure operating system. It is possible to do, but it requires a redesign of all the software for industrial systems,” Kaspersky said.