To Air-Gap or Not Air-Gap Industrial Control Networks

What is air-gapping, and why do we air-gap networks?

What camp are you in? In the camp that believes in air-gaps, or the other set that says they truly do not exist? Air-gap networks are networks that are physically and logically isolated from other networks where communication between these networks is not physically or logically possible. Over the years, many networks in many different verticals from governments, military, financial services, nuclear power plants and industrial manufacturing, to name a few, have been so-called “air-gapped.” In the industrial vertical, these air-gapped networks were the networks that supported the industrial control systems within the plant or factory where communication was physically or logically isolated between the plant and the enterprise networks. In today’s Industry 4.0 revolution where the network is the control system, analyzing data from the industrial process is key to drive optimization and efficiency, and where more and more field devices are “smart” (connected and managed through the network), is the notion of air-gapped industrial networks practical for the future or is there really an air-gapped network today?

Is it effective? False sense of security?

In theory, air-gapped networks seem like a good idea. In practice, that is another story. Do they really guarantee isolation from the Internet or from the corporate business network? It has been proved in a number of different scenarios that air-gapped networks can be infiltrated. The most famous of these examples is Stuxnet, the worm that was able to target and disrupt the process of enriching uranium that could be used to manufacture nuclear warheads in Iran’s Natanz nuclear facility. There are many other non-threatening examples like modems and wireless networks being set up by contractors, maintenance, or control engineers to make their lives easier to transfer data in or out of the air-gapped networks. What about transient devices such as laptops, tablets and smart phones? Don’t forget about removable media (USB, cdrom, etc), remote access and data coming via sneakernet (any means of transferring data without it traversing a network). Are these environments truly air-gapped? All of these examples prove that nothing is truly air-gapped or that it can't stay 100% air-gapped over time. Do air-gaps give us a false sense of security? How many times do cybersecurity professionals hear, “Oh, we are air-gapped. We do not need to worry about cyber security”? If that is the case, how does someone know if they are air-gapped if they do not assess or monitor their networks for 1) new data coming in from removable media/transient devices or 2) external network connections being set up with modems or VPN’s. At the end of the day, new data is coming into these so-called “air-gapped” environments. How do we manage it?

The Million Dollar Question

How do you know? How do you know if data is coming in or going out of your network? How do you know if there are external connections being set up for ease of use for employees, contractors or vendors? To be able to answer the variety of "how do you know" questions, it comes down to knowing your network and placing preventative controls around it to be able to continuously answer questions like these:

• What devices are on it?
• What are those devices communicating?
• Who are those devices communicating to?
• What is normal communication between those devices?
• Are any external connections being set up?

Just like we monitor and measure quality characteristics of the output of our industrial processes (i.e. inventory, scrap, rework, physical dimensions, overall equipment effectiveness, accidents, etc), we need to monitor and measure our environments for abnormal behavior – configuration changes, communication pattern changes, exploitation of vulnerabilities and new or unexpected network connections, etc – which will help us recover from special causes that impact the operation of our process including but not limited to misconfiguration, human error, cybersecurity events, machine failure, etc.

Where do you start?

If you have not started your industrial cybersecurity journey, a good place to start is with an industrial cybersecurity vulnerability or risk assessment. Cybersecurity vulnerability assessments typically find that an environment is never completely air-gapped. Assessments usually find evidence of unsanctioned external connections created by control engineers, most often for non-threatening, non-malicious reasons. These undocumented, unapproved network connections are usually created to ease an engineer’s system maintenance and/or troubleshooting responsibilities to avoid from having to sneakernet a file or program to the control environment. Most of the time, these are only set up to provide short term relief, but what happens is that connections forget to be torn down, leaving the air-gapped network wide open to other communication channels where behavior tends to lend itself to the malicious kind. Tripwire’s professional services team performs cybersecurity vulnerably assessments and will review your environment for weaknesses that could impact your industrial process and make remediation recommendations. One of the areas we will review is if you have any external network connections where data could be coming in or going out of your environment. For more information, check have a look here.

What else do you need to do?

Concentrate on foundational cybersecurity controls. Do not try and boil the ocean with advanced techniques. Three key foundational cybersecurity controls that will mitigate the most risk from both internal and external threats are the following:

1. Understand and manage data flows, aka network communication.
   • Maintain an accurate asset inventory (vendor, make, model, firmware version, etc)
   • Monitor device data flows, what is expected and what is abnormal.
2. Enforce expected communication patterns or data flows with network segmentation
3. Monitor and manage configuration changes of all devices within the control network

With regards to managing data flows, it all starts with creating and maintaining an accurate asset inventory inclusive of hardware and software. Once an accurate asset inventory is complete, you can then begin to understand and manage all data flows (communication patterns) in and out of your control networks for things like:

1. File transfers – FTP, SFTP/SCP, etc.
2. Transient devices – laptops, tablets, mobile phones, etc.
3. Removable media – i.e. USB keys
4. Internal network connections – intra cell or zone as well as inter cell or zone
5. External connections – all connections to/from business or corporate network, suppliers, vendors, etc.
6. Wireless networks – especially those set up on the fly for ease of use.

How you gain visibility to data flows? You must know what is connected to your network (accurate asset inventory) and then monitor data flows from those devices traversing your network. Tripwire offers a passive monitoring solution, Tripwire Industrial Visibility, that has been developed from the ground up to understand industrial protocols and industrial control networks, to inventory devices, (vendor, make, model, firmware version, etc) as well as understand what protocols devices are using to communicate on the network. Tripwire Industrial Visibility has a learning mode where all assets and communication baselines are learned, and then once the solution is placed in operational mode, it will alert on any devices from those operational baselines. Once data flows are learned and understood, the next step is to put a preventative control in place to enforce those communication patterns. This is where an industrial security appliance such as the Tofino Xenon plays. It is able to perform deep packet inspection and sanity checking on the industrial protocol to enforce authorized communication between devices and/or networks. This appliance helps implement the zones and conduit approach outlined in IEC 62443 where zones are defined as assets of a similar function/risk model (aka HMI zone or PLC zone) and conduits outline the authorized or expected communication between devices in one zone to another zone (aka only allow Modbus TCP between HMI zone and PLC zone or only allow DNP3 between the substation zone and the control center zone). This is a recommended approach whether you have an air-gapped network or not, as it mitigates risk of propagation of malicious or unexpected traffic traversing east/west within the factory or plant floor. For more information on the Tofino Xenon, see here. Last but certainly not least is the ability to manage changes to device configurations. This includes all kinds of devices such as controllers, HMI’s, RTU’s, engineering workstations, routers, switches, databases and firewalls. What happens a lot of times when there is a production outage that is impacting the plant’s ability to make product? The result of this is that something changed – a configuration setting, firmware version, new port opened, new device connected to the network, etc. How long does it take to first understand something changed and then to revert that change back so that the process is back to operating at a functional, productive state? Managing changes and understanding if changes adhere to authorized work orders in ticketing systems is the core competency of Tripwire Enterprise. Tripwire Industrial Visibility can also be used to manage changes, particularly around changes in controllers, whether it be new ladder logic added to a program or whether it be a change to the controllers operating mode: run, program, test, etc. Don’t let changes manage your day-to-day operation. Manage changes through visibility so that a change management policy can be enforced.

Air-gap or not - Visibility, Preventative Controls and Continuous Monitoring are key behaviors

Monitoring solutions are needed irrespective of whether you air-gap to maintain full control of your industrial environment. Tripwire solutions can help provide visibility, protective controls and continuous monitoring to help provide visibility to and protection from cyber events that threaten safety, productivity and quality. Check out a prior blog to learn more.