## What is air-gapping, and why do we air-gap networks?

What camp are you in? The camp that believes in air-gaps, or the one that says they truly do not exist? Air-gapped networks are networks that are physically and logically isolated from other networks, so that communication between them is not physically or logically possible. Over the years, many networks in many different verticals, including government, military, financial services, nuclear power plants and industrial manufacturing, to name a few, have been so-called "air-gapped." In the industrial vertical, these air-gapped networks supported the industrial control systems within the plant or factory, with communication between the plant and the enterprise networks physically or logically isolated. In today's Industry 4.0 revolution, the network is the control system, analyzing data from the industrial process is key to driving optimization and efficiency, and more and more field devices are "smart" (connected and managed through the network). Is the notion of an air-gapped industrial network practical for the future, and is there really an air-gapped network today?
## Is it effective? False sense of security?

In theory, air-gapped networks seem like a good idea. In practice, that is another story. Do they really guarantee isolation from the Internet or from the corporate business network? It has been proven in a number of different scenarios that air-gapped networks can be infiltrated. The most famous of these examples is Stuxnet, the worm that was able to target and disrupt the process of enriching uranium, which could be used to manufacture nuclear warheads, at Iran's Natanz nuclear facility. There are many other non-threatening examples, such as modems and wireless networks set up by contractors, maintenance staff or control engineers to make their lives easier when transferring data in or out of the air-gapped network. What about transient devices such as laptops, tablets and smartphones? Don't forget removable media (USB, CD-ROM, etc.), remote access and data arriving via sneakernet (any means of transferring data without it traversing a network). Are these environments truly air-gapped? All of these examples show that nothing is truly air-gapped, or at least that nothing stays 100% air-gapped over time. Do air-gaps give us a false sense of security? How many times do cybersecurity professionals hear, "Oh, we are air-gapped. We do not need to worry about cyber security"? If that is the case, how does someone know they are air-gapped if they do not assess or monitor their networks for 1) new data coming in from removable media or transient devices, or 2) external network connections being set up with modems or VPNs? At the end of the day, new data is coming into these so-called "air-gapped" environments. How do we manage it?
## The Million Dollar Question

How do you know? How do you know if data is coming into or going out of your network? How do you know if external connections are being set up for the convenience of employees, contractors or vendors? Answering the variety of "how do you know" questions comes down to knowing your network and placing preventative controls around it so that you can continuously answer questions like these:
- What devices are on it?
- What are those devices communicating?
- Who are those devices communicating with?
- What is normal communication between those devices?
- Are any external connections being set up?
## Where do you start?

If you have not started your industrial cybersecurity journey, a good place to start is with an industrial cybersecurity vulnerability or risk assessment. Cybersecurity vulnerability assessments typically find that an environment is never completely air-gapped. Assessments usually find evidence of unsanctioned external connections created by control engineers, most often for non-threatening, non-malicious reasons. These undocumented, unapproved network connections are usually created to ease an engineer's system maintenance and/or troubleshooting responsibilities and to avoid having to sneakernet a file or program into the control environment. Most of the time, these are only set up to provide short-term relief, but what happens is that the connections are never torn down, leaving the air-gapped network wide open to other communication channels, which can then be used for malicious purposes. Tripwire's professional services team performs cybersecurity vulnerability assessments and will review your environment for weaknesses that could impact your industrial process and make remediation recommendations. One of the areas we will review is whether you have any external network connections through which data could be coming into or going out of your environment. For more information, have a look here.
## What else do you need to do?

Concentrate on foundational cybersecurity controls. Do not try to boil the ocean with advanced techniques. Three key foundational cybersecurity controls that will mitigate the most risk from both internal and external threats are the following:
- Understand and manage data flows, aka network communication.
- Maintain an accurate asset inventory (vendor, make, model, firmware version, etc.).
- Monitor device data flows, what is expected and what is abnormal.
- Enforce expected communication patterns or data flows with network segmentation
- Monitor and manage configuration changes of all devices within the control network
- File transfers – FTP, SFTP/SCP, etc.
- Transient devices – laptops, tablets, mobile phones, etc.
- Removable media – e.g. USB keys.
- Internal network connections – intra cell or zone as well as inter cell or zone
- External connections – all connections to/from business or corporate network, suppliers, vendors, etc.
- Wireless networks – especially those set up on the fly for ease of use.
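The "how do you know" questions above and the foundational controls in this list (asset inventory, a baseline of expected data flows, detection of external connections) can be answered mechanically once the network is known. The following is an added example, not code from the original article or from Tripwire; it assumes a simple connection-log line format of `timestamp src dst proto dport` and uses a hand-built asset inventory, control-network address range and flow baseline, all of which are constructed values. It checks observed flows against the inventory and baseline and reports unknown devices, connections that leave the control network, and communication that is not part of the expected pattern.

```python
"""Baseline-vs-observed flow check for a supposedly air-gapped control network.

Added example (not from the original article). Assumes a constructed log
format 'ts src dst proto dport' and constructed inventory/baseline data.
"""
import ipaddress
from collections import namedtuple

# Address ranges that make up the control network (constructed).
CONTROL_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Asset inventory: every device that is expected to exist (constructed values).
ASSET_INVENTORY = {
    "10.10.1.10": "PLC-1 (vendor X, firmware 2.3)",
    "10.10.1.11": "PLC-2 (vendor X, firmware 2.3)",
    "10.10.2.20": "HMI-1 (operator workstation)",
    "10.10.2.21": "Engineering workstation",
    "10.10.3.30": "Historian",
}

# Baseline of expected flows as (src, dst, proto, dport) tuples (constructed).
FLOW_BASELINE = {
    ("10.10.2.20", "10.10.1.10", "tcp", 502),    # HMI polls PLC-1 (Modbus/TCP)
    ("10.10.2.20", "10.10.1.11", "tcp", 502),    # HMI polls PLC-2
    ("10.10.3.30", "10.10.1.10", "tcp", 502),    # Historian reads PLC-1
    ("10.10.3.30", "10.10.1.11", "tcp", 502),    # Historian reads PLC-2
    ("10.10.2.21", "10.10.1.10", "tcp", 44818),  # engineering access (EtherNet/IP)
}

Flow = namedtuple("Flow", "ts src dst proto dport")


def parse_log(lines):
    """Parse 'ts src dst proto dport' lines, skipping blank, comment and malformed ones."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
        except ValueError:
            continue  # not a valid address or port; ignore the line
    return flows


def is_internal(ip):
    """True when the address belongs to one of the control-network ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONTROL_NETWORKS)


def analyse(flows, inventory=ASSET_INVENTORY, baseline=FLOW_BASELINE):
    """Answer the 'how do you know' questions for a batch of observed flows.

    Returns a dict with: internal addresses missing from the inventory,
    flows that cross the control-network boundary, and internal flows
    that are not in the expected-communication baseline.
    """
    findings = {"unknown_devices": set(), "external_connections": [], "new_flows": []}
    for f in flows:
        for ip in (f.src, f.dst):
            if is_internal(ip) and ip not in inventory:
                findings["unknown_devices"].add(ip)
        if not is_internal(f.src) or not is_internal(f.dst):
            findings["external_connections"].append(f)  # air-gap violation
            continue
        if (f.src, f.dst, f.proto, f.dport) not in baseline:
            findings["new_flows"].append(f)  # unexpected internal communication
    return findings


# Constructed sample log: normal polling plus three things an assessment should surface.
SAMPLE_LOG = """
2024-01-15T08:00:01 10.10.2.20 10.10.1.10 tcp 502
2024-01-15T08:00:02 10.10.2.20 10.10.1.11 tcp 502
2024-01-15T08:00:05 10.10.3.30 10.10.1.10 tcp 502
2024-01-15T08:01:10 10.10.2.21 10.10.1.10 tcp 44818
# a laptop that is not in the inventory talking to PLC-1
2024-01-15T08:03:44 10.10.9.77 10.10.1.10 tcp 502
# engineering workstation reaching outside the control network
2024-01-15T08:05:12 10.10.2.21 192.168.50.5 tcp 445
# historian talking to the HMI on a port nobody baselined
2024-01-15T08:06:00 10.10.3.30 10.10.2.20 tcp 3389
this line is malformed and is skipped
"""


def summarize(findings):
    """Render findings as report lines."""
    lines = [f"unknown devices: {sorted(findings['unknown_devices'])}"]
    lines += [f"external connection: {f.src} -> {f.dst}:{f.dport}/{f.proto} at {f.ts}"
              for f in findings["external_connections"]]
    lines += [f"unexpected flow: {f.src} -> {f.dst}:{f.dport}/{f.proto} at {f.ts}"
              for f in findings["new_flows"]]
    return lines


if __name__ == "__main__":
    for line in summarize(analyse(parse_log(SAMPLE_LOG.splitlines()))):
        print(line)
```

Run it as-is to see the three findings from the constructed log; in practice the inventory and baseline would be generated from a discovery or assessment pass and then reviewed by the control engineers, and the flow lines would come from a span port, a firewall, or a passive monitoring sensor. Anything in `external_connections` is exactly the "forgotten" modem, VPN or corporate link the article describes, and an entry in `unknown_devices` is the transient laptop that nobody inventoried.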