HUG: Myth of air gaps

In case anyone was wondering, air gaps don’t exist.

By Greg Hale, ISSSource.com June 29, 2012

In case anyone was wondering, air gaps don’t exist.

They may have at one time, but in today’s modern manufacturing automation environment, they are not viable. An air gap is a physical gap between a network in the enterprise and a control system where digital information cannot cross that line. Yes, vendors and experts talk about air gaps as being a supreme security measure, but if you listened to Eric Byres, chief technology officer and vice president of Tofino Security, during his session entitled “Air Gaps and Unicorns: Do they really Exist?” at Honeywell Users Group (HUG) 2012 in Phoenix, Ariz., a super worm, like Stuxnet, didn’t even care if there was an air gap or not. It had quite a few different attack vectors and it knew how to use them.

“Stuxnet was assuming there was always another pathway in,” Byres said. “Stuxnet played on the human nature of control systems.”

If everyone is fine with the idea an air gap does not really play into the security equation, then the next step is to understand what you really have to protect and then work on a plan that involves solid technology and also fit in the human factor.

“If you want security to work, you have to have it work with the way a human works,” Byres said. “If you design security that runs counter to human nature, then that will be a design flaw.”
Some of the areas Byres said a user should do are:

  • Manage all flows into the industrial control system (ICS)
  • Manage all flows out of the ICS
  • Subdivide the ICS system employing the zones and conduits approach
  • Detect unusual behaviors on the ICS system
  • Don’t focus on protecting your system, focus on knowing your system.

One of the areas Byres talks about frequently is companies should not get caught up in the hype of the latest huge potential attack, but rather understand what you really have to protect.

“Have strategies for looking at all pathways,” he said. “Always protect the crown jewels. Start with what really matters.”

One of the ways to protect those key assets is to understand the system.

“Control systems are usually pretty steady. Knowing that, you can really find out and understand when there is some anomaly on the system. That is something to look at.”

There is no one way to protect systems, instead there is a multitude of options a user must employ to keep the system up and running.

“You have to remember air gaps are a dangerous illusion,” Byres said. “Defense in depth is the only real defense.”