Reposted with permission from ISS Source
There is real appeal in today's movement toward digitalization: patches, fixes and updates can all be installed online to keep systems running at peak efficiency, with gains in productivity and profitability.
However, some critical networks are deliberately kept shut off (or nearly shut off) from the outside environment, that is, air-gapped. The goal of an air-gapped network is to keep outside malicious activity out by leaving attackers no external connection through which to get in and tamper with the network.
To apply fixes and updates in those networks, alternative methods are needed to keep things operating. Among those methods is carrying the latest version of the software on a USB drive and inserting it into systems so personnel can update and fix outdated programs.
The catch is that while USB drives are a practical way to update an air-gapped system, they can also carry malware capable of bringing that system down.
Take the Stuxnet attack, uncovered in 2010, as the classic case in point. The infection began with a USB drive carrying malware that infiltrated the air-gapped network of the Iranian nuclear facility at Natanz and then wreaked havoc on the centrifuges while operators believed everything was running normally. That attack damaged hundreds of centrifuges and set back the country's nuclear program for years.
While Stuxnet may appear an extreme case of an attack on an air-gapped system, there are smaller, everyday cases: modems and wireless links set up by contractors, maintenance staff or control engineers to make transferring data in or out easier. Laptops, tablets and smartphones that move between networks can bridge the gap in the same way.

Eliminate Avenues of Entry
In this era of digitalization, a USB drive, smartphone or tablet can boost productivity and keep a system updated, but the reality is that no network is truly air-gapped. There is always some way an attacker could get in. The goal is to eliminate as many of those avenues of entry as possible.
“If you think of the various critical infrastructure markets, air-gapped networks are being used in power generation, water and wastewater, and a number of other critical industries as a way of isolating their critical assets in the OT operational network from any outside threats,” said Sal Morlando, senior director of products at security provider OPSWAT. “Air gaps will continue to be deployed in a number of critical markets. I don’t see air gaps moving away. It’s the opposite. More industries will adopt air gaps as a means to protect from outside network-borne threats.”
For years industry wags have said air gaps just don't exist, and technically they are correct: organizations still implement them, but the result is never truly airtight against attack.
“You still have systems that are operating within the air-gapped network that need to be monitored for their health, need to be updated and kept current, and need to exchange data with systems residing outside of the air gap,” Morlando said. “The challenges really stem from the use of secure technologies that can move data securely into and out of an air-gapped network. A number of technologies have emerged to address that while maintaining isolation between the air-gapped network and outside networks.”
Unidirectional gateways (data diodes) are one option for moving data out of an air-gapped network.
“That technology is an enforced one-way transfer of data across a protocol break, so the source network and destination network, essentially the air gap network and the outside network, are not connected over a routable connection,” Morlando said. “That’s an approved technology that’s used by, say, the nuclear power generation industry and a number of other critical infrastructure markets for securely moving data out or moving data in, while preserving an air gap.”
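To make the property Morlando describes concrete, here is an added simulation of a one-way transfer. It is not OPSWAT's or any vendor's gateway code; the frame layout, the SHA-256 integrity check and the loss pattern fed to transfer() are assumptions made for the demonstration. The receiver holds no reference to the sender, so it cannot acknowledge, reject or request a resend; all it can do is verify each frame and detect gaps from the sequence numbers, which is why one-way products send redundant copies instead of relying on retransmission.

```python
"""Simulated unidirectional (one-way) transfer with no return path.

Added illustration for this article; it is not OPSWAT's or any vendor's gateway
code. The frame layout, the SHA-256 integrity check and the loss pattern in
transfer() are assumptions made for the demonstration.
"""
import hashlib
import struct
from dataclasses import dataclass, field

MAGIC = b"DIOD"
HEADER = struct.Struct(">4sIH")          # magic, 32-bit sequence number, payload length
DIGEST_LEN = hashlib.sha256().digest_size


def frame(seq: int, payload: bytes) -> bytes:
    """Everything the receiver will ever see: header, payload, digest."""
    return HEADER.pack(MAGIC, seq, len(payload)) + payload + hashlib.sha256(payload).digest()


class OneWaySender:
    """Pushes frames across the break. Sending `repeat` copies of each frame is
    the only loss mitigation available when nothing can ever come back."""

    def __init__(self, repeat: int = 1):
        self.seq = 0
        self.repeat = repeat

    def send(self, payload: bytes) -> list:
        f = frame(self.seq, payload)
        self.seq += 1
        return [f] * self.repeat


@dataclass
class OneWayReceiver:
    """Holds no reference to the sender, so it cannot ACK, NACK or ask for a resend."""
    expected_seq: int = 0
    received: list = field(default_factory=list)
    gaps: list = field(default_factory=list)      # (first, last) missing sequence ranges
    corrupt: int = 0
    duplicates: int = 0

    def receive(self, f: bytes) -> bool:
        if len(f) < HEADER.size + DIGEST_LEN:
            self.corrupt += 1
            return False
        magic, seq, length = HEADER.unpack_from(f)
        payload = f[HEADER.size:HEADER.size + length]
        digest = f[HEADER.size + length:HEADER.size + length + DIGEST_LEN]
        if (magic != MAGIC or len(payload) != length
                or hashlib.sha256(payload).digest() != digest):
            self.corrupt += 1
            return False
        if seq < self.expected_seq:      # a redundant copy of a frame already taken
            self.duplicates += 1
            return False
        if seq > self.expected_seq:      # frames lost in transit; only the gap is knowable
            self.gaps.append((self.expected_seq, seq - 1))
        self.expected_seq = seq + 1
        self.received.append(payload)
        return True


def transfer(messages, drop=frozenset(), corrupt=frozenset(), repeat=1) -> OneWayReceiver:
    """Run messages through a lossy one-way channel. `drop` and `corrupt` are
    positions in the wire sequence (0-based, counting repeated copies)."""
    sender, receiver = OneWaySender(repeat), OneWayReceiver()
    wire = 0
    for m in messages:
        for f in sender.send(m):
            pos, wire = wire, wire + 1
            if pos in drop:
                continue
            if pos in corrupt:           # flip the first payload byte in transit
                f = f[:HEADER.size] + bytes([f[HEADER.size] ^ 0xFF]) + f[HEADER.size + 1:]
            receiver.receive(f)
    return receiver


# Constructed sample records, e.g. historian rows leaving the OT network.
MESSAGES = [f"tag{i},{20.0 + i:.1f}".encode() for i in range(6)]

if __name__ == "__main__":
    single = transfer(MESSAGES, drop={2}, corrupt={4})
    print("no redundancy:", len(single.received), "received, gaps", single.gaps)
    double = transfer(MESSAGES, drop={4}, corrupt={8}, repeat=2)
    print("each frame twice:", len(double.received), "received, gaps", double.gaps)
```

With one copy per frame, dropping wire frame 2 and corrupting frame 4 leaves the receiver with four of six records and two recorded gaps it can report but never repair. With two copies per frame the same two faults cost nothing, because the surviving copy of each frame fills in; the receiver only sees one corrupt frame and four discarded duplicates. Real products add forward error correction and scheduled re-sends on the same principle.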

Scanning USB Devices
“When it comes to bringing data into or out of these areas, whether you’re collecting logs or you’re going to apply an update, you’re often reliant on removable media or USB devices to apply those patches, or updates, or bring logs in and out,” said Matt Wiseman, senior product manager at OPSWAT. “And bringing in an unscanned USB device poses a huge risk. So, we need to ensure there’s some type of scanning station or kiosk in place, so all data brought in has been checked and sanitized before it’s allowed into that protected network.
“All portable media really does pose quite a large threat. When you have these networks that are air-gapped, and they’re isolated from the broader Internet, we need to bring things in and out. It’s really a necessity in order to get data in and out of these environments to use some type of tool. It really comes down to three key areas to make sure that we’re as safe as possible.
“The first would be with our people. They tend to be our weakest link, and we need to make sure that everyone’s trained and understands how to bring USBs in and out of a protected network. We need to be sure they’re aware of the threat these devices can cause, and training everyone on a regular basis can be extremely effective. It can help to create more of a culture of cybersecurity within your organization, keeping cyber top of mind.
“I think the second piece would be policy; have a clear, defined, written policy around the use of any type of USB or removable media to ensure there are no gaps. We want to make sure when we go from one facility to another, these devices are being treated in the same way.
“The last piece would be through technology. To have strong cybersecurity technology in place designed for your environment is really a must. If your people are trained well, and they’re aware of the risks, you have policy about what they need to do, and then, technology that can actually scan these different USB devices, ensure that what’s being brought in is safe, and to have that physical presence of a kiosk,” Wiseman said.
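The scanning station Wiseman describes comes down to a set of admission checks run on every file before it is copied onward. The following is an added example of that logic, not OPSWAT's kiosk or any vendor's product: the policy tables, the sample drive contents and the single denylist hash are all constructed for the demonstration. It applies the checks a practitioner would expect a kiosk to make as a minimum: a hash denylist, a filename policy that refuses autorun files, shortcuts and executables, an allowlist of permitted formats, and a content check that judges a file by its leading bytes rather than its name, so an executable renamed to .pdf is refused. The manifest it produces doubles as the transfer record.

```python
"""Admission checks for files carried in on removable media.

Added illustration for this article; it is not OPSWAT's kiosk or any vendor's
product. The policy tables, the sample media tree and the denylist entry are
all constructed for the demonstration.
"""
import hashlib
import pathlib
import tempfile

# --- Policy (assumed for illustration) -------------------------------------
BLOCKED_NAMES = {"autorun.inf", "desktop.ini"}
BLOCKED_EXT = {".exe", ".dll", ".scr", ".lnk", ".msi", ".js", ".vbs", ".ps1", ".bat", ".cmd"}
# Extensions admitted for transfer and the leading bytes each must carry
# (None marks a plain-text format, checked by decoding instead).
ALLOWED_EXT = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04",
               ".csv": None, ".txt": None, ".log": None}
# Leading bytes of native executables and scripts; refused whatever the name says.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"#!")
# Hash denylist. The one entry is the digest of a constructed sample, not real malware.
KNOWN_BAD = {hashlib.sha256(b"constructed known-bad payload").hexdigest()}


def classify(path: pathlib.Path) -> tuple:
    """Return (verdict, reason, sha256) for one file, cheapest and most
    decisive rules first."""
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    name = path.name.lower()
    ext = path.suffix.lower()          # final suffix only: 'update.pdf.exe' -> '.exe'
    if digest in KNOWN_BAD:
        return "block", "hash on denylist", digest
    if name in BLOCKED_NAMES or ext in BLOCKED_EXT:
        return "block", f"filename policy ({name})", digest
    if ext not in ALLOWED_EXT:
        return "block", f"extension {ext or '(none)'} not on allowlist", digest
    if data.startswith(EXEC_MAGIC):
        return "block", f"executable content disguised as {ext}", digest
    expected = ALLOWED_EXT[ext]
    if expected is not None and not data.startswith(expected):
        return "block", f"content does not match {ext} signature", digest
    if expected is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return "block", "binary content in text file", digest
    return "allow", "passed checks", digest


def scan_media(root) -> list:
    """Walk a mounted drive and produce a manifest; the kiosk copies only the
    'allow' entries onward and keeps the whole manifest as the transfer record."""
    root = pathlib.Path(root)
    manifest = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            verdict, reason, digest = classify(p)
            manifest.append({"path": p.relative_to(root).as_posix(),
                             "sha256": digest, "verdict": verdict, "reason": reason})
    return manifest


def admitted(manifest) -> set:
    return {e["path"] for e in manifest if e["verdict"] == "allow"}


# Constructed sample drive contents (not files from any real incident).
SAMPLE_FILES = {
    "updates/release_notes.pdf": b"%PDF-1.4\n% constructed sample document\n",
    "updates/sensor_readings.csv": b"ts,value\n1700000000,42.1\n",
    "updates/invoice.pdf": b"MZ\x90\x00 PE stub wearing a .pdf name",
    "updates/update.pdf.exe": b"MZ\x90\x00",
    "autorun.inf": b"[autorun]\nopen=updates\\update.pdf.exe\n",
    "patch.lnk": b"L\x00\x00\x00",
    "patchnotes.txt": b"constructed known-bad payload",
    "config.bin": b"\x00\x01\x02",
}


def build_sample_media() -> pathlib.Path:
    """Write the constructed sample tree to a temporary directory standing in
    for a mounted USB drive."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="usb_kiosk_"))
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for entry in scan_media(build_sample_media()):
        print(f"{entry['verdict']:5} {entry['path']:32} {entry['reason']}")
```

Run against the sample tree, only the genuine PDF and the CSV are admitted; the renamed executable, the shortcut, the autorun file, the double-extension update and the denylisted text file are all refused with a stated reason. A production kiosk layers multi-engine antivirus scanning and content disarm on top of checks like these, but the ordering shown, deciding on what the bytes are rather than what the name claims, is the part that matters for removable media.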

Best Practices
In terms of best practices to employ in an air-gapped environment, Morlando said there were plenty of options.
“Incorporating user controls around the use of portable media is important,” he said. “And basically, user access to information removed from the OT environment is also an important part of the security policy. One other capability is data loss prevention, for example, where information that’s extracted from an environment that may be confidential is redacted, so information can’t compromise the organization going forward. There’s a wide range of security policies that can be wrapped around portable media security that should be adopted.”
Technology shifts are driving an increasing amount of data exchange between industrial control systems and the corporate environment. As more manufacturers embrace portable media, a solid security plan will help deliver what the organization wanted from an air-gapped environment in the first place: a secure working environment.