Many networks across a variety of verticals including government, military, financial services, power plants, and industrial manufacturing have been so-called “air-gapped.” This means they are physically and logically isolated from other networks where communication between these networks is not physically or logically possible. This can be a good thing or bad thing depending on your network needs.
In the industrial vertical, these air-gapped networks were the networks that supported the industrial control systems within the plant or factory where communication was physically or logically isolated between the plant and the enterprise networks.
In today’s Industry 4.0 revolution—where the network is the control system—analyzing data from the industrial process is key to driving optimization and efficiency. With more and more “smart” field devices (connected and managed through the network), the notion of whether air-gapped industrial networks are practical for the future, or if there is really an air-gapped network today, is worth considering.
Are Air-Gapped Systems Really Secure and Effective?
In theory, air-gapped networks seem like a good idea. In practice, it is another story. Do they really guarantee isolation from the internet or from the corporate business network?
It has been proven in a number of different scenarios that air-gapped networks can be infiltrated. The most famous of these examples is Stuxnet, the worm that was able to target and disrupt the process of enriching uranium that could be used to manufacture nuclear warheads in Iran’s Natanz nuclear facility.
There are many other non-threatening examples like modems and wireless networks being set up by contractors, maintenance, or control engineers to make their lives easier to transfer data in or out of the air-gapped networks. What about transient devices such as laptops, tablets and smart phones? Don’t forget about removable media (USB, CD-ROM, et al.), remote access and data coming via sneakernet (any means of transferring data without it traversing a network). Are these environments truly air-gapped?
All of these examples prove that nothing is truly air-gapped or that it can’t stay 100% air-gapped over time. Do air-gaps give us a false sense of security? How many times do cybersecurity professionals hear, “Oh, we are air-gapped. We do not need to worry about cybersecurity”? If that is the case, how does someone know if they are air-gapped if they do not assess or monitor their networks for new data coming in from removable media/transient devices or external network connections being set up with modems or VPN’s?
At the end of the day, new data is coming into these so-called “air-gapped” environments. What’s the best management strategy?
Questions to Consider
How do you know if data is coming in or going out of your network? How do you know if there are external connections being set up for ease of use for employees, contractors, or vendors?
To be able to answer the variety of “how do you know” questions, it comes down to knowing your network and placing preventative controls around it to be able to continuously answer questions like these:
- What devices are on it?
- What are those devices communicating?
- Who are those devices communicating to?
- What is normal communication between those devices?
- Are any external connections being set up?
Just like we monitor and measure quality characteristics of the output of our industrial processes (such as inventory, scrap, rework, physical dimensions, overall equipment effectiveness, accidents, etc.), we need to monitor and measure our environments for abnormal behavior—configuration changes, communication pattern changes, exploitation of vulnerabilities, new or unexpected network connections, etc.—which will help us recover from special causes that impact the operation of our process including but not limited to misconfiguration, human error, cybersecurity events, machine failure, and the like.
If you have not started your industrial cybersecurity journey, a good place to start is with an industrial cybersecurity vulnerability or risk assessment. Cybersecurity vulnerability assessments typically find that an environment is never completely air-gapped. Assessments usually find evidence of unsanctioned external connections created by control engineers, most often for non-threatening, non-malicious reasons.
These undocumented, unapproved network connections are usually created to ease an engineer’s system maintenance and/or troubleshooting responsibilities to avoid having to sneakernet a file or program to the control environment. Most of the time, these are only set up to provide short-term relief, but what happens is workers forget to break connections, leaving the air-gapped network wide open to other communication channels where behavior tends to lend itself to the malicious kind.
Performing cybersecurity vulnerability assessments will provide a review of your environment for weaknesses that could impact your industrial process, and include remediation recommendations and a look into your external network connections where data could be coming in or going out of your environment.
Foundational Cybersecurity Controls: The Next Step
Concentrate on foundational cybersecurity controls. Do not try and boil the ocean with advanced techniques. Three key foundational cybersecurity controls that will mitigate the most risk from both internal and external threats are the following:
- Understand and manage data flows, that is, network communication. Maintain an accurate asset inventory (vendor, make, model, firmware version, etc.), and monitor device data flows (what is expected and what is abnormal).
- Enforce expected communication patterns or data flows with network segmentation.
- Monitor and manage configuration changes of all devices within the control network.
With regard to managing data flows, it all starts with creating and maintaining an accurate asset inventory inclusive of hardware and software. Once an accurate asset inventory is complete, you can then begin to understand and manage all data flows (communication patterns) in and out of your control networks for things such as:
- File transfers—FTP, SFTP/SCP, etc.
- Transient devices—laptops, tablets, mobile phones, etc.
- Removable media—including USB keys.
- Internal network connections—intra cell or zone as well as inter cell or zone.
- External connections—all connections to/from business or corporate network, suppliers, vendors, etc.
- Wireless networks—especially those set up on the fly for ease of use.
How do you gain visibility to data flows? You must know what is connected to your network (accurate asset inventory) and then monitor data flows from those devices traversing your network.
Consider implementing a passive monitoring solution, such as Tripwire Industrial Visibility, that has been developed from the ground up to help you understand industrial protocols and industrial control networks, inventory devices, (vendor, make, model, firmware version, etc.), and understand what protocols the devices are using to communicate on the network. There’s also a learning mode where all assets and communication baselines are learned, and then once the solution is placed in operational mode, it will alert on any devices from those operational baselines.
Adding Preventative Controls
Once data flows are learned and understood, the next step is to put a preventative control in place to enforce those communication patterns. This is where an industrial security appliance, such as the Tofino Xenon, can help. It is able to perform deep packet inspection and sanity checking on the industrial protocol to enforce authorized communication between devices and/or networks.
Managing Device Configuration Changes
Last but certainly not least is the ability to manage changes to device configurations. This includes all kinds of devices such as controllers, HMI’s, RTU’s, engineering workstations, routers, switches, databases, and firewalls.
Often, production outages are the result of system changes—a configuration setting, firmware version, new port opened, new device connected to the network, etc. How long does it take to first understand something changed and then revert that change so that the process is back to operating at a functional, productive state?
Managing changes and understanding if changes adhere to authorized work orders in ticketing systems is critical, particularly around changes in controllers, whether it be new ladder logic added to a program or whether it be a change to the controllers operating mode: run, program, test, etc. Don’t let changes manage your day-to-day operation. Manage changes through visibility via a change management policy. Monitoring solutions are needed irrespective of whether you air-gap to maintain full control of your industrial environment or not.
—Gary DiFazio is strategic marketing director at Tripwire, a leading global provider of security and compliance solutions for enterprises and industrial organizations.