The Airgap Is Not Enough: The Failed Security Perimeter Paradigm in OT Networks

Operational technology (OT) electronics and networks for manufacturing, energy production, and virtually every other industrial application, are targets for cyberattacks. For infrastructure-related companies, such as power producers, transportation, and water plants, the OT networks are not only the revenue producers, but also important targets for destabilizing national security. Successful attacks can be destructive and costly, but the cost of the tools, training, and rigor to secure systems is also high.

What Is an Airgap?

An inexpensive perimeter defense solution to secure OT networks has become prevalent: Isolate the network from the internet with an “airgap” or a unidirectional communication device that blocks incoming communication and thus cyberattacks. With an airgap in place, other cybersecurity measures, such as the application of security patches, are no longer perceived to be necessary, reducing costs. In practice, the airgap solution is insufficient.

The airgap defense is not a new or revolutionary idea. Because it is so simple, its application is common and well-known to attackers. The airgap removes one possible route to attack the system, the internet. However, the prize of compromising the OT network is enough to spur the use of other methods of attack.

Malicious cyber criminals, such as hacker groups called APTs (Advanced Persistent Threats), are motivated and well-funded. Many are suspected to be controlled by established criminal organizations and/or hostile nation states. Motivated not by financial gain, but destabilization and disruption, well-funded and tenacious hackers have developed a suite of attack methods and tools that allow them to compromise air-gapped networks.

Bypassing Airgaps

The airgap relies on people and processes to be effective. One of the most powerful tools in the cyber attacker’s arsenal is manipulation of those people and processes using social engineering. This can be as simple as making a malicious phone call to their target. The attacker does their homework in advance, learning as much as possible about the company. They use this information to masquerade as employees of the company with the authority to make changes to the system. Using this social pressure, they persuade the target to circumvent the processes in place. This could be installation of malicious software, or hardware, compromising the system. This method has been well-documented by one of the world’s most infamous hackers turned good, Kevin Mitnick, in his book The Art of Deception: Controlling the Human Element of Security.

The dynamic nature of operations opens the door to other insider threats. In the ideal airgap world, nothing changes, nothing fails, and nothing is added or removed. However, airgap-isolated OT systems are not static. Therefore, users should have a procedure to check for viruses and malware before introducing anything new to an islanded system. A mistake where an employee forgets to perform the procedure, or perhaps scans the wrong files, could allow malicious code to propagate past the airgap. Just as likely is the employee that intentionally circumvents the burdensome process, not understanding its importance. Even worse, a disgruntled employee could purposely compromise the network.

Supply Chain Risks

Sometimes attacks are not targeted directly at a facility, but instead at an entire industry by compromising that industry’s supply chain. In this case, the trusted relationship between the company and its suppliers is used to infiltrate the network.

Consider the watering hole attack detailed in ICS-ALERT-14-176-02A. Multiple industrial control system (ICS) vendor websites became the targets of hackers. The vendors’ installer software packages were compromised, and the infected software was posted to the vendor websites. Unsuspecting technicians looking to download manufacturer’s files were unwittingly redirected to download infected files that appeared to be legitimate. Once the configuration software was compromised, techs could unsuspectingly install the compromised but trusted files on the OT network, circumventing the airgap.

Supply chain attacks can start even deeper. Manufacturers of OT systems often build their devices using sourced components such as third-party software, chips, and network interfaces. One method for infiltration into secure networks is to build backdoors into those components. There is a very real possibility that nation states force companies under their control to build clandestine malicious code into their components. These could get past the airgap as part of a legitimate device and result in system compromise.

Sub-contractors that work with target companies offer another indirect path for attacks. Trusted subcontractors could be allowed to set up temporary bridges across the airgap or connect their laptops directly to devices in the system to simplify their work. Infecting the computer systems and configurations of subcontractor computers provides a conduit to deliver malicious software to the OT network. This was in part the way that the powerful Stuxnet attack was perpetrated on the Iranian nuclear program. An infected USB key was deposited in the contractor’s parking lot; it was then inserted into the sub-contractor’s computer, which was used to infect the target organization.

Previously Undetected Code

The Stuxnet attack used another important methodology that can circumvent even the most sophisticated malware detection software, the zero-day attack. Malware and antivirus scanners are used to identify malicious software that uses known defects (vulnerabilities) to attack systems. The zero-day attack uses new, previously undiscovered vulnerabilities to perpetrate attacks so there are no signatures to check against.

To perpetrate such an attack, hackers invest time and energy into finding a new way to compromise a device or software. Using the newly discovered vulnerabilities, the attackers use one of the above methods to get past the airgap.

Once the malicious code has been inserted into the OT network, the attacker has many options. While the airgap does negate some of the preferred tools hackers like to use, such as opening a discrete internet connection to steal information or gain real-time control of the system, there are nefarious outcomes. The attacker could seek to destroy configurations, tamper with backups, or alter the behavior of machines. The attack could be subtle, altering system performance to frustrate operators. It could be blunt, locking systems while demanding ransoms or causing destruction.

Once an attacker has gained access to a network that is entirely reliant on a perimeter security, the system is at the mercy of the skill and creativity of the attacker. Companies must employ a risk management approach to understand the impact of a cyberattack and the likelihood of its occurrence. In some cases, companies may justify to themselves that they are not likely targets for an attack and that the perimeter defense, while imperfect, provides enough mitigation for their business needs. They can accept the risk. Should this argument be presented, a real understanding of the impact of compromised operations, including wasted time in troubleshooting, disaster recovery, and damaged equipment, should be included in the analysis.

Action Required to Secure OT Networks

It is also important to understand that attacks on OT networks are becoming more prevalent. The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint alert in 2020 imploring asset owners to take immediate action to secure their OT networks. OT cybersecurity is also not just for large corporations. Cyber attackers have also shown a trend in attacking small- and medium-sized facilities, understanding that they are often insufficiently staffed and prepared for a cyberattack.

Companies clearly need ways to defend against cyberattacks that get past the perimeter. Unfortunately, there is no silver bullet that solves this predicament. Owners need a way to understand the assets in their system, identify and contain malware, and patch systems appropriately. Investment in tools for detection and forensic analysis of an attack should also be considered, particularly for high-value OT networks. Because there is always a risk that even the most sophisticated defense could be compromised, an incident response plan and well-practiced disaster recovery plan are essential investments.

Any investment in cybersecurity should be done after a real examination of a company’s own cybersecurity competence. There are industrial companies that implement a perimeter-based security paradigm with a clear understanding of the risks they are taking. There are others that implement the airgap and believe they have secured their system. Unfortunately, the perimeter defense paradigm is not robust enough to truly secure a system on its own. Supply chain compromise, zero-day attacks, and social engineering are simple, well-proven methods for overcoming the airgap defense.

Cyber attackers continue to innovate and create new methods for compromising systems. It is naïve to think they have not and will not find further methods of attack. Knowing that the airgap is insufficient, companies that employ these solutions should consider more robust methods for securing their valuable networks.

—Eric MacDonald, P.Eng. is Business Development Manager, Cyber Security and Digitalization with Siemens Energy Canada, and Jonathan Tubb, PE is Lead Cyber Business Developer North America with Siemens Energy.