The air gap is low-tech but still has value as a barrier against cyber attacks.
Yes, devices and systems are connected wirelessly all the time, but if industrial control systems (ICS) are segregated from enterprise networks, it’s a lot harder for malware to jump from one to the other.
As Security Week put it earlier this month, the historical use of the air gap meant that “factories and shipyards were more or less immune to cyber-attack … it didn’t matter how pernicious or effective the cyber-threat became, we felt confident that these virtual concerns couldn’t impact our physical infrastructure.”
Not so much anymore, because the use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology).
The results in just one industry—shipping—are predictable. One of the most high-profile examples is the NotPetya ransomware attack that took down the computer network of the Danish container firm Maersk, affecting its shipping, tugboat, and oil tanker operations and costing it an estimated $300 million.
More recently, in just the past several months, three international ports—Long Beach, Barcelona, and San Diego—were hit with major security breaches between July and September.
Also, Mfame reported that this past summer, a team of white hat hackers from Pen Test Partners (PTP) conducted a mock attack on a vessel “and found three different ways to intercept and modify serial data—which control steering, engine control and more—on a ship’s network.”
As in, hackers could change the heading of the ship—a real-world physical effect that could have catastrophic consequences. And even if the damage is not something like a collision, such attacks could cause economic havoc, disrupting global trade.
Could the rigorous use of air gaps have prevented all those attacks from succeeding? Not necessarily. Evgeny Gervis, managing consultant with Synopsys, notes that an air gap “is just one perimeter control. At the end of the day, the OT has to be secure. One cannot rely on air gapping to compensate for broken security in the OT environment.”
And Adam Brown, associate managing consultant at Synopsys, said that the reality of the impending “smart shipping” environment will soon mean that much of the time, air gapping won’t be feasible anyway.
“Smart ports using smart contracts for delivery simply won’t be able operate within an air gap,” he said. “In those cases very careful attention must be given to the security of the software running that technology.”
That is still in the future. “For now we do still rely on ship load plans and cargo information being transferred manually by USB—so there is still an air gap,” he said. “But there is no message integrity checking, so that vulnerability can still be exploited through malware or phishing.”
He also noted that air gaps can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities. In that attack, the malware was delivered physically, via a thumb drive.
But that doesn’t mean the air gap is worthless either.
“It would be more effective if there was actual air gapping,” Gervis said. “In reality, business use cases often require that OT and IT become more intertwined. It’s not that air gapping is not feasible technically; it’s that we choose to intentionally break it to support these business use cases. The decision of whether the risk is worth the reward comes down to risk management.”
With use of the air gap declining, some ICS organizations are turning to AI (artificial intelligence) to “learn” what is normal behavior and detect when there are anomalies. But that is not a magic bullet either.
Brown said monitoring is important, but “reliance on monitoring to intercept threats is very far right in the SDLC [software development life cycle]. It’s more important to build secure software in the first place.”
And to keep it up-to-date as well. As numerous experts have noted, a lot of the vulnerabilities in ICS are due to the use of outdated (and unsupported) operating systems like Windows XP and failure to install patches and updates—the kinds of things frequently called “basic security hygiene.”
But Brown notes that the more fundamental problem is the use of broken software—software that has been broken for a very long time.
He said research by cyber security firms has shown that there are “some super-basic design flaws in the software running that technology—things that I was surprised to see still in the wild today.”
“Basically the technology is created broken, and without total overhaul of the software, it will stay broken.”
So for the shipping industry and other ICS operators, Brown said there needs to be another gap—this one in how data are stored and managed.
If technology can’t be patched, updated, or replaced, “it really must have a plan put around its use,” he said. “It should address what data [are] allowed to be stored on those devices, how information coming from those devices should be treated, and whether it can be trusted.”
“And where possible, many of these devices should be kept well away from the standard ship network, which is normally internet-connected, and, if possible, run in isolation,” he said.