In theory, an air gap sounds like a good strategy—but it’s not that simple. A common misconception is to assume that air gapping means your network has no connections to any other network. Assessments often prove that most assumed air gaps aren’t really air gapped.
You can—maybe—one day ensure that your network is truly air gapped. But what will you do when an engineering consultant needs to adjust the industrial process to improve quality or efficiency? Especially if it is to fix a design fault, saving millions without causing downtime? What about updates and fixes to software? Remote support? Below are some reasons to consider mitigations, or to move away from air gapped networks altogether.
Compromised Personal Devices
Most employees will attempt to connect their devices and peripherals to the network, whether to charge a mobile phone or to transfer files using a USB drive. Some studies show that 60% of employees will insert USB drives even when they were found on the floor in the car park. If the drive carries an official logo, the figure rises to 90 percent. Shockingly, these results come from organizations where ICS operators and staff are trained regularly on cybersecurity awareness.
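One practical control for the removable-media problem described above is to audit what actually gets plugged in against a list of sanctioned transfer media. The following is an added example, not code from the original article: it parses constructed Linux kernel log lines (in the style of `dmesg`) for USB attach events, groups them by port path, and reports any mass-storage device whose vendor, product and serial number are not on a hypothetical allow-list. The allow-list, the sample log lines and the device identifiers are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines in the style of `dmesg` on Linux.
# They are not captured from any real host; they only exercise the parser.
SAMPLE_DMESG = """\
[  120.101] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  120.250] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  120.251] usb 1-1: Product: Ultra Fit
[  120.251] usb 1-1: Manufacturer: SanDisk
[  120.251] usb 1-1: SerialNumber: 4C530001234567890123
[  120.400] usb-storage 1-1:1.0: USB Mass Storage device detected
[  340.010] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[  340.120] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  340.121] usb 1-2: Product: USB Keyboard
[  340.121] usb 1-2: Manufacturer: Logitech
[  900.500] usb 2-1: new high-speed USB device number 2 using xhci_hcd
[  900.650] usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  900.651] usb 2-1: Product: Flash Disk
[  900.651] usb 2-1: Manufacturer: Generic
[  900.651] usb 2-1: SerialNumber: 000000000001
[  900.800] usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allow-list of sanctioned transfer media, keyed by
# (idVendor, idProduct, serial). A real list would come from the media
# issued by the site's file-transfer procedure.
APPROVED_MEDIA = {
    ("0781", "5583", "4C530001234567890123"),
}

ID_RE = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE_RE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text):
    """Group kernel log lines by USB port path (e.g. '1-1') and collect
    the vendor/product ids, serial number and whether a mass-storage
    interface was bound to the device."""
    devices = defaultdict(dict)
    for line in log_text.splitlines():
        if m := ID_RE.search(line):
            devices[m.group(1)].update(vendor=m.group(2), product=m.group(3))
        elif m := SERIAL_RE.search(line):
            devices[m.group(1)]["serial"] = m.group(2)
        elif m := STORAGE_RE.search(line):
            devices[m.group(1)]["mass_storage"] = True
    return dict(devices)


def unapproved_storage(log_text, approved=APPROVED_MEDIA):
    """Return the port paths of mass-storage devices that are not on the
    allow-list. Non-storage devices (keyboards, mice) are ignored because
    this check is about file transfer, not about every USB peripheral."""
    flagged = []
    for port, attrs in parse_usb_events(log_text).items():
        if not attrs.get("mass_storage"):
            continue
        key = (attrs.get("vendor"), attrs.get("product"), attrs.get("serial"))
        if key not in approved:
            flagged.append(port)
    return flagged


if __name__ == "__main__":
    for port in unapproved_storage(SAMPLE_DMESG):
        info = parse_usb_events(SAMPLE_DMESG)[port]
        print(f"unapproved storage on port {port}: {info}")
```

Run against a host's real kernel log, the script would flag the "Generic Flash Disk" on port 2-1 and stay silent about the sanctioned SanDisk drive and the keyboard. Matching on the serial number as well as vendor and product ids matters: two drives of the same model are indistinguishable otherwise, and a found-in-the-car-park drive can easily be the same model as the sanctioned one.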
The Legitimate Need To Exchange Files
Even official company devices can be compromised when they are connected to the company network—this is how Stuxnet compromised Iran’s air gapped nuclear facilities. For various reasons, files usually need to be exchanged with the outside world, for example to obtain patches and files from vendors or third parties.
ICS staff being tricked into installing malware and compromising the ICS network is also a very real and continuous threat. For example, ‘Allenbradleyupdate.zip’ was a ransomware file disguised as an update from Rockwell Automation.
Temporary Remote Access
Temporary remote access solutions create a hole through your network, which introduces a serious security risk if you’re relying in any way on the air gap for security—and this is usually legitimate and approved access. Unless you have mitigations in place in your network, including firewalls enforcing the right architecture, sandboxing, deception technology, and GRC, this can be a serious threat.
Workaround Remote Access
Often employees need remote access to ICS networks, but are denied it due to Air Gap dogma. This often results in “workaround” tactical solutions, such as mobile wi-fi hotspots, so that they can get their work done. Assessments typically find unauthorized workaround connections in air gapped networks, and without mitigations these can be serious holes. Control engineers don’t make these connections with malicious intent; it’s typically for operational reasons. But they certainly can be exploited for malicious purposes.
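Finding workaround uplinks such as the wi-fi hotspots mentioned above is mostly a matter of comparing what an ICS host actually has against what it was commissioned with. The following is an added example, not code from the original article: it parses constructed `ip -o link show` output (Linux) for a couple of hypothetical hosts, compares the interfaces it finds against a hypothetical commissioning baseline, and flags anything unexpected, calling out names that typically belong to wireless, USB-tethering, cellular or tunnel interfaces. Host names, MAC addresses, the baseline and the suspect-prefix list are all constructed for illustration.

```python
import re

# Hypothetical commissioning baseline: the interfaces each ICS host is
# supposed to have. Constructed for this example.
BASELINE = {
    "hmi-01": {"lo", "eth0"},
    "eng-ws-02": {"lo", "eth0", "eth1"},
}

# Interface-name prefixes that usually mean a wireless, USB-tethered,
# cellular or tunnel uplink rather than plant cabling. Constructed list;
# extend it for the naming scheme your hosts use.
SUSPECT_PREFIXES = ("wlan", "wlp", "wwan", "usb", "rndis", "tun", "tap", "ppp")

# Constructed `ip -o link show` output for the two hosts above.
# Not captured from real machines; the MAC addresses are locally administered.
OBSERVED = {
    "hmi-01": r"""
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
""",
    "eng-ws-02": r"""
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:04 brd ff:ff:ff:ff:ff:ff
4: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:05 brd ff:ff:ff:ff:ff:ff
""",
}

# "<index>: <name>[@peer]: <FLAGS> ... state <STATE> ..."
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>.*?\bstate\s+(\S+)")


def parse_ip_link(output):
    """Return {interface name: (set of flags, operational state)}
    from one-line-per-interface `ip -o link show` output."""
    ifaces = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        m = LINK_RE.match(line)
        if m:
            ifaces[m.group(1)] = (set(m.group(2).split(",")), m.group(3))
    return ifaces


def audit_host(host, output, baseline=BASELINE):
    """List (interface, reason) pairs for interfaces absent from the host's
    baseline. Suspect name prefixes and administratively-up links are
    called out so the finding can be prioritised."""
    findings = []
    for name, (flags, _state) in parse_ip_link(output).items():
        if name in baseline.get(host, set()):
            continue
        reason = "likely workaround uplink" if name.startswith(SUSPECT_PREFIXES) else "unexpected interface"
        if "UP" in flags:
            reason += " (administratively up)"
        findings.append((name, reason))
    return findings


def audit_all(observed=OBSERVED, baseline=BASELINE):
    """Audit every host and keep only the ones with findings."""
    report = {}
    for host, output in observed.items():
        findings = audit_host(host, output, baseline)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit_all().items():
        for name, reason in findings:
            print(f"{host}: {name}: {reason}")
```

In the constructed data both hosts have a sanctioned wired interface and one extra link that the baseline does not know about. A host-based check like this is cheap to run from a scheduled job, and the same comparison can be made from the network side by diffing the MAC addresses seen on plant switches against the asset inventory.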
Insider Threats
Critical infrastructure is not only at risk from nation-state-sponsored attacks, espionage, or malicious insiders—disgruntled, lazy, or fatigued employees can also pose a serious risk. An Air Gap can’t protect against spies, criminals, or disgruntled, tired, or lazy staff carrying out dangerous or malicious activities.
Physical Compromise
A malicious individual with physical access to the air gapped network (an outsider or an internal employee) can insert unseen malicious devices into equipment: mobile SIM cards and other communication equipment, key loggers, or a preloaded device on an RJ45 connector so small that it goes undetected and can run a payload while drawing power from the switch over PoE (Power over Ethernet). Even simply plugging a malicious laptop into a switch poses a serious risk.
Physical intrusion is usually short, so the attackers will need to deploy or change some physical equipment and introduce malicious files quickly before being caught. Sandboxing and deception technology can mitigate any malware introduced, while firewalls enforcing network segmentation, application control, and micro-segmentation will limit the lateral (horizontal) movement of the attacker.
IIoT and Connected Technology
Connected technologies are increasingly being deployed to ICS networks by default. Attackers, or innocent employees by mistake, may access and enable their communication interfaces.
Supply Chain Attacks
If an OEM/vendor suffers an attack through their supply chain, ICS customers that purchase their equipment will be compromised, too. We have seen such an attack with widespread consequences in the USA in 2021. Again, sandboxing and deception technology can help mitigate this kind of attack.
Air Gap Covert Channels Jump OTA (Over The Air)
It has now been proven that RAM and other hardware, including PLCs, can be turned into AM radio transmitters to send or receive data. This was proven years ago with ICS equipment at Black Hat Europe. In 2014, researchers demonstrated "AirHopper", exfiltrating data from an isolated computer without a modem or communications equipment to a nearby mobile phone over FM frequencies. In 2015, researchers introduced GSMem, which does the same over cellular frequencies by using a standard internal bus as the antenna. There are now multiple Air Gap covert channels. Below are some examples:
- Electromagnetic: The electromagnetic field produced by the current in a wire can be modulated, for example into the FM radio band or the GSM, UMTS and LTE frequency bands.
- Acoustic: Computer speakers, microphones, the computer fan or the hard drive can transmit data, e.g. BadBIOS in 2013.
- Optical: Light indicators (LEDs) on any device can be re-purposed as a communication channel.
- Electric: Processor load can be regulated to modulate and encode data on top of the fluctuations in the current drawn by the machine.