Over at the Tofino blog is a post, SCADA Security: A Call-out to Control Engineers about Air Gaps, which every process automation professional should read. Eric Byres opens the post:
Last week I discussed how security experts and ICS / SCADA vendors are giving up on the dream of the air gap as a viable security solution for the modern control system. Unfortunately, it is still all too easy to believe your control system is isolated.
He describes a conversation he had with a control engineer about the technique of “air gapping” his control system as a method of cyber-security protection. The system was based on a Windows NT operating system that was no longer patched, virus protected, or other means of hardening. Its means of defense relied upon being isolated from any network connection.
Here’s a portion of the conversation exchange:
Eric: …What about operation data logging? I assume that you do that. How do you move the logs out to the systems like asset management and maintenance?
Engineer: We have a laptop we use – we plug it into the control network every week to collect the logs.
Eric: And then?
Engineer: We connect it to the corporate network to transfer the logs to the servers.
Eric: Ever worried about the laptop being infected with a worm?
Engineer: No – we have AV [anti-virus] software running on it.
Eric: I guess you missed the part in my talk where Stuxnet was in the wild for a year before it was detected.
He shares another exchange about remote access to the system through a modem and notes that the Slammer worm infected several control systems over this method of access into the system.
Eric concludes the post with the hazards of relying on a single method of defense:
With a single defense comes a single point of failure, as I discussed in a blog article about the Bastion Model. As long as the complete isolation (and I mean “complete”) defense can be maintained, everything will appear to be secure. Unfortunately designs with a single point of failure are not robust over the long term.
We’ve discussed the importance of rings of protection and defense in depth for the technology side of cyber security. In an earlier post, In a Post-Stuxnet World, Emerson’s Randy Pratt shared this analogy:
Every connection out of the system to the outside should be scrutinized and eliminated if possible. I heard a good analogy that you should think of your system like a prison. In a prison, there are few entry/exit points, and the ones they do have are heavily fortified with multiple layers of security and are closely guarded.
The post links to a cybersecurity best practices whitepaper specifically developed for DeltaV system users with many concepts applicable more broadly. In a post, Like Plant Safety, Build a Culture of Security, Emerson’s Bob Huba highlights the importance not only of the technology side, but also of the people and processes side. It takes a security-minded culture much like the strong safety cultures in most plants.
Bob also mentioned that while air gaps can be a method of segmenting networks as one element of an overall security program, there needs to be continued and rigorous inspections to ensure the gap has not been breached by an unauthorized network or modem connection. Having an “air gap” does not relieve the asset owner from implementing the appropriate additional defense in depth strategies just as if a network connection had been made between systems.
Secure data movement between systems is a requirement regardless of whether an air gap is used or a network connection exists. What the exchange between Eric and the Engineer really points out is that the people element of security is important. If the engineer in question had sufficient security training he would have realized that there was “danger” in the data exchange method and taken additional measures to mitigate the problem.
It’s important to have a cyber-security strategy that involves technology and organizational support. Many automation suppliers have programs to assist, such as the SureService Security Assessment Service.