SCADA Security's Air Gap Fairy Tale

August 17, 2011 (Feature)
By Eric Byres - P. Eng., ISA Fellow, CTO of Byres Security
Everyone loves a good fairy tale. Even the most cynical engineer will crack a smile when the lost slipper fits Cinderella’s foot or when the ugly beast is transformed by the princess’s love back into the charming prince. Central to most fairy tales is a magical element that leads to a happy ending.
Unfortunately, the fairy tale approach to life is a very risky one. What if the magic doesn’t happen?
In this article I am going to talk about a fairy tale. This tale doesn’t have princes or frogs in it, but instead it deals with SCADA and industrial control system security. It is the myth of the “air gap” between control systems and the rest of the world. Believing in it lulls both end users and vendors into a false sense of security, making it a very dangerous fairy tale indeed.
So What Is an Air Gap?
The theory behind the air gap is that in a well-designed system, there is a physical gap preventing any communications between the control network and the business network. Since digital information cannot cross such a gap, bad things like hackers and worms can never get into critical control systems. From this, a corollary flows: “Companies that get worms in their systems (like the unfortunate Brazilian power company) obviously have not created the proper air gap and deserve to be infected.”
Just to be clear, some people refer to technologies such as unidirectional gateways (also known as data-diodes) as air gaps. To me these are not true air gaps, as electronic information is still passing between the control system and the corporate network, albeit in only one direction. I see a use for these technologies, but as I will discuss later in this article, I also see some limitations. For now, let’s assume an air gap is exactly what it sounds like – a true gap in information flow between systems.
Admiring the Emperor’s New Clothes
Many vendors talk about the air gap as if it really exists. For example, every week new SCADA and ICS vulnerability notices come out and end users get to read statements like this:
"In addition, it is important to ensure your automation network is protected from unauthorized access using the strategies suggested in this document or isolate the automation network from all other networks using an air gap." (Source: SIEMENS-SSA-625789: Security Vulnerabilities in Siemens SIMATIC S7-1200 CPU, June 2011)
Interestingly, the very same companies who mention air gaps in security notices will also be the first ones to boast about the "total plant integration" of their solution suite. They will talk about how their MES, MIS, and ERP enterprise components "seamlessly integrate" with their control systems products on the plant floor. It is hard to imagine how such "seamless integration" occurs over an air gap!
Now while PR departments love to hide behind “air gap” when discussing product vulnerabilities, no vendor engineer or manager really believes the air gap fantasy. For example, at the Siemens Summit in June 2011 (the same week the above security notice was published), Stefan Woronka, Siemens Director of Industrial Security Services, stated:
“Forget the myth of the air gap – the control system that is completely isolated is history.”
Alternatively, check out the diagram of a high-security architecture taken directly from Siemens’ Security Concept manual (p. 42).
Can you spot the air gap in the drawing? Funny, neither can I.
Let’s try another vendor: download the security manual from Rockwell and search for the term “air gap”. Scan the diagrams for an air gap. No matter where you look, you won’t find the air gap in a vendor’s design or product manual, no matter which ICS vendor you consult.
Air Gaps Don’t Work in the Real World
There is a good reason why you won’t find the air gap mentioned in vendor engineering manuals. As a theory, it is wonderful. In real life, it doesn’t work.
Sure, you can simply unplug the connection between the control system and the business network and presto, you have an “air gap”. Then one day you get new logic from your engineering consultant – perhaps it addresses a design flaw that has been causing your company considerable downtime.
A little while later Adobe sends you a software update – perhaps it is for a critical vulnerability in the PDF Reader software your staff uses to view operational manuals. Next, your lab group sends a process recipe that will improve product quality. The list keeps growing – patches for your computer operating systems, anti-virus signatures, remote support and system software – you can’t ignore them all.
So what do you do? Maybe you load some files onto a USB drive and carry that onto the plant floor. But isn’t that how Stuxnet spread? Or maybe putting everything onto a laptop is the solution, but what if the laptop is infected? A serial line and a modem – sorry, the Slammer worm got into a number of control systems that way. Even the trusty CD can be turned into the carrier of evil bits.
As much as we want to pretend otherwise, modern control systems need a steady diet of electronic information from the outside world. Severing the network connection with an air gap simply spawns new pathways – pathways like the mobile laptop and the USB key, which are more difficult to manage and just as easy to infect.
Anyone Who Has Ever Seen an Air Gap, Please Raise Your Hand
So are there air gaps in any control systems? Sure – in trivial systems. For example, the digital thermostat controlling the heat pump in my home probably has a true air gap. And maybe in very high-risk systems – for example, I am led to believe that reactor control systems in nuclear plants are truly air gapped.
But do air gaps exist for all the control systems that manage our power grid, our pipeline infrastructure, our transportation systems, our water and our factories? I will let Mr. Sean McGurk, the Director, National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security answer that:
"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network.” Source: The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing. 58:30 -- 59:00
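The count McGurk describes is something any plant can reproduce for itself from firewall or flow logs, and doing so is the first step toward replacing an assumed air gap with a known, managed boundary. The script below is an added example for this article, not a tool from any vendor or agency; the zone address ranges, the shortlist of remote-access ports and the flow records are all constructed for illustration.

```python
"""Inventory the connections that cross the enterprise/control boundary.

Added example for this article, not a tool from any vendor or agency. The zone
address ranges, the port list and the flow records below are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed zone map (illustrative addresses): anything not listed is "external".
ZONES = {
    "enterprise": [ipaddress.ip_network("10.0.0.0/16")],
    "control": [ipaddress.ip_network("192.168.100.0/24"),
                ipaddress.ip_network("192.168.101.0/24")],
}

# Ports that usually mean interactive or remote access rather than data exchange
# (assumed shortlist; extend it for your own environment).
REMOTE_ACCESS_PORTS = {22, 23, 3389, 5900}

# Constructed sample flow log, one record per line: "timestamp src dst dport proto".
SAMPLE_FLOWS = """\
2011-08-17T08:01:02 10.0.5.21      192.168.100.10 502  tcp
2011-08-17T08:01:05 10.0.5.21      192.168.100.10 502  tcp
2011-08-17T08:02:11 10.0.7.3       192.168.100.15 3389 tcp
2011-08-17T08:03:40 192.168.100.20 10.0.9.9       1433 tcp
2011-08-17T08:04:00 10.0.5.21      10.0.5.22      445  tcp
2011-08-17T08:05:13 192.168.101.5  192.168.100.10 502  tcp
2011-08-17T08:06:00 10.0.7.3       192.168.100.15 3389 tcp
2011-08-17T08:07:30 203.0.113.8    192.168.100.15 3389 tcp
"""


def zone_of(ip):
    """Map an address to a zone name; addresses outside the map are 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        records.append((ts, src, dst, int(dport), proto.lower()))
    return records


def boundary_inventory(records):
    """Group flows whose endpoints sit in different zones.

    Returns {(src_zone, dst_zone): {(src, dst, dport, proto): hit_count}}.
    Same-zone traffic is dropped, and repeated hits on one path are merged,
    so the result counts pathways rather than packets.
    """
    inv = defaultdict(lambda: defaultdict(int))
    for _ts, src, dst, dport, proto in records:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue
        inv[(src_zone, dst_zone)][(src, dst, dport, proto)] += 1
    return {pair: dict(paths) for pair, paths in inv.items()}


def control_zone_pathways(inv):
    """Distinct pathways that connect the control zone to any other zone."""
    paths = set()
    for (src_zone, dst_zone), conns in inv.items():
        if "control" in (src_zone, dst_zone):
            paths.update(conns)
    return paths


def remote_access_into_control(inv):
    """Pathways into the control zone on ports associated with interactive access."""
    return sorted(path
                  for (_src_zone, dst_zone), conns in inv.items() if dst_zone == "control"
                  for path in conns if path[2] in REMOTE_ACCESS_PORTS)


if __name__ == "__main__":
    inv = boundary_inventory(parse_flows(SAMPLE_FLOWS))
    print(f"{len(control_zone_pathways(inv))} distinct pathways cross the control boundary")
    for (src_zone, dst_zone), conns in sorted(inv.items()):
        for (src, dst, dport, proto), hits in sorted(conns.items()):
            print(f"  {src_zone:>10} -> {dst_zone:<10} {src} -> {dst} {proto}/{dport} ({hits} flows)")
    for src, dst, dport, _proto in remote_access_into_control(inv):
        print(f"  remote access into control: {src} -> {dst}:{dport}")
```

Run against a real export, the interesting output is not the total but the pathways nobody had on the drawing: the historian replicating to an enterprise database, a vendor’s remote-desktop session straight into an HMI, a workstation that happens to be dual-homed. Each of those is a connection to be managed and monitored rather than wished away, and the remote-access list is where to start.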
It is not a Technology Issue
The real problem with the air gap concept is not the technology. The issue is that the air gap misleads companies into a false sense of security. As Chris Blask so clearly put it "None of the vulnerabilities [uncovered at the NESCOR summit] pose as great a risk as the belief that your system is isolated."
When companies say they are secure because they have an air gap, they are fooling themselves. All they have done is diverted the flows from over the network (which has a chance of being monitored and managed) to unregulated “sneakernet” channels like USB keys, CDs and laptops.
Most companies lack appropriate controls for the transfer of digital information over these channels. Furthermore, the technology to manage them is still evolving. For example, consider the WikiLeaks case of Bradley Manning and his reported carrying of sensitive U.S. military and diplomatic data out on a CD.
His transfer of 251,287 documents over the network to his personal computer would have created a far more detectable signature than his carrying of a music CD out of a facility. By relying on these “sneakernet” channels for getting critical patches and information into the control system, companies are actually less secure with their so-called air gap.
Security Solutions Must Fit with Human Nature
Some people have proposed that the problem with the air gap is just a people problem. Their line of reasoning is that if we stop people from doing dumb things like moving files and patches on a USB key, then air gaps work fine.
The trouble with this argument is that any technology that requires the user to act in ways that are counter to human nature is a recipe for failure. This has been studied in many academic papers, but Adams and Sasse say it clearly in their paper “Users are Not the Enemy”:
“Insecure work practices and low security motivation among users can be caused by security mechanisms and policies that take no account of users’ work practices, organizational strategies, and usability... Unless security departments understand how the mechanisms they design are used in practice, there will remain the danger that mechanisms that look secure on paper will fail in practice.”
Air gaps are a perfect example of this conflict. Engineers’ and operators’ primary goal is the safe, reliable and efficient operation of their factory or facility. If they have patches, recipes or new logic that makes their process either safer or more efficient, they will want to bring them onto the plant floor. If the plant is down and letting an expert remotely troubleshoot it will bring it back online sooner, then 99% of the time the expert will somehow be given access.
Expecting engineers to act in ways that are counter to their job goals because of a security policy is asking for trouble. Air gaps might work if the company also has clearly documented and demonstrated procedures that manage the transfer of electronic data in forms such as USB drives, CD/DVDs and external documents.
Note that I said “manage” and not “prevent” the transfer. As we discussed earlier some electronic information inevitably has to move onto the plant floor, so an outright ban will not work. Viable techniques and policies for securely monitoring and controlling these “sneakernet” flows are not trivial. They might exist in highly secure environments such as the safety control system on nuclear reactors, but they are rare in most industries. As Bradley Manning showed us, they don’t seem to exist in the US army, so I have little hope they exist in most power plants, refineries or manufacturing facilities.
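What “manage” rather than “prevent” can look like in practice: the following is an added example for this article, not a procedure or product from the original or from any vendor. A staging station (the one place where files are reviewed and, ideally, scanned) records and signs a manifest of the files it approved; the import station on the plant floor then accepts only files that appear in that manifest, hash-match it and have an allowed type, and refuses anything else on the media. The allowed file types, the key, the directory layout and the sample files are assumptions made for the demonstration.

```python
"""A minimal 'managed' removable-media transfer.

Added example for this article, not a product or procedure from the original.
A staging station records and signs a manifest of the files a reviewer approved;
the plant-floor import station accepts only files that appear in that manifest,
hash-match it and have an allowed type. Key, file types and layout are assumptions.
"""
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST = "MANIFEST.json"
# Assumed policy: manuals, recipes, patch bundles. Tighten to what your plant actually moves.
ALLOWED_SUFFIXES = {".pdf", ".csv", ".msp", ".zip"}
# Placeholder secret for the demo. A real deployment signs with a private key that
# exists only on the staging station, so the import side cannot forge approvals.
SHARED_KEY = b"example-only-staging-key"


def sha256_file(path):
    """Stream a file through SHA-256 so large patch bundles need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _data_files(media_dir):
    """Names of the regular files on the media, excluding the manifest itself."""
    return {n for n in os.listdir(media_dir)
            if n != MANIFEST and os.path.isfile(os.path.join(media_dir, n))}


def build_manifest(media_dir, key=SHARED_KEY):
    """Staging side: record name, size and hash of every approved file, then sign the record."""
    files = {name: {"sha256": sha256_file(os.path.join(media_dir, name)),
                    "size": os.path.getsize(os.path.join(media_dir, name))}
             for name in sorted(_data_files(media_dir))}
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(os.path.join(media_dir, MANIFEST), "w") as fh:
        json.dump({"files": files, "hmac": tag}, fh, sort_keys=True)
    return files


def verify_media(media_dir, key=SHARED_KEY):
    """Import side. Returns (accepted_names, {rejected_name: reason}).

    An unsigned or altered manifest rejects everything; files on the media that
    were never approved are refused even if they look harmless; an approved file
    is accepted only when both its size and its hash still match the record.
    """
    accepted, rejected = [], {}
    mpath = os.path.join(media_dir, MANIFEST)
    if not os.path.isfile(mpath):
        return accepted, {MANIFEST: "missing manifest"}
    with open(mpath) as fh:
        manifest = json.load(fh)
    listed = manifest.get("files", {})
    body = json.dumps(listed, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("hmac", ""))):
        return accepted, {MANIFEST: "bad signature"}
    present = _data_files(media_dir)
    for name in sorted(present | set(listed)):
        path = os.path.join(media_dir, name)
        if name not in listed:
            rejected[name] = "not in manifest"
        elif name not in present:
            rejected[name] = "listed but missing"
        elif os.path.splitext(name)[1].lower() not in ALLOWED_SUFFIXES:
            rejected[name] = "file type not allowed"
        elif (os.path.getsize(path) != listed[name]["size"]
              or sha256_file(path) != listed[name]["sha256"]):
            rejected[name] = "hash mismatch"
        else:
            accepted.append(name)
    return accepted, rejected


def demo():
    """Stage three constructed files, verify, then tamper twice and verify again."""
    with tempfile.TemporaryDirectory() as media:
        for name, data in {"manual.pdf": b"%PDF-1.4 example",
                           "recipe.csv": b"step,setpoint\n1,72.5\n",
                           "patches.zip": b"PK\x03\x04 example"}.items():
            with open(os.path.join(media, name), "wb") as fh:
                fh.write(data)
        build_manifest(media)
        clean = verify_media(media)
        # Tamper after approval: alter an approved file and drop in an unlisted one.
        with open(os.path.join(media, "recipe.csv"), "ab") as fh:
            fh.write(b"2,99.9\n")
        with open(os.path.join(media, "autorun.inf"), "wb") as fh:
            fh.write(b"[autorun]\nopen=setup.exe\n")
        tampered = verify_media(media)
        # Tamper with the manifest itself: rewrite the approved hash to cover the change.
        with open(os.path.join(media, MANIFEST)) as fh:
            forged_manifest = json.load(fh)
        forged_manifest["files"]["recipe.csv"]["sha256"] = sha256_file(os.path.join(media, "recipe.csv"))
        with open(os.path.join(media, MANIFEST), "w") as fh:
            json.dump(forged_manifest, fh)
        forged = verify_media(media)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, (ok, bad) in zip(("clean", "tampered", "forged manifest"), demo()):
        print(f"{label:>16}: accepted={ok} rejected={bad}")
```

Three caveats a practitioner should keep in mind. First, a shared HMAC key means the import station could mint its own approvals, so a real deployment signs with a private key held only at the staging station and verifies with the public key on the floor. Second, a matching hash proves the file is the one that was approved, not that it is safe; an infected PDF that was waved through at staging passes this check, which is why the staging station, not the import script, is where scanning and review have to happen. Third, this only covers the inbound direction; the Manning case is the outbound one, and media leaving the plant needs the mirror image of this record keeping.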
But even if a company does have a way of managing “sneakernet” flows, what have they gained with severing the network connection with an “air gap”? Do they really have an air gap? No – as we noted earlier, all that the air gap does is move the flow of data to a different channel.
Time to Grow Up and Forget the Fairy Tale
Government, vendors and industry need to accept that the dream of an air gap is dead.
Certainly vendors must stop hiding behind the air gap fantasy in their security notices, especially when even their own engineers don’t believe it. But the vendors aren’t the only ones who need to stop repeating the air gap myth. Too many end users still tell management that security risks are under control because their systems are isolated.
For effective ICS and SCADA security, the entire industry needs to move past the myth of air gaps and learn to deal with the reality: control systems are connected to the outside world – they may not be directly connected to the outside world, but they are certainly connected to networks that are. You can cut the network connection, but the bits and bytes will still move to and from the control system. Cyber security countermeasures must face up to this fact.

