Comment: Let’s bust the myth of the operational technology air gap
Isolating critical systems from all other networks is a popular solution to security threats, but is unlikely to be the most effective approach.
Solutions based on operational technology (OT) – where computerised systems control a physical output or detect a physical effect – have become an area of increased focus for cyber attacks. This trend has become a real concern for enterprises whose production systems, manufacturing plants, industrial control systems and processing infrastructure are under constant threat.
Cyber attacks are a very real risk. Criminals have identified OT systems as prime targets as they’re often connected to poorly secured networks, the compromise of which could result in substantial monetary returns for criminal activity such as ransom, intellectual property theft and espionage.
The ‘retro’ approach to addressing this risk consists of completely disconnecting critical systems not only from the public network, but also from closed internal networks. This approach has gained traction recently, with some politicians demanding that critical systems be air-gapped or physically disconnected to defend them from potential attacks.
Unfortunately, this might not be the most effective way to protect operational technology from motivated attackers. It might, in fact, have the counterproductive effect of creating a sense of false security in cyber-security teams.
A motivated attacker will find creative ways around most preventative controls, including air gaps. Even without being attached to a wider network, connections abound, and systems light up with data flows often without the company knowing about it. There are many ways in which cyber criminals can achieve this, some more creative than others, some not far-fetched at all.
The underestimated, humble USB stick is an example of how an attacker could bridge an OT air gap. Often left openly accessible on industrial workstations or process engineering systems, USB sticks can carry malware in, or be a route out for corporate intellectual property. The now infamous Stuxnet worm, first revealed to the public in 2010, is believed to have made its way into a secure facility on a USB stick. All it takes is for an attacker to convince an employee to plug a USB stick into a computer by labelling it with the right words, such as ‘payslip info’ or ‘HR’. We humans are, after all, curious creatures.
Smartphones are another convenient mechanism to cross air gaps, as they have become portable computers with the capability of carrying malicious software. If switched into Wi-Fi hotspot mode, they can serve as an attack vector. Their cameras, if compromised, can be exploited to exfiltrate visual data and screen shots that can be useful to an adversary. There have certainly been instances where bored operators have fired up a hotspot and streamed dubious movies overnight, effectively compromising the security of the facility.
Through insecure Wi-Fi hotspots, large amounts of OT data can be leaked in short spans of connection time. This is often down to bad configuration, or maybe a desire by the OT team to take advantage of an existing internet connection. Certainly, this is not always malicious, as more and more OT equipment manufacturers need access to their hardware for predictive maintenance and similar reasonable business needs. But has the connection been risk-assessed?
More dangerous than Wi-Fi, but increasing in popularity, is the practice of adding cellular connections to equipment so that it can ‘phone home’. These connections often go unnoticed because the modules are physically small and their transmissions are hard to detect; in many cases they have only been found during an unrelated technical surveillance countermeasures (TSCM) assessment, or bug sweep, of the site.
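The connections described above share one defensive answer: know which flows out of an OT cell have actually been risk-assessed, and treat everything else as a finding. The script below is an added illustration, not code from the article or from TUV Rheinland. It parses constructed flow-log lines (the field layout `timestamp src dst dport proto` is an assumption, not any product's export format), compares egress from a constructed OT cell address range against a constructed baseline of sanctioned connections, and reports each host talking to destinations nobody has signed off.

```python
"""Flag OT network flows that fall outside the sanctioned-connection baseline.

Added example, not code from the article. All addresses, hosts and log lines
are constructed sample data; the log field layout is an assumption.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed: the address space of the OT cell under review.
OT_CELL = ipaddress.ip_network("10.20.0.0/24")

# Constructed baseline: every connection leaving the cell that has been
# risk-assessed and signed off (vendor maintenance feed, historian replication).
SANCTIONED = {
    ("10.20.0.15", "10.50.1.10", 443, "tcp"),  # PLC gateway -> vendor maintenance proxy
    ("10.20.0.20", "10.30.0.5", 5432, "tcp"),   # historian replication to corporate side
}

# Constructed sample flow log in "ts src dst dport proto" form.
SAMPLE_LOG = """\
2024-03-01T02:10:01 10.20.0.15 10.50.1.10 443 tcp
2024-03-01T02:10:05 10.20.0.20 10.30.0.5 5432 tcp
2024-03-01T02:11:40 10.20.0.33 192.0.2.77 443 tcp
2024-03-01T02:11:41 10.20.0.33 192.0.2.77 443 tcp
2024-03-01T02:12:02 10.20.0.40 10.20.0.41 502 tcp
2024-03-01T02:13:09 10.20.0.33 198.51.100.9 1194 udp
"""


def parse_flows(text):
    """Turn whitespace-separated log lines into Flow records, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def unsanctioned_egress(flows, cell=OT_CELL, baseline=SANCTIONED):
    """Return flows that leave the cell and are not in the signed-off baseline.

    Intra-cell traffic (e.g. Modbus between two controllers) is not egress and
    is left alone; the point is connections nobody has risk-assessed.
    """
    findings = []
    for f in flows:
        src_in = ipaddress.ip_address(f.src) in cell
        dst_in = ipaddress.ip_address(f.dst) in cell
        if src_in and not dst_in and (f.src, f.dst, f.dport, f.proto) not in baseline:
            findings.append(f)
    return findings


def summarise(findings):
    """Group findings by source host: one entry per unexpected talker, with its destinations."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.src, set()).add((f.dst, f.dport, f.proto))
    return by_host


if __name__ == "__main__":
    for host, dests in summarise(unsanctioned_egress(parse_flows(SAMPLE_LOG))).items():
        print(f"{host}: {len(dests)} unsanctioned destination(s)")
        for dst, port, proto in sorted(dests):
            print(f"  -> {dst}:{port}/{proto}")
```

Run against the sample, the two sanctioned flows and the intra-cell Modbus exchange pass silently, and the single workstation reaching two outside destinations is reported once with both. In practice the baseline is the output of the risk assessment the article calls for, and every line the script prints is a connection that should either be added to it after review or removed.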
More creative proofs of concept have shown that a motivated attacker could, in theory, modulate LEDs or other light sources to transmit data, analyse power consumption to infer data flows, or even use system noise as a transmission medium. Although certainly complicated to carry out, an attack like this is not implausible.
Accepting that air-gapping critical systems is rarely an efficient security control, the first step to tackle an OT cyber-security risk is to conduct some form of proportionate assessment. This will provide a broader view of the system business risk and enable appropriate controls to be put in place – and in many cases air-gapping is unlikely to be high on the list of things to do.
Nigel Stanley is CTO of TUV Rheinland.