Spanning the Air Gap: ICS Network Security

March 13, 2017
Though some experts advocate an air gap approach to industrial security, it can create a false sense of security and make troubleshooting more difficult.

An air gap is a network security measure used to ensure a computer network is physically isolated in order to prevent it from establishing an external connection, specifically to the Internet. The concept is that a physical gap can prevent unauthorized access, thwarting hackers and malware. In this post, we are most interested in this as a measure of security applied to industrial control systems (ICSs).

Properly implemented and maintained, air-gapped networks do offer security and can be found among some of the most secure global institutions, such as government intelligence agencies, financial institutions and others.

Writing about industrial security, Paul Ferguson, senior threat researcher for security provider Trend Micro, advocates the air gap principle. “One issue that I’ve consistently tried to emphasize is that critical control systems should never, ever interact nor interconnect with Internet systems in any way, shape or form,” Ferguson has written.

While the use of air-gapped networks for ICS does offer a measure of security, you will likely find that support even among respected authorities tends to be the exception.

“IT security could have ignored the OT network as it being disconnected, air gapped, proprietary and not subject to the same sort of threats and attacks in the past, but this mindset is no longer effective,” wrote David J. Meltzer, chief research officer at Tripwire, another security provider. “Cooperation on a consistent security strategy across both IT and OT is essential for the future.”

It is our observation that for the majority of ICS networks the implementation of an air gap largely leads to a false sense of security. Further, we believe it has the potential of not only placing false constraints on the network, it may be a contributing factor to a degraded network state compromising the overall performance of the network, and the source of hidden and/or unrecognized cost.

Considering the various pathways that can act as a conduit for intrusion and malicious intent—such as removable devices, laptops, diagnostic equipment and the like—an air-gapped network can leave one with a false sense of security. The Repository of Industrial Security Incidents (RISI) has noted the majority of incidents happen from within the ICS network. Other studies note the primary threat as malware being introduced to a system through a USB memory stick.

In this age of the Industrial Internet of Things (IIoT) and smart manufacturing, manufacturers are recognizing the benefits of a more fully integrated plant floor resulting in optimized operations and increased profits. Using an air gap for network security places a false constraint on networks, denying real-time access into manufacturing operations and thus delaying cost-saving decisions that could otherwise be made.

An isolated control network “hidden” on the plant floor could be overlooked, especially if it exists outside of the IT/OT area of responsibility. True, some would prefer it that way, but with the increased use of Ethernet on the plant floor, these forgotten networks will become degraded and problematic. A network that is flat and does not get upgraded throughout the years will start to become slow as other devices are added to the ICS. Network architectures that once handled the traffic are now becoming taxed and less efficient as ICS networks grow and see greater demands placed on them.

The inability to support remote access or external devices on an ICS network can greatly increase troubleshooting and maintenance costs. In some cases, limiting support to the “sneakernet” could increase downtime. At the same time, well-intentioned employees with a desire to resume production might be tempted to bypass network security protocols, even further compromising the system.

Creating an air gap might sound simple in theory (just unplug it), but, like many things, the actual implementation of an effective solution is much more difficult. Though we are discouraging this practice, we are not ruling out the potential effectiveness of an air gap to provide a secured network, even for an ICS. We do, however, encourage you to consider the cost, constraints and administrative burden it places on your organization. Doing so will help you to make a well informed decision and help to avoid being left with a false sense of security and the other shortcomings we have mentioned.

Next month, we will discuss the essentials of a secured industrial network, addressing aspects of the network architecture and security.

Larry Asher is director of operations and Dominic Schmitz is operational technology specialist at Bachelor Controls Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Bachelor Controls, visit its profile on the Industrial Automation Exchange.