It was only a few years ago that most people were not seriously worried about the cybersecurity of control networks. The largely unconnected nature of these systems helped ensure their security. Now, with a rising number of manufacturers digitizing and sharing industrial control data with other systems, cyber attacks are increasing and the potential impacts range from severe financial damages to the loss of human life.
Clearly, cybersecurity for industrial control systems (ICSs) is an urgent matter. Company executives across a range of industries feel their control systems are more vulnerable than they were a year ago, according to the 2016 State of ICS Security Survey from the SANS Institute. Two-thirds of respondents (67 percent) say they perceive a severe or high level of threat to their control systems. That's up from 43 percent just a year earlier.
Byron K. Wallace worries a little less than most. As cybersecurity process control network (PCN) vulnerability assessor for a large oil and gas producer, he knows his control system is air gapped—or at least as close to air gapped as he can make it. “Are you ever 100 percent air gapped? Technically no, but practically yes,” says Wallace, who has a Ph.D. in IT.
His company’s PCN exists on its own without connections to remote users or other networks. The precautions are numerous. USB ports are locked down. Access controls are strict. Employee training is paramount. All equipment and software is rigorously tested in a separate lab before it is put on the control network. Wallace’s team performs comprehensive audits on a regular basis to ensure there are no connections he doesn’t know about.
Meanwhile, Wallace says, operations do not miss out on the benefit of sharing information. Operators input data from production and downtime reports from the air gapped system into the company’s information system. These data are updated each day, and that’s good enough, he says. The ability to have real-time data would not provide enough benefit to warrant risking a major security event.
It’s important to weigh out the benefits vs. the costs, Wallace says. “If malware gets into the plant and it goes down, I have a risk of losing $400,000 per day.” Any incremental savings from continuous process optimization are not enough to justify the connectivity.
Wallace makes it clear, however, that this approach is not for everyone. “You have to understand your operating philosophy and what works for you,” he says, adding that it requires a special relationship with control vendors. “The vendor can’t just come in and patch the system. It’s a cutthroat, no-trust environment. This does not work for everyone. Your management philosophy may not allow this approach.”
For a list of key questions to ask yourself, see “Could Air Gapping Be Right for You?”.
Unlocking the value of production data
What’s the safest state for a plant? When it’s shut down and not producing. As true as that might be, it’s hardly a serious option. Instead, we’re left with the question: To air gap or not to air gap?
Much of the control equipment in operation today was produced decades ago and built for the long haul, with no thought of communicating with other systems—and correspondingly, no need for cybersecurity. Particularly in process industries like utilities, some companies are using long-established air gaps to protect their control systems. But in today’s hyper-connected world, that choice comes at a cost.
Sharing the vast amount of process data with other systems fuels better decision-making, allows more granular performance management, and enables asset optimization and predictive maintenance to reduce costs and improve safety. In heavily regulated industries, the proverbial shop-floor-to-top-floor connectivity eases compliance. It allows remote access for employees and vendors to fix problems, minimizing downtime.
“There is no real argument. Do you want to be connected or not? That train has already left the station,” says Shmulik Aran, CEO of NextNine, which sells ICS security solutions.
Companies that persist in air gapping may well find the economics of that choice bearing down on them at some point, says Albert Rooyakkers, founder, CTO and vice president of engineering for Bedrock Automation. “They will miss the predictive analytics, causing them to blow a bearing on a turbine that costs $150 million,” for example.
Beyond the opportunity cost of not connecting control systems, many question the fundamental viability of air gaps. “There’s a religious debate about air gaps: Do they work or not; do they exist or not?” says Jeff Lund, senior director of product line management for Belden. “It’s an interesting philosophical debate, but it can be irrelevant to the question of whether they make you more secure or not.”
Most cyber incidents originate from inside the system, Lund says; in that case, air gaps do not help. A device fails, for example, and the resulting behavior on the network looks like a denial of service attack. Belden often hears from smaller manufacturers that they are not as likely as their large counterparts to be the target of a cyber attack. “But you don’t need security just because you’re an attractive target. It’s to make yourself more resilient against these other failures that can happen.”
Companies that think they maintain air gaps around their ICS networks might be in for a nasty surprise, says Marc Kaplan, vice president of security architecture for Tempered Networks. “The only true air gapping is when you have a network that is completely disconnected—no Bluetooth, no Wi-Fi, non-routable IPs, no USB ports, no remote access of any kind and strictly enforced access controls.”
Air gaps can also introduce errors, warns Gregory Wilcox, global technology and business development manager for Rockwell Automation. “Employees may write down data on clipboards and then manually key it in, but then you have increased the risk of errors.”
Most of the spokespeople for control vendors interviewed here did not report a resurgence of interest in air gapping among their customer bases. “What we’re seeing is the need for connectivity to control system data,” says Jeremy Bryant, general manager of industrial communications for Siemens USA. “We do see an exception in the electric utility space, where regulations may require an air gap from the control system to the outside.”
Bedrock Automation’s Rooyakkers comes down solidly on the anti-air gap side. “How can you be future-proof in a disconnected world? You can’t just go live in the woods,” he says. A better strategy, he adds, is to implement modern networking technology that has security built in, along with other measures layered on top. “You’re stuck until you decide to build the right technology in a brownfield or greenfield approach.”
Other cybersecurity approaches
If not an air gap, then what? There are a host of security architecture choices and specific technologies that are designed to provide a layered approach to protecting ICS, including (in no particular order):
- Identity-defined networking. Tempered Networks’ Identity-Defined Network fabric operates on a trust model with IEEE 802.1X certificate-based authentication and identification. This approach goes beyond passwords and perimeter protection to continuous, intelligent authorization based on context. The network is cloaked, so it can be viewed only by authorized users.
- Segmentation. With this cloaking variant, the network is broken up into segments with strict access controls in between. Rather than a strict separation between two networks, the segments can open, give access when presented with the right credentials and then close again.
- Defense-in-depth. Siemens advocates creating connectivity with a defense-in-depth approach. As the name suggests, a wide variety of standards-based security technologies are layered upon each other, along with well-defined and enforced organizational practices. “We only allow the communication to the people that need to have it,” Bryant says. “You know specifically who is getting on your network and what they are doing.”
- Data diodes. Also called unidirectional security gateways, data diodes allow only a one-way flow of information. This means data can flow from the control system to the information system but not vice versa. Emerson Electric and other vendors, such as Waterfall Security, are proponents.
- Demilitarized zone (DMZ) between industrial and IT space. Rockwell’s Wilcox advocates a “best of both worlds” approach that resides between air gap and a shared environment. “This is about good connectivity between separate infrastructure,” he says. Each side can pass information to the other via a highly secured industrial DMZ that resides between the two environments.
- Special-purpose security appliance. Belden offers the Tofino Xenon security appliance that complies with the IEC 62443 cybersecurity standard for control and does deep packet inspection. “It looks inside the message and asks if that source is asking to do something that it is allowed to do,” Belden’s Lund says. This approach goes beyond standard firewalls.
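As an added illustration, constructed for this article and not code from any of the vendors named above, the following Python models two of the ideas in the list: deny-by-default segmentation with an industrial DMZ sitting between the control zone and the enterprise zone (so no rule ever connects the two directly), and a deep-packet-inspection style rule that lets a source perform only the protocol operations it is authorized for. The zone address ranges, host addresses, historian port and flow-log format are all assumptions made for the example; the Modbus function codes are the public ones from the Modbus specification. The evaluator works at the level of connection requests, which is what a firewall or appliance policy expresses; it is a policy model, not a substitute for a hardware data diode.

```python
"""Zone-based allow-list policy with protocol-level (deep packet) checks.

Constructed example: control zone -> industrial DMZ -> enterprise zone.
Every address, port and log line below is made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone layout. There is deliberately no control<->enterprise path.
ZONES = {
    "control": ip_network("10.10.0.0/24"),
    "dmz": ip_network("10.20.0.0/24"),
    "enterprise": ip_network("192.168.50.0/24"),
}

# Modbus/TCP function codes from the public Modbus specification.
MODBUS_READ = frozenset({1, 2, 3, 4})       # read coils / inputs / registers
MODBUS_WRITE = frozenset({5, 6, 15, 16})    # write coils / registers

ENGINEERING_WORKSTATION = "10.10.0.50"      # constructed address
HISTORIAN_PORT = 5432                       # assumed DMZ historian listener


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    function_code: Optional[int] = None     # parsed from the payload by DPI


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int
    allowed_functions: Optional[frozenset] = None   # None: no payload check
    src_hosts: Optional[frozenset] = None           # None: any host in zone


# Deny-by-default allow list. Data crosses only via the DMZ historian, and
# only the engineering workstation may issue Modbus writes inside the plant.
RULES = (
    Rule("control", "dmz", HISTORIAN_PORT),
    Rule("enterprise", "dmz", HISTORIAN_PORT),
    Rule("control", "control", 502, MODBUS_READ | MODBUS_WRITE,
         frozenset({ENGINEERING_WORKSTATION})),
    Rule("control", "control", 502, MODBUS_READ),   # HMIs and others: read only
)


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is in no known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow, rules=RULES) -> Tuple[bool, str]:
    """Return (allowed, reason). Any fully matching rule allows; otherwise deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False, "source or destination is outside every known zone"
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.dport) != (src_zone, dst_zone, flow.dport):
            continue
        if rule.src_hosts is not None and flow.src not in rule.src_hosts:
            continue
        if rule.allowed_functions is not None:
            if flow.function_code is None:
                # Fail closed: the rule needs payload inspection and none was possible.
                return False, "payload inspection required but no function code parsed"
            if flow.function_code not in rule.allowed_functions:
                continue
        return True, f"matched {rule.src_zone}->{rule.dst_zone}:{rule.dport}"
    return False, f"no rule permits {src_zone}->{dst_zone}:{flow.dport} (fc={flow.function_code})"


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src=... dst=... dport=... [fc=...]' log line."""
    fields = dict(part.split("=", 1) for part in line.split())
    fc = fields.get("fc")
    return Flow(fields["src"], fields["dst"], int(fields["dport"]),
                int(fc) if fc is not None else None)


# Constructed flow records, as a firewall or appliance might log new connections.
SAMPLE_LOG = [
    "src=10.10.0.20 dst=10.20.0.10 dport=5432",          # PLC data to DMZ historian
    "src=10.20.0.10 dst=10.10.0.20 dport=5432",          # DMZ reaching back into control
    "src=192.168.50.33 dst=10.10.0.7 dport=502 fc=3",    # enterprise host polling a PLC
    "src=192.168.50.33 dst=10.20.0.10 dport=5432",       # enterprise reading the historian
    "src=10.10.0.50 dst=10.10.0.7 dport=502 fc=16",      # engineering workstation write
    "src=10.10.0.20 dst=10.10.0.7 dport=502 fc=16",      # HMI attempting a write
    "src=10.10.0.20 dst=10.10.0.7 dport=502 fc=3",       # HMI read
]


def audit(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Evaluate each log line against the policy and return the verdicts."""
    return [(line,) + evaluate(parse_flow(line)) for line in lines]


if __name__ == "__main__":
    for line, allowed, reason in audit(SAMPLE_LOG):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {line:48} {reason}")
```

Running the block shows the two reverse or direct paths (DMZ into control, enterprise into control) and the HMI write denied, while the historian pushes, the enterprise historian read and the engineering workstation write are allowed; a line on port 502 with no parsed function code is denied because the rule fails closed when inspection is not possible.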
Most important to remember: No approach, whether air gap or something else, is infallible or a fit for every company. “Air gap is not a universal solution,” says Claudio Fayad, vice president of technology for Emerson Automation Solutions. “It does have benefits, but it does not guarantee 100 percent protection. And it can be restrictive because it doesn’t allow you to do the optimizations that could help you make better products, deliver less impact to the environment and other benefits.”
Wallace, obviously an air gap proponent, takes a measured approach. “You can never eliminate a threat. You can only minimize it. You create layers and barriers and hope to deter intrusions. That’s what we have been doing for years on the business system side but now we are doing it for process control,” he says. “With air gap, the vulnerability is still there, but it’s reduced.”