The Myth of the Operational Technology Air Gap
Posted on 2 Aug 2018 by Nigel Stanley
The cybersecurity field of operational technology (OT) is buzzing as companies increasingly realize that their production systems, manufacturing plants, chemical processing plants or industrial control systems are at risk from cyber-attacks. This realization is fuelled by a big uptick in hacker interest as such systems are insecurely connected to the internet and compromising them is a change from stealing credit card information.
In response to cybersecurity concerns, I often hear the claim that a company’s OT systems are air gapped and not connected to the internet — so they are immune from cyber-attacks via this route. The bad news is that on further investigation, in almost all instances, such claims are found to be incorrect. The reality is that connections abound and systems light up with data flows without the company knowing about it.
How can this be?
The humble USB is renowned for bridging OT air gaps. Indeed, the now infamous Stuxnet worm, first revealed to the public in 2010, was believed to have been introduced into a “secure” facility by a USB stick. The rest is history. It is extremely rare for me to visit any plant or facility and not find some form of USB port openly accessible on SCADA workstations or process engineering systems. These USB ports may be a route in for malware or a route out for corporate intellectual property. Either way, open USB ports are bad for the operating company.
The all-powerful smartphone is another convenient mechanism to cross air gaps when switched into Wi-Fi hotspot mode. I know of cases where bored operators will fire up a hotspot and stream dubious movies overnight when the control room is quiet. And we mustn’t forget the smartphone camera that can exfiltrate stacks of visual data useful to an adversary.
Has Wi-Fi been assessed for risk?
Insecure Wi-Fi hotspots can leak large amounts of OT data before anyone has realized it happened. This vulnerability often comes down to bad configuration or maybe a desire by the OT team to take advantage of an existing internet connection. Certainly, insecure Wi-Fi hotspots are not always malicious, as more and more OT equipment manufacturers need access to their hardware for predictive maintenance and similar reasonable business needs. But has the connection been assessed for risk?
Bug sweeps to see if connections can “phone home”
A bit more pernicious than Wi-Fi is the increased use of cellular connections so that equipment can “phone home.” In many cases these connections are never spotted because of their small form factor and the difficulty of spotting their transmissions. Indeed, in my experience I know that many cellular connections are only found during a bug sweep — a site technical surveillance countermeasures assessment.
Other connections to OT
Finally, we have some esoteric ways of connecting OT kit to the internet. These range from flashing LEDs (or other light sources) to transmit data through to using power source analysis or noise as a transmission medium.
Quest to control OT security
Once we have accepted that the air gap as a security control is rarely valid, we need to aggressively deal with these connections, either to understand and bound the risk or to remove them altogether.
To achieve security control, an operational technology risk assessment is vital and I would suggest this is an urgent priority before your business disappears down a connection pipe it didn’t realize was there.