Air-gap security an "enduring fairy tale": Byres

Government, vendors and industry need to accept that the dream of an air gap is dead: Byres

The "air gap" -- the idea that a physical gap between between an industrial control network and an organisation's business network will prevent attacks from reaching critical control systems -- is "one of the most enduring fairy tales in the field", according to leading US critical infrastructure security consultant Eric Byres.

"As much as we want to pretend otherwise, modern control systems need a steady diet of electronic information from the outside world," Byres writes at the Practical SCADA Security Blog.

"Severing the network connection with an air gap simply spawns new pathways -- pathways like the mobile laptop and the USB key, which are more difficult to manage and just as easy to infect," he said. "There is a good reason why you won’t find the air gap mentioned in vendor engineering manuals. As a theory, it is wonderful. In real life, it doesn’t work."

Byres illustrates his argument with the diagram of a high-security network architecture taken directly from Siemens’ Security Concept manual (pg 42).

"Can you spot the air gap in the drawing?" he asks. "Funny, neither can I."

The blog post echoes comments Byres made at the AusCERT information security conference in May, where he speculated that the Stuxnet worm may not necessarily have infected the target supervisory control and data acquisition (SCADA) systems via a USB key.

Byres told the conference that an attacker could mimic the vendor's documentation CD, package it the vendor's stationery, and send it to the manager of the target network. The disc would contain PDF files of real documentation that were infected with Stuxnet.

CSO understands that such a documentation-based attack has already been attempted, although it is believed to have failed.

"Government, vendors and industry need to accept that the dream of an air gap is dead," Byres wrote.

Follow CSO Australia on Twitter: @CSO_Australia

Tags Siemens’ Security Concept manualByresAir-gapPractical SCADA Security Blog

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Get powerful mobile security capabilities, and protect the data the various mobile devices inside your organization.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.