The Value of Air Gapping Local Industrial Control Systems

What Is An Air-Gapped Network?

According to Jim Richberg, public sector field CISO and vice president of information security at Fortinet, “Air gapping refers to the separation of a network or device from any outside connection.”

In practice, air gaps rely on physical separation. There is “air” between two devices that prevents direct connection. In theory, this thwarts hackers from gaining access to ICS because no matter how thoroughly they’ve compromised other systems, there is no way to bridge the gap short of physically being in the room with the device in question.

EXPLORE: How smart technology is helping power utilities and more.

What Are the Benefits and Challenges of Air-Gapped Networks?

The biggest benefits of air gaps are tied to physical separation. If a network is completely isolated by an air gap, agencies can frustrate the efforts of attackers to compromise key systems.

Consider a ransomware attacker looking to find critical data, encrypt it and demand payment. In a public utility agency, this data is often handled by industrial control systems that control functions such as power generation volumes, power distribution or the level of specific chemicals in drinking water. If this data is kept on an air-gapped network, attackers face a hard stop when they attempt to move laterally from their compromise points — such as a nonsecure device or a phished email account — to the ICS device itself.

“Air gapping ICS assumes that in the event of an attack on a network connected to the internet, the core operational technology would be entirely separate and therefore safe,” Richberg says. “In addition, many of these components require relatively specialized expertise not readily available to master. In other words, much of the protection for ICS assumes security through inaccessibility or obscurity.”

However, the adoption of global search engines and ubiquitous connectivity means that this type of inaccessibility and obscurity is no longer possible at scale — the interconnected needs of public utility agencies mean that connecting industrial control systems to larger networks is often worth the risk. Richberg also notes that air gaps aren’t foolproof: “Organizations that rely on legacy air-gapped networks saw more operational technology breaches in 2021 than their integrated counterparts.”

Utilities Face Challenges in Securing Legacy ICS

Most industrial control systems weren’t designed for public-facing connections. They were created to fulfill specific internal functions related to providing or managing utility services.

The ingrained nature of these systems, however, makes it challenging for companies to remove and replace them; both the time and costs involved are often prohibitive and could result in days or weeks of service disruptions. As a result, many agencies opted to give ICS limited access to other systems on the network to better manage services.

But this connection creates a challenge: If attackers can compromise peripheral systems and move laterally through networks, they may be able to access industrial control systems and take control of core utility functions.

This isn’t an idle concern. Consider the recent attack on a water treatment plant in Oldsmar, Fla. After compromising the agency’s ICS, a hacker increased the level of sodium hydroxide in the local water supply to 100 times its normal concentration. Also known as lye, sodium hydroxide is used to manage water acidity and remove metals from drinking water. In high concentrations, however, this chemical can cause pain, vomiting, bleeding and burns.

Thankfully, the attack didn’t last long. An operator noticed that the cursor on his screen was moving around without his input, and once he took back control the attacker left, allowing the operator to reduce lye levels back to normal, ensuring that no one was hurt.

DIVE DEEPER: Protecting federally operated power facilities from cyber attacks.

What Are Government Concerns About Securing IIoT?

The fact that an attacker was able to gain access to this type of function is concerning. It indicates an increased awareness among malicious actors that industrial control systems are not only connected to networks at large but can be accessed and compromised to put citizens at risk.

The threat is growing: On April 13, the U.S. Department of Energy, the Cybersecurity and Infrastructure Security Agency and the FBI released a joint statement warning that “certain advanced persistent threat actors have exhibited the capability to gain full system access to multiple industrial control system/supervisory control and data acquisition devices.”

Attackers are also exploiting vulnerabilities such as CVE-2020-15368, which allows them to compromise Windows workstations commonly used in operational technology environments and move laterally through organizations to breach ICS tools.

READ MORE: How endpoint detection and response can help agencies nationwide.

What Measures Can Utilities Adopt Other Than Air Gapping?

While air gapping can limit the risk of unauthorized access to critical ICS data, it’s only one element of a successful security program.

“Federal agencies and state and local governments are increasingly working with critical infrastructure providers to harden defenses and reduce the vulnerability of integrated information and operational technology networks,” Richberg says.

Other ways to boost ICS security include:

• Segmenting networks: Logically segmenting networks rather than physically separating them can provide increased visibility without significantly increasing risk.
• Securing endpoints: Better security of connected local and cloud-based endpoints via robust network mapping solutions can help agencies pinpoint potential attacks before they access ICS frameworks.
• Zero-trust architectures: By requiring proof of identity rather than assuming it, utilities can limit the number of users on their networks, in turn reducing the risk of ICS compromise.
• Multifactor authentication: Both two-factor authentication and MFA offer an additional layer of challenge to ensure users are who they say they are and that attackers are stuck outside ICS networks, even if they compromise one avenue of access.

In addition, Richberg points to the increasing use of technologies such as data diodes or one-way gateways that permit the flow of information in a single direction only. This in turn allows ICS components to report on performance problems but not receive incoming malicious commands.

ICS risks are on the rise as attackers look to compel immediate action from state utility agencies. Air gaps are a solid starting point to reduce the risk of ICS compromise but offer improved protection when combined with additional elements such as network segmentation, endpoint security, zero-trust architecture and MFA.