What Is An Air-Gapped Network?
According to Jim Richberg, public sector field CISO and vice president of information security at Fortinet, “Air gapping refers to the separation of a network or device from any outside connection.”
In practice, air gaps rely on physical separation. There is “air” between two devices that prevents direct connection. In theory, this thwarts hackers from gaining access to ICS because no matter how thoroughly they’ve compromised other systems, there is no way to bridge the gap short of physically being in the room with the device in question.
What Are the Benefits and Challenges of Air-Gapped Networks?
The biggest benefits of air gaps are tied to physical separation. If a network is completely isolated by an air gap, agencies can frustrate the efforts of attackers to compromise key systems.
Consider a ransomware attacker looking to find critical data, encrypt it and demand payment. In a public utility agency, this data is often handled by industrial control systems that control functions such as power generation volumes, power distribution or the level of specific chemicals in drinking water. If this data is kept on an air-gapped network, attackers face a hard stop when they attempt to move laterally from their compromise points — such as a nonsecure device or a phished email account — to the ICS device itself.
“Air gapping ICS assumes that in the event of an attack on a network connected to the internet, the core operational technology would be entirely separate and therefore safe,” Richberg says. “In addition, many of these components require relatively specialized expertise not readily available to master. In other words, much of the protection for ICS assumes security through inaccessibility or obscurity.”
However, the adoption of global search engines and ubiquitous connectivity means that this type of inaccessibility and obscurity is no longer possible at scale — the interconnected needs of public utility agencies mean that connecting industrial control systems to larger networks is often worth the risk. Richberg also notes that air gaps aren’t foolproof: “Organizations that rely on legacy air-gapped networks saw more operational technology breaches in 2021 than their integrated counterparts.”