Many networks across a variety of verticals, including government, military, financial services, power plants, and industrial manufacturing, have been so-called “air-gapped” networks. This means they are physically and logically isolated from other networks, so that communication between them is neither physically nor logically possible. This can be a good thing or a bad thing depending on your network needs.
In the industrial vertical, the air-gapped networks were those that supported the industrial control systems within the plant or factory, with communication between the plant and the enterprise networks physically or logically isolated.
In today’s Industry 4.0 revolution, where the network is the control system, analyzing data from the industrial process is key to driving optimization and efficiency. With more and more “smart” field devices (connected and managed through the network), it is worth considering whether air-gapped industrial networks are practical for the future, or whether there is really an air-gapped network today.
Are Air-Gapped Systems Really Secure and Effective?
In theory, air-gapped networks seem like a good idea. In practice, it is another story. Do they really guarantee isolation from the internet or from the corporate business network?
It has been proven in a number of different scenarios that air-gapped networks can be infiltrated. The most famous of these examples is Stuxnet, the worm that was able to target and disrupt, at Iran’s Natanz nuclear facility, the process of enriching uranium that could be used to manufacture nuclear warheads.
There are many other non-threatening examples, like modems and wireless networks being set up by contractors, maintenance staff, or control engineers to make it easier to transfer data in or out of the air-gapped networks. What about transient devices such as laptops, tablets and smartphones? Don’t forget about removable media (USB, CD-ROM, et al.), remote access, and data coming in via sneakernet (any means of transferring data without it traversing a network). Are these environments truly air-gapped?
All of these examples show that nothing is truly air-gapped, or that it can’t stay 100% air-gapped over time. Do air gaps give us a false sense of security? How many times do cybersecurity professionals hear, “Oh, we are air-gapped. We do not need to worry about cybersecurity”? If that is the case, how does someone know they are air-gapped if they do not assess or monitor their networks for new data coming in from removable media and transient devices, or for external network connections being set up with modems or VPNs?
At the end of the day, new data is coming into these so-called “air-gapped” environments. What’s the best management strategy?