Oct 21, 2021

Chapter 2 – The OT air gap dissolved: A playbook


The convergence between information technology (IT) and operational technology (OT) is dissolving the air gap that, in the past, has kept industrial and manufacturing environments relatively safe from cyberattacks.

Air-gapped networks are isolated from the internet and enterprise IT networks to protect industrial control systems (ICS) and OT from external threats. Think of the potential risk of having reactors in a nuclear plant connected to the internet.

For obvious security reasons, you don’t want critical infrastructure being manipulated remotely over the internet. An air-gapped network makes it more difficult for hackers to gain access to those environments. Difficult, but not impossible.

Why the air gap is dissolving

Not only are hackers exploring new tactics to infiltrate air-gapped networks, but the air gaps themselves are also dissolving.

Industrial modernization

Many plants are air-gapped by design because they were built before the internet. When industries started to incorporate digital technology, they kept it under a controlled environment. 

Initiatives to modernize dated industrial facilities are now dissolving the air gap between OT and IT silos. Equipment that was once stand-alone, such as pumps and valves, can now be automated and controlled remotely for efficiency and effectiveness. In addition, OT devices are now built on top of common platforms such as Windows and Linux rather than on proprietary, less widely known systems. These trends increase industries’ exposure to cyberattacks.

Demand for real-time data

Companies are converging IT with operations to boost their efficiency and reduce costs. 

For example, real-time access to data can facilitate planning and reduce downtime. Organizations are combining IT and OT to revolutionize operations, improving their capabilities and reach. 

One example is the use of machine-driven coal refinery trucks, controlled remotely from a command center. This type of automation enables mining operations in remote areas to keep running continuously.

Internet of Things

The proliferation of Internet of Things (IoT) devices exposes industrial environments to a growing number of threats, especially when employees bring their own smart devices, such as tablets, smartphones, and smartwatches, to work.

Organizations are also relying more on IoT devices such as surveillance cameras and devices found in building management systems, such as smart door locks.

Is the Purdue model obsolete?

The Purdue Enterprise Reference Architecture (PERA) has been the standard control model in industrial environments, dividing operations into six levels (0-5) separated by defined boundaries. The air gap typically sits between operations (levels 0-3) and the IT network (levels 4-5), as indicated in the image below.

[Image: Armis diagram of the Purdue model levels]

This hierarchical structure was established in the 1990s. It doesn’t reflect the challenges of the Industry 4.0 era.

Increased use of demilitarized zones (DMZs)

With the advance of technology, organizations are increasingly breaking the silos between OT and IT to achieve efficiencies in costs and processes. For this reason, administrators are using firewalls to mediate communication in demilitarized zones (DMZs) between levels 3 and 4.

The SANS Institute, a reference in cybersecurity, still sees value in the Purdue classification as a conceptual framework that laid the foundation for ICS security. For example, the National Institute of Standards and Technology’s Guide to Industrial Control Systems (NIST 800-82) recommends separating ICS from the corporate network and deploying a DMZ to prevent traffic between the two layers.
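To make the level 3/4 boundary concrete, the following is an added example (not code from Armis, SANS or NIST 800-82) that audits a zone-based firewall rule set against the segmentation NIST 800-82 describes: OT levels 0-3 and enterprise levels 4-5 never exchange traffic directly, everything crosses through a level 3.5 DMZ, and the DMZ only accepts explicitly listed services. The zone names, the rule tuple format, the service allow-list and both rule sets are constructed for illustration; a weak rule set with a direct OT-to-IT path sits beside a corrected one.

```python
"""Audit firewall rules for Purdue-style OT/IT segmentation (added example)."""

# Constructed zone model: Purdue levels as named zones plus a level 3.5 DMZ.
OT_LEVELS = {"L0", "L1", "L2", "L3"}
IT_LEVELS = {"L4", "L5"}
DMZ = "L3.5-DMZ"
# Hypothetical allow-list of services the DMZ may broker between the layers.
ALLOWED_DMZ_SERVICES = {"https", "opc-ua", "historian"}

# A rule is (source_zone, dest_zone, service, action); "any" is a wildcard.
WEAK_RULES = [
    ("L3", "L4", "any", "allow"),    # direct OT -> IT path, no DMZ in between
    ("L4", "L3", "rdp", "allow"),    # enterprise RDP straight into the control network
    ("any", "any", "any", "allow"),  # permissive default instead of default deny
]

HARDENED_RULES = [
    ("L3", DMZ, "historian", "allow"),  # OT pushes process data into the DMZ
    ("L4", DMZ, "https", "allow"),      # IT reads it from the DMZ over HTTPS
    (DMZ, "L3", "opc-ua", "allow"),     # only a listed service re-enters OT
    ("any", "any", "any", "deny"),      # explicit default deny
]


def classify(zone):
    """Collapse a zone name into the layer it belongs to."""
    if zone in OT_LEVELS:
        return "ot"
    if zone in IT_LEVELS:
        return "it"
    if zone == DMZ:
        return "dmz"
    return "any"


def audit(rules):
    """Return (rule_index, reason) for every allow rule that weakens the boundary."""
    findings = []
    for i, (src, dst, service, action) in enumerate(rules):
        if action != "allow":
            continue
        s, d = classify(src), classify(dst)
        if {s, d} == {"ot", "it"}:
            findings.append((i, "direct OT<->IT path bypasses the DMZ"))
        elif "any" in (s, d):
            findings.append((i, "wildcard zone in an allow rule"))
        elif "dmz" in (s, d) and service not in ALLOWED_DMZ_SERVICES:
            findings.append((i, f"service {service!r} not on the DMZ allow-list"))
    return findings


def has_default_deny(rules):
    """The final rule must be an explicit deny-all."""
    return bool(rules) and rules[-1] == ("any", "any", "any", "deny")


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: default deny={has_default_deny(rules)}")
        for idx, reason in audit(rules):
            print(f"  rule {idx} {rules[idx]}: {reason}")
```

The audit deliberately treats any allow rule that pairs an OT level with an IT level as a finding regardless of service, because the boundary NIST 800-82 recommends is a topology constraint, not a port filter: a single "allow L3 to L4" rule re-creates the direct path the DMZ exists to remove.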

According to a survey by the SANS Institute, 49% of the respondents in the ICS/OT industries reported using a DMZ between IT and OT networks. In addition, 42% of the respondents said that their control systems had direct connectivity to the internet. In 2019, that figure was 12%. The SANS Institute’s report notes that this increase might be attributed to a series of factors, from higher adoption of cloud-based technologies to a better understanding of connectivity pathways.

Don’t let lower perceived risks of air-gapped networks deceive you

Air-gapped networks give a false notion of high security. At Armis, we often hear from new clients that there’s nothing to worry about because their OT is air-gapped. However, when deploying our agentless device security platform, we quickly find vulnerabilities in their air-gapped networks.

A common point of exposure is the engineering workstation, which typically runs Windows or Linux. Thanks to our platform, an organization recently discovered that one of its engineers was using an “air-gapped” workstation to access social media sites. Something as seemingly trivial as checking Facebook in your spare time at work can expose a critical environment to a series of security risks, while also showing how easily air gaps can be breached.

Manufacturers often focus on the security of their own devices but do not consider the implications of employees bringing personal devices to work. We once discovered that an employee of one of our clients had taken a smart exercise bike to the office. The bike was transmitting large amounts of traffic from what was supposed to be a controlled environment.

A roadmap to comprehensive ICS security

Air gaps as a stand-alone security measure are not sufficient to protect organizations from threats that are growing in sophistication. The increased attack surface of the Industry 4.0 era makes security even more challenging. Here are a few steps that security leaders should consider:

1. Raise employee awareness

Organizations might think that their ICS networks are 100% air-gapped, but they are not. Misconfigured firewalls and policy violations by users both increase the risk of exposure. In fact, many attacks leverage employees’ lack of awareness of, or compliance with, proper security procedures.

Employees might fall victim to phishing attacks or create security breaches by connecting peripherals (for example, unauthorized flash drives) to air-gapped computers. That’s why it is crucial to better train employees with access to air-gapped systems.

2. Invest in agentless and passive monitoring solutions

Traditional IT solutions rely on agents or active scanning. They don’t work for protecting industrial environments because:

  • Most OT and IoT devices cannot accommodate agents. 
  • Network scans can disrupt or crash OT devices, leading to downtime and jeopardizing employee safety.

ICS and manufacturing environments need an agentless solution like Armis, which works with all devices, managed and unmanaged, IT or OT/ICS. Our platform provides visibility into devices at all levels of the Purdue architecture and monitors the communication between them in real time.

3. Understand the importance of asset management

Organizations need holistic device visibility into their OT and IT networks. The idea is that you can’t secure what you don’t know exists. When deployed, the Armis platform discovers all assets in your environment and performs a risk assessment to identify any vulnerability and threat. 
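The two anecdotes above (an “air-gapped” workstation reaching social media, an undocumented exercise bike generating heavy traffic) and the two steps on passive monitoring and asset visibility all come down to the same defensive question: which hosts exist on the OT side, and which of their conversations should the air gap have made impossible? The following added example (not Armis platform code) shows that logic over constructed flow records such as a SPAN port or NetFlow collector would produce after parsing. The site’s Purdue zoning, the documented asset list and every flow line are constructed assumptions; anything outside the listed zones is treated as external rather than relying on RFC 1918 checks, because a host that is not in the zone map is exactly what the inventory is meant to surface.

```python
"""Passive OT inventory and air-gap violation detection (added example)."""
import ipaddress
from collections import defaultdict

# Hypothetical Purdue zoning for one site (constructed assumption).
ZONES = {
    "L1-controllers": ipaddress.ip_network("10.10.1.0/24"),
    "L2-hmi":         ipaddress.ip_network("10.10.2.0/24"),
    "L3-ops":         ipaddress.ip_network("10.10.3.0/24"),
    "L3.5-dmz":       ipaddress.ip_network("10.10.35.0/24"),
    "L4-enterprise":  ipaddress.ip_network("10.20.0.0/16"),
}
OT_ZONES = {"L1-controllers", "L2-hmi", "L3-ops"}
IT_ZONES = {"L4-enterprise"}

# Constructed asset register: what the site believes is on the OT side.
DOCUMENTED_ASSETS = {"10.10.1.7", "10.10.2.15", "10.10.3.21", "10.10.3.40"}

# Constructed flow records: timestamp src dst dst_port bytes.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for internet destinations.
FLOWS = """\
2021-10-21T08:00:01 10.10.2.15 10.10.1.7 502 1200
2021-10-21T08:00:05 10.10.3.40 10.10.35.10 1433 8800
2021-10-21T08:01:12 10.10.3.21 203.0.113.35 443 524000
2021-10-21T08:02:00 10.10.2.99 10.10.35.10 443 0
2021-10-21T08:02:30 10.10.3.40 10.20.5.8 445 3000
2021-10-21T08:05:00 10.10.2.99 198.51.100.9 443 9800000
"""


def zone_of(ip):
    """Map an address to its Purdue zone; anything unlisted is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flows(text):
    """Turn the whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def find_violations(flows):
    """(kind, src, dst) for each flow the air gap should have prevented."""
    found = []
    for f in flows:
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz in OT_ZONES and dz == "external":
            found.append(("ot-to-external", f["src"], f["dst"]))
        elif sz in OT_ZONES and dz in IT_ZONES:
            found.append(("ot-to-it-bypassing-dmz", f["src"], f["dst"]))
    return found


def build_inventory(flows):
    """Passive asset list for the OT zones: who was seen, where, sending how much."""
    inv = defaultdict(lambda: {"zone": None, "bytes_out": 0, "peers": set()})
    for f in flows:
        for ip in (f["src"], f["dst"]):
            z = zone_of(ip)
            if z in OT_ZONES:
                inv[ip]["zone"] = z
        if zone_of(f["src"]) in OT_ZONES:
            inv[f["src"]]["bytes_out"] += f["bytes"]
            inv[f["src"]]["peers"].add(f["dst"])
    return dict(inv)


def undocumented_assets(inventory, documented):
    """Hosts observed on the OT side that the asset register does not know."""
    return sorted(ip for ip in inventory if ip not in documented)


def top_talker(inventory):
    """The OT host that sent the most bytes in the window."""
    return max(inventory, key=lambda ip: inventory[ip]["bytes_out"])


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    inv = build_inventory(flows)
    print("undocumented OT hosts:", undocumented_assets(inv, DOCUMENTED_ASSETS))
    print("top talker:", top_talker(inv), inv[top_talker(inv)]["bytes_out"], "bytes")
    for kind, src, dst in find_violations(flows):
        print(f"{kind}: {src} -> {dst}")
```

On the constructed data the report lists 10.10.2.99 as an OT host missing from the register and as the top talker, and flags three flows: two OT hosts reaching external addresses and one level 3 host talking straight to the enterprise network without passing the DMZ. Everything here is derived from observed traffic, so no agent or active scan touches the controllers, which is the point of the passive approach described in step 2.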

This information is crucial to developing a plan to mitigate exposure. Book a risk assessment to see what the Armis Agentless Device Security Platform can find in your ICS environment.

4. Embrace the Zero Trust framework

Armis also helps organizations implement Zero Trust principles in their ICS environments. Initially coined by Forrester, the Zero Trust model has been key to improving ICS cybersecurity. This framework ensures that all devices and users are continuously verified in order to keep their network access.
