Nov 21, 2024

The Air Gap Won’t Save You – Isolated Network Security Info You Need

Most security disclosures are short-lived events. Often, critical vulnerabilities, such as the ETH0 Stack Vulnerability (2022), are patched and fade into history. In the constantly shifting landscape of OT cybersecurity, one concept has persisted for decades—the air gap. Isolated network security has traditionally been seen as the ultimate security measure for critical operational technology (OT) systems. That dogma has come under scrutiny, however, as many organizations that relied on air gapping as their sole method of securing their environment quickly learned that they were “accidentally converged”. Are air gaps in OT network security a relic of the past, or can they evolve to meet the challenges of emerging threats such as IoT vulnerabilities and Bluetooth exploits?

An Isolated Network’s False Sense of Cybersecurity

Even in the most isolated OT environments, convergence can result from organizations integrating IT and OT systems for operational efficiencies, remote monitoring, and data analysis, or through the adoption of new technologies like IIoT and cloud services. In other environments, convergence happens accidentally. Without careful segmentation, security controls, and awareness, convergence increases the attack surface, dissolving the traditional air gap that once protected OT environments from external cyber threats.

Air gaps are dissolving and are no longer viewed as impenetrable security solutions; experts now regard them as providing a misleading sense of security. Modern cyber threats and attack vectors have evolved to exploit even the most isolated systems.

Notable Breaches of Air-Gapped Systems

Recent incidents highlight the vulnerabilities of air-gapped systems. The Pipedream/Incontroller (2022) attack demonstrated how bad actors could leap over air gaps by using malicious code. In 2020, Snake/EKANS ransomware specifically targeted OT networks in industries like energy, manufacturing, and healthcare. Though it initially infiltrated IT networks, EKANS had functionality designed to disable ICS processes, raising concerns about its ability to cross air-gapped environments through lateral movement or insider threats. While a critical device on an isolated or air-gapped network may appear to be impenetrable, it can quickly become the Achilles’ heel of the operation because it is often unpatched, unprepared and unprotected.

Best Intentions, Bad Results

Each of the following methods can be exploited to breach air-gapped networks by providing unintended communication channels or vulnerabilities that connect isolated OT systems to external networks.

Acoustic

Acoustic (sound) waves can be used as a covert communication channel between air-gapped devices. Malware like “AirHopper” or “Ultrasonic Cross-Talk” can transmit data through high-frequency sound waves, using a computer’s speakers and microphones as both transmitter and receiver. Devices within close proximity may inadvertently create a bridge across the air gap via sound waves. If an air-gapped system is infected with malware, it can transmit data acoustically to a nearby networked device, which then sends the data over the internet.

Light

Devices can use LEDs or other light-emitting sources as communication channels. Malware like “BitWhisper” can manipulate the blinking of status LEDs on network cards, routers, or even keyboards to send binary signals across the air gap to nearby devices equipped with light sensors or cameras. A device with a camera (like a surveillance camera or even a smartphone) can “accidentally” be in the line of sight of an LED blinking covertly to transmit data from an air-gapped system. This can create a bridge, where the data collected from the LED’s light signals is then sent to external networks.

Seismic

Seismic vibrations (from machinery, hard drives, or even fans) can be manipulated to transmit signals. Researchers have demonstrated how hard drive activity can be used to generate vibrations that can be detected by nearby devices equipped with vibration sensors (like accelerometers). If an air-gapped OT system operates in close proximity to IT systems that are connected to the internet, vibrations can transmit small bits of information to nearby sensors, unintentionally bridging the gap. A nearby internet-connected device can pick up these vibrations and relay the data externally.

Electromagnetic Emissions

Electronic devices emit electromagnetic radiation (EMR) during normal operation, such as from their CPU, network cards, or power supply units. Attackers can use methods like TEMPEST attacks to capture and decode these emissions, effectively “listening” to the signals being produced by air-gapped machines. Devices in close physical proximity to air-gapped systems, such as smartphones or IoT devices, could accidentally detect these electromagnetic signals if they are inadequately shielded. If an infected or compromised IT device can interpret these signals, it may send captured data to the attacker via the internet.

Thermal

Thermal (heat) emissions from computer components like CPUs and GPUs can be used to communicate data. The “BitWhisper” method demonstrates how malware can cause intentional heat fluctuations in one computer, which can be detected by temperature sensors in a nearby air-gapped machine. Air-gapped systems may unintentionally share thermal environments with other networked systems. A compromised networked device could detect these temperature changes and relay data to an attacker, effectively bridging the air gap.

Radio Frequency (RF)

Many industrial devices generate unintended RF signals as part of their normal operation. Malware like “AirHopper” or “Funtenna” can intentionally modulate these RF emissions to encode and transmit data to nearby RF receivers such as radios or mobile devices. Nearby networked devices can inadvertently receive these RF emissions. If these devices are compromised, they can interpret the RF signals from the air-gapped system and send the data to external networks, bridging the gap.

Physical Media

Physical media such as USB drives, CDs, DVDs, or external hard drives are often used to transfer data between air-gapped systems and other networks. Malware (e.g., Stuxnet) can exploit this by infecting the physical media and spreading to both air-gapped and networked systems. An infected USB drive or other physical media may be unknowingly plugged into both air-gapped and internet-connected systems by users or technicians. This effectively bridges the air gap.

The Evolution of Air-Gap Strategies

Manufacturing and critical infrastructure organizations face significant cybersecurity challenges in their Operational Technology (OT) environments due to the increasing convergence of IT and OT systems, the rise of Industrial Internet of Things (IIoT) devices, and sophisticated cyber threats. Applying robust cybersecurity to OT environments requires a comprehensive, multi-layered approach that prioritizes both system integrity and operational continuity. Here’s how these organizations should apply cybersecurity to their OT environments:

Risk Assessment and Asset Inventory

  • Conduct a thorough risk assessment – Identify critical OT assets, vulnerabilities, and potential cyber threats. This includes understanding how OT and IT systems interact, the potential attack surfaces, and the impact of a cyber incident on physical operations and safety.
  • Maintain a real-time asset inventory – Use automated tools to continuously discover and track all IT, OT, and IoT devices, their connections, and software versions. Many OT devices were never designed with security in mind, making them more vulnerable. Understanding what assets are in your network is the first step in securing them.

Network Segmentation

  • Segment IT and OT networks – Ensure that OT systems are isolated from IT systems by implementing robust network segmentation. Use firewalls, data diodes, or VLANs to strictly limit communication between OT and IT networks, reducing the chance of lateral movement by attackers.
  • Apply zones and conduits – Follow the ISA/IEC 62443 standard for creating security zones based on the criticality of OT systems and using controlled conduits for communication between zones. This compartmentalizes potential cyberattacks, preventing them from spreading across the entire network.
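The zone-and-conduit model above is easiest to reason about when it is written down as data and checked mechanically. The following is an added example (not Armis code, and not taken from ISA/IEC 62443 itself) that declares four illustrative zones, lists the only conduits permitted between them, and audits constructed connection records against that policy. The zone address ranges, the conduit list, the port numbers and the `src dst proto dport` log format are all assumptions made for the example; note that the policy deliberately has no IT-to-OT conduit at all, so a workstation reaching a PLC directly is reported as the kind of accidental convergence the article describes.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed zone map, loosely following the ISA/IEC 62443 zone-and-conduit model.
# The address ranges are illustrative (RFC 1918 space), not from any real plant.
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),                # historian / jump host
    "ot_supervisory": ipaddress.ip_network("192.168.10.0/24"),  # SCADA servers, HMIs
    "ot_control": ipaddress.ip_network("192.168.20.0/24"),      # PLCs, RTUs
}

# Declared conduits: (source zone, destination zone, protocol, destination port).
# Anything not listed is denied. There is deliberately no enterprise_it -> ot_* conduit:
# IT reads process data only from the DMZ historian, which OT pushes to one way.
CONDUITS = {
    ("ot_supervisory", "ot_control", "tcp", 502),  # Modbus/TCP polling from SCADA to PLCs
    ("ot_supervisory", "dmz", "tcp", 443),         # historian replication out to the DMZ
    ("enterprise_it", "dmz", "tcp", 443),          # IT dashboards read from the DMZ
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no declared zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason). Intra-zone traffic is permitted; cross-zone
    traffic must match a declared conduit exactly, including its direction."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return False, f"unclassified address ({src_zone} -> {dst_zone})"
    if src_zone == dst_zone:
        return True, f"intra-zone {src_zone}"
    key = (src_zone, dst_zone, flow.proto.lower(), flow.dport)
    if key in CONDUITS:
        return True, f"conduit {src_zone} -> {dst_zone} {flow.proto}/{flow.dport}"
    return False, f"no conduit {src_zone} -> {dst_zone} {flow.proto}/{flow.dport}"


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst proto dport' record (constructed log format for this example)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto, int(dport))


def audit(lines) -> list[str]:
    """Return one finding per connection record that the conduit policy does not allow."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        allowed, reason = evaluate(flow)
        if not allowed:
            findings.append(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    return findings


# Constructed sample records: three legitimate conduit uses and two violations
# (an IT workstation talking straight to a PLC, and a PLC initiating towards the DMZ).
SAMPLE_FLOWS = [
    "192.168.10.5 192.168.20.7 tcp 502",   # SCADA -> PLC, allowed
    "192.168.10.5 10.20.0.10 tcp 443",     # SCADA -> DMZ historian, allowed
    "10.10.3.44 10.20.0.10 tcp 443",       # IT -> DMZ historian, allowed
    "10.10.3.44 192.168.20.7 tcp 502",     # IT -> PLC directly: accidental convergence
    "192.168.20.7 10.20.0.10 tcp 443",     # PLC -> DMZ: wrong direction, not a conduit
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The same `evaluate` function can be pointed at exported firewall rules instead of observed flows to find permit rules that no declared conduit justifies, which is the static half of keeping a segmentation design honest.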

Implement Strong Access Controls

  • Role-based access control (RBAC) – Restrict access to OT systems based on the principle of least privilege, ensuring that only authorized personnel can access specific systems or data. Use RBAC to control who can make changes to OT configurations, especially for critical systems.
  • Multi-factor authentication (MFA) – Require MFA for any access to critical OT systems, particularly when remote access is necessary. This adds an extra layer of protection against credential-based attacks.
  • Network access control (NAC) – Implement NAC solutions to identify and authenticate devices connecting to the OT network, blocking unauthorized devices and reducing the risk of rogue devices infiltrating the network.

Secure Remote Access

  • Minimize and monitor remote access – Only allow remote access to OT environments when absolutely necessary, and ensure that access is limited to specific time frames and personnel. Use secure methods like virtual private networks (VPNs) with strong encryption, and ensure all access is logged and monitored.
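The three access-control bullets and the remote-access bullet describe one decision: does this user, with these roles, get to perform this action on this asset class right now? The following is an added example (not Armis code) that evaluates such a request in the order least privilege, then MFA, then an approved time-boxed remote window. The role names, permissions, asset classes, users and time windows are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Constructed role model: permissions are (asset class, action) pairs and each
# role holds only what that job needs (least privilege).
ROLE_PERMISSIONS = {
    "operator": {("ot_supervisory", "view"), ("ot_supervisory", "ack_alarm")},
    "control_engineer": {("ot_supervisory", "view"), ("ot_control", "view"),
                         ("ot_control", "change_config")},
    "it_admin": {("enterprise_it", "view"), ("enterprise_it", "change_config")},
}
CRITICAL_ACTIONS = {"change_config"}  # anything that can alter process behaviour


@dataclass
class AccessRequest:
    user: str
    roles: frozenset[str]
    asset_class: str
    action: str
    mfa_verified: bool
    remote: bool
    when: datetime


@dataclass
class RemoteWindow:
    """An approved, time-boxed remote session for one user and one asset class."""
    user: str
    asset_class: str
    start: datetime
    end: datetime


def decide(req: AccessRequest, windows: list[RemoteWindow]) -> tuple[bool, str]:
    """Evaluate RBAC, then MFA, then the remote-access window; the first failure wins."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.asset_class, req.action) not in granted:
        return False, "rbac: no assigned role grants this action on this asset class"
    if (req.action in CRITICAL_ACTIONS or req.remote) and not req.mfa_verified:
        return False, "mfa: required for critical actions and for all remote access"
    if req.remote and not any(
        w.user == req.user and w.asset_class == req.asset_class and w.start <= req.when <= w.end
        for w in windows
    ):
        return False, "remote: no approved access window covers this request"
    return True, "allow"


# Constructed sample data: one approved remote window and a handful of requests.
SAMPLE_WINDOWS = [
    RemoteWindow("eng1", "ot_control", datetime(2024, 11, 21, 9, 0), datetime(2024, 11, 21, 11, 0)),
]
_T_IN = datetime(2024, 11, 21, 10, 0)   # inside the approved window
_T_OUT = datetime(2024, 11, 21, 15, 0)  # outside the approved window
ENG = frozenset({"control_engineer"})
SAMPLE_REQUESTS = {
    "onsite_engineer_with_mfa": AccessRequest("eng1", ENG, "ot_control", "change_config", True, False, _T_OUT),
    "operator_tries_config": AccessRequest("op7", frozenset({"operator"}), "ot_control", "change_config", True, False, _T_IN),
    "remote_in_window_no_mfa": AccessRequest("eng1", ENG, "ot_control", "change_config", False, True, _T_IN),
    "remote_in_window_mfa": AccessRequest("eng1", ENG, "ot_control", "change_config", True, True, _T_IN),
    "remote_out_of_window_mfa": AccessRequest("eng1", ENG, "ot_control", "change_config", True, True, _T_OUT),
}


def run_samples() -> dict[str, tuple[bool, str]]:
    """Decide every sample request against the sample windows."""
    return {name: decide(req, SAMPLE_WINDOWS) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

Every denial carries a reason string so that the access log records which control fired, which is what makes the "ensure all access is logged and monitored" part of the bullet actionable.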

Patch and Vulnerability Management

  • Vulnerability scanning and assessments – Conduct regular vulnerability assessments of OT environments to identify weaknesses. Use multi-detection tools that do not interfere with OT system operations to find vulnerabilities and other security issues, and prioritize remediation according to business criticality.
  • Regularly patch OT systems – While patching in OT environments can be difficult due to operational constraints such as scheduled maintenance windows, it’s crucial to apply security patches for critical vulnerabilities as quickly as possible. Develop a patch management strategy that identifies and prioritizes what gets patched when, thus minimizing downtime and disruption.

Intrusion Detection and Monitoring

  • Deploy a comprehensive intrusion detection solution – Deploy security tooling designed for IT/OT/IoT environments to monitor traffic for signs of unusual or malicious activity. Solutions that cover all assets can monitor the behavior of every device and flag potential breaches even when an attacker moves laterally from one asset class to another.
  • Implement continuous monitoring – Use Security Information and Event Management (SIEM) systems that can ingest OT-specific data to correlate security events. Continuous monitoring enables real-time threat detection and faster response to incidents.
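The "laterally move from one asset class to another" case in the first bullet is a correlation problem rather than a single-event match: no individual login is wrong, but the chain IT workstation to engineering workstation to PLC inside a short window is. The following is an added example (not Armis code, and not any SIEM's rule language) that correlates constructed authentication events per user and raises an alert when a chain that starts on an IT asset reaches a control device within thirty minutes. The asset inventory, host names, event format and window length are assumptions made for the example.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory mapping host -> asset class. In practice this comes
# from the real-time inventory described earlier; these names are illustrative.
ASSET_CLASS = {
    "WS-IT-17": "it",               # corporate workstation
    "EWS-01": "ot_eng",             # engineering workstation
    "HMI-02": "ot_supervisory",     # operator HMI
    "PLC-LINE3": "ot_control",      # controller on a production line
}
WINDOW = timedelta(minutes=30)     # how fast a chain must complete to be suspicious


def parse_event(line: str) -> dict:
    """Parse '<ISO timestamp> <user> <src_host> <dst_host> <action>' (constructed format)."""
    ts, user, src, dst, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst, "action": action}


def detect_lateral_movement(lines) -> list[str]:
    """Alert when one user's successful logins form a chain that begins on an IT
    asset and reaches an ot_control asset within WINDOW of the first hop."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["action"] == "login_ok":        # failed attempts do not extend a chain
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        path: list[str] = []                  # hosts in the current chain
        start = None                          # timestamp of the chain's first hop
        for ev in events:
            if ASSET_CLASS.get(ev["src"]) == "it":
                path, start = [ev["src"], ev["dst"]], ev["ts"]          # new chain from IT
            elif path and ev["src"] == path[-1] and ev["ts"] - start <= WINDOW:
                path.append(ev["dst"])                                   # extend the chain
            else:
                continue                                                 # unrelated login
            if ASSET_CLASS.get(ev["dst"]) == "ot_control":
                alerts.append(f"{user}: {' -> '.join(path)} within {ev['ts'] - start}")
                path, start = [], None
    return alerts


# Constructed sample events: one multi-hop chain, one chain that is too slow,
# one session that began inside OT, one failed attempt, and one direct IT -> PLC hop.
SAMPLE_EVENTS = [
    "2024-11-21T08:00:00 jdoe WS-IT-17 EWS-01 login_ok",
    "2024-11-21T08:07:30 jdoe EWS-01 PLC-LINE3 login_ok",     # 7.5 min after the IT hop: alert
    "2024-11-21T09:00:00 asmith HMI-02 PLC-LINE3 login_ok",   # started inside OT: no alert
    "2024-11-21T10:00:00 bkim WS-IT-17 EWS-01 login_ok",
    "2024-11-21T12:00:00 bkim EWS-01 PLC-LINE3 login_ok",     # two hours later: outside WINDOW
    "2024-11-21T13:00:00 jdoe WS-IT-17 PLC-LINE3 login_fail", # failed: ignored
    "2024-11-21T14:00:00 cvendor WS-IT-17 PLC-LINE3 login_ok",# direct IT -> PLC: alert
]

if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The window is the tuning knob: too short and a slow, patient operator is missed, too long and routine maintenance sessions start to trip it, so it should be set from the site's own observed session patterns rather than from a fixed default.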

Incident Response and Recovery Plans

  • Develop OT-specific incident response (IR) plans – Design tailored incident response plans that account for the unique needs of OT environments, including the protection of physical safety while also minimizing operational disruption. Ensure IR plans are regularly tested and updated.
  • Backup and restore capabilities – Ensure critical OT systems are regularly backed up, and test the restoration process to minimize downtime in the event of a cyberattack. Implement offline backups for essential data and system configurations that are not accessible over the network.

Supply Chain and Vendor Management

  • Secure the supply chain – Conduct cybersecurity assessments of all third-party vendors, suppliers, and contractors who access OT environments. Ensure they follow security best practices and adhere to your organization’s security policies.
  • Use trusted and verified components – Only use hardware and software from trusted vendors. Apply integrity checks for firmware, drivers, and other critical OT software to prevent the introduction of malware via the supply chain.
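The "integrity checks for firmware, drivers, and other critical OT software" bullet, together with the physical-media section earlier, comes down to one control at the point where removable media crosses into the isolated network: accept only files that were listed, with matching hashes, and nothing else. The following is an added example (not Armis code, and not any vendor's signing scheme) in which the release side builds a manifest of SHA-256 digests sealed with an HMAC, and the transfer station verifies the media against it. The shared secret, the file names and contents, and the HMAC-based seal are assumptions for the example; a production scheme would more likely use an asymmetric signature so the transfer station holds no secret that could sign new manifests.

```python
from __future__ import annotations
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(digests: dict[str, str]) -> bytes:
    # Fixed key order and no whitespace so both sides seal and verify the same bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Release side: list every permitted file with its SHA-256 and seal the list
    so the manifest itself cannot be edited on the media without detection."""
    digests = {name: sha256_hex(data) for name, data in files.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "tag": tag}


def verify_media(files: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Transfer-station side: return a list of findings. An empty list means the media
    holds exactly the files the manifest authorises, each with the expected hash."""
    expected = hmac.new(key, _canonical(manifest.get("files", {})), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        return ["manifest: tag does not verify; the manifest was altered or the wrong key is in use"]
    findings = []
    for name, data in files.items():
        if name not in manifest["files"]:
            findings.append(f"{name}: not listed in manifest (unexpected file on media)")
        elif not hmac.compare_digest(sha256_hex(data), manifest["files"][name]):
            findings.append(f"{name}: SHA-256 mismatch (file altered after manifest was built)")
    for name in manifest["files"]:
        if name not in files:
            findings.append(f"{name}: listed in manifest but missing from media")
    return findings


# Constructed sample: a placeholder shared secret (assumption for the example) and
# two release files whose bytes are made up here.
KEY = b"demo-transfer-station-key"  # placeholder, not a real secret
RELEASE_FILES = {
    "plc_fw_v2.bin": b"\x7fFIRMWARE-IMAGE-BYTES-constructed-for-the-example",
    "release_notes.txt": b"Firmware v2: fixes watchdog reset on cold start.\n",
}
MANIFEST = build_manifest(RELEASE_FILES, KEY)


def tampered_media() -> dict[str, bytes]:
    """What a modified stick might carry: the firmware image altered and an extra file added."""
    media = dict(RELEASE_FILES)
    media["plc_fw_v2.bin"] = media["plc_fw_v2.bin"] + b"\x00"
    media["extra_tool.exe"] = b"MZ-constructed-bytes"
    return media


if __name__ == "__main__":
    print("clean media:", verify_media(RELEASE_FILES, MANIFEST, KEY) or "OK")
    for finding in verify_media(tampered_media(), MANIFEST, KEY):
        print("tampered media:", finding)
```

Checking for files that are absent from the manifest matters as much as checking hashes: an attacker who cannot alter a signed firmware image can still add a file and rely on a technician opening it.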

Security by Design for New OT Systems

  • Build security into OT system development – When deploying new OT systems, follow the “security by design” principle. Ensure that devices are capable of being securely managed and updated, and that security controls are integrated throughout the system lifecycle.
  • Secure procurement standards – Implement strict security standards in procurement processes to ensure that new OT systems meet industry best practices for cybersecurity.

Employee Training and Awareness

  • Train staff on cybersecurity – Ensure that all employees, especially those managing or interacting with OT systems, are trained on cybersecurity best practices. They should be aware of how cyberattacks can impact physical safety and operational uptime, and how to recognize and respond to threats.

Compliance with Industry Standards and Regulations

  • Adopt relevant cybersecurity frameworks – Implement widely recognized OT security frameworks and standards, such as ISA/IEC 62443 for industrial control systems, NIST SP 800-82 for ICS security, or the NERC CIP standards for the energy sector.
  • Stay compliant with regulations – Many critical infrastructure sectors are subject to government-mandated cybersecurity regulations. Ensure compliance with relevant regulations, including data protection, critical infrastructure protection, and safety requirements.

Zero Trust Architecture

  • Apply Zero Trust principles in OT – Apply a Zero Trust model to OT environments. This involves continuous verification of every device, user, and connection, regardless of whether they are inside or outside the network.

Conclusion

Manufacturing and critical infrastructure organizations must adopt a holistic approach to securing their OT environments by implementing a combination of strong network segmentation, access control, monitoring, incident response, and employee training. As OT systems become more connected to IT networks, the traditional air gap is no longer enough to prevent cyberattacks. By integrating IT security best practices with OT-specific solutions and adhering to industry standards, organizations can significantly reduce their cyber risk while maintaining operational safety and uptime.



Originally published February 27, 2018, last updated November 21, 2024
