SCADA Air Gaps – A Philosophy Issue not a Technology Issue

Over the past month, I have received a number of emails and seen a number of LinkedIn articles suggesting that I was attacking the concept of data diodes when I stated that Air Gaps are a myth. Unfortunately, this is a serious misunderstanding of my message to the ICS/SCADA community.

I am not writing about technology when I say Air Gaps are impossible. Whether you use a firewall, a data diode or tin cans and string to filter and control your information flow is not my point. These are all valuable technologies (well, maybe not the last one). They are also not silver bullets, but when used intelligently in a defense-in-depth strategy, they can all do a lot to secure a control system.

Industrial Security: New Vulnerability Disclosure Framework A Step Forward

This is an excerpt from the Think Forward blog by Ernie Hayden at verizonbusiness.com 

In a move that may be helpful for critical infrastructure asset owners, on July 23 the Industrial Control Systems Joint Working Group (ICSJWG) published a new document on a framework for disclosing Industrial Control System (ICS) vulnerabilities.

Common Industrial Control System Vulnerability Framework

The Industrial Control Systems Joint Working Group (ICSJWG), which was established by the U.S. Department of Homeland Security Control Systems Security Program, published the document – Common Industrial Control System Vulnerability Framework. The document was developed with the intention of providing consensus-based guidance to vendors and system integrators in helping them create ICS vulnerability disclosure policies.

SCADA Security: Falling into the Air Gap Trap

This is an excerpt from the Practical SCADA Security blog at Tofino Security.

Last week I discussed how security experts and ICS / SCADA vendors are giving up on the dream of the air gap as a viable security solution for the modern control system. Unfortunately, it is still all too easy to believe your control system is isolated.

Recently I had a very enlightening conversation with a control engineer who thought his system was air gapped.

Are SCADA Air Gap Supporters a Dying Breed?

Last week I updated my air gap blog from 2011. I noted some companies (like Siemens) no longer mention air gaps. Then to keep things balanced, I added new examples of consultants that support the air gap theory. In particular, I selected this quote from Paul Ferguson at Trend Micro:

“I’ve written about SCADA issues in the past, but one issue that I’ve consistently tried to emphasize is that critical control systems should never, ever interact nor interconnect with Internet systems in any way, shape, or form. There’s a good reason for this, and it’s always been referred to as the “Air Gap” Principle.”

#1 ICS and SCADA Security Myth: Protection by Air Gap

This is an updated version of this article, which first appeared on Belden Blogs on March 3, 2012 and on TofinoSecurity.com on June 30, 2011.

Recently I gave a talk focused on air gaps as a security strategy in control systems. The talk was at the AusCERT 2012 conference and to my amazement, it generated a large amount of discussion in the media both inside and outside Australia. Here are a few examples:

While all this interest is very heartening, a number of the people commenting seem to have misunderstood my message. Today I am writing to make my views on air gaps a bit clearer.

Byres presenting “Unicorns and Air Gaps” at AusCERT 2012

Supporters of Air Gaps Do Exist

The theory of the air gap sounds great; by creating a physical gap between the control network and the business network, bad things like hackers and worms can never get into critical control systems. But as you can probably guess from the title of my blog, I don’t believe that true air gaps actually exist in the ICS and SCADA world.

Certainly, there are many people that disagree with me outright. For example, Paul Ferguson, an Internet Security Intelligence blogger at Trend Micro, recently wrote:

“I’ve written about SCADA issues in the past, but one issue that I’ve consistently tried to emphasize is that critical control systems should never, ever interact nor interconnect with Internet systems in any way, shape, or form. There’s a good reason for this, and it’s always been referred to as the “Air Gap” Principle.” 1

Similarly, last year there was a flood of SCADA and ICS vulnerability notices with advice on addressing the issue by using an air gap. One example I gave in the past came from the original Siemens Security Advisory addressing the vulnerabilities in Siemens SIMATIC S7-1200 PLC line:

“In addition, it is important to ensure your automation network is protected from unauthorized access using the strategies suggested in this document or isolate the automation network from all other networks using an air gap.” 2
