Air gaps still a cheap and effective defence for critical networks: Kaspersky

Physically-separate networks aren't always the rule for industrial networks these days, said Eugene Kaspersky, but they should be.
Written by Stilgherrian , Contributor

When it comes to protecting critical networks, such as those running power stations and other industrial systems, an air gap is still "a very good idea", according to Eugene Kaspersky, founder of Kaspersky Lab -- and it's cheap.

Traditionally, an air gap was when the network containing critical industrial systems and the SCADA systems that control them -- including the (typically) Windows workstations used by the operators -- are communicating via a network that is physically separate from the internet.

These days, though, critical networks often have some sort of internet connectivity, perhaps to route the monitoring and control traffic to remote sites. Ideally, such connectivity is strictly limited to the control traffic.

Either way, non-control data could still find its way into the critical networks, and this must be prevented.

"Engineers, they are bringing the new updates, the new versions of the software, so they bring USB memory, notebooks, maybe CDs," Kaspersky told the AusCERT 2015 Information Security Conference on the Gold Coast on Thursday.

"Don't let them bring their data from outside to inside on the same memory. Make an air gap on a different operating system."

If the engineers travel with notebook computers running Windows, for example, then copy the software updates from those computers to a Linux or OS X machine, and then to the memory device that will ultimately transfer the data to the critical network.

"This air gap will block 99.99 percent of all known and future attacks -- it's not expensive. Maybe a couple of IT guys. Why a couple? Because one of them could be sick or on vacation," Kaspersky said.

"It doesn't guarantee 100 percent of protection, because if they really want to attack such a system, they will design Windows-Linux malware, which infects both, so anyway it will travel through this protection. It's more expensive to develop such malware. It's more risk to be recognised. But the air gap will be a very good improvement for the system, more close to the perfect security."

Kaspersky's definition of perfect security is when a system is protected so well that an attack must cost more than the potential damage to the target.

"Negative return on investment, simple. And [by] the cost of the attack, I don't mean just [the] money you need to pay for the engineers to design this attack. I also mean political attribution risks -- to be found, arrested, or attributed and real cruise missiles will be sent back to the source of the attack," Kaspersky said.

"So the power plant must be protected so well from [cyber attacks] that it's less expensive to send a cruise missile to destroy it."

Another inexpensive technique is to put a filter device running a secure operating system between the SCADA controller and the device it controls. That device can intercept commands that don't pass a reality check.

"For example, don't let SCADA change the speed of a turbine, to protect the turbine from resonance. Easy," Kaspersky said. Or don't allow gas pressure changes outside pre-set limits.

"Of course the SCADA has these controls itself, but it can be hacked, and the extra filters placed on the secure operating system will protect turbines from the most dangerous scenarios. Easy."

Stilgherrian travelled to the Gold Coast as a guest of AusCERT, and has previously travelled as a guest of Kaspersky Lab.

Editorial standards