Clear the “air gap” myth to evade cyber threats
Securing critical infrastructure in the digital world
Legendary race car driver and designer Enzo Ferrari called the 1960s Jaguar E-Type "the most beautiful car ever made." Its style and character were undeniable. It could hit speeds of up to 240 kilometers per hour — and still keep people safe with one of the best braking systems of its time. While a lot of enthusiasts consider the E-Type to be perfect, it simply can’t compare to the modern features and capabilities of the latest Jaguar F-Type.
Operators of industrial networks in energy, manufacturing and other sectors are feeling a similar tension between hanging on to the past and embracing the future. The operational technology (OT) at the heart of their mission-critical infrastructure is aged, but it’s solidly designed and still brings safety and reliability to power grids, mines, railways and more. So why replace it?
The internet of things is a good reason. So are 5G and IP. Yet while the latest networking technologies could bring major benefits, many critical infrastructure operators are holding back out of fear that digital transformation will expose their aging systems to cyber threats they can’t handle.
“They have the opportunity to do things better, faster and cheaper, but are concerned about opening back doors to attackers and having critical assets compromised,” says Tim Best, Nordic Cybersecurity lead at EY. “When somebody comes along and says, ‘Why don’t we virtualize all this?’ or ‘Let’s move to 5G,’ you can see why they’d be scared.”
While it’s sensible to be cautious where cybersecurity is concerned, with the right approach, digital systems can be protected — and deliver a host of business benefits.
The myth of the “air gap”
Many critical infrastructure operators take reassurance from the fact that their OT systems have historically been “air gapped” — completely isolated from the public internet or any other less trusted network — and supported by a strong defensive perimeter of keycards or other physical barriers that limit access to consoles and terminals. But the air gap is vanishing, often whether operators know it or not, raising the question of what’s more concerning: a network you think is protected but isn’t, or one that’s deliberately open but backed by a robust security regime.
“There’s a difference between not being internet-connected and not being internet-reachable,” explains Holly Grace Williams, founder of cybersecurity testing company Akimbo Core. Williams is an ethical hacker who uses the same techniques as malicious actors to test companies’ defenses. She’s worked with many organizations that think their OT systems are closed off from the world but aren’t because they’re linked to internet-connected internal systems.
OT broadly refers to the industrial networks and systems that monitor and control complex physical processes: robots on a production line, emergency shutoffs in industrial facilities, traffic management systems for trains and aircraft, valves and pumps in oil and gas pipelines. In recent years, those OT systems have become increasingly interconnected with the information technology (IT) systems that handle finance, procurement, project management and other enterprise data sources. The automated, cross-organizational workflows resulting from that merger can help critical infrastructure operators improve productivity and implement predictive maintenance capabilities. But interconnectivity also means the air gap is no longer there and the threat surface that can be exploited by attackers is expanding.
“The more interconnected you get, the greater the risk an attacker can get in,” says Williams. “I’ve been able to access OT via the internet several times, finding my way through vulnerabilities in perimeter devices or published services like email servers and then pivoting into the OT network.”
Once a hacker breaches an OT system, they can make unauthorized changes to configurations or send inaccurate information to operators, disrupting workflows or disabling equipment. That could lead to environmental and economic impacts or even put lives in danger.
Hackers hitting from all sides
The Colonial Pipeline is by no means alone in falling prey to malicious online actors.
- December 2020: Hackers breach an internet-connected water reservoir system in Israel, gaining the ability to tamper with water pressure, temperature and other variables.
- February 2021: Hackers take advantage of internet-connected shareware to attack the SCADA systems of a Florida water treatment plant and increase the volume of sodium hydroxide being used. An attentive employee noticed before real harm was done.
- June 2021: The world’s biggest meat processing company, JBS, is hit with a ransomware attack that temporarily shuts down several U.S. plants.
Because OT systems play a critical role in industrial and public infrastructures, they have become an increasingly attractive target for cybercriminals and state-sponsored attackers — as seen in May 2021 when the Colonial Pipeline was hit by a ransomware attack. Operations were shut down to contain the breach, cutting off 45 percent of the eastern United States’ gasoline supply. That led to fuel shortages and panic buying at the pumps. While the pipeline itself was brought back online within days, it took months to restore all systems.
OT security depends on staying up to date
According to Bloomberg, the Colonial Pipeline attack used a single compromised password to access a virtual private network (VPN) for staff working offsite during the COVID-19 pandemic. The VPN didn’t have multifactor authentication as a security measure, highlighting what EY’s Best says is one of the big reasons air-gapped systems can become vulnerable when exposed to the internet: they’re not up to date with the outside world. He says he knows of some sites still using Windows NT or older.
“Industrial OT systems have long lifespans: up to 40 years in the energy sector and 30 in manufacturing. So you see sites with a mix of legacy and modern devices, all with very different security capabilities,” says Josef Urban, a technology lead at Nokia Bell Labs. “The legacy devices might lack the CPU and storage resources to store certificates, do encryption, run anti-virus or support larger firmware load sizes.”
In a recent Nokia survey of 62 organizations, 42 percent reported using industrial control systems between seven and 20 years old, with another five percent using systems more than two decades old. Like classic cars, these legacy systems can be difficult to maintain as time goes on. Because they can’t be proactively patched or updated in the same way modern systems can, they’re often put behind a firewall and left untouched. In many cases, older technologies simply weren’t designed with security in mind — think of the mechanical door locks and easy-to-access ignition wires of older vehicles versus today’s biometric access technologies and electronic ignition systems.
While some operators think 5G, IP and related technologies are inherently more vulnerable to attack because they’re digital or based in the cloud, Urban says that’s not the case, noting that the latest technologies have security baked in to protect the OT environment. 5G slicing is one example. IP/MPLS VPN is another. They are techniques for creating essentially distinct networks over a single, common infrastructure, which makes it possible to isolate traffic and shrink the threat surface for any one particular service. There are also capabilities such as network anomaly detection that intelligently monitor for threats and automatically respond — far more quickly than human teams possibly could.
When two become one: Bringing IT and OT together
As organizations look to interconnect their OT and IT, they need to take the vulnerabilities — and advantages — of each type of system into account. For Williams, that requires a strong focus on internal communication.
“Alignment on risk appetite is important,” she says. “Security specialists want to hold the line. They’d like to say no to everything, but that’s not really an answer as it limits your agility. On the business side, they might accept a higher level of risk later to get the benefits they want today. The security and business teams just need to talk to each other more and find the right balance.”
Greater alignment is also needed, says Best, in how IT and OT teams prioritize the pillars of cybersecurity: confidentiality, integrity and availability. In an IT system dealing with financial data, integrity and confidentiality are most important. That data has to stay private and can’t be manipulated. Availability still matters, but some downtime is okay. That’s not true in the OT world.
“Availability is the top concern for critical systems in ‘hard hat’ environments,” he says. “They must pump the oil. They must produce the widgets. They must extract the rubble out of the ground. Protecting availability, especially for national infrastructure that has to operate 24/7, is sacrosanct.”
Yet Best also warns that operators who resist updating their legacy systems because of an aversion to any amount of downtime are actually more vulnerable to attack due to the unpatched vulnerabilities — which can have a far bigger impact on availability than any planned outages. Both he and Williams agree that organizations can and should focus on all three pillars equally.
Following the telecoms example
Critical infrastructure operators are not the first to wrestle with bringing the OT and IT worlds together and opening them up to the internet. Telecommunications companies had to do the same about 20 years ago — with similar concerns about the criticality of their environments. Some of the lessons learned from that experience apply directly to the infrastructure situation.
For telcos, the challenge arose with the introduction of a new management network architecture that would support open, interconnecting management systems and eliminate the performance limitations and costs of old, closed, legacy systems.
The transition wasn’t easy. It took nearly three network generations to be fully completed and brought some hard-won insights, such as the fact that bolting digital solutions onto physical and closed-network systems doesn’t work. It leads to the accumulation of what Best calls “technical debt”: the equipment replacement and business opportunity costs that inevitably come after choosing easier, less expensive options over a cohesive, long-term IT/OT architectural vision.
“When you jump in without architecting, you’re in trouble,” adds Williams. “Bits and pieces of existing OT and new connectivity, that’s where the architectural conceit fails. It’s not a single plan, it’s not greenfield, so the vulnerabilities introduced aren’t fully understood.”
Today, telcos have answered the architectural questions. They’ve replaced standalone operations centers with orchestrated, global network and service operations centers that run 24/7 and are staffed remotely. That functionality is built on IT-type networks with service management capabilities and end-to-end, defense-in-depth security built in.
So how can critical infrastructure operators get there? According to Nokia Bell Labs, they can start by drawing on the fundamental principles of physical security they’re already using. That involves translating physical measures into their digital equivalents through a defense-in-depth strategy: several complementary countermeasures that together protect OT sites from attacks. Those countermeasures include firewalls, zoning of the OT network, and using artificial intelligence and machine learning to predict, detect and respond to threats.
For example, role-based identity and access management takes the place of physical keycards, with operators striving for “zero-trust” environments where system access is granted only on a need-to-know basis. Programmable network/system segmentation can be used to create sub-networks of devices with similar security requirements, which helps limit attackers’ movements if they get inside. And automated asset identification provides greater visibility into all critical systems and devices to ensure each one gets the level of protection that it needs.
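The following script illustrates Williams’ distinction between “not internet-connected” and “not internet-reachable” and the segmentation point above. It is an added example, not code from the article or from any of the companies quoted; the zone names, the permitted flows and the “before/after” policies are constructed for illustration. A zone is treated as reachable from the internet when some chain of allowed connections leads to it, even if it has no internet link of its own.

```python
from collections import deque

# Constructed zone model (not from the article): each zone lists the zones it
# may open connections to. The control zone never touches the internet, yet the
# corporate IT network can reach it, and an internet-facing mail host can reach IT.
BEFORE = {
    "internet":   ["dmz_mail"],
    "dmz_mail":   ["it_corp"],
    "it_corp":    ["historian", "ot_control"],  # IT reads the historian and polls OT
    "historian":  ["ot_control"],               # historian polls PLCs for process data
    "ot_control": [],
}

# Same site after segmentation: IT may only reach the historian, and the
# historian no longer initiates connections into the control zone (OT pushes
# data out to it instead), so no permitted flow enters ot_control from outside.
AFTER = {
    "internet":   ["dmz_mail"],
    "dmz_mail":   ["it_corp"],
    "it_corp":    ["historian"],
    "historian":  [],
    "ot_control": ["historian"],
}

def shortest_path(network, start, target):
    """Breadth-first search over permitted flows. Returns the list of zones an
    intruder starting in `start` would traverse to reach `target`, or None when
    no chain of allowed connections exists (the target is not reachable)."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in network.get(zone, []):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None

def internet_reachable(network, zone):
    """True when permitted flows chain from the internet to `zone`."""
    return shortest_path(network, "internet", zone) is not None

if __name__ == "__main__":
    for label, net in (("before", BEFORE), ("after", AFTER)):
        print(label, "ot_control reachable:", internet_reachable(net, "ot_control"),
              "via", shortest_path(net, "internet", "ot_control"))
```

The returned path is the chain of interconnections a penetration test should exercise together, which is the point of Williams’ advice not to test OT, IT and external infrastructure in isolation.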
As the IT and OT worlds converge, Williams says access to OT resources should continually be evaluated, especially when bringing third-party partners and collaborators into the industrial network. That means testing, testing and more testing.
“When you’re designing the architecture, do penetration testing at every stage and don’t test in isolation. If you test OT, then IT, then the external infrastructure, you’ll miss the risks that come from the interconnections,” she says. “Then do a security audit to make sure implementation matches the design, then test again for gaps.”
Building a safer future
When done well and with purpose, merging OT and IT can be accomplished in a way that actually shrinks the threat surface — resulting in highly secure critical infrastructure environments that also offer considerable business benefits.
“There must be thousands of opportunities for these heavy industries to digitalize and leverage 5G and other technologies,” says Best. “They just need to do it securely. But if they plan well and follow a process of risk assessment, implementation of controls, regular review and training of their people, they have the opportunity to drive down costs, deliver better service and make huge productivity gains.”
If the evolution of cars is any indication, the careful blending of physical and digital technologies will deliver important advantages. So while the classic Jaguar E-Type remains a beauty (and a pleasure to drive), Enzo Ferrari would no doubt admire the latest F-Type model and its many new safety and security features. Now it’s up to critical infrastructure operators to trust in and embrace the equivalent advances made in networking technology — and put the past in their rear-view mirrors.