On Air Gaps and Killer Toothbrushes

Monday, May 28, 2012

Chris Blask


For all the exhortations in favor of them, air gaps protecting Industrial Control System networks have that "Not Happening" thing going on in the real world.

It might be considered surprising that folks with outrageous amounts of experience would argue at all in their favor at what seems like such a late date, but in fact it follows a curve that is instructive inasmuch as we can see how it has been bending so far.

This is a pattern that seems very predictable given my own varied path through tech. It speaks to a specific challenge we face in achieving our objectives that is as tangible and consequential as an over-pressured pipeline or PLC vulnerabilities.

The challenge isn't that you have to deal with a lot of block-headed, tunnel-visioned cardboard cutout people - as is popularly believed - but exactly the opposite.

This is both good and bad.

A herd of cattle may not be efficient but you know what you have to do to deal with it. When people who are smarter than you are disagree with you - about something that it is very important you get right - you have to think really, *really* hard and stress out about it continuously.

Getting gored by rampant BBQ-fodder may be a touch painful for a few moments, but debating points of life and limb with folks who make Hannibal Lecter look like a dimwit is a particularly elegant agony which lingers much longer.

In the early 90s I attended a conference where Dennis Ritchie and Marcus Ranum were leading a packed room discussing security and firewalls. With what I came to recognize as Marcus' trademark directness, he laid down the conversational Gauntlet[tm] on the inarguable necessity for firewalls to be open source.

I was just an upstart who had fallen into a sketch on a Chinese restaurant napkin like Alice into the Looking Glass, so though usually among the more outspoken folks in the room I relatively held my tongue on the absolute validity of the point in all cases.

Heck, everyone in the room, including the guy who invented the bloody firewall and another who invented the root of every modern operating system on the face of the freaking planet, was incontrovertibly convinced that commercial firewalls could never effectively compete with open source.

Ten years, thousands of BorderWare and millions of PIXen later I was taking Marcus to the airport after an advisory board thing with Protego. At some point in our stream-of-unconsciousness babbling he said he had to admit that history had shown my original point to be correct.

The experts can and should forever drive to achieve unrestricted ideals. But the engine to distribute the best possible saturation of the value of that knowledge - to the expanding billions of people who need it, in the minimum amount of time - requires proprietary products and corporate interests and all those 'bad things' pure engineers are genetically programmed to resist.

"Air Gaps" are the poster child for the same kind of syndrome in ICS. This syndrome led that room full of the smartest people in the world umpteen-odd years ago to firmly hold a belief that was not only incorrect but which had a direct negative impact on achieving the very goal they strove for.

Had the braintrust represented in the room with Ritchie and Ranum decided that day to work *with* the Evil Overlords of Globalized Corporateness - instead of against them - we would certainly have had measurably more progress on deployed security over the intervening years.

But anyone expecting that to happen - at that time, among those people - would have been missing a lesson learned throughout human history. From the meeting where the money guy explained to the engineer that the company couldn't justify the cost of raising those dividing walls a couple decks higher on the Titanic, to the city manager rejecting the architect's request for larger stones in that one corner of the wall around Jericho, there has been an irreconcilable difference between the folks who build things and the folks who fund them.

Both sides are just being honest.

During a wing-fed evening following an enthusiastic exchange in Tim Roxey's Roadmap talk at ICSJWG Savannah, Fred Cohen used the notion of hackable electric toothbrushes that killed our kids to prove a point about the necessity of making security intrinsic at the foundation of industrial control systems.

The long arcing history of the future will, I believe, prove Fred right about perhaps all of his expansively contemplated points. But we respectfully disagree about some of the shorter-term mechanisms necessary to survive the intervening decades in much the same way Marcus and I disagreed during the early firewall market.

Similarly, many of those who still rally to the defense of air gaps are folks with experience and intellect beyond question. They have spent more time applying those weighty assets to these issues than virtually anyone else, and their opinions cannot be disregarded. Experience and brilliance, however, do not always lead to correct conclusions.

Air gaps do not and should not exist. Patching vulnerabilities won't make systems secure. Standards and regulations are here to stay. The threat will surpass our ability to tolerate it long before we can re-engineer and re-deploy every vulnerable system. These are all just facts, and ignoring them is just as dangerous as ignoring corrosion on high-pressure pipes.

It is easy to understand the arguments against these realities. Many of the folks who most vocally argue against them make excellent points backed by irrefutable experience and expertise. The highest art achieved is infiltrated to its core with capillaries of compromise, though, and the art we practice will not be found different.

Our responsibility to address the challenges we choose to bear remains, regardless of right or wrong by any other definition. History will not judge us by whether we used Best Practices or baling wire, it will judge us by our success.

Cross-posted from ICS Cybersecurity Blog

Andrew Ginter

Air gaps are in decline, yes. But to say they are "dead" or a "myth" is nonsense. The easiest disproof of broad, sweeping generalizations is proof by counterexample. And I'm lazy - so here goes.

The simplest counterexample to your sweeping generalization is nuclear generator digital safety systems. Many of these are still air-gapped. Others are protected by unidirectional gateways. In North America at least, NO such systems are separated from the Internet by only a chain of firewalls.

Explain to me how we would all be safer if still-air-gapped nuclear safety systems were replaced with firewalls.

There are other examples as well, but this one seemed simplest.

Chris Blask

Hey Andrew,

"The exception that proves the rule", at best. But rarely, rarely even that.

The whole point of the debate about Air Gaps is that even where they "exist" they do not exist like people think they do.

In the minds of many, "Air Gaps" = "I am secure". For those who think deeper, it could refine to: "I am not connected to the Internet, therefore bad software cannot get onto my network."

These are bad and evil thoughts.

Software moves back and forth between networks by forces of nature that are as unstoppable as Continental Drift. "The Internet perceives censorship as damage, and routes around it", and control system networks are no different. Unless you build your network in a salt dome populated by engineers who eat cave-fish and write code from Purest Bits, foreign code is getting in (even then some of the fish will be phish).

Separating and segmenting networks is a lovely idea. ISA99, data diodes and - yes - even places where one network or segment is physically isolated - are all viable ideas. But assuming, ever, that code is not moving between your network and the outside world is the Road to Perdition.

