Recent revelations of Russian hacking of US nuclear plants have brought the issue of industrial information security policy to the forefront of public and cybersecurity industry awareness. How vulnerable are industrial control systems to cyberattacks? It depends whom you ask.
While the Department of Homeland Security reported that Russian hackers were able to access the actual control systems of nuclear power plants, a variety of voices attempted to tamp down public concern by citing the “air gap” concept of cyber policy. The air gap refers to a network segregation between the Internet or other corporate networks and the industrial control networks. According to James Conca, a nuclear energy expert, “America’s nuclear plants are one of the best protected of all systems from possible cyber threats. The safety and control systems for our nuclear reactors and other vital plant components are not connected to business networks or the Internet.” Conca believes in the power of the air gap.
Does the Air Gap Work?
I asked Edgard Capdevielle, CEO of Nozomi Networks, whether the air gap is still a viable countermeasure to external attackers. Nozomi Networks offers operational visibility and cybersecurity for industrial control networks and industrial control systems (ICS). The company, which just closed a Series B financing round, works with ICS clients around the world. Their solution uses behavioral profiling and anomaly detection, among other factors, to detect and prevent attacks on critical infrastructure.
To Capdevielle, the air gap is a fallacy that provides a false sense of security. As he put it, “Air gapping does not exist. It is a myth. Most industrial control networks adopted the TCP/IP standard about seven years ago. Before then, they were on a different standard. Once you adopt the TCP/IP standard, there is a gravitational-like force to connect. It’s like saying that one group of folks are not going to talk to another group even though they just learned the same language and they’re intermingling. That just cannot be avoided. With the adoption of TCP/IP, industrial control networks adopted Windows machines as their primary form of control operating system and Windows machines need to be patched and updated.” To make his case, Capdevielle pointed out that there are now Internet connections offshore oil rigs and reservoirs.
The Information Security Policy Challenges of ICS
Without an air gap, industrial concerns and utilities have to start implementing more rigorous information security policies to their industrial control networks. This can be a serious challenge for a variety of reasons. It’s partly a cultural issue. For a generation, ICS management was the responsibility of an ICS team. The focus of the ICS team was on operational excellence, not security. Now, these teams are either merging with IT or letting IT handle security for them.
The other issue is the technological sophistication of the ICS itself. When industrial control systems ran separately from general corporate networks, they did not face much pressure to adopt strong cyber security controls. Now that such systems are directly connected to the Internet, the technology is in a race to catch up.
“These networks have not been exposed to innovation for a long time,” explained Capdevielle. “They were born to be point to point connections. Connecting ICS to TCP/IP is like having a technical discussion with someone from the 15th century. That person doesn’t know what Block Chain or Bitcoin or TCP/IP is. They’re completely lost. Control systems are very similar. They know how to open a valve, close a valve, but they don’t know how to reroute it or protect it. In the traditional network, you have a full CPU, with a full operating system. In industrial control networks, you don’t. Every single end point in an industrial control system uses a ‘poor man’s CPU,’ a ‘poor man’s operating system’ and so forth, that was created with the context of never being connected to a network, much less to the Internet.”
Capdevielle further noted that most ICS management teams do not have a clear idea of how many points of connection (POCs) they have. This is not a criticism of the people who run these operations. It’s just at a technological limitation of their existing tooling. Nozomi solves this problem with a passive solution that gives visibility into the devices and software within the control network and monitors them for anomalies. It has a one-way connection to a network. “A passive solution allows visibility into the network without disruption”, Capdevielle explained.
The advantage of this approach is to be able to notice systemic changes that are not supposed to be occurring. “If a malicious actor changes the settings on a programmable logic device (PLC), such as a heat sensor in a furnace, we will see that and issue an alert.” Historically, such a PLC would not be configured to alert anyone if it were reset. Now, with TCP/IP connections and a nonexistent air gap, that configuration exposes the ICS to risk. Today, there is an increasing array of solutions to address this risk exposure. Even without an air gap, it’s possible to secure industrial control networks.