Yes, Air Gapping Works, Here’s How It Protects Operational Technology

To “air-gap” or not to “air-gap?” That is not the question. The question is, can you have a consistent “air-gap” discipline over time that is resistant to cybersecurity threats and to the pressures of corporate enterprise IT to keep your business running and in production?

With the explosion of IoT and remote support capabilities, manufacturing and production hang in the balance when it comes to cyberattacks. Devices that weren’t part of the IT network in the past, standalone devices performing independent functions are now connected and more accessible to bad actors online. And outages in these areas can cost tens (if not hundreds) of thousands of dollars in a single hour.

Hollywood has done its fair share of depicting what hacking or a hacker can do to seize control or disrupt secure environments (Wargames, Swordfish, Sneakers, to list a few). Recently, Honda experienced an event in which internal controls were reportedly breached remotely—shutting down production for over 24 hours. What was the cost? What would the cost be to your enterprise if production was halted by ignorance or overzealous beliefs in your own security measures?

Then there is an ever-present internal challenge of corporate enterprise IT encroaching into Operational Technology (OT). Let’s keep one thing top of mind for company leaders; simply put, the production of goods is what keeps everyone in business—making Operational Technology security paramount.

The best practice is to concentrate on foundational cybersecurity controls.

These three foundational cybersecurity controls can help you mitigate the most risk from both internal and external threats:

Foundational Cybersecurity Controls

1. Understand and manage data flows, aka network communication.
   • Maintain an accurate asset inventory (vendor, make, model, firmware version, etc.)
   • Monitor device data flows, what is expected versus what is abnormal.
2. Enforce expected communication patterns or data flows with network segmentation.
3. Monitor and manage configuration changes of all devices within the control network.

Does “air-gapping” work? Yes, it does, but a strong perimeter defense takes practice. It takes consistent and continuous visibility with real auditing of who, what, where, when, and why!

You must have a DEEP THOROUGH EXECUTABLE VISUAL KNOWLEDGE and recordable history log of every industrial control, software, network device, sensor, USB port, connector of any type in the system, etc.; then apply the 5W’s. That’s the discipline.

What are the 5 W’s?

• What devices are on it?
• What are these devices communicating?
• Who are these devices reporting to, and Why?
• What, When, Where is regular communication between these devices?
• Why are any external connections being set up?

Leveraging the 5 W’s

Here are the basics of utilizing the discipline of 5-W’s related to devices. These should apply to all communications, personnel, events, etc., within the air-gapped network.

• “Who” also explores if they are authorized or not authorized (employee or MFG or contractor) to enter and perform such work?
• “What” was accessed, “what” was replaced or serviced or reconfigured?
• “Where” did the work occur or “where” was the entry point into the network, physical or the scrupulous REMOTE ACCESS.
• “When” did the work take place? Off hours, were they not scheduled or scheduled?
• “Why” was the device accessed, EOL, or did not meet MFG standards or compliance needs, or an actual event occurred?

Managing Data Flows

With regards to managing data flows, it starts with maintaining an accurate asset inventory inclusive of hardware and software. Once your accurate asset inventory is complete, you’re ready to be disciplined in the 5-W’s and manage all the data flows (communication patterns) in and out of your control networks.

1. File transfers – FTP, SFTP/SCP, etc.
2. Transient devices – laptops, tablets, mobile phones, etc.
3. Removable media – i.e., USB keys
4. Internal network connections – intra cell or zone as well as inter-cell or zone
5. External connections – all connections to/from business or corporate network, suppliers, vendors, etc.
6. Wireless networks – especially those set up on the fly for ease of use.

There’s also the need for high-redundancy and proper failover capabilities to protect against hardware failure. Typically this means redundant connections to the core for all edge switches, and in some cases, redundant edge switches all in the name of keeping the network humming.

Once an accurate asset inventory is complete, you can be disciplined in the 5-W’s and manage all data flows (communication patterns) in and out of your control networks, devices, personnel, and mitigate your potential vulnerability to bad-faith actors.  A strong perimeter defense takes consistent and concentrated discipline to maintain the reason and theory of increased security by utilizing “air-gapped” networks.