Securing Industrial Control Systems by Closing the Air Gap Security Loophole

Air-gapping is one of the most common ways ICS are protected; however, organizations’ interpretations of how to isolate networks often vary.

Cyberattacks on the U.S. continue to captivate and grab headlines. While the recent Department of Justice (DOJ) indictment of 12 Russians alleged to have led the attacks on the DNC and the U.S. election infrastructure shook the nation, there’s a bigger worry—the continued assault on the country’s industrial control systems (ICS), which control critical infrastructure and have the potential to cause chaos and disrupt the everyday lives of Americans.

As reported this summer by The Wall Street Journal, attackers were able to successfully break into the secure networks of American energy utility companies. Most shocking about the revelations were the methods used to penetrate these supposed isolated—or “air-gapped”—networks. The nation-state attackers used standard hacking approaches to get access to the control rooms of U.S. utility companies.

As we’ve seen, the potential for devastation in ICS attacks is high. During two different attacks on Ukraine in December 2015 and 2016, attackers were able to access—and shut down—the country’s power grid for extended periods of time in the midst of winter. Due to their sensitivity and the impact on business and everyday life, the interruption and compromise of these utility infrastructure networks have an immediate effect—both in cost and physical implication.

What stands out in these recent ICS attacks is the ease with which the critical networks were compromised. ICS are supposed to have security controls and safeguards at critical locations to prevent the specific types of attacks that occurred from ever happening.

In the instance of the recently revealed attacks on U.S. utility companies, attackers were able to get inside the supposedly air-gapped networks of energy utilities to such an extent that they could have thrown the switches and disrupted power services or caused blackouts. It’s reported that these isolated networks were accessed through third-party vendors and the exploitation of privileged credentials.

Air Gapping Doesn’t Automatically Equal Security

Obviously, air gapping alone is not enough to stop attackers from gaining access to a network. Air-gapping is one of the most common ways ICS are protected; however, organizations’ interpretations of how to isolate networks often vary. For instance, while many believe they have taken all the correct measures to air gap critical networks, too often these vital environments are not really isolated, allowing malicious actors to infiltrate networks.

In some of the recent cases, malicious agents used standard techniques and tactics to gain access to air-gapped infrastructure—including bridging isolated networks using credentials, shared hardware and devices, and other VPN bypasses. Take Stuxnet, for example. Agents used standard USB devices to plant the infection on the network.

It’s time to dispel the myth that separating IT networks from operational technology automatically equals security.

One of the key contributors to ICS vulnerabilities is the increasing need for these systems—and their data—to be accessible and to integrate with numerous IT technologies as well as third-party vendors’ operating software and commercial-off-the-shelf products. In this operational environment, air gapping seems ideal due to the proprietary equipment and communication protocols inherent in industries such as utilities and healthcare. But this results in critical infrastructure networks being connected to business systems on corporate networks and the outside world through the internet.

Best Practices to Create a Secure Environment  

This has created the biggest loophole for attackers. As the scope of ICS has increased, so have the privileged and administrative accounts that can access these critical networks. These include support and maintenance personnel, operators and control engineers, remote vendors, corporate applications and automated batch applications, all with little inherent oversight. Worse are applications and devices with hard-coded credentials that could be remotely exploitable and provide access for the manipulation of physical devices, the execution of damaging code or DDoS attacks.

By incorporating a few security best practices, in addition to the use of completely isolated air-gapped networks, organizations can control and monitor these critical infrastructure networks, while still providing IT and OT internal users, third parties and applications the access they need. For sensitive networks that have any access points, organizations should focus on:                                                                               

  • Identifying all users, applications and associated credentials used for granting access into the ICS. This should be comprehensive and include the discovery of all accounts and credentials assigned to users, as well as application-to-application accounts accessed using embedded passwords or locally stored SSH keys. The best way to do this is with a tool that can scan the network and generate a report on all the privileged and administrative accounts that internal and external users can use to access the ICS network.
  • Eliminating stale or unused credentials. Once accounts with access are accounted for, organizations can reduce the number of accounts accessing the critical infrastructure networks by weeding out those that are stale and unused, and then storing the remaining credentials in a secure digital vault. The digital vault can then be accessed by trusted users to get the specific credentials they have permission to use. This is ideal for granting network access to users from remote vendors who frequently change roles. Organizations can further reduce their security risks by regularly performing an automated rotation of system credentials stored and managed with the digital vault.
  • Implementing one-time use passwords. Rotate credentials after every use, require multi-factor authentication to access the vault and incorporate workflow approval processes before the most sensitive credentials are retrieved. When users must log into a digital vault before getting access to an ICS, credential and individual activity can be tracked and reported, which reduces the risks associated with shared accounts.
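The three practices above can be checked against an account inventory. The following is an added example, not from the article or any vendor tool: the inventory records, field names and the 90-day and 30-day thresholds are constructed assumptions.

```python
from datetime import date

# Constructed inventory of accounts that can reach the ICS network.
# Field names, accounts and dates are illustrative assumptions.
INVENTORY = [
    {"account": "hmi-operator", "owner": "operations", "storage": "vault",
     "last_used": date(2018, 8, 1), "last_rotated": date(2018, 8, 1)},
    {"account": "vendor-maint", "owner": "remote vendor", "storage": "vault",
     "last_used": date(2018, 1, 12), "last_rotated": date(2017, 11, 3)},
    {"account": "historian-sync", "owner": "batch job", "storage": "embedded",
     "last_used": date(2018, 8, 2), "last_rotated": date(2016, 5, 20)},
    {"account": "old-integrator", "owner": "remote vendor", "storage": "local-ssh-key",
     "last_used": None, "last_rotated": date(2015, 2, 9)},
]
TODAY = date(2018, 8, 3)  # constructed audit date


def audit(inventory, today, stale_days=90, max_cred_age_days=30):
    """Return {account: [findings]} for every account that needs action."""
    report = {}
    for acct in inventory:
        findings = []
        last_used = acct["last_used"]
        # Never used, or unused for longer than the stale threshold.
        if last_used is None or (today - last_used).days > stale_days:
            findings.append("stale: disable or remove")
        # Embedded passwords and local SSH keys bypass vault tracking.
        if acct["storage"] != "vault":
            findings.append("credential outside vault: " + acct["storage"])
        # Credential has not been rotated within the allowed age.
        if (today - acct["last_rotated"]).days > max_cred_age_days:
            findings.append("rotation overdue")
        if findings:
            report[acct["account"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(name, "->", "; ".join(findings))
```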

It’s critical to manage and monitor users outside of the ICS network as well, whether within the organization at a corporate level or from outside vendors and applications. By isolating all sessions originating outside of the ICS network, it’s easier to control ICS applications and allow for the implementation of tools to enforce flexible least privilege policies.

Automated analytics tools can also help to define activity patterns that can be used as a baseline to identify suspicious activity. Once the baseline is established, anomalies trigger an alert to IT, OT and security teams that an attacker may have compromised a remote vendor’s credential or is exploiting an account to access the ICS network. This can disrupt in-progress attacks and dramatically reduce potential damage.                                                          
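A minimal sketch of the baseline-then-alert approach described above, as an added example that is not from the article or any product: the session records, host and account names, and the two-hour tolerance are constructed assumptions.

```python
from collections import defaultdict

# Constructed session records: (account, source host, ICS target, hour of day).
BASELINE_SESSIONS = [
    ("vendor-maint", "jump01", "plc-gw-2", 9),
    ("vendor-maint", "jump01", "plc-gw-2", 10),
    ("vendor-maint", "jump01", "plc-gw-2", 14),
    ("hmi-operator", "ops-ws-3", "hmi-1", 6),
    ("hmi-operator", "ops-ws-3", "hmi-1", 18),
    ("hmi-operator", "ops-ws-4", "hmi-1", 22),
]
NEW_SESSIONS = [
    ("vendor-maint", "jump01", "plc-gw-2", 11),          # matches baseline
    ("vendor-maint", "corp-laptop-77", "plc-gw-2", 10),  # source never seen
    ("vendor-maint", "jump01", "hmi-1", 3),              # new target, odd hour
    ("svc-unknown", "jump01", "plc-gw-2", 12),           # account never seen
]


def build_baseline(sessions):
    """Learn, per account, the sources, targets and hours seen so far."""
    profile = defaultdict(lambda: {"sources": set(), "targets": set(), "hours": set()})
    for account, source, target, hour in sessions:
        entry = profile[account]
        entry["sources"].add(source)
        entry["targets"].add(target)
        entry["hours"].add(hour)
    return dict(profile)


def deviations(profile, session, hour_slack=2):
    """List the ways one session departs from its account's baseline."""
    account, source, target, hour = session
    if account not in profile:
        return ["account has no baseline"]
    entry, found = profile[account], []
    if source not in entry["sources"]:
        found.append("new source " + source)
    if target not in entry["targets"]:
        found.append("new target " + target)
    # Circular distance, so 23:00 and 01:00 count as two hours apart.
    nearest = min(min(abs(hour - h), 24 - abs(hour - h)) for h in entry["hours"])
    if nearest > hour_slack:
        found.append("unusual hour %02d:00" % hour)
    return found


def alerts(profile, sessions):
    """Return (session, deviations) pairs for sessions that deviate."""
    checked = [(s, deviations(profile, s)) for s in sessions]
    return [(s, d) for s, d in checked if d]
```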

The bottom line is ICS are highly sensitive and need security beyond air gapping. There is an array of processes and tools that, when used together and in addition to air gapping, can create a more secure environment.

Lavi Lazarovitz leads a team of CyberArk Labs security researchers.
