The Myth of the Operational Technology (OT) Air Gap

By Nigel Stanley, CTO, TUV Rheinland


The cyber security of operational technology (OT) systems is currently a hot topic being extensively discussed by organizations whose production systems, manufacturing plants, chemical processing plants, or industrial control systems are under constant threat of cyber-attacks.

These concerns are further fuelled by a growing interest among hackers in these systems, which are increasingly connected to the internet and which, if compromised, can yield substantial monetary gains through ransom, or result in intellectual property theft and espionage.

Recently reported cyber-attacks on safety-critical OT systems could have had far-reaching impacts beyond monetary or IP loss. Enterprises often respond to cyber threats with drastic measures, some even taking a ‘retro’ approach and completely disconnecting critical systems from the internet in order to protect them from attacks. This, unfortunately, is not a viable long-term option, especially where equipment manufacturers need such access for remote diagnostic and maintenance purposes.


In fact, even without being attached to the internet, connections can abound and systems can light up with data flows without the company even knowing about it.

How can this be?

The humble USB data stick is renowned for bridging OT air gaps. Indeed, the now infamous Stuxnet worm that was first revealed to the public in 2010 was believed to have been introduced into a “secure” facility via a USB stick. The rest is history.

These days it is rare to visit any plant or facility and not find some form of USB port openly accessible on SCADA workstations or process engineering systems. These ports can serve as a route in for malware or a route out for corporate IP. Either way, it is bad news for the system operator.

The all-powerful smartphone is another convenient mechanism for crossing air gaps when switched into Wi-Fi hotspot mode. There have been cases where bored operators have fired up a hotspot and streamed dubious movies overnight, when the control room is quiet. This creates an attack vector and could serve as an entry point for attackers. In addition, we must not forget that smartphone cameras can exfiltrate stacks of visual data useful to an adversary or hacker.

Insecure Wi-Fi hotspots can leak large amounts of OT data before anyone realizes it. This is often down to bad configuration, or perhaps the installation of an unapproved solution by users frustrated with a slow IT department that takes months to set up a much-needed connection.

A bit more pernicious than Wi-Fi is the increased use of cellular connections so that equipment can ‘phone home’. In many cases, these connections are never detected because of their small form factor and the difficulty of spotting their transmissions. In my experience, they are discovered only during a site technical surveillance countermeasures (TSCM) assessment or bug sweep.

Finally, we have some more esoteric ways of connecting OT kit to the internet. These include modulating flashing LEDs or light sources to transmit data, using power source analysis, or even noise as a transmission medium.

Once we have accepted that the air gap as a security control is rarely valid, we either need to aggressively deal with these connections to understand and bound the risks or remove them altogether. Formulating an OT risk assessment program is the vital, urgent priority that all businesses should implement, because it is almost impossible to protect a connection that you did not know existed.
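The USB and rogue-hotspot bridges described above are the kind of thing an OT risk assessment should surface from evidence already sitting on the plant floor. The following Python script is an added illustration, not code from the article or from TUV Rheinland: it runs over two constructed samples (kernel-style USB attachment lines from an engineering workstation, and a reduced Wi-Fi scan listing SSID and BSSID pairs), flags mass-storage devices and any SSID outside a hypothetical approved list, and treats a locally-administered BSSID (the 0x02 bit of the first octet, common for phone hotspots) as a stronger signal. Log formats, SSIDs and the `APPROVED_SSIDS` allow-list are assumptions for the example.

```python
"""Flag undocumented air-gap bridges from constructed log samples (example code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: dmesg-style lines as a Linux engineering workstation might log them.
DMESG_SAMPLE = """\
[12345.001] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[12345.120] usb 1-2: Product: DataTraveler 3.0
[12345.130] usb-storage 1-2:1.0: USB Mass Storage device detected
[12350.400] usb 1-3: new full-speed USB device number 6 using xhci_hcd
[12350.410] usb 1-3: Product: USB Keyboard
[12350.420] input: USB Keyboard as /devices/example
"""

# Constructed sample: a Wi-Fi scan reduced to one "SSID=... BSSID=..." pair per line.
WIFI_SCAN_SAMPLE = """\
SSID=PLANT-ENG-5G BSSID=00:1b:63:00:00:01
SSID=AndroidAP_7f3 BSSID=02:1a:11:22:33:44
SSID=PLANT-ENG-5G BSSID=00:1b:63:00:00:02
"""

# Hypothetical allow-list: SSIDs the plant's change records actually document.
APPROVED_SSIDS = {"PLANT-ENG-5G"}


@dataclass
class Finding:
    kind: str
    detail: str
    severity: str


def find_usb_storage(dmesg: str) -> list[Finding]:
    """One finding per mass-storage attachment, naming the product logged for that port.
    Keyboards and other non-storage devices are recorded but not reported."""
    product_by_port: dict[str, str] = {}
    findings: list[Finding] = []
    for line in dmesg.splitlines():
        m = re.search(r"usb (\S+): Product: (.+)$", line)
        if m:
            product_by_port[m.group(1)] = m.group(2)
            continue
        m = re.search(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected", line)
        if m:
            port = m.group(1)
            product = product_by_port.get(port, "unknown device")
            findings.append(Finding("usb-storage", f"port {port}: {product}", "high"))
    return findings


def find_rogue_hotspots(scan: str, approved: set[str]) -> list[Finding]:
    """One finding per SSID not on the allow-list. A locally-administered BSSID
    (bit 0x02 of the first octet) is typical of phone hotspots, so it is rated higher."""
    findings: list[Finding] = []
    for line in scan.splitlines():
        m = re.match(r"SSID=(\S+) BSSID=([0-9a-f:]{17})$", line)
        if not m:
            continue
        ssid, bssid = m.groups()
        if ssid in approved:
            continue
        locally_administered = bool(int(bssid.split(":")[0], 16) & 0x02)
        note = " (locally-administered BSSID)" if locally_administered else ""
        severity = "high" if locally_administered else "medium"
        findings.append(Finding("rogue-ssid", f"{ssid} {bssid}{note}", severity))
    return findings


def assess(dmesg: str = DMESG_SAMPLE, scan: str = WIFI_SCAN_SAMPLE) -> list[Finding]:
    """Combine both checks into one list, highest severity first, for the risk register."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = find_usb_storage(dmesg) + find_rogue_hotspots(scan, APPROVED_SSIDS)
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in assess():
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

Run stand-alone, the script lists the USB stick on port 1-2 and the AndroidAP hotspot, both rated high; the keyboard and the approved plant SSID produce no findings. In practice the inputs would be pulled from the workstations and a periodic wireless survey, and each finding either gets documented as an accepted, bounded risk or the connection is removed, which is exactly the triage the paragraph above calls for.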
