Why Air-Gapping Is Not a Long-Term Cybersecurity Solution

However, the air gap may work as a short-term solution under certain scenarios.

Only a few short years ago, air-gapping, also known as “security by isolation,” worked in all operational technology environments. Older ICS and SCADA systems, many of which are still in use today, were built without cybersecurity in mind. The internet as we know it today did not exist, OT and internal IT systems were completely isolated from each other, and no one foresaw any reason for them to ever connect.
However, as organizations embrace digital transformation, OT and IT are converging. As a result, many security experts have declared the air gap dead. While reports of the death of the air gap have been greatly exaggerated, security by isolation is not a long-term solution.

The Air Gap Lives – For Now

Many highly sensitive OT systems, such as those used by government agencies, utility companies, and manufacturing plants, continue to employ at least some degree of air-gapping. In some tightly regulated industries, such as electric utilities, organizations are required to air-gap OT systems.
Air-gapping is still very much alive and playing a relevant role in OT cybersecurity, at least as a short-term solution under certain circumstances, such as:
• The benefits of sharing real-time process data between the OT system and IT systems are outweighed by the risks of cyber attacks.
• The air-gapped system is truly isolated, with no connections to remote users, the internet, Bluetooth, or any internal networks, and is audited for unauthorized connections on a regular basis.
• Physical access to the system is tightly controlled to protect against “sneakernet” attacks such as the infected USB drive, planted by a malicious insider, that was responsible for Stuxnet.
• All software and hardware are thoroughly tested before being installed on the air-gapped system.
Additionally, air-gapping is a good temporary defense for highly sensitive OT systems in cases where organizations need to buy time to implement a comprehensive cyber security solution.
When properly implemented, air-gapping minimizes the risk of a cyber attack. However, like any other security precaution, it is not infallible. It is also not a long-term solution under any circumstances.
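One way to perform the regular audit for unauthorized connections that the list above calls for, added here as an example and not taken from the original article: the script parses `ip -br addr` and `ip route` output from an air-gapped host and compares it with an approved baseline recorded at commissioning time. The sample command output, the interface names and the address ranges are constructed for illustration.

```python
"""Air-gap integrity audit: compare observed network state against an approved baseline."""
from dataclasses import dataclass

# Constructed sample of `ip -br addr` output from a supposedly isolated HMI host.
SAMPLE_IP_BR_ADDR = """\
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             10.10.5.12/24
wlan0            UP             192.168.1.37/24
eth1             DOWN
"""

# Constructed sample of `ip route` output from the same host.
SAMPLE_IP_ROUTE = """\
default via 10.10.5.1 dev eth0
10.10.5.0/24 dev eth0 proto kernel scope link src 10.10.5.12
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.37
"""

@dataclass
class Baseline:
    """Approved state recorded when the air gap was commissioned (hypothetical values)."""
    allowed_up_interfaces: frozenset   # interfaces permitted to be UP
    allowed_prefixes: tuple            # address prefixes of the isolated segment
    default_route_allowed: bool = False
    wireless_prefixes: tuple = ("wlan", "wl", "bnep", "ppp", "wwan")

def parse_ip_br_addr(text):
    """Return {ifname: (state, [addresses])} from `ip -br addr` output."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            result[parts[0]] = (parts[1], parts[2:])
    return result

def audit(ip_addr_text, ip_route_text, baseline):
    """Return human-readable findings; an empty list means the gap looks intact."""
    findings = []
    for name, (state, addrs) in parse_ip_br_addr(ip_addr_text).items():
        if state == "UP" and name not in baseline.allowed_up_interfaces:
            findings.append(f"unexpected interface UP: {name} {addrs}")
        if name.startswith(baseline.wireless_prefixes) and state != "DOWN":
            findings.append(f"wireless/modem interface active: {name} ({state})")
        for addr in addrs:
            if not addr.startswith(baseline.allowed_prefixes):
                findings.append(f"address outside approved range: {name} {addr}")
    for line in ip_route_text.splitlines():
        if line.startswith("default ") and not baseline.default_route_allowed:
            findings.append(f"default route present: {line}")
    return findings
```

Run it from a scheduled job on the isolated host and treat any non-empty result as an incident to investigate, since a wireless interface coming up or a default route appearing means the gap is no longer a gap.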

Why the Air Gap’s Days Are Numbered

The air gap may not be dead, but digital transformation, the changing threat landscape, and modern business realities have put it on life support, at least as a sole cybersecurity measure. There are three primary reasons why air-gapping is not a sound security solution in the long run:

1. It causes organizations to miss out on valuable process data

Organizations that air-gap their OT systems are minimizing their risk, but they’re also not benefitting from the highly valuable process data these systems generate. When analyzed in real time, this data provides actionable business intelligence that can be used to cut costs, reduce downtime, and improve efficiency, quality, and worker safety. Eventually, the risks avoided by air-gapping will be far outweighed by the opportunity costs of eschewing modern predictive analytics, continuous process optimization, and the cutting-edge innovations of the Industrial Internet of Things (IIoT).

2. It makes maintenance and repairs more costly and difficult

An air-gapped system cannot be remotely accessed by hackers – or by employees or vendors for troubleshooting, repairs, or routine maintenance, such as software patches. Not only do maintenance and repairs end up costing more, but they also take longer, and the organization incurs higher indirect costs from increased downtime.

3. It may result in a false sense of security

The cold, hard reality is that there is no such thing as a system that cannot be breached, even a properly air-gapped system; the Stuxnet virus proved this. Some security experts argue that air-gapping can lull organizations into a false sense of security. They assume that an air gap is all they need and do not engage in active monitoring or other security measures; for example, some SCADA system administrators don’t change the default passwords on PLCs before connecting them. Meanwhile, cyber criminals are increasingly targeting ICS, SCADA, and other OT systems that power critical infrastructure, and today’s attacks tend to be sophisticated, intricately planned operations carried out by well-funded, organized groups.

A Layered Approach Is Better Long-Term

OT systems will likely always be air-gapped to some degree. There’s no reason for certain systems to be continuously connected to the internet, for example. However, air-gapping will be only one component of a layered OT security approach, combined with such measures as segmentation, identity-defined networking, special-purpose security appliances, and unidirectional security gateways. This allows organizations to enhance their OT security while reaping all the benefits of digital transformation and the IIoT.