The Myth of the Operational Technology (OT) Air Gap

The much-discussed cybersecurity issue of operational technology has become a real concern for enterprises whose infrastructure is under constant threat. In fact, cyberattacks have become a very real risk for production systems, manufacturing plants, industrial control systems and chemical processing plants. Criminals have identified these systems as targets as they’re often connected to poorly secured networks, the compromise of which could result in substantial monetary returns for cyber criminals thanks to ransoms, intellectual property theft, and espionage. 

The ‘retro’ approach, which consists of completely disconnecting critical systems not only from the public network but also from closed internal networks, has gained some traction recently. Not long ago, the US government issued a statement announcing that its electrical plants will soon air-gap certain systems to defend them from potential attacks.

Disconnecting from the network, however, might not be the most effective way to protect operational technology from motivated attackers. It might, in fact, have the counterproductive effect of creating a sense of false security in cybersecurity teams. 

Air-gapping doesn’t mean that critical systems are protected from a motivated attacker willing to compromise them. Rather, even without being attached to the network, connections abound, and systems light up with data flows without the company knowing about it. There are many ways in which cybercriminals can exploit these connections, some more creative than others, some not far-fetched at all.

OT air gaps can be crossed

The underestimated, humble USB stick is an example of how an attacker could bridge OT air gaps. Often seen openly accessible on SCADA workstations or process engineering systems, USB sticks can carry malware in or be a route out for corporate intellectual property (IP). The now infamous Stuxnet worm, which was first revealed to the public in 2010, is believed to have made its way into a secure facility on a USB stick. All it takes is for an attacker to convince an employee to plug a USB stick into a computer by labelling it with the right words, such as “payslip info” or “HR”. Humans are curious creatures, and a little social engineering can go a long way.

Smartphones are another convenient mechanism to cross air gaps, as they have become portable computers with the capability of carrying malicious software. If switched into WiFi hotspot mode, they can serve as an attack vector. Their cameras, if compromised, can be exploited to exfiltrate visual data that can be useful to an adversary. There have certainly been instances where bored operators have fired up a hotspot and streamed dubious movies overnight, effectively compromising the security of the facility.

Through unsecured Wi-Fi hotspots, large amounts of OT data can be leaked in short spans of connection time. This often comes down to bad configuration, or perhaps a desire by the OT team to take advantage of an existing internet connection. Certainly, this is not always malicious, as more and more OT equipment manufacturers need access to their hardware for predictive maintenance and similar reasonable business needs. But, often, these connections have not been risk-assessed and can constitute a vulnerability.

More dangerous than Wi-Fi, but increasing in popularity, is the practice of adding cellular connections to equipment so that it can “phone home”. In many cases, these connections are never spotted, due to their small form factor and the difficulty of detecting their transmissions. They are often found only during site technical surveillance countermeasures (TSCM) assessments, or bug sweeps.

More creative proofs of concept have shown that a motivated attacker could, in theory, flash LEDs or other light sources to transmit data, or use power consumption patterns or noise as a transmission medium. Although complicated to carry out, an attack of this kind is not implausible.

Accepting that air-gapping critical systems is rarely an efficient security control is the first step towards tackling these connections, either to understand and bound the risks or to remove them altogether. Given that an OT compromise can have not only security but also physical safety consequences, a thorough risk assessment becomes a vital and urgent priority that all businesses should implement.