Tuesday, October 6, 2015

The Air Gap Myth

The BBC discusses here an interesting report from Chatham House on the vulnerability of worldwide nuclear energy plants to cyber attack. The report says that although many facilities claim that they do not have direct Internet connections---an air gap---some of them do in fact have Internet connections. For example, a connection may have been installed for maintenance, then never removed and forgotten.

But let's be clear---the notion of an air gap is a fantasy in the modern world. Even if no direct connection exists, indirect connections through storage devices are sufficient to allow hackers to attack a cyber-physical system. Sneakernet---moving data manually from machine to machine---has a long and storied tradition in computing. (Rumor had it that while Sun promoted its Network File System on the outside, it relied on Sneakernet for internal data transfers.) The Stuxnet attacks were initiated through data carried by maintenance workers on flash drives. Those flash drives were infected on outside machines, then carried inside the facility to help the workers with their tasks. The UCSD team showed in its demonstrations of car hacking that the maintenance computers used by mechanics were vectors for attacking cars.

Cyber-physical systems cannot ensure a circle of trust merely by claiming that they are not connected to the Internet. It is hard to imagine a safety-critical system that is not vulnerable to sneakernet attacks. We need to design safety-critical systems that monitor themselves during operation to watch for attacks. Trust but verify...
