The air gap myth

Dec. 8, 2022

Practically all cybersecurity models must follow a layered approach to protection

Misuse of the term “air gap” by automation professionals and possibly OT practitioners leads to misunderstanding with IT and other networking professionals. I had this experience with a colleague who had an IT cybersecurity background and multiple certifications from the SANS Institute and other organizations. For at least a month, we talked at cross-purposes about how the control system is “air gapped” because we had a defense-in-depth strategy, dedicated firewalls between systems, a DMZ, and all the other elements associated with a secure OT (in this case SCADA) control system.

The Oxford dictionary defines an air gap as “an absence of a direct or indirect connection between a computer and the internet, effected for security reasons,” which implies that if there is a connection between systems they are not “air gapped.” So why does this term continue to be mistakenly used in the automation sector?

The use of “air gap” may be a legacy of the days when control systems truly were isolated from IT and associated business systems, but that time has long passed. However, we are likely also all familiar with the story that railway ties are 4’8” apart because of Roman roads, and this may simply be “one of those things” that gets perpetuated because that is the way I was taught or told.

I would suggest a better term to use would be “island.” An island is separated by water, forming a natural gap between itself and the next land mass. This makes it easier to control all the different access methods to the island(s), whether they are harbors and ports, ferries, bridges and tunnels (hard-wired) or airports (wireless).

The island concept is also consistent with the legacy cybersecurity idea of moat and castle with the single drawbridge to control access into the protected area. Castles themselves were also built with layered defenses in addition to the moat and followed the defense-in-depth principle, with multiple ramparts: the castle wall with its gate, the outer yard, and then additional defenses before reaching the castle itself.

Unfortunately, the problem with the castle or bastion model is that it assumes there is only one way to access what is being protected, whether that is your castle, island, home or OT network. All such installations also have a back door, if for no other reason than to have an alternate exit or escape route. To extend the idea to a burglar alarm on your house, you need to protect not just the front door, but the alternate exit back door, garage door(s) and windows, reinforcing why we require a defense-in-depth approach to security.

Practically all cybersecurity models follow this layered approach to protection and are based on defense-in-depth to shield the most important information from attack by requiring significant effort to reach the protected asset(s). In addition to defense-in-depth, IEC 62443 / ISA 99 uses the zones and conduits model, where a zone is defined based on a functional requirement, physical location, or other basis, while a conduit is the controlled connection between two zones. Comparing this to the island concept, each zone is analogous to an island and each way to access an island is a conduit.

There will always be “smugglers” (hackers) trying to get onto your island, but by limiting access and with the proper tools (firewalls, DMZ, end-point protection), systems (SIEM, SOAR), and people (analogous to coastguard or police) to monitor and protect your shoreline (perimeter) it will be possible to quickly identify and contain any transgressions (attacks).
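The zones-and-conduits model and the shoreline monitoring above can be turned into a concrete check, shown here as an added example that is not part of the article. It rates each zone of a constructed inventory as “air gapped” in the dictionary sense (no connection at all), “islanded” (connected only through declared conduits) or “leaky” (a cross-zone flow that bypasses every conduit); all asset, zone and firewall names are hypothetical.

```python
"""Zone-and-conduit check: an added example, not the article's own code.
Assets, zones, firewall names and flows below are constructed sample data."""

# Constructed inventory: asset -> zone.
ZONES = {
    "hmi-01": "control", "plc-01": "control", "historian": "dmz",
    "erp-db": "enterprise", "jump-host": "enterprise", "safety-plc": "safety",
}

# Declared conduits: unordered zone pair -> the control enforcing it.
CONDUITS = {
    frozenset({"control", "dmz"}): "fw-ot-dmz",
    frozenset({"dmz", "enterprise"}): "fw-dmz-it",
}

def classify_flows(flows, zones=ZONES, conduits=CONDUITS):
    """Split (src, dst, port) flows into allowed and violating, with a reason."""
    allowed, violations = [], []
    for src, dst, port in flows:
        zs, zd = zones[src], zones[dst]
        if zs == zd:
            allowed.append((src, dst, port, "intra-zone"))
            continue
        conduit = conduits.get(frozenset({zs, zd}))
        if conduit:
            allowed.append((src, dst, port, conduit))
        else:
            violations.append((src, dst, port, f"{zs}->{zd} has no conduit"))
    return allowed, violations

def zone_status(flows, zones=ZONES, conduits=CONDUITS):
    """Rate every zone as 'air gapped', 'islanded' or 'leaky'."""
    _, violations = classify_flows(flows, zones, conduits)
    leaky = {zones[s] for s, d, *_ in violations} | {zones[d] for s, d, *_ in violations}
    connected = {z for pair in conduits for z in pair}  # a conduit is a connection
    connected |= {zones[x] for s, d, _ in flows if zones[s] != zones[d] for x in (s, d)}
    return {z: "leaky" if z in leaky else "islanded" if z in connected else "air gapped"
            for z in set(zones.values())}

# Constructed flows; the last one bypasses the DMZ and is the finding.
SAMPLE_FLOWS = [
    ("hmi-01", "plc-01", 502),
    ("plc-01", "historian", 4840),
    ("historian", "erp-db", 1433),
    ("jump-host", "plc-01", 3389),
]

if __name__ == "__main__":
    for zone, verdict in sorted(zone_status(SAMPLE_FLOWS).items()):
        print(f"{zone}: {verdict}")
```

Only the safety zone, with neither a conduit nor an observed flow, earns the label “air gapped”; the control zone behind its firewalls is merely islanded, and the undeclared jump-host path makes it leaky.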

Given how important integration between systems has become, and how important cybersecurity has become as part of those systems, especially as the anticipated adoption of IIoT brings a plethora of new devices and connects them to control systems, it behooves us at a minimum to be sure we share a common understanding of the terms we use to communicate with other professionals.

Replacing “air gap” with “islanding” or another similar term everyone can agree upon would be a good step in improving the working relationship and the security of the critical infrastructure our control systems protect.