Bridging the Air Gap: Examining Attack Vectors into Industrial Control Systems

Enterprise and ICS networks should at least be separated at layer 3, so it’s probably more accurate to say that we’ve routed the air gap, but I didn’t want to give up the double entendre of bridging the gap. Terrible network jokes aside, the simple truth is that digital networking has displaced the air gap, blowing it into the distant places of legend. It is a myth. It does not exist.

I’m not trying to be controversial, although I know many will disagree with me. I’ll concede that the ideal of the air gap is valid, and I’ll even concede that true separation is a viable goal. However, “air” is no longer an effective method of security, because there is always a way into and out of a control system, whether over wired connections (where the air gap is purely figurative), wireless (where the air is a contributor rather than a deterrent), or sneaker-net (where the air gap is irrelevant). This needs to be understood before we talk about how to protect our SCADA and ICS environments against network-based attacks, if only to head off the inevitable comment: “we don’t need to do this because we are air-gapped.”

Here are two examples of digital bridges: a secured network connection established between SCADA systems and the business network for monitoring purposes, and a secured wireless access point within the SCADA network. Note that both are “secured,” and that each nonetheless has at least one direct vector of attack.

One vector is common, one is clever. The first and most obvious is a simple case of network penetration. The “authorized” flow of SCADA information to the business network has been secured by a correctly configured firewall, allowing only Modbus TCP traffic between a small collection of HMIs and a particular monitoring workstation. The firewall rule explicitly denies all traffic except this supervisory channel, which is locked between specific source and destination IPs, using only TCP port 502. Because inbound and outbound communications are so tightly controlled, the attack vector is clear: attacks will most likely arrive over TCP port 502 from the monitoring workstation, and they will target that small collection of HMIs. Of course, there is always the chance that the firewall itself will be compromised and additional paths opened up. So what do you do?

First, monitor everything inbound on TCP port 502. Use deep session inspection to verify that all port 502 traffic is properly formed Modbus TCP and that there are no hidden binaries or payloads inside the authorized communications. Advanced attackers will hijack Modbus, manipulate its contents, and use it to smuggle malicious code through the firewall: inbound Modbus might carry malware hidden deep within the session, while outbound command-and-control channels might masquerade as Modbus even though they are actually IRC or HTTP. The technology of choice here is deep session inspection: next-generation intrusion detection that performs layer 7 inspection against entire application sessions rather than individual packets. Deep session inspection will tell you, for example, that HTTP is running over port 502, or that a Modbus payload contains Base64-encoded binaries. Two caveats a practitioner should keep in mind: Modbus has no authentication, so a perfectly well-formed frame can still be hostile (a write-coils or write-registers request arriving on a channel that should only ever carry supervisory reads deserves the same alarm as a malformed one), and a payload tucked into legitimately encoded register values will pass a pure format check. In other words, by looking past the single packet to the whole session, and by checking what the session does as well as how it is formed, you gain real assurance that your authorized information flow is what it claims to be.
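What a session-level check of the port 502 channel actually does is easier to see in code. The following is an added example written for this article, not code from the author or from any inspection product: it walks the reassembled payload of one direction of a TCP/502 session, validates every Modbus/TCP MBAP header and frame length, flags function codes outside a read-only set, and flags sessions that are really HTTP or IRC riding on the allowed port or that carry Base64-looking blobs. The function and constant names (`inspect_session`, `ALLOWED_FUNCTIONS`), the choice of read-only function codes, and the sample sessions are all assumptions constructed for the example.

```python
"""Added example: session-level sanity checks for traffic permitted on tcp/502.
Names, thresholds and sample sessions are assumptions, not captured traffic."""
import base64
import re
import struct

# MBAP header: transaction id (2), protocol id (2, must be 0), length (2,
# counts unit id + PDU), unit id (1). The function code is the first PDU byte.
MBAP = struct.Struct(">HHHB")

# Assumption: the supervisory channel only ever reads. Writes are suspect.
ALLOWED_FUNCTIONS = {1, 2, 3, 4, 7, 17}

HTTP_START = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS) |^HTTP/1\.[01] ")
IRC_START = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG) ", re.MULTILINE)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")   # long base64-looking run


def looks_like_other_protocol(data: bytes):
    """Return a label if the session is plainly not Modbus at all."""
    if HTTP_START.match(data):
        return "HTTP on tcp/502"
    if IRC_START.search(data):
        return "IRC on tcp/502"
    return None


def inspect_session(data: bytes) -> list[str]:
    """Findings for one direction of a tcp/502 session (empty list == clean)."""
    findings = []
    other = looks_like_other_protocol(data)
    if other:
        return [other]
    offset = 0
    while offset < len(data):
        if len(data) - offset < MBAP.size + 1:
            findings.append(f"truncated frame at offset {offset}")
            break
        tid, proto, length, unit = MBAP.unpack_from(data, offset)
        if proto != 0:
            findings.append(f"bad protocol id {proto} at offset {offset}")
            break
        # Modbus/TCP ADU is at most 260 bytes, so the length field is at most 254.
        if length < 2 or length > 254:
            findings.append(f"implausible MBAP length {length} at offset {offset}")
            break
        pdu = data[offset + MBAP.size: offset + 6 + length]
        if len(pdu) != length - 1:
            findings.append(f"frame length {length} does not match data at offset {offset}")
            break
        fc = pdu[0]
        if not (fc & 0x80) and fc not in ALLOWED_FUNCTIONS:   # 0x80 marks an exception reply
            findings.append(f"function code {fc} outside read-only set (tid {tid})")
        if B64_RUN.search(pdu):
            findings.append(f"base64-looking payload in PDU (tid {tid})")
        offset += 6 + length
    return findings


def modbus_adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used only to build the constructed samples)."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample sessions.
SAMPLES = {
    # two legitimate supervisory reads: holding registers, then input registers
    "clean": modbus_adu(1, 1, b"\x03\x00\x00\x00\x0a") + modbus_adu(2, 1, b"\x04\x00\x00\x00\x02"),
    # web traffic tunnelled over the allowed port
    "http": b"GET /cmd?x=1 HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
    # an IRC command-and-control conversation pretending to be Modbus
    "irc": b"NICK plc-07\r\nUSER plc 0 * :plc\r\nJOIN #ctrl\r\n",
    # write-multiple-registers (fc 16) whose 60 bytes of register data are a base64 blob
    "smuggled": modbus_adu(3, 1, b"\x10\x00\x00\x00\x1e\x3c" + base64.b64encode(b"\x7fELF" + b"\x00" * 40)),
    # bytes that are not Modbus at all: protocol id comes out as 0x4D42
    "not_modbus": b"MB" * 10,
    # a frame whose MBAP length promises more bytes than the session holds
    "truncated": modbus_adu(4, 1, b"\x03\x00\x00\x00\x0a")[:9],
}

if __name__ == "__main__":
    for name, session in SAMPLES.items():
        print(f"{name:10s} -> {inspect_session(session) or 'clean'}")
```

The checks are deliberately layered: protocol identification first, then framing, then function-code policy, then content heuristics, because a smuggled payload that survives one layer is usually caught by the next. The Base64 heuristic is a tripwire rather than proof, since genuine register data can occasionally look like a short Base64 run; tune the run length to what your own process data looks like.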

So all it takes is a product? That would be nice, but we all know that security is a process and not a product. That is true here as well: if you look back at the beginning of the last paragraph you’ll note that there are other ways in, such as altering the configuration of the firewall to open a backdoor through which an attack could occur. To protect against this, write the following words on a banner and start waving it over your head: “Situational Awareness.” More on that in a moment.

The second example is the clever one. In Digital Bond’s published research from the 2010 SCADA Security Scientific Symposium (S4), there is an interesting use case of jamming Wi-Fi signals using commercial electronic components. A wireless access point will typically broadcast itself when no connection exists, so a wireless jammer can force an endless cycle of WAP discovery, creating enough extra network traffic to disrupt latency-sensitive industrial protocols such as Modbus TCP. The attacker doesn’t need to access the network at all, or even enter the building: simply deploy a jammer through your creative mechanism of choice (mine would be an AR Drone Quadricopter) and let the control system sabotage itself. As promised, another attack vector that ignores an air gap. How do you protect against this one? Look up at that banner you’ve been waving for the last paragraph: Situational Awareness.


Situational awareness, in the context of threat detection, means monitoring all activity on the network. In the first example, monitor network flows and compare them against the allowed information flows per your firewall configuration (and, hopefully, per your internal security plan). If traffic is seen originating from the business network on a port other than 502, or from a source IP that is not your monitoring workstation, or that is not destined to that small handful of HMIs, something must be amiss. Inspection of the firewall may well reveal that it has been manipulated and is letting rogue traffic into your supervisory network. Better yet, put the firewall under configuration management and have it notify you immediately when any change is detected, giving you a far better chance of mitigating the inevitable attack. In the second example, intermittent loss of connectivity of one or more wireless access points can be detected by monitoring network health using SNMP. If we go a bit further, we can correlate that to process failures in the control loop, right? You bet … but that’s another topic for another day. Next time we’ll dig into Situational Awareness and provide some examples of what to monitor, how to monitor it, and how to best utilize that monitoring for threat and risk detection.
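The flow comparison and the firewall change detection described above can be made concrete. The following is an added example written for this article, not code from the author or from any monitoring product: it checks NetFlow-style records crossing the business/ICS boundary against the single allowed supervisory flow (monitoring workstation to HMIs on tcp/502, and the matching responses back) and reports anything else, then fingerprints a firewall ruleset so that a rule change alerts while a cosmetic edit does not. The addresses, subnets, hostnames, flow records and the vendor-neutral ruleset syntax are all assumptions constructed for the example.

```python
"""Added example: policing the supervisory channel with flow records and a
firewall config fingerprint. Topology, addresses and rules are assumptions."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Assumed topology: business side, ICS side, one authorised supervisory flow.
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")
ICS_NET = ipaddress.ip_network("192.168.50.0/24")
MONITORING_WS = ipaddress.ip_address("10.10.5.20")
HMIS = {ipaddress.ip_address(a) for a in ("192.168.50.11", "192.168.50.12", "192.168.50.13")}
MODBUS_TCP = 502


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-style record, reduced to the fields the policy needs."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def violations(flow: Flow) -> list[str]:
    """Reasons a boundary-crossing flow falls outside the allowed channel (empty == allowed).
    Flows that stay on one side of the boundary are not policed here."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    reasons = []
    if src in BUSINESS_NET and dst in ICS_NET:            # supervisory requests
        if src != MONITORING_WS:
            reasons.append(f"{src} is not the monitoring workstation")
        if dst not in HMIS:
            reasons.append(f"{dst} is not an authorised HMI")
        if (flow.proto, flow.dport) != ("tcp", MODBUS_TCP):
            reasons.append(f"{flow.proto}/{flow.dport} is not Modbus TCP")
    elif src in ICS_NET and dst in BUSINESS_NET:          # responses, or a C2 channel
        if src not in HMIS:
            reasons.append(f"{src} is not an authorised HMI")
        if dst != MONITORING_WS:
            reasons.append(f"{dst} is not the monitoring workstation")
        if (flow.proto, flow.sport) != ("tcp", MODBUS_TCP):
            reasons.append(f"outbound {flow.proto} {flow.sport}->{flow.dport} is not a Modbus TCP response")
    return reasons


def audit_flows(flows):
    """Map each offending flow to its reasons. An unexpected hit usually means the
    firewall no longer enforces what the security plan says it should."""
    return {f: r for f in flows if (r := violations(f))}


# Constructed sample flow records.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "192.168.50.11", "tcp", 51000, 502),    # allowed poll
    Flow("192.168.50.11", "10.10.5.20", "tcp", 502, 51000),    # allowed response
    Flow("10.10.7.33", "192.168.50.11", "tcp", 44000, 502),    # wrong source host
    Flow("10.10.5.20", "192.168.50.11", "tcp", 44100, 3389),   # RDP through a "502-only" firewall
    Flow("192.168.50.12", "10.10.9.9", "tcp", 50222, 6667),    # HMI talking IRC outbound
    Flow("10.10.1.1", "10.10.2.2", "tcp", 40000, 445),         # never crosses the boundary
]


def config_fingerprint(text: str) -> str:
    """Hash a firewall ruleset with comments and whitespace normalised away, so a
    cosmetic edit does not alert but an added or changed rule does."""
    rules = [" ".join(line.split()) for line in text.splitlines()]
    rules = [r for r in rules if r and not r.startswith("#")]
    return hashlib.sha256("\n".join(rules).encode()).hexdigest()


def config_changed(baseline: str, current: str) -> bool:
    return config_fingerprint(baseline) != config_fingerprint(current)


# Constructed, vendor-neutral ruleset; the syntax is illustrative only.
BASELINE_RULES = """
# supervisory channel
allow tcp from 10.10.5.20 to 192.168.50.11,192.168.50.12,192.168.50.13 port 502
deny any from any to any
"""
TAMPERED_RULES = BASELINE_RULES.replace(
    "deny any", "allow tcp from 10.10.0.0/16 to 192.168.50.0/24 port 3389\ndeny any")

if __name__ == "__main__":
    for flow, why in audit_flows(SAMPLE_FLOWS).items():
        print(f"{flow.src}->{flow.dst} {flow.proto}/{flow.dport}: {'; '.join(why)}")
    print("firewall ruleset changed:", config_changed(BASELINE_RULES, TAMPERED_RULES))
```

The flow policy is the firewall rule restated as a detector: if the firewall is doing its job, `audit_flows` should never return anything, so any hit is evidence that either the firewall or the plan has drifted. The fingerprint closes the loop from the other side, catching the rule change before the rogue traffic appears. In practice the baseline fingerprint is stored somewhere the firewall administrator cannot quietly update, and the SNMP availability monitoring for the wireless example feeds the same alerting pipeline.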
