The Limitations of Air Gapping in SCADA Systems

Overview

Air gapping is a widely recognized security measure used in Supervisory Control and Data Acquisition (SCADA) systems to prevent unauthorized access from external networks. The principle behind air gapping is to physically isolate critical operational technology (OT) environments from IT networks and the internet, thereby reducing the risk of cyberattacks. However, as this case study illustrates, air gapping does not eliminate cybersecurity risks and can give organizations a false sense of security.

Air Gap

Server

Internet

Background

In 2024, a large company, referred to as “TargetCo,” employed air gapping as a primary security measure for its SCADA systems managing critical infrastructure. TargetCo believed that this separation from the internet and corporate network ensured their systems were immune to cybersecurity threats. However, a subsequent incident revealed several vulnerabilities inherent to relying solely on-air gapping for security

Incident Description

Despite air gapping, TargetCo's systems were compromised when an insider threat emerged. An employee inadvertently introduced malware into the SCADA environment through a removable USB device used to transfer operational data from a connected system. The malware was designed to exploit known vulnerabilities in the SCADA software and bypassed various security measures in place.

Six Key Findings

1. Insider Threats

Air gapping does not account for insider threats. Employees with access to both the air-gapped system and removable media pose significant risks, as they can inadvertently or intentionally introduce malware or conduct unauthorized activities.

2. Physical Security Weaknesses

Physical access to air-gapped systems can be compromised. In the TargetCo case, an employee allowed unauthorized access to their workstation, which resulted in malware being introduced into the SCADA systems. This highlights how physical security needs to be as robust as digital security.

3. Third-Party Vulnerabilities

Many organizations rely on third-party vendors for maintenance and support. If these third parties connect to the air-gapped systems via tools like laptops or mobile devices for service, they can inadvertently transfer malware onto these systems.

TargetCo employees inadvertently exposed their air-gapped SCADA system by connecting a 4G router to facilitate remote access for a thirdparty support team. This unauthorized connection allowed the external team to access the otherwise isolated network via cellular data, bypassing the air gap. Consequently, this increased the risk of potential security threats, as external attackers could exploit the router to gain unauthorized access to critical infrastructure.

4. Limited Visibility and Monitoring

Air-gapped environments often face challenges with security monitoring and incident response. Without regular monitoring and the ability to analyze threats in real time, organizations may be unable to detect and respond to attacks promptly.

5. Patch Management Challenges

Keeping SCADA systems updated and patched is vital for cybersecurity. Air-gapped systems may experience delays in applying necessary updates due to their isolated nature, exposing them to known vulnerabilities.

6. Legacy Systems

Many SCADA systems rely on outdated technology and software. Air gapping does not address inherent vulnerabilities in legacy systems that may no longer receive security updates or support.

Conclusion

The incident at TargetCo serves as a cautionary tale that underscores the limitations of air gapping as a standalone security solution for SCADA systems. While air gapping can reduce surface exposure to cyber threats, it does not negate all risks. Organizations must adopt a comprehensive cybersecurity strategy that includes regular threat assessments, insider threat mitigation, robust physical security measures, continuous monitoring, and patch management, alongside air gapping, to truly protect their critical infrastructure.

Six Recommendations

1. Implement Multi-Layered Security

Utilize a combination of preventive, detective, and responsive security measures tailored for the SCADA environment, including firewalls, intrusion detection systems, and endpoint protection.

2. Enhance Employee Training

Conduct regular training sessions on cybersecurity awareness, including the risks associated with removable media and insider threats.

3. Regular Vulnerability Assessments

Regularly review and assess the security posture of air-gapped systems and connected environments to identify and remediate potential weaknesses.

4. Develop Incident Response Plans

Establish a comprehensive incident response plan that addresses potential threats and outlines clear procedures for managing and mitigating incidents involving air-gapped systems.

5. Adopt Continuous Monitoring Solutions

Even in air-gapped environments, consider implementing passive monitoring tools that can operate without connectivity to provide insights into system integrity and potential threats.

6. Integrate SCADA System to Network

In the end TargetCo should consider integrating their SCADA system as part of corporate network. This approach would improve ability to implement modern security technologies and reduce or minimize human factor

As cybersecurity threats continue to evolve, organizations must recognize that a “set it and forget it” approach to security – such as relying solely on air gapping – is insufficient. A proactive and layered security strategy is essential for safeguarding critical operational technologies in today’s complex threat landscape.