Dear Colleagues

I used to joke (mistakenly) that the only secure way of protecting your control system from cyber attacks is having an ‘airgap’ (i.e. your industrial control system has no connection to the internet or the ‘outside world’).

As we all know, one of the enduring myths of control systems has been that the highest level of security lies in ensuring there is no physical connection between the industrial automation network and the firm’s business network (and thence probably the internet). With no physical connection, it is assumed that the ghastly hackers, viruses and worms cannot access the industrial automation network.

The legendary Airgap
In theory, the concept of the legendary ‘air gap’ is great and gives you a warm fuzzy feeling that your industrial control system is secure. In practice it just doesn’t stack up. Probably one of the main reasons is that your control system today uses so many components that are closely aligned with your business network, ranging from the Windows operating system, word processors and spreadsheets to Adobe PDF Reader and a host of other commercial packages. As well as your industrial automation software, of course. All of these require regular updates and the inevitable patches. A normal part of software life.

Patch files riddled with viruses
So if you have decided on an ‘air gap’ to maintain the security of your system, what do you do to update your isolated system? You put all these new patch files onto a USB ‘stick’ or CD and transport this across to your isolated control system. But this was how the Stuxnet virus was spread. Or you use a dedicated laptop to copy the files across using a serial connection. Well, as Eric Byres pointed out, this is how the Slammer worm jumped into numerous control systems.

Vendors preach
Many vendors will preach about the necessity for an airgap to protect your control system but in the same breath, will also talk about total plant integration of your control, MES and ERP systems. It is difficult to visualise seamless integration over an airgap.

Much as we would like to isolate our trusted control systems by terminating any pathways to the outside world, this is impossible. All that happens is that you create new pathways.

There are some exceptions
I do admit that there are those very simple control systems, such as the air conditioning control system for your room, which are not connected to the outside world, but even here you may want to update a program with an EPROM (or equivalent), and many users want to monitor their systems remotely over the Internet. Perhaps there are extraordinarily high risk military and nuclear installations where there are airgaps and very occasional upgrades are very carefully done. Even here, there are significant risks.

Assume the worst and plan accordingly
But most traditional industrial control systems for our typical plants, power and water utilities do not have airgaps and are connected to their company’s business networks.
So to face up to cybersecurity issues, you need to face up to the brutal reality that your control system is indeed connected to the malicious outside world, and your computer security measures need to assume the worst. None of us is immune to attack. We need to design and maintain our systems on this basis.

Thanks to Eric Byres and Dale Peterson for an interesting set of discussions.

In the context of the security of our networks, perhaps General Douglas MacArthur’s remark is another way of looking at the problem: “There is no security on this earth, there is only opportunity.”

Yours in engineering learning
Steve