A major food company in the Midlands found a simple way of avoiding ransomware and viruses: it disconnected the factory IT system from the internet. No connection, no attackers.
This approach is known as “air gapping”. With no physical link to the outside world, the IT stack is isolated. Security guaranteed, in theory. But is it a viable strategy?
Government agencies like the CIA in the US have started to recommend air gapping as part of a comprehensive anti-ransomware programme, notes Joe Sullivan, chief security officer at website security specialist Cloudflare.
“Air gapping has existed as a security and resiliency concept in business continuity programmes since well before the term ‘ransomware’ became popular,” he says. “It has typically been used as a way to protect against accidental or malicious destruction of primary sources of data and software by making backup copies that are stored offline.”
Air gapping grew in the aftermath of the high-profile attacks on the likes of Saudi Aramco and Sony, which used software like the Shamoon wiper virus to erase sensitive data.
Today, the motivation to unplug is soaring. The FBI warns there are more than 100 strains of ransomware circulating. In the second quarter of this year there were more than 300 million attempted attacks captured by a single security provider, more than the whole of 2020. Payouts in 2021 should top the entire past decade put together.
However, there are good reasons why air gapping is still niche. As Sullivan notes: “There is an old joke in security that a computer is only safe when it is turned off. Sadly, that has been proven true. Every system that is powered up and online is under threat.”
An ageing problem
A major problem with air gapping is that systems can’t be updated easily. Software updates get skipped. The system grows vulnerable.
“When systems are air gapped the priority of investing into the implementation of proper security controls goes away,” says Ehsan Foroughi, CTO at Security Compass. “System developers get too relaxed and start relying on that air gap as their defence.”
Sooner or later an upgrade must be made. The system connects to the outside world and exposure returns, only worse than before. The unprotected system is vulnerable, missing months or years of upgrades and security patches.
There’s also the issue of human error. Foroughi tells the story of a US government network behind an air gap that was compromised because one employee found it too hard to keep replicating work between two desktops, one connected to the air gap network and one to the internet. So he temporarily connected them, breaking the air gap – allowing attackers to jump across the bridge into the protected network.
Security questions
There’s another problem. Rather surprisingly, a disconnected system may not be isolated after all.
Mordechai Guri is an academic researcher at Israel’s Ben-Gurion University of the Negev and an expert at hacking unconnected systems. In a recent paper he revealed how he could read the signals from an ordinary ethernet cable using a $1 antenna. The cable electrically leaks information, which can be read from up to tens of metres away. He was also able to transmit information.
Guri’s method requires a direct physical attack on an IT system, hence Russian ransomware villains may be unlikely to try it. But Guri has found around a dozen other ways to connect to air-gapped systems by picking up leaked signals. One of his methods involves analysing the acoustic waveform emitted from the CPU and chassis fans to transmit information, captured on a nearby mobile phone at 900 bits an hour – slow, but usable.
The only solution to this snooping is to keep attackers at a physical distance or install a Faraday cage, which blocks electromagnetic transmissions. Even then, a physical attack is possible. Hackers may break into a facility and upload malware via a USB stick. The Iranian national nuclear programme is believed to have been compromised this way – it was an air-gapped system.
Air gapping also faces a challenge from alternative methods of protection. Zero Trust networks for example, offer elevated security with few of the downsides. In a Zero Trust environment only a limited set of approved devices can connect. Access is limited by time. Users can access only a narrow subset of systems. The philosophy is based on the assumption that each access could be a malefactor; it sets out to limit the blast radius inside the internal network.
There are also One Way Links, using network diodes. These allow data to travel only one way through a system. “Unidirectional communication could allow you to collect data from a secured, usually air-gapped place like a nuclear power plant,” says Steve McGregory, senior director, security R&D at Keysight Technologies. “This would prevent someone from being able to connect into the nuclear power plant through that connection.”
The road ahead
So what’s the future for air gapping?
The inability to update air-gapped systems means they grow ever weaker. The chances of an accidental connection or rogue breach of the gap are unpalatable. And naturally, a disconnected system is limited in its capability. No emails, no upgrades, no data sharing with the outside world: it’s a high price to pay.
But there is a use case. Backups are vital in combating ransomware, when infected systems need to be restored. However, malware will seek out and infect backups. A simple method to protect them is to place them in an air-gapped storage unit. Laborious, yes, but secure.
“Air gapping is the only real defence against ransomware, which continues to offer the biggest threat to information systems,” says Tony Proctor, principal lecturer in cybersecurity at the University of Wolverhampton. “Many organisations have kept their backup systems online for convenience when copying the live data. As such they are highly vulnerable to ransomware. Air gapping means that these backups can be maintained offline and will not be affected by the ransomware.”
As ransomware gangs like Evil Corp (yes, that is its name) run rife, air gapping backups may be the solution. It’s not perfect. It’s labour intensive. But when disaster strikes, it may prove to be the low-tech solution that saves the company.