July 13, 2022
June 13, 2023

Why the Air Gap Is Not a Reliable Way to Protect Your OT Systems

While air gaps mitigate operational technology (OT) cybersecurity risks, they are not a reliable defense against advanced cyber attacks and human error. BlastShield creates a software-defined perimeter to enforce stringent security protocols, enabling only authenticated and authorized devices to communicate within the network.

Air Gaps Aren’t Sufficient

The “air gap” security strategy disconnects a computer or network from external networks such as the Internet.

The term comes from the idea of a literal “gap of air” between a system and the outside world, intended to prevent unauthorized access.

But while this measure greatly strengthens industrial security, it is not invincible.

Here is why:

  • The human element
    Air-gapped environments don’t exist in a vacuum: humans are inextricably involved in plant operations. They may unwittingly introduce malware (through contaminated USB drives, for instance) or be manipulated into extracting data (a technique known as social engineering).
  • Data exchange necessities
    In reality, air-gapped systems often require data transfer with other systems, typically via removable media such as USB drives. If compromised, these drives can infect air-gapped systems. Stuxnet is the classic example: removable media bridged the air gap around an “air-gapped” environment and ultimately disrupted Iranian centrifuge operations.
  • Hardware and firmware exploitation
    Numerous attacks exploit hardware or firmware vulnerabilities, either remotely or directly. In an air-gapped environment, however, these attacks require physical access, which an attacker may acquire in several ways. The BadUSB vulnerability, for instance, allows a USB device's firmware to be reprogrammed so that the device mimics a keyboard and injects harmful commands.
  • Wireless and acoustic intrusions
    Advanced attacks can extract data from air-gapped systems using innovative methods, such as malware that uses a computer's speakers to emit ultrasonic signals detectable by nearby devices, or that manipulates the computer's electromagnetic field to transmit data.
  • Supply chain intrusions
    These attacks compromise a system or component during manufacturing, implanting hard-to-detect malware that can affect even air-gapped systems. The alleged attack on Supermicro motherboards reported by Bloomberg in 2018 exemplifies this, although the claims remain disputed.
  • Physical access
    Should an intruder gain physical access to an air-gapped system, they could install hardware keyloggers, directly retrieve data from the system, or otherwise compromise it.
  • Inadvertent wireless connections
    Devices within an air-gapped environment might inadvertently form wireless connections that circumvent the air gap. For example, a device may have Wi-Fi or Bluetooth capabilities left enabled that unknowingly connect to an unsecured network.
  • Visual and audio data leaks
    Certain malware can use light and sound to transmit data across the air gap. One technique uses a device's blinking LED lights to transmit data to a nearby camera; malware could also use sounds generated by a computer's fan or hard disk drive to send data.
  • Heat emissions
    Another unusual attack vector leverages the heat emissions of computers. A research malware named BitWhisper demonstrated this concept, showing slow but plausible data transmission from an infected machine to a nearby computer by controlling its heat output.
  • Radio frequency (RF) emissions
    Attackers can exploit electromagnetic emissions from components such as the CPU and RAM to extract data from air-gapped computers, a technique known as Van Eck phreaking or TEMPEST. While it requires specialized equipment and proximity, it remains a potential attack vector.
  • Malware evolution
    The continuous evolution of malware presents a constant threat even to air-gapped systems. Advanced Persistent Threats (APTs), often state-sponsored and resource-rich, are especially dangerous.
  • Insider threats
    This risk is present in any organization. A malicious insider could exfiltrate data or introduce malware into an air-gapped system, particularly if they have direct hardware access.

So although air gapping is a robust defense strategy, it is not impervious, especially to well-equipped and determined adversaries.

These considerations are a reminder that security is a continual process that requires vigilant monitoring, layered defense, and comprehensive risk management.

Enhance Industrial Security with an Optimal Approach

To mitigate these risks and bolster the security of air-gapped environments, organizations need to enforce a multi-layered security strategy that goes beyond air gapping.

Stringent access controls are a key component of these strategies, and that's where BlastShield comes in.

BlastShield, a cutting-edge Zero-Trust Network Access (ZTNA) solution, takes network security to new heights.

By employing a software-defined perimeter (SDP) approach, BlastShield strengthens access controls, mitigates risks linked to stolen credentials, and simplifies management complexities.

BlastShield consolidates security by integrating multiple measures into one solution, including phishing-resistant Multi-Factor Authentication (MFA), data-in-motion encryption, micro-segmentation, granular access controls, device invisibility, and an application proxy.

Unpacking BlastShield

BlastShield encompasses several critical components for its operation, all managed through the BlastShield Orchestrator.

These include the BlastShield Client for end-user devices, the Authenticator for phishing-resistant passwordless authentication, the Host Agent for target devices, and the Gateway Agent for safeguarding endpoints without a Host Agent.

Integrating BlastShield in Air-Gapped Security

As a comprehensive solution, BlastShield is an ideal addition to enhance security measures in air-gapped environments. Here's how:

  • Software-defined perimeter (SDP) architecture
    BlastShield employs SDP, a zero-trust model that treats every device, user, or application accessing the network as a potential threat. This dynamic perimeter adds an extra security layer to air-gapped systems, managing resource access in real time. It significantly diminishes the risk of credential theft, as specific permissions are required for resource access.
  • Phishing-resistant Multi-Factor Authentication (MFA)
    By adding an extra security layer to the login process, BlastShield's phishing-resistant MFA makes it more difficult for attackers to impersonate users and gain access, strengthening air-gapped systems against phishing attacks.
  • Device invisibility
    By rendering devices on a network undetectable to attackers, BlastShield limits the attack surface and enhances the security of air-gapped systems. Unauthenticated users cannot discover or target devices safeguarded by BlastShield, mitigating the risk of credential theft or lateral movement.
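To make the three properties above concrete (default deny with explicit grants, stolen credentials being useless without an enrolled device and an MFA assertion, and protected hosts being undiscoverable to unauthenticated traffic), here is an added, illustrative policy evaluator. It is not BlastShield's implementation and uses no BlastShield API; the users, device groups, resources and rules are constructed for the example.

```python
"""Default-deny access decisions behind a software-defined perimeter.

Added, illustrative example; not BlastShield's implementation. It models:
  1. every request is untrusted until the device is enrolled, the user has
     completed a phishing-resistant MFA login, and an explicit rule grants
     (user, device group, resource, action);
  2. a stolen password alone is useless, because the request must also come
     from an enrolled device with a verified MFA assertion;
  3. unauthenticated probes get one uniform answer whether or not the target
     exists, so protected hosts cannot be enumerated (device invisibility).
Users, devices, resources and rules below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: Optional[str]         # None: no identity presented (a discovery probe)
    device_id: str              # identity of the requesting device
    resource: str               # protected host or service being asked for
    action: str                 # e.g. "read", "write", "connect"
    mfa_verified: bool = False  # True only after a phishing-resistant MFA login


@dataclass
class Perimeter:
    enrolled: dict       # device_id -> device group
    resources: set       # hosts/services that really exist behind the perimeter
    rules: set = field(default_factory=set)  # (user, device group, resource, action)

    def allow(self, user: str, group: str, resource: str, action: str) -> None:
        """Explicit grant; nothing not listed here is ever reachable."""
        self.rules.add((user, group, resource, action))

    def decide(self, req: Request) -> str:
        group = self.enrolled.get(req.device_id)
        # Unauthenticated traffic is answered "no_route": the same result for a
        # real resource and a made-up one, so an attacker learns nothing from scanning.
        if req.user is None or group is None or not req.mfa_verified:
            return "no_route"
        if req.resource not in self.resources:
            return "no_route"
        if (req.user, group, req.resource, req.action) in self.rules:
            return "allow"
        return "deny"  # identified user, so the denial can be logged against them


def probe_scan(p: Perimeter, device_id: str, names) -> set:
    """Distinct answers an unauthenticated scanner sees across many target names."""
    return {p.decide(Request(None, device_id, n, "connect")) for n in names}


def demo() -> dict:
    """Constructed scenario exercising each path of the policy."""
    p = Perimeter(enrolled={"laptop-eng-01": "engineering"},
                  resources={"plc-line-3", "historian"})
    p.allow("alice", "engineering", "plc-line-3", "read")
    return {
        # Unknown device, no identity: real and fake hosts look identical.
        "scan": probe_scan(p, "rogue-box", ["plc-line-3", "historian", "not-a-host"]),
        # Enrolled device, but password only (no MFA assertion).
        "no_mfa": p.decide(Request("alice", "laptop-eng-01", "plc-line-3", "read")),
        # Valid user and MFA, but from a device that was never enrolled.
        "stolen_creds": p.decide(Request("alice", "rogue-box", "plc-line-3", "read", True)),
        # Everything in order and an explicit rule exists.
        "granted": p.decide(Request("alice", "laptop-eng-01", "plc-line-3", "read", True)),
        # Same user and device, action not granted.
        "wrong_action": p.decide(Request("alice", "laptop-eng-01", "plc-line-3", "write", True)),
        # Same user and device, resource not granted.
        "wrong_resource": p.decide(Request("alice", "laptop-eng-01", "historian", "read", True)),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {decision}")
```

Note the asymmetry in the responses: an identified user who lacks a rule gets an explicit "deny" that can be attributed and logged, while anything unauthenticated gets the same "no_route" for every name, which is what keeps the protected hosts invisible to a scan.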

Enforcing strict access controls is a crucial element of air-gapped security, and BlastShield provides an impressive solution. By integrating its multi-faceted security measures, BlastShield strengthens defense layers, making it a sound investment for all organizations, particularly those in the industrial sector.

Get Started

Getting started with BlastShield is straightforward and cost-free.

Create a trial account, download the BlastShield Authenticator and Client, and experience enhanced security within minutes.

By integrating BlastShield into your security measures, you empower yourself to effectively counter the constantly evolving threat landscape and protect your air-gapped systems.

Start a free trial now at: https://www.blastwave.com/free-trial
