By Alex Nehmy
The air gap is dead.
The notion of having air-gapped computer systems from the primary corporate environment and the internet is antiquated, steeped more in fairy-tale romance than reality.
An air gap consists of two networks, so there’s a gap between them consisting of air. The Australian Cyber Security Centre defines an air gap as “A network security measure employed on one or more computers to ensure the network is physically isolated from any other network. This makes the isolated network secure, as it doesn’t connect to unsecured networks like the public internet.”
Air gaps make great sense from a cybersecurity perspective—data and threats cannot traverse from one network to another. An air-gapped network is akin to an island, safe, secure, and isolated from other networks that have lesser security and more significant threats. Hence air gaps are used in extreme risk or secretive environments such as nuclear power generation and highly classified defence systems.
However, cybersecurity doesn’t operate in a vacuum. It exists to empower an organisation’s digital transformation objectives while managing cyber risk. Cybersecurity controls are often inherently at odds with the useability of IT systems. The greater the cybersecurity controls, the less usable and business-friendly the outcome. Air gaps restrict communication, and hence, they do not meet business requirements for modern, dynamic, and flexible communications networks.
IT and OT Are More Connected Than Ever
The greatest misconception these days is that critical infrastructure organisations still have an air gap. However, the overwhelming majority of industrial operational technology (OT) environments are indeed not air-gapped; they’re physically connected to IT and logically separated by a firewall. As these critical infrastructure organisations are undergoing their own digital transformations, they are increasingly reliant on data from the industrial OT environment in order to run their business systems in IT. In fact, IT and OT are now more connected than ever. An air gap does not support this business-critical connectivity.
Let’s take the case of the Colonial Pipeline ransomware incident. The Darkside cybercrime group infected the IT environment with ransomware, effectively locking key business systems, including the billing system. The billing system relies on data from Colonial Pipeline’s OT environment to measure gas usage and bill customers. This data exchange from OT into IT is key to the financial operation of the business. An air gap would break this business-critical communication and therefore is not feasible.
As the ransomware rendered the billing system inoperable, Colonial Pipeline took the unprecedented step of disabling the gas pipeline, which services the southeastern United States, resulting in the most materially significant cyberattack in United States history.
OT Has Converged with IT, While IT Has Converged with the Cloud
Just as IT and OT have converged and can no longer be separated, so too has IT converged with the cloud. Remote working collaboration tools, cloud-based business management systems, and cloud data centres are the standard for IT in a post-pandemic world. In fact, for many modern organisations, the cloud is inseparable from IT. They have wholly merged.
Businesses are striving for more agile operations, lower costs, and greater customer satisfaction, and the cloud has been integral in many IT businesses achieving this.
In comparison to IT, OT is the last bastion of on-premises computing. There are no technical or cybersecurity reasons why the cloud cannot be used to transform the operations of OT. The primary limitation is a cultural one.
The cloud offers a massively scalable platform with efficiencies and capabilities that are difficult to match with in-house data centres. And OT is the literal heart of any industrial business. Why wouldn’t a company want to embrace the benefits of the cloud to extract maximum value from their most important business systems and data? There are untold benefits awaiting ….
Using Risk to Guide Cloud Usage
How can we begin to move the needle on cultural change within OT to embrace the cloud? A risk-based approach, combined with a focus on delivering transformational business outcomes, is our best bet.
When it comes to risk, there are two key types of data within OT, each with its own risk profile. They are primary control system data and telemetry data from internet of things (IoT) devices in the field.
Primary control system data has the ability to control or directly affect the OT environment and as a result, it is high risk. For example, in electricity distribution, it can be used to literally turn the power on or off, potentially resulting in life-or-death situations for both employees and critical care customers.
By contrast, IoT telemetry merely provides a real-time view into the operational environment from IoT sensors in the field and does not have control of the critical infrastructure. It is, therefore, a much lower risk. The IoT field-based sensors are collecting data about temperature, vibration, pressure or almost anything that can be measured to provide a real-time picture of how the physical world is operating. This data, when combined with the power of the cloud, will drive significant business outcomes that, to date, have not been realised.
There is a big difference in the risk posed by each of these data sources, and as such, the data should be handled differently based on risk. Primary control system data will likely remain on-premises for the foreseeable future, while IoT telemetry is low-risk enough to be handled in the cloud. Indeed, the sheer volume of IoT data and the insights available through machine learning will necessitate the use of cloud computing.
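The two-class handling just described (control data stays on-premises, telemetry may go to the cloud) is easiest to reason about when it is enforced at a single export-only boundary between OT and the cloud. The following is an added example, not code from the article or from Palo Alto Networks: a small gateway that classifies each message, forwards only read-only measurements, refuses anything that carries control intent, refuses all traffic addressed into OT, and strips telemetry down to measurement fields before export. The JSON line format, field names and sample messages are constructed for the example; a real deployment would map its own protocol (MQTT topics, OPC UA node classes, historian tags) onto the same two classes.

```python
"""Risk-based, export-only gateway between an OT network and a cloud platform.

Constructed illustration of the policy in the text above:
  - IoT telemetry (read-only measurements) may leave OT for the cloud.
  - Primary control system data (setpoints, commands, writes) never leaves OT.
  - Nothing flows from the cloud back into OT; the link is one-way.
  - Unknown or malformed messages are dropped (default deny).
"""
import json
from collections import Counter
from enum import Enum


class Zone(Enum):
    OT = "ot"
    CLOUD = "cloud"


class Verdict(Enum):
    FORWARD = "forward"
    DROP_CONTROL = "drop: control-plane data stays on-premises"
    DROP_INBOUND = "drop: no traffic into OT"
    DROP_UNCLASSIFIED = "drop: default deny"


# Assumed message schema (constructed): "kind", "src_zone", "dst_zone", "tag",
# plus "value" for measurements or "command"/"setpoint" for control intent.
TELEMETRY_KINDS = {"reading"}
CONTROL_KINDS = {"setpoint", "command", "write"}
CONTROL_MARKERS = ("command", "setpoint")   # keys that imply control intent
EXPORT_FIELDS = ("ts", "tag", "value", "unit")  # the only fields sent to the cloud


def classify(msg: dict) -> Verdict:
    """Decide whether one message may cross the OT/cloud boundary."""
    try:
        src, dst, kind = Zone(msg["src_zone"]), Zone(msg["dst_zone"]), msg["kind"]
    except (KeyError, ValueError, TypeError):
        return Verdict.DROP_UNCLASSIFIED
    if dst is Zone.OT:                       # export-only: never into OT
        return Verdict.DROP_INBOUND
    if src is not Zone.OT or dst is not Zone.CLOUD:
        return Verdict.DROP_UNCLASSIFIED
    # Control intent is checked before the telemetry allow-rule so that a
    # "reading" smuggling a command key is still refused.
    if kind in CONTROL_KINDS or any(k in msg for k in CONTROL_MARKERS):
        return Verdict.DROP_CONTROL
    if kind in TELEMETRY_KINDS and "value" in msg:
        return Verdict.FORWARD
    return Verdict.DROP_UNCLASSIFIED


def export_view(msg: dict) -> dict:
    """Data minimisation: only measurement fields leave the OT network."""
    return {k: msg[k] for k in EXPORT_FIELDS if k in msg}


def run_gateway(lines):
    """Apply the policy to JSON lines; return (exported messages, decision log)."""
    forwarded, log = [], []
    for raw in lines:
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            msg = {}
        if not isinstance(msg, dict):
            msg = {}
        verdict = classify(msg)
        log.append((verdict, msg.get("tag", "<none>")))
        if verdict is Verdict.FORWARD:
            forwarded.append(export_view(msg))
    return forwarded, log


def summarise(lines) -> Counter:
    """Count decisions by verdict name, e.g. for a dashboard or SIEM metric."""
    _, log = run_gateway(lines)
    return Counter(v.name for v, _ in log)


# Constructed sample traffic arriving at the gateway.
SAMPLE_LINES = [
    '{"ts": 1700000000, "src_zone": "ot", "dst_zone": "cloud", "kind": "reading", '
    '"tag": "pump7/vibration", "value": 0.42, "unit": "mm/s", "plc": "plc-07"}',
    '{"ts": 1700000001, "src_zone": "ot", "dst_zone": "cloud", "kind": "reading", '
    '"tag": "feeder3/voltage", "value": 11.2, "unit": "kV"}',
    '{"ts": 1700000002, "src_zone": "ot", "dst_zone": "cloud", "kind": "setpoint", '
    '"tag": "pump7/speed", "value": 1450}',
    '{"ts": 1700000003, "src_zone": "cloud", "dst_zone": "ot", "kind": "command", '
    '"tag": "feeder3/breaker", "command": "open"}',
    '{"ts": 1700000004, "src_zone": "cloud", "dst_zone": "ot", "kind": "reading", '
    '"tag": "feeder3/voltage", "value": 11.2}',
    '{"ts": 1700000005, "src_zone": "ot", "dst_zone": "cloud", "kind": "reading", '
    '"tag": "pump7/speed", "value": 1450, "command": "set"}',
    'not json at all',
]

if __name__ == "__main__":
    exported, decisions = run_gateway(SAMPLE_LINES)
    for verdict, tag in decisions:
        print(f"{verdict.value:45} {tag}")
    print("exported:", json.dumps(exported))
```

Two design points matter here: the inbound check runs before any allow-rule, so the boundary behaves like a one-way link regardless of message content, and the control check runs before the telemetry allow-rule, so a message labelled as a reading but carrying a command key is still kept on-premises. The decision log is what you would feed to monitoring: a rising count of DROP_CONTROL or DROP_INBOUND at this boundary is itself a signal worth alerting on.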
Embracing the Benefits of Cloud Computing for Industrial Environments
The benefits of embracing the cloud for low-risk data, such as IoT telemetry, are numerous:
Real-Time Visibility for Better Decision-Making
IoT sensors in the field generate a constant stream of data, which provides real-time visibility into industrial operations, whether that’s monitoring manufactured goods for defects or the voltage of electricity distribution networks.
Rich, real-time data allows for greater visibility and understanding of industrial environments, leading to better decision-making and increased operational efficiencies.
Predictive Maintenance for Higher Availability
Predictive maintenance uses IoT telemetry to monitor physical assets in the field for signs of abnormal behaviour that may indicate the asset is about to fail. For example, in manufacturing, knowing when critically important production machinery is about to fail allows the asset to be fixed just before failure. This results in a decrease in unplanned downtime, increasing plant efficiency and maximising the output of operational systems.
Better Customer Outcomes
Ultimately, embracing the benefits of cloud computing to drive the efficiency and availability of industrial operations has a flow-on effect on the customer through reducing costs and increasing responsiveness.
One final benefit of embracing the cloud is increased cybersecurity and OT system availability. We know that cyberthreats to OT environments are increasing, and an incident within an OT environment (or in the case of Colonial Pipeline, within an IT environment) can affect the availability of business-critical OT systems and services.
Cloud-enhanced cybersecurity systems provide an immediate maturity uplift to best secure these critical operational environments. Should a threat actor gain access to OT, their actions cannot be predicted or controlled and are likely to result in unplanned outages and impact industrial business operations.
The data used by these next-generation security systems is primarily network and endpoint telemetry, also known as metadata, which is akin to IoT telemetry and is equally low-risk.
Securing an OT environment with cloud-enhanced cybersecurity systems reduces the likelihood of malicious activities taking place, further protecting the availability of key OT systems.
A Secure OT Environment Is Also an Available OT Environment
The digital transformation that IT has realised through embracing the cloud is also waiting for OT. More efficient operations, better insights and decision-making, and higher availability of key industrial systems are just a few of the benefits.
It’s time for OT to move past any cultural inhibitors and use risk and business value as drivers for their cloud transformation.
Article link: https://www.paloaltonetworks.com/cybersecurity-perspectives/the-air-gap-is-dead