Air-gapped networks give a false sense of security
As modern OT networks across various industries are becoming more digitised, there is growing recognition that relying on ‘air gapping’ as your sole cybersecurity strategy is neither effective nor safe. And yet, the myth of the air gap as a practical OT cyber defence still persists.
The basic premise of an air gap is as follows: by isolating a system from the outside world and ensuring no internet connectivity, it can no longer be attacked, because there is no means for an attacker to reach the system. The general view taken by organisations that use the air-gapping strategy is that they have no real need for cybersecurity monitoring, given their system cannot be attacked in the first place.
While this premise seems sound at first, there are three key reasons why this is an ineffective approach to protecting these systems:
- Isolated networks still need to be updated, whether implementing software updates, adding new devices to a system or decommissioning end-of-life infrastructure.
- Even with no means of connection to the outside world, asset owners still need to monitor for insider threats; for example, an unauthorised change to a process control value.
- Control verification is still required to alert in the event of an external connection and provide continuous assurance that the air gap is actually operating as planned.
There are plenty of high-profile examples of hackers breaking through supposedly secure air gaps. The most recent event of this kind came from an APT (advanced persistent threat) hacking group named GoldenJackal, which successfully breached air-gapped European government systems.
In short, the hacking group used malware placed on USB drives to exfiltrate data from the isolated systems. If this network was in fact air-gapped, how did GoldenJackal manage to steal sensitive data using something as simple as a USB drive? The group used a specialised malware dubbed GoldenDealer, which resides on ordinary machines outside the air gap and then copies itself onto any USB drive inserted into that machine.
Once that USB drive is then inserted into an air-gapped machine, the malware installs a backdoor (GoldenHowl) and file exfiltration malware (GoldenRobo) which then exfiltrates data from those machines, and sends it back to GoldenJackal when the USB device is connected back to an internet-connected machine.
Device inventory and configuration data collected in this way can then be used to target strategic assets for later cyber attacks, whether for ransom or for cyberwarfare purposes.
The GoldenJackal attack is just one example of how cybercriminals can easily breach air-gapped systems, which are unfortunately viewed as untouchable by some organisations.
The best ways organisations can defend themselves from such attacks are as follows:
- Never rely on the air-gapping strategy as the sole method of cyber defence for OT systems.
- Ensure OT networks are continuously monitored for vulnerabilities and attempted attacks regardless of whether they are isolated.
- Where possible, remove USB connectivity from devices connected to OT networks.
- Deploy a safe, sanctioned secure access and file transfer method to allow these systems to be updated with appropriate control and oversight.
The only thing an air gap accomplishes is a false sense of security. By taking appropriate measures, organisations can protect their OT environment from cyber attacks and have the appropriate visibility in place to ensure their systems are operating correctly.
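As an added illustration of the control-verification and USB points above (example code, not from the original article), a small Python check scans constructed log lines for two air-gap violations on hosts that are supposed to be isolated: an unsanctioned USB mass-storage device being attached, and any connection leaving the OT segment. The host names, device serials, subnets and the simplified log line formats are assumptions.

```python
import ipaddress
import re
from typing import Iterable

# Constructed inventory for this example: hosts behind the air gap, the subnets
# that segment may talk to, and the serial of the one sanctioned transfer device.
AIR_GAPPED_HOSTS = {"plc-hmi-01", "eng-ws-02"}
OT_SEGMENTS = [ipaddress.ip_network("10.10.5.0/24")]
SANCTIONED_USB_SERIALS = {"KIOSK-SCANNED-0001"}

# Simplified, assumed log formats (real syslog and flow formats vary by vendor):
#   "<ts> <host> kernel: usb-storage <dev> SerialNumber: <serial>"
#   "<ts> <host> conn <src> -> <dst>:<port>"
USB_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: usb-storage \S+ SerialNumber: (?P<serial>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) conn (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")

def is_external(ip: str) -> bool:
    """Anything outside the OT segment's own subnets is external, including
    corporate RFC 1918 ranges, so this deliberately does not use is_private."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in OT_SEGMENTS)

def verify_air_gap(lines: Iterable[str]) -> list[dict]:
    """One alert per unsanctioned USB attach or external connection on an air-gapped host."""
    alerts = []
    for line in lines:
        usb = USB_RE.match(line)
        if usb and usb["host"] in AIR_GAPPED_HOSTS:
            if usb["serial"] not in SANCTIONED_USB_SERIALS:
                alerts.append({"host": usb["host"], "type": "unsanctioned_usb", "detail": usb["serial"]})
            continue
        conn = CONN_RE.match(line)
        if conn and conn["host"] in AIR_GAPPED_HOSTS and is_external(conn["dst"]):
            alerts.append({"host": conn["host"], "type": "external_connection",
                           "detail": f'{conn["dst"]}:{conn["port"]}'})
    return alerts

# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = [
    "2024-05-01T08:00:01 plc-hmi-01 kernel: usb-storage 1-1:1.0 SerialNumber: KIOSK-SCANNED-0001",
    "2024-05-01T08:05:12 eng-ws-02 kernel: usb-storage 1-2:1.0 SerialNumber: 4C530001230",
    "2024-05-01T08:05:40 eng-ws-02 conn 10.10.5.22 -> 10.10.5.1:502",
    "2024-05-01T08:06:03 eng-ws-02 conn 10.10.5.22 -> 192.168.1.5:445",
    "2024-05-01T08:06:30 eng-ws-02 conn 10.10.5.22 -> 203.0.113.45:443",
    "2024-05-01T08:07:00 office-pc-09 conn 192.168.1.9 -> 203.0.113.45:443",
]

if __name__ == "__main__":
    for a in verify_air_gap(SAMPLE_LOGS):
        print(f'ALERT {a["type"]} on {a["host"]}: {a["detail"]}')
```

Note that a connection from the isolated segment to a corporate address is flagged just like one to the internet: for an air gap, any path out of the segment is a control failure.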