27 July 2012 by Andrew Wadsworth
Black Hat Security Conference Highlights Myth About Air Gaps
The annual Black Hat security conference is underway in Las Vegas. Control systems ranging from those found in medical appliances to cars to power plants are coming under ever greater scrutiny. Researcher Eireann Leverett claims to have found 36,000 devices directly accessible from the internet (see the Reuters report here) and wants to "demolish the myth" that control systems are generally safe because of an "air gap" between them and the Net". We, and many others working in this field, have been beating down that myth for quite a while already (check out this over on slideshare).
It's not just the obvious connections to the internet that need to be addressed. They're easy – pull the plug on the network connection. It's the less obvious ones that need more investigation – routable network connections between control systems and business systems which are on networks connected to the internet, suppliers' external connections to provide remote monitoring and diagnostics, for example.
Greater publicity of control systems weaknesses is a double edged sword. On the one hand, if it prompts more asset owners to, and suppliers to, take security seriously and take action that's a good thing. On the other, if they're not already aware, it draws the attention of the bad actors to an easy target and, to use the military expression, a target rich environment.
On balance, better to raise awareness that action is needed. The bad actors that we need to worry about already know. Read more about the 4 myths of process control system security here