The contextual versatility of the word “air” to preface another term has become quite purposeful in modern times. For instance, the act of playing “air guitar” is usually performed by a middle-aged male during his morning commute when he becomes overcome with inspiration provided by a rock song from his youth that’s blasting on the radio.
While the air guitar is not exactly a term shrouded in glory, the “air gap” is a whole different game.
What Is An Air Gap?
Until the early 1990s, the connected world was a simpler place where physical wires were necessary for two machines to establish communication. In this seemingly prehistoric era, the only way to infiltrate such communication was to transfer corrupt data over those wires. Where no such physical connection existed, there was a void, an air gap, that made it virtually impossible for system intrusion to take place between two devices that had no wires connecting them.
Techopedia defines the air gap as a “security measure implemented for computers, computer systems or networks requiring airtight security without the risk of compromise or disaster. It ensures total isolation of a given system from other networks, especially those that are not secure.” Air gap networks were most commonly used in situations demanding uncompromised security, such as military, healthcare, aviation and industrial control (e.g., SCADA) for nuclear power systems.
Then, the nature of networking drastically changed.
Is Your Dirty Network Holding You Hostage?
Connections of today are no longer purely physical in nature. People are unplugging landlines, cable providers and anything else they can in favor of convenience, low cost and wireless advancements. But Wi-Fi vulnerabilities alone can make your network dirty, with rogue access points broadening the attack surface. Also common are side-channel attacks in which a path to the corporate network can be created through the password-free guest network. The list is long.
We live in a virtual environment bolstered by the extreme proliferation of connected “things” such as smart machines, sensors, intelligent buildings and biomed devices — otherwise known as the industrial internet of things (IIoT). This hyperconnected environment presents a two-sided coin, with one side that yields incredible efficiencies and smarter business decisions, and another that surrenders security and increases risk.
As wireless connections such as Wi-Fi, cellular or satellite continue to replace physical ones, the old-school air gap has become mostly nonexistent. Today’s go-to solution to protect our IIoT networks is to continue using technologies such as internal firewalls, VPNs and VLANs. Unfortunately, many IT pros are experiencing Stockholm syndrome with the big network and security cartels; they’re held hostage with a false sense of security using inadequate solutions.
These legacy products no longer measure up for the IIoT world because today’s demands for connectivity are too substantial, and hackers have become extremely sophisticated. Even next-generation firewalls don’t adequately scale and protect traffic moving between converged OT and IT systems.
To free yourself from dirty networks, potential cyber-catastrophes and the cartel, it might be time to bring back the air gap — a next-generation air gap.
The Next-Generation Air Gap
Today, we have access to technology that allows us to create “virtual” air gaps with the ability to apply military-grade security to all devices, whether physically or virtually connected, but with transparent ease. This next-gen air gap can address all firewall shortcomings while allowing us to enjoy all the wonders of a smart environment in the IIoT world. Consider it a “virtual air gap firewall” that works with your existing network and makes IIoT connectivity inherently secure.
Next-generation air gaps are created by addressing the fatal flaw in the TCP/IP architecture (the heart of internet-based communications): the dual purpose of IP addresses serving as device address and identity. By replacing the vulnerable IP address with a cryptographic identity, communication between devices is rendered invisible to unauthorized users, creating a virtual “air gap” from hackers attempting a shot at compromising the integrity of your data or network.
The next-gen air gap can override human error by automating security policies, which eliminates the complexity that firewalls cause. It can also dramatically diminish the attack surface of a network, reducing enterprise risk and costly system downtime.
Clearing The Air With Parting Advice
I believe the emergence of virtual air gap technology deserves attention from IT and the C-suite of any organization that must reduce risk. As you plan for forthcoming IIoT projects, you should follow these best practices:
• Understand what devices are on your network.
• Start with a clearly defined scope for your IIoT project with a manageable number of devices.
• Identify all endpoints that are “in scope” of the project and what those devices need to access outside of the air gap, so that you can establish security policies.
However, there are also some potential obstacles you’ll need to consider before beginning this journey:
• Unknown network devices. You should use network monitoring tools to identify the devices communicating on your network. Monitoring tools should provide the communication paths and the ports/protocols being used (e.g., HTTP, SSH, HTTPS).
• Seemingly impassable networking and routing obstacles. Try to enlist a network engineer who is very familiar with the network routing policies that are in place.
• Scope creep. Align the project scope and objectives with stakeholders, and develop a holistic architecture for the implementation that meets both OT and IT requirements. Try to enlist a dedicated project manager to minimize or eliminate scope creep.
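The inventory and scoping steps above, as an added example that is not part of the original article: a sketch that takes flow records of the kind a monitoring tool exports, flags devices missing from the inventory, and lists what in-scope endpoints exchange across the air-gap boundary as candidate policy rules. All addresses, device names, flows and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory and project scope (assumptions, not from the article).
KNOWN_DEVICES = {"10.10.1.11": "plc-line1", "10.10.1.12": "hmi-line1",
                 "10.10.1.20": "historian", "10.20.0.5": "patch-server"}
IN_SCOPE = {"10.10.1.11", "10.10.1.12", "10.10.1.20"}

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.10.1.12", "10.10.1.11", "tcp", 502),  # HMI -> PLC, both in scope
    ("10.10.1.11", "10.10.1.20", "tcp", 443),  # PLC -> historian, both in scope
    ("10.10.1.20", "10.20.0.5", "tcp", 443),   # historian -> patch server (outside)
    ("10.10.1.20", "10.20.0.5", "tcp", 443),   # duplicate observation
    ("10.10.1.12", "10.20.0.5", "tcp", 22),    # HMI -> patch server over SSH
    ("10.10.1.77", "10.10.1.11", "tcp", 502),  # source missing from inventory
    ("10.20.0.5", "10.10.1.20", "tcp", 22),    # inbound from outside the gap
]

def analyze(flows, known, in_scope):
    """Return (unknown devices, flows inside the gap, flows crossing it)."""
    unknown, internal = set(), set()
    crossing = defaultdict(set)  # in-scope device -> {(direction, peer, proto, port)}
    for src, dst, proto, port in flows:
        unknown.update(ip for ip in (src, dst) if ip not in known)
        src_in, dst_in = src in in_scope, dst in in_scope
        if src_in and dst_in:
            internal.add((src, dst, proto, port))
        elif src_in:
            crossing[src].add(("out", dst, proto, port))
        elif dst_in:
            crossing[dst].add(("in", src, proto, port))
    return unknown, internal, dict(crossing)

def draft_policy(crossing, known):
    """Split boundary flows into candidate allow rules and flows held for review."""
    allow, review = [], []
    for device, entries in sorted(crossing.items()):
        for direction, peer, proto, port in sorted(entries):
            rule = (device, direction, peer, proto, port)
            (allow if peer in known else review).append(rule)
    return allow, review

if __name__ == "__main__":
    unknown, internal, crossing = analyze(FLOWS, KNOWN_DEVICES, IN_SCOPE)
    allow, review = draft_policy(crossing, KNOWN_DEVICES)
    print("Not in inventory:", sorted(unknown))
    print("Candidate boundary rules:", allow)
    print("Held for review:", review)
```

Candidate rules are only a starting point for the stakeholders who own the scope; a flow held for review means a device has to be identified before any policy is written for it.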
Legacy security solutions have shown their vulnerabilities with one successful hack after another. Bringing back the air gap could be a viable solution. Just make sure you’re prepared.