You Can't Design For Air Gapped And Manage Irresponsibly

Screenshot 2016-06-12 at 12.40.12 PM

SANS NewsBites Vol. 18 Num. 045 has a newsblurb and commentary on "Air Gapping SCADA Systems Will Not Work" published on (June 3, 2016) by the TheRegister.UK with quotes from Supervisory Control and Data Acquisition (SCADA) technology pioneer Faizel Lakhani.

The article focused the criticism for not using air gapped system because many of the current examples of air gapped networks have vulnerabilities that get added over time by employees who introduce technologies that wouldn't be allowed if the system was managed properly. 

Building a successful and effective air gapped system requires a dedicated culture of security engineering that is hard work.  Not doing that work will more than likely introduce threat vectors that a dedicated adversary will exploit. 

 And in other air gap news recently:


Where Is Your Power Strategy?

Power-decisions

Per FreeBeacon.com and TheHill.com there is news that the FBI has warned power companies about additional cyber threats to the United States critical infrastructure (i.e. the grid).  

This warning drives home the continued need to not only protect your air gapped network from digital threats, but also to make sure you completely understand and protect your power needs required by your air gapped network:

  • Your Grid
  • Your Generator
  • Your Backup Battery

You more than likely aren't able to completely power gap your air gapped system from the grid, but you do need to consider how to isolate as much as possible your generator(s) and your backup battery(s).  These capabilities will more than likely have industrial control systems (i.e. Internet of Things) that need to be protected from external threats.

If you have any best practices then please let us know by leaving a comment.


USB Memory Card Malware Threat

Flash-drive-146163_960_720
There is reportedly a new particularly advanced USB-savvy malware being called "USB Thief" (Google Search) being discussed by many in the technology press.  

If you allow users (including system admins) to use USB storage devices on air gapped systems then this threat can be a potential attack vector a persistent attacker could deploy against your organization.

Basically an infected USB device could be inserted into an air gapped computer where it could collect considerable amount of "protected data" and then exfiltrate the "protected data" back to the infected USB device. Once the device is removed there is reportedly no trace of the malware on the compromised system and no record of the data collected.

Best defense would be not to allow USB storage media on air gapped systems.  Otherwise, restricting data migration from the air gapped network (i.e. the high-side) to the internet network (i.e. the low-side) would be another defensive measure.  Good physical security would also limit the effectiveness of this threat vector.

Some links with more coverage (some of it F.U.D.): techtimes.com, sci24h.com, arstechnica.com, pcworld.com, thestack.com, securitybrief.co.nz, slashdot.org, idgconnect.com, and itsecuritynews.info

 

 


Emerging New Exfiltration Of Data Via RF Threat

Laptop-radio-exfil-project

There is a new open source effort to build out a working data exfiltration toolkit using radio frequencies.   The source code has been posted to GitHub.  More info on the news at Softpedia

The key defensive measure would be to make sure no malicious rogue capabilities make it to your air gapped networked systems, and that you consider RF shielding countermeasures.

 


Electromagnetic Attack Demo On Air Gapped System

EM-Computer-Attack-VisualizationResearchers preparing for a future conference presentation have released details (PDF paper here) of their successful electromagnetic (EM) attack against an air gapped system that included no additional software to be previously installed on the system being hacked.  The hardware costs to build the attacking system was around $3000.  The air gapped system had no TEMPEST protections (PDF reference for more information).

You can read more via:

 

 


DOD Definition Of Insider Threat

The United States Department of Defense's definition of an insider threat:

An insider threat is defined as someone who uses his or her authorized access to damage the national security of the United States, whether through espionage, terrorism, unauthorized disclosures of classified information, or other harmful actions.