Following the Colonial Pipeline Ransomware incident, Twitter exploded in to an orgy of blather from people demanding that we “air-gap” ICS. Those righteous keyboard warriors know what is best, I’m sure.
We cannot avoid having a secured connection with the office. But on the other hand, we don’t need ICS networks to be connected to the office 100% of the time. If there are elements in the office that require “real-time” performance, then someone should examine the data flows and why such connections are required. In most cases, the connection could be replaced by a reporting device on the OT side of the network, or it is just someone’s pet project that has no business case.
Office connections should have asynchronous, buffered connections. For example, I visited a pipeline operation similar to Colonial about three years ago. While they operated at a slightly smaller scale, They had a very manual connection between the office and the control room. At the beginning of the shift, the office would hand the operations staff a few sheets of paper with a list of what petroleum products need to move through the pipeline from where to where. The operators do this, and when the shift is up, the operators would generate a report for the office and hand the clerical and planning staff a few sheets of paper with the current results. This was not a huge amount of time-critical data.
So if some executives come to you thumping their chests saying “we must be connected all the time because it’s complex and intricate” –tell them to go fly a kite. They need to get a sense of perspective. By the way, flying a kite is a great way to relax, and feel small, while your kite flies high.
Furthermore, we should all practice network segmentation. This means periodically disconnecting the automated segments of the operation by disconnecting network connections. This gives people proper training and practice for identifying those key network segments so that they won’t be flustered and make mistakes when the real need arises. It also trims the operation down to essential automation so that everyone knows exactly what to expect.
When people work with automation enabled all the time, one should expect the manual skills and understanding of the automated systems to atrophy. If operators and office staff do not fully understand what the automation should do next and how it is supposed to work, how will they be able to determine that something is broken before it is too late?
This practice of breaking automation into semi-automatic subsystems is not just good for security, but also for operational proficiency and diagnostic training. In the case of a pipeline such as this, going back to older methods of faxed fuel orders and the like is also good as a method of cross-checking the automation.
And that brings me back to the people who think these systems cannot possibly operate without the automation. I like automation. I have designed automation over my entire career. But it is important to keep the semi-auto and manual controls available. If the automation or the instrumentation fails, there should be a backup plan of some sort. Assuming that without automation everything falls apart would be like assuming that without an autopilot, a ship would automatically run aground. It won’t. The pilot would end up working a lot harder and the maneuvers may not be as precise, but the ship is in no danger –unless the pilot has forgotten how to operate the ship.
“Air-Gapping” the networks between OT and IT is not practical in most cases. There is a significant Return on Investment for connecting them. But limiting the flow of traffic and practicing procedures for isolating the two is not as crazy as it sounds. Practicing that feature also has a very significant Return on the Investment. It is probably worth doing.
The views and opinions expressed in this post are those of the author and do not represent the official policy or position of SCADAfence.
The original post can be found here: https://scadamag.infracritical.com/index.php/2021/05/15/air-gapping-it-and-ot/
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.