Integrity Blog

Security for Air-Gapped Control Equipment

An air gap, at least in terms of networking, is a method of isolating computers or networks and preventing them from making external connections, either physically or wirelessly. Air-gapped computers or networks may be used for various purposes: to separate information systems operating at different classification levels; isolating equipment from electronic eavesdropping measures; developing sensitive applications; or even just isolating manufacturing equipment and controllers to meet certain industry and safety standards. As a security measure, air gapping can be effective, but history shows it is not fool-proof. Think Stuxnet.

Some industries, such as manufacturing, have equipment and associated controllers that are not connected to the Internet, other computers, or networks, but still have operating systems that require patches. The equipment controllers may need information, such as CNC programs and design specifications, loaded onto them from external sources. If portable drives, such as USB thumb drives, are used to transfer updates and information onto the controllers, there are several administrative, technical, and physical controls to consider to help mitigate and control risks.

1. Risk Management and Assessments.

Portable drives are very user-friendly, but they can also be risk multipliers. Any time a portable drive is inserted into a manufacturing equipment controller, the risk of introducing malware onto the system increases. Ensure portable drives are sourced from a reputable supplier, and ensure policies and procedures are in place to address access controls and how the portable drives may be used. Define which systems the drives may be used with, who may use them, and the purposes for which they may be used. Also, ensure that risks associated with air-gapped equipment and associated controllers are considered and documented.

2. Asset Management and Media Protection.

Like other storage devices, portable drives should be controlled and tracked by the organization. Add drives to the asset inventory before first use and inventory them periodically thereafter. Ensure that each drive is marked with appropriate information, such as content sensitivity/classification level, distribution and usage restrictions, and inventory control numbers. Store the portable drives in locked containers when they are not being used. Also, consider checking out the drives only when needed and only to authorized persons, or assign each drive to a specific user.

3. System and Information Integrity.

Due to the risks associated with the insertion of portable drives onto air-gapped assets, certain technical controls should be considered. Use end-point protections on any system into which portable drives may be inserted. Scan the drives for malware before insertion into the equipment controllers. Implement other technical measures to prevent unauthorized programs and code from being installed.

4. Physical Security.

Implementing appropriate physical security controls is part of the equation. Only authorized users should be permitted access to the portable drives, manufacturing equipment and associated controllers. Install physical covers over controller connection points (e.g., USB ports) and lock them if the ports are not in use (acknowledging that appropriate port-blocking products may not be available for all applications). If permitted by the business, use video surveillance of the manufacturing area to capture recordings of persons accessing and using the equipment.

There are definitely many considerations when securing air-gapped computers, networks and equipment controllers, and these considerations could apply outside the manufacturing industry as well. Other business factors and needs will obviously be part of the decisions made regarding the controls that are implemented and maintained. An air gap is in itself a security measure, but one easily overcome. As with other components of your information security program, continue to determine risks by evaluating vulnerabilities, threats, likelihood of attack, and impacts, and use this information to determine if the security measures in place are still appropriate and working as expected.

Security Information and Event Management

What is a SIEM?

SIEM stands for security information and event management, which utilizes software to provide real-time event analysis of devices on a network. A SIEM aggregates information from devices and interprets key attributes (IPs, users, event types, memory, processes, ports, etc.) that are correlated to identify security incidents or issues. Devices, including firewalls, servers, IPS/IDS, anti-virus, spam filters, etc., generate event logs, which are delivered to the SIEM for analysis.

SIEM software can be used to assist in validating and meeting compliance requirements such as HIPAA and PCI. Network availability, configuration issues, and performance can also be monitored; for instance, when a server cannot be reached or is utilizing too many resources outside of normal boundaries, an incident is created and the proper user can be notified.

How does SIEM work?

SIEM works first by gathering all the event logs from configured devices. The logs are sent to a collector, which typically runs on a virtual machine inside the host network. Next, the logs are securely sent from the collector to the SIEM. The SIEM consolidates the logs, parses each log, and categorizes them into event types, such as successful and failed logons, exploit attempts, malware activity, and port scans. These event types are then run against rulesets to determine if there is any illegitimate traffic. An alert will be created if a rule is triggered.

For example, if someone has 20 failed logon attempts in 10 minutes it could be seen as suspicious. However, it would likely create a low-priority incident, as there is a fair probability that a user has simply forgotten their new password. Now, if the user has experienced 100 failed logons followed by a success within a certain time frame, a high severity incident could be generated. This would likely indicate a successful brute-force attack.


A SIEM is able to perform these powerful correlations because of the large variety of devices sending data to the correlation engine for monitoring. In addition to parsing key attributes from each raw log, the SIEM identifies event types. Event types are broken into categories such as login failures, account changes, permitted/denied traffic, malware, and exploits. Logic is then added to identify patterns of information, quantities of events, or intervals of time in which conditions are met. This information is gathered to create alert triggers for incidents. As a result, the SIEM is able to identify threats based on correlations of multiple events which, by themselves, wouldn't necessarily provide attack indicators.
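The failed-logon rule described above (20 failures in 10 minutes as a low-priority incident; 100 failures followed by a success as a high-severity one) can be written as a small sliding-window correlation. The code below is an added example, not the blog's or any SIEM product's logic; the log line format, the user names and the timestamps are constructed for the example.

```python
"""Toy correlation rule in the style the post describes (added example, not
from the post or from any SIEM vendor): count failed logons per user in a
10-minute sliding window, raise a low-severity alert at 20 failures, and a
high-severity alert when 100 or more failures are followed by a success.

Log lines are constructed for this example; the assumed format is
  '<ISO timestamp> user=<name> result=<success|failure>'
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
LOW_THRESHOLD = 20      # failures in the window -> probable forgotten password
HIGH_THRESHOLD = 100    # failures then a success -> probable brute force


def parse_line(line):
    """Split one constructed log line into (timestamp, user, result)."""
    ts_str, user_kv, result_kv = line.split()
    return (datetime.fromisoformat(ts_str),
            user_kv.split("=", 1)[1],
            result_kv.split("=", 1)[1])


def correlate(lines):
    """Return a list of (severity, user, timestamp) alerts in log order."""
    failures = defaultdict(deque)   # user -> timestamps of failures in window
    low_fired = set()               # users already alerted at low severity
    alerts = []
    for line in lines:
        ts, user, result = parse_line(line)
        window = failures[user]
        # Expire failures older than the window relative to this event
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if result == "failure":
            window.append(ts)
            if len(window) >= LOW_THRESHOLD and user not in low_fired:
                alerts.append(("low", user, ts))
                low_fired.add(user)
        elif result == "success":
            if len(window) >= HIGH_THRESHOLD:
                alerts.append(("high", user, ts))
            # A success ends the episode either way
            window.clear()
            low_fired.discard(user)
    return alerts


def build_sample_log():
    """Constructed sample: 'alice' mistypes a new password 25 times, 'bob'
    is hit with 120 failures and then a success, 'carol' logs in normally."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(25):
        t = start + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} user=alice result=failure")
    for i in range(120):
        t = start + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} user=bob result=failure")
    lines.append(f"{(start + timedelta(seconds=400)).isoformat()} user=bob result=success")
    lines.append(f"{start.isoformat()} user=carol result=success")
    lines.sort()  # ISO timestamps sort lexicographically into time order
    return lines


if __name__ == "__main__":
    for severity, user, ts in correlate(build_sample_log()):
        print(f"{ts.isoformat()} {severity:<4} {user}")
```

The per-user deque keeps only the failures still inside the window, so memory stays bounded no matter how long the log runs, and the `low_fired` set stops a single forgotten-password episode from generating an alert on every additional failure.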

Benefits to using a SIEM

Visibility into a network can be the key to understanding and stopping an attack. Real-time monitoring allows for greater insight and reduced response times. Compliance requirements and administrative operations can be accomplished utilizing the reporting tools in a SIEM. For example, if you wanted to view all failed VPN logons for your organization, you can schedule reports or run them on demand. Log data is typically stored within the system and can be leveraged for historical analysis or investigations. If an incident occurred 10 months ago, a SIEM could still provide audit records and activity reports via a single interface.

The biggest benefit of all may be the peace of mind that comes from having a complete understanding of the activity on your network. Without proper event log monitoring, you greatly increase the risk that a compromise will occur unnoticed. A SIEM gives you the ability to improve your overall security posture by adding an additional layer to your defenses.

Data breaches harm an organization's brand and reputation.

A Data Breach’s Effect on Your Organization’s Reputation

Cybersecurity isn’t just for guarding credit card and personal information. For businesses it is about protecting intellectual property, vendor and client relationships, and operational efficiency. Looking at the bigger picture, you will recognize the impact a data breach can have on an organization and its reputation.

There are direct expenses tied to security incidents. Consulting, attorney, digital forensics, and insurance fees are all prevalent, but those expenses may pale in comparison to the long-term effects that a breach can have on an organization’s ability to retain customers and gain new business.

The Lasting Impact of a Breach

When a breach occurs, there is a sudden shift in how the market perceives an organization. The trust from clients and vendors weakens, prospective customers become leery, and just hearing someone say the organization’s name brings thoughts of vulnerability and weakness. Regardless of how the breach transpired, the reputation of the victim organization will be tarnished. The timeframe for how long this negative impact will last is unknown, but without a doubt, it will have lasting effects on the organization’s brand image.

So, what does all of this mean? Who is responsible and how do we prevent such a disaster? The honest answer is that everyone is responsible, but the only way to change an organization’s security culture is by going through the executive team. The C-suite must lead by example when it comes to cybersecurity. After all, an organization’s future depends on it.

Regardless of industry, every viable organization handles some form of sensitive data. Whether it be Research & Development with consumer insights, the Finance department with corporate bank accounts, or Sales with contract negotiations, sensitive data is being processed by employees and communicated using technology. One slipup by an employee or exploitation of a vulnerable system will expose an organization to cyber criminals, which is why everyone should be aware of security threats and their consequences.

Protecting Brand Image - Security Awareness & Training

Information security training is the foundation for building a security-focused culture within an organization. Without it, there is no guidance for employee conduct. It is unfair to assume that everyone understands how to properly handle sensitive data or navigate potentially unsafe websites and email links. Cyber criminals are more cunning and deceptive than ever, and it is an organization's responsibility to train its employees to conduct business in a professional, secure manner.

There are several great methods for providing security training. For starters, on-site security training from an engaging presenter is an effective way to gain the attention of employees. Training videos can offer a way to provide content without scheduling restrictions, and they can be viewed multiple times by a user. Another great means of communicating security awareness is through posters and graphical content. Posters can be displayed in common areas such as breakrooms, lunch areas, and bulletin boards. The key to security awareness and training is repetition and consistency. You must build a strong security culture through persistent training and regular activities.
