Hackers and attackers like nothing better than sitting in the comfort of their own armchairs to conduct remote attacks on vulnerable networks around the world. But some critical systems aren’t exposed to the public internet and sit, apparently safely, in an isolated environment, air gapped from the rest of the world by a lack of internet connectivity.
There is no doubt that keeping a system off the public internet increases its security posture, but it can also introduce vulnerabilities when operators need to ingest data or transfer data outside the network. Despite the increased security that an air gapped system can offer in certain situations, they have proven to be vulnerable to attack, both in the wild and in research situations. So, just how secure are air-gapped networks?
In network security, an air gapped network is one that has no physical connection to the public internet or to any other local area network which is not itself air gapped. In an air gapped environment, all the usual communication software like email clients, browsers, SSH and FTP clients are disconnected from the outside world.
A properly air gapped network means that devices within the network are invisible to, and effectively isolated from, remote threat actors, who often scan the public internet for vulnerable machines through services like Shodan. Similarly, remote code execution (RCE) software bugs cannot be directly exploited by an attacker outside of the air gapped network itself.
An air gapped system can, of course, communicate with other physically separated devices, but any means of data transfer outside of the network must take place through external hardware, temporarily attached to the network. Such hardware can include USB flash drives and other removable media as well as specially-authorized laptops. Importantly, these external devices require a person to physically connect them to, and disconnect them from, the air gapped network.
Conversely, devices which are only partitioned from other network devices by means of a software firewall are not considered to be truly air gapped, since such software can easily contain vulnerabilities that might allow entry to remote attackers.
An air gapped computer can be thought of as just a special, very limited, kind of air gapped network: a ‘network’ with only one device, in which all external network connections are disabled, and – again – data transfer in or out of the system requires physically plugging in some other device to a port on the air gapped machine. To effectively air gap such a device, WiFi and Bluetooth must be turned off and any ethernet cable unplugged. There must also be no wired connections to other computers or devices unless they are also similarly air gapped.
On the face of it, being invisible to attackers searching the public internet for devices vulnerable to remote attacks seems like a huge security advantage. It certainly increases the risk and effort for threat actors wishing to attack such devices because, without internet connectivity, air gapped systems cannot be compromised with direct, remote access.
This makes air gapping attractive in certain situations such as critical infrastructure operations like nuclear power plants, water plants and other industrial systems. Sensitive business and financial data, such as payment and control systems, can also benefit from air-gapped environments if they do not need an internet connection. Military networks carrying classified information and healthcare organizations operating certain kinds of medical equipment are other obvious candidates for air gapping.
In some cases, businesses may need to operate legacy software that will only run on old, vulnerable devices. Such software can be used safely if the computer is disconnected from all internet services and other external network connections.
However, there are challenges with using air gapped systems safely. Working in an air gapped environment can be inconvenient for computer operators. Complete separation from all external data severely limits what can usefully be accomplished in an air gapped environment, particularly for tasks that require live or frequent data updates.
For the vast majority of computer tasks, data will need to be ingested at certain times, and similarly data processed on an air gapped computer or device may need to be transferred elsewhere to make it useful or available to others who need it.
It is this transfer of data that presents the greatest risk. That risk is increased when those using air gapped systems have a false sense of security that the network is inherently safe because of its lack of internet connectivity.
The integrity of the air gap is only maintained when the means of data transport in and out of the environment are equally subject to the highest levels of security. In practice, the integrity of air gapped networks has proven to be extremely difficult to maintain without the help of added security controls.
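The paragraphs above argue that the transport in and out of the environment must be controlled as tightly as the gap itself. As an added example (not code from the original post, and not a SentinelOne component), the Python below sketches one such control at the ingestion station: the export station writes a manifest listing every file on the removable drive with its SHA-256 hash and authenticates that list with an HMAC key shared only between the two stations, and the ingestion station refuses the drive if the manifest does not authenticate, if any listed file has changed, or if any file turned up on the drive that was never listed. The manifest name `MANIFEST.json`, the key, the file names and the directory layout are all constructed for the demo.

```python
"""Keyed-manifest check for files crossing an air gap on removable media.

Added example, not part of the original post. Assumptions (not from the
page): the export and ingestion stations share a secret key that never
leaves either machine, the manifest format MANIFEST.json is ours, and
files are hashed with SHA-256. All paths and data below are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
DEMO_KEY = b"constructed-demo-key-not-for-production"  # hypothetical shared key


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large transfers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(media_root: Path) -> dict:
    """Map every regular file (except the manifest) to its path relative to the drive root."""
    return {
        p.relative_to(media_root).as_posix(): p
        for p in media_root.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(media_root: Path, key: bytes) -> None:
    """Export side: record each file's hash and authenticate the whole list."""
    entries = {rel: _sha256(p) for rel, p in sorted(_listing(media_root).items())}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    (media_root / MANIFEST_NAME).write_text(json.dumps({"files": entries, "hmac": tag}))


def verify_media(media_root: Path, key: bytes) -> dict:
    """Ingestion side: accept only if the manifest authenticates and the drive
    holds exactly the listed files with the listed hashes."""
    result = {"ok": False, "reason": "", "tampered": [], "missing": [], "unexpected": []}
    mpath = media_root / MANIFEST_NAME
    if not mpath.is_file():
        result["reason"] = "no manifest"
        return result
    manifest = json.loads(mpath.read_text())
    listed = manifest.get("files", {})
    body = json.dumps(listed, sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; a forged or edited manifest fails here.
    if not hmac.compare_digest(expected_tag, manifest.get("hmac", "")):
        result["reason"] = "manifest not authentic"
        return result
    present = _listing(media_root)
    for rel, digest in listed.items():
        if rel not in present:
            result["missing"].append(rel)
        elif _sha256(present[rel]) != digest:
            result["tampered"].append(rel)
    # Anything on the drive that the export station never listed is rejected too.
    result["unexpected"] = sorted(set(present) - set(listed))
    result["ok"] = not (result["tampered"] or result["missing"] or result["unexpected"])
    result["reason"] = "ok" if result["ok"] else "content does not match manifest"
    return result


def demo() -> dict:
    """Build a constructed 'USB drive' in a temp dir and run three checks:
    a clean transfer, a wrong key, and a drive altered after sign-off."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "reports").mkdir()
        (root / "reports" / "q1.csv").write_text("id,value\n1,42\n")
        (root / "firmware.bin").write_bytes(b"\x00\x01\x02")
        write_manifest(root, DEMO_KEY)
        clean = verify_media(root, DEMO_KEY)
        wrong_key = verify_media(root, b"some-other-key")
        # The drive is modified between sign-off and ingestion.
        (root / "unlisted.bin").write_bytes(b"\xff")
        (root / "firmware.bin").write_bytes(b"\x00\x01\x03")
        altered = verify_media(root, DEMO_KEY)
        return {"clean": clean, "wrong_key": wrong_key, "altered": altered}


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name}: {res['reason']}")
```

The point of the check is that it runs entirely on the ingestion side with no network: the only thing that crosses the gap besides the data is a manifest whose authenticity can be confirmed locally. A symmetric key is used here only to keep the example in the standard library; a signature scheme whose private key stays on the export station removes the need to hold a secret on the ingestion side.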
Because of the difficulty of maintaining an effective air gap, it is not surprising that threat actors have found ways to attack air gapped computers. Perhaps the most notorious example was the Stuxnet attack, which was designed to target Iran’s nuclear program. Although it was discovered in 2010, it is thought to have been in development since 2005.
At the time of discovery, the Stuxnet worm was a 500Kb program that infected the software of over 14 industrial sites in Iran. It targeted Microsoft Windows machines and spread on its own through USB drives plugged into the air gapped machines on the network. The result was Iran losing almost one-fifth of its nuclear centrifuges.
In 2016, researchers discovered the Project Sauron malware, which attacked air gapped and other networks via a poisoned USB installer. Project Sauron was reportedly discovered on networks belonging to more than 30 organizations in the government, scientific, military, telecoms and financial sectors.
In 2019, researchers discovered the Ramsay framework, a cyber-espionage toolkit that was tailored to target air gapped networks. The malware used a number of infection techniques, from exploiting remote code execution bugs in software like MS Word to trojanized installers of popular software like 7zip. Ramsay collected targeted data and stored it in special archives that contained a marker for “control” software: presumably, attacker-controlled programs intended to be introduced to the target network separately by either a human operator or an infected USB device and retrieved at a later date.
Both nation-state actors and researchers have developed more esoteric means of attacking air gapped networks. Cottonmouth-1 is a USB hardware implant that can provide a wireless bridge into an air gapped computer if physically connected by an intruder or malicious insider. Researchers have also repeatedly shown how air gapped networks can be breached through various electromagnetic signals, from FM and cellular radio waves to thermal and NFC signals that can carry up to 100 metres. These include:
When looking at how to protect air-gapped computers, the obvious question is: what kind of security software can keep up with novel threats without itself needing to break the air gap? Legacy AV solutions typically need to retrieve signatures for newly-discovered malware on a regular basis. Some so-called next-gen solutions rely heavily on their ability to send telemetry to the cloud and analyze it off-device. Neither is going to work when your primary security posture requires no internet connectivity.
The answer to these problems is an on-device behavioral AI that can detect, protect and remediate malware, ransomware and device-based attacks from peripherals like USB drives autonomously. A solution such as SentinelOne can operate independently of internet connectivity to detect both known and novel malware based on behavior rather than file identity or process exclusion.
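To make the contrast with signature lookups concrete, here is an added example that is not from the original post and not a SentinelOne product: a small Python correlation rule that runs entirely offline over host event records and flags the behaviour the Stuxnet and Ramsay cases above have in common, a program executing from freshly attached removable storage, and escalates when such a program then writes into the Windows system directory. The log format (`key=value` pairs after an ISO timestamp), the host names, mounts, serials and paths are all constructed for the demo; it is a heuristic illustrating the behavioural principle, not the vendor's model.

```python
"""Offline behavioural rule: execution from removable media, then system writes.

Added example, not part of the original post. The event format and every
value in SAMPLE_LOG are constructed; map the field names onto whatever
your endpoint agent actually emits.
"""
import re
from datetime import datetime, timezone

# Constructed host events: device attach/detach, process starts and file writes.
SAMPLE_LOG = r"""
2024-05-02T09:14:03Z host=hmi-01 event=device_connect class=mass_storage mount=E: serial=CONSTRUCTED-0001
2024-05-02T09:14:09Z host=hmi-01 event=process_start image=E:\tools\update.exe parent=explorer.exe
2024-05-02T09:14:31Z host=hmi-01 event=file_write image=E:\tools\update.exe path=C:\Windows\System32\drivers\consttest.sys
2024-05-02T09:20:00Z host=hmi-01 event=process_start image="C:\Program Files\Vendor\hmi.exe" parent=services.exe
2024-05-02T10:02:15Z host=eng-07 event=device_connect class=mass_storage mount=F: serial=CONSTRUCTED-0002
2024-05-02T10:02:40Z host=eng-07 event=process_start image=F:\docs\viewer.exe parent=explorer.exe
2024-05-02T10:05:00Z host=eng-07 event=device_disconnect mount=F:
2024-05-02T10:30:00Z host=eng-07 event=process_start image=F:\docs\other.exe parent=explorer.exe
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSTEM_DIR = "c:\\windows\\"


def parse_event(line: str) -> dict:
    """Split '<iso-timestamp> k=v k="v with spaces" ...' into a dict with a UTC 'ts'."""
    ts_str, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in _FIELD.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect(lines) -> list:
    """Return alerts for processes launched from an attached removable volume,
    and a higher-severity alert if such a process writes under C:\\Windows\\."""
    alerts = []
    attached = set()        # (host, drive letter) currently backed by removable storage
    from_removable = set()  # (host, lowercased image) launched from such a volume
    for ev in (parse_event(l) for l in lines if l.strip()):
        host, kind = ev.get("host"), ev.get("event")
        if kind == "device_connect" and ev.get("class") == "mass_storage" and "mount" in ev:
            attached.add((host, ev["mount"].upper()))
        elif kind == "device_disconnect" and "mount" in ev:
            # Once detached, later activity on that letter is not attributed to this device.
            attached.discard((host, ev["mount"].upper()))
        elif kind == "process_start":
            image = ev.get("image", "")
            if (host, image[:2].upper()) in attached:
                from_removable.add((host, image.lower()))
                alerts.append({"severity": "medium", "rule": "exec_from_removable",
                               "host": host, "image": image, "ts": ev["ts"].isoformat()})
        elif kind == "file_write":
            image = ev.get("image", "")
            if (host, image.lower()) in from_removable and ev.get("path", "").lower().startswith(SYSTEM_DIR):
                alerts.append({"severity": "high", "rule": "removable_origin_writes_system_dir",
                               "host": host, "image": image, "path": ev["path"],
                               "ts": ev["ts"].isoformat()})
    return alerts


def run_demo() -> list:
    """Apply the rule to the constructed sample and return the alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_demo():
        print(a["severity"], a["rule"], a["host"], a["image"])
```

Nothing here depends on knowing the file: the rule never looks at a hash or a name list, only at where a process came from and what it did next, which is why it keeps working for a sample that no signature feed has seen and on a host that has no feed at all. On the constructed log it raises three alerts: two on `hmi-01` (the launch from `E:` and the later write into `C:\Windows`), one on `eng-07` for `viewer.exe`, and none for `other.exe`, because `F:` had been detached before it ran.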
If you would like to see how SentinelOne can help protect your air gapped networks, contact us for more information or request a free demo.