Remember when Tom Cruise hung upside down from the ceiling in Mission Impossible and tried to steal data from a computer housed in a top-secret vault at CIA headquarters? From the perspective of today, we might wonder why all the crawling through the air ducts and risking his neck was necessary. Couldn’t he just hack the machine? No, because that CIA system was air-gapped. It was a freestanding computer that was not attached to any sort of network. If you wanted to use it, you had to be in that highly secured room. At least, that’s how the thinking went.
It’s easy to make fun of Hollywood and its excesses, but the film did reflect the predominant view at the time that the best security came from putting air between a system and anyone or anything trying to reach it. Things have changed, though. Air gaps still exist. Some organizations absolutely require them, but the practical realities of implementing and sustaining an air gap have grown quite a bit more difficult over the last two decades. To understand why air gaps are still important, it’s worth taking a moment to define the concept and explore what’s working well with them and what isn’t.
An air gap is a security countermeasure based on the idea of creating an impenetrable barrier between a digital asset and whatever threatens it. In this context the threat could be a hacker, a piece of malware, an insider, a power surge, or a natural disaster: any force that could compromise or destroy the asset. As its name implies, the simplest air gap is achieved by disconnecting a digital asset from every network and placing physical distance between it and anyone who might want to reach it.
Interestingly, the air gap concept also exists in other fields. Plumbing codes, for example, mandate an air gap between a potable water outlet and the drain or fixture it feeds, so that wastewater cannot siphon back into the supply. In electrical engineering, the air gap is the space between the rotor and the stator of an electric motor.
Air gaps serve two fundamental security use cases. They defend against intrusion into a network or system. They also protect digital assets from being destroyed, accessed, or manipulated. These two goals often overlap, but they are distinct. Implementations of air gaps may reflect one purpose or the other. For example, storing backup tapes in a salt mine is an example of an air gap that protects data from unauthorized access. There is no system to compromise. In general, data backup is a use case that favors the air gap. The thinking goes like this: If our systems are compromised or destroyed, we can restore them with data that has been kept safely away in an air-gapped environment.
Right or wrong, many security professionals consider the air gap to be the ultimate countermeasure. After all, if an attacker can’t even reach the system or network, how can they harm it? Malware circulating on the Internet cannot reach an air-gapped system over the network, and a remote attacker cannot log in to it and take control. Indeed, air gaps are common in high security environments, such as the military, finance, and power utilities. The security policies in these types of organizations may mandate the use of air gaps.
There are many variations on the air gap concept. At a high level, three main types are the most common:
The total physical air gap—This is the salt mine type, which involves locking digital assets in a completely isolated physical environment, separated from any network-connected systems. A digital asset in a total physical air gap has no network connections. If anyone wants to get data from it or put data onto it, they must physically go to it, a process that usually involves passing through physical security barriers.
Segregated in the same environment—An air gap can be achieved by simply disconnecting a device from a network. One could have two servers on the same rack, for instance, but still air-gapped away from each other because one is not plugged into the network.
Logical air gap—A logical air gap refers to the segregation and protection of a network-connected digital asset by means of logical controls rather than physical separation. For example, encrypting the asset, signing or hashing it so that tampering can be detected, and restricting who can reach it through role-based access controls can achieve many of the same outcomes as a physical air gap. Even if someone reaches the asset, it cannot be read without the key, and any modification will be detected. Note what this does not cover: a logical air gap cannot stop someone who reaches the asset from deleting it, so where the goal is survivability it still has to be paired with offline copies.
One popular school of thought in today’s cybersecurity circles holds that there is simply no such thing as an air gap any longer. While this may sound like a flippant generalization, there is some truth to it. One issue is the pervasiveness of Internet connectivity today. With literally billions of devices connected to the Internet, and connections existing between devices, it is likely that a system that purports to be air-gapped actually has an Internet connection that no one knows about.
In fact, when organizations deploy scanning tools to inventory their network-connected devices, they invariably discover equipment that no one knew existed, much less had a network connection. Factoring wireless connections into this analysis makes even more lapses in air gap design easy to imagine: a system may be physically separate, yet still connected over the very air that is supposed to form a total barrier. Furthermore, researchers and attackers have shown that data can be pulled from a physically isolated machine by “sniffing” the radio-frequency and other emanations of its hardware, in some cases with help from malware already running on it.
Air gaps are not easy to set up and sustain. In addition to being threatened by accidental connections or enterprising hackers, air gaps suffer from a variety of human-centric risks. The root issue is input and output. Air gap or not, users typically need to add data to the system, modify it, or take data off it. This is true for backups as well as production systems. Thus, most traditional air gaps involve what is popularly known as a “sneakernet,” a physical method of transferring data: someone carries a USB drive or other removable media across the gap and plugs it in.
At this point, human nature takes over. Even well-intentioned users will leave doors unlocked or USB ports unguarded. They may get lazy and neglect to follow security procedures. One worrisome example occurs on merchant ships and naval vessels, whose mechanical control and navigation systems are air-gapped because, well, they’re on a ship and generally not connected to the Internet (though even that is starting to change). Once a ship is docked, however, a malicious actor who gets aboard can plug in a USB stick and load malware into those systems. When a ship undergoes maintenance, and hundreds of partly vetted or unvetted workers are aboard while the regular crew is away, it’s easy to see how an air gap falls apart.
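A signed transfer manifest is one way to keep a sneakernet honest: the sending side signs a list of file hashes, and the air-gapped side refuses media that fails the signature check, contains a changed or missing file, or carries anything the list does not mention (the extra file a stick picks up while sitting in a contractor’s laptop, for instance). The following Go program is an added example, not code from the original article. The file names and contents are constructed, and the “files” are kept in memory rather than read from a mounted USB stick so that the program runs stand-alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest lists every file that is meant to cross the gap, one
// "sha256hex  path" line per file, sorted so the text is canonical.
func BuildManifest(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return b.String()
}

// SignManifest runs on the sending side; the private key never crosses the gap.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyTransfer runs on the receiving (air-gapped) side, which holds only the
// public key. It fails closed on a bad signature, a malformed manifest, a hash
// mismatch, a missing file, or any file on the media the manifest does not list.
func VerifyTransfer(pub ed25519.PublicKey, manifest string, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		if line == "" {
			continue
		}
		fields := strings.SplitN(line, "  ", 2)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[fields[1]] = fields[0]
	}
	for p, want := range expected {
		data, ok := files[p]
		if !ok {
			return fmt.Errorf("file %q listed in manifest is missing", p)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("file %q does not match its manifest hash", p)
		}
	}
	for p := range files {
		if _, ok := expected[p]; !ok {
			return fmt.Errorf("unexpected file %q on media", p)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample payload for a transfer into the isolated network:
	// a vendor patch and its release notes.
	outbound := map[string][]byte{
		"patches/plc-firmware-1.4.2.bin": []byte("constructed firmware image bytes"),
		"patches/README.txt":             []byte("constructed release notes"),
	}
	manifest := BuildManifest(outbound)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean media:", VerifyTransfer(pub, manifest, sig, outbound))

	// The stick picked up an extra file while it sat in someone's laptop.
	dirty := map[string][]byte{}
	for k, v := range outbound {
		dirty[k] = v
	}
	dirty["autorun.inf"] = []byte("[autorun]\nopen=loader.exe")
	fmt.Println("extra file:", VerifyTransfer(pub, manifest, sig, dirty))

	// The patch itself was swapped out in transit.
	swapped := map[string][]byte{}
	for k, v := range outbound {
		swapped[k] = v
	}
	swapped["patches/plc-firmware-1.4.2.bin"] = []byte("trojaned image")
	fmt.Println("modified file:", VerifyTransfer(pub, manifest, sig, swapped))
}
```

In a real deployment the check runs before anything on the media is opened or executed, and the verifying host holds only the public key, so a stolen stick does not let anyone forge a manifest.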
A supply chain attack can cross an air gap through the software and the service providers a system depends on. Stuxnet is the best-known example. An unattributed attacker got malware into an Iranian uranium enrichment site even though the place was underground, cut off from outside networks, and guarded by soldiers. The worm is generally reported to have been carried in on removable media through contractors who serviced the plant; once inside, it subverted the Siemens Step7 software used to program the PLCs that drove the centrifuges and sabotaged the machines that were enriching uranium.
Social engineering and insider attacks can also get past air gaps. Hackers who need physical access to a site in order to penetrate an air-gapped environment are usually clever enough to fake their way in by impersonating real employees or using other ruses. (Look at Tom Cruise! He came in with the fire department.) Insiders are a persistent threat to air gaps as well, unpleasant as it may be to contemplate.
Encryption of data at rest is a good countermeasure to apply alongside an air gap for these reasons. A determined attacker will probably reach the air-gapped system eventually. The best practice is to ensure that whatever they can copy is useless to them without a key that is not stored on the same system, and that any change they make to the data is detectable.
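As an added example (not code from the original article), here is what the encryption-plus-integrity layer described under the logical air gap above and in the paragraph just read looks like in practice, written in Go with the standard library’s AES-256-GCM. Authenticated encryption gives both properties at once: a copied record is unreadable without the key, and any modification to it, including relabelling it as part of a different backup set, makes decryption fail rather than return altered data. The key is assumed to come from a key manager that lives outside the air-gapped system; for a stand-alone run the example generates a random one. The backup label and payload are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey stands in for fetching the data-encryption key from a key manager that
// lives outside the air-gapped system (hypothetical setup, not from the article).
// For a stand-alone run we generate a random 256-bit key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one backup record with AES-256-GCM. The label (e.g. the backup
// set ID) is bound as additional authenticated data, so a record cannot be
// silently relabelled or swapped into another set. Output: nonce || ciphertext || tag.
func Seal(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal and fails closed: any change to nonce, ciphertext, tag or
// label makes the authentication check fail, returning an error and no plaintext.
func Open(key, label, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// Tamper flips one bit in a copy of the sealed record, simulating an attacker
// who reached the stored backup and modified it.
func Tamper(sealed []byte, index int) []byte {
	out := append([]byte(nil), sealed...)
	out[index] ^= 0x01
	return out
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	label := []byte("backup-set-2024-Q1") // constructed sample label
	record := []byte("customer ledger: constructed sample backup payload")

	sealed, err := Seal(key, label, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes of plaintext into %d bytes\n", len(record), len(sealed))

	if pt, err := Open(key, label, sealed); err == nil {
		fmt.Printf("intact copy opens: %q\n", pt)
	}
	if _, err := Open(key, label, Tamper(sealed, len(sealed)-1)); err != nil {
		fmt.Println("modified copy rejected:", err)
	}
	if _, err := Open(key, []byte("backup-set-2024-Q2"), sealed); err != nil {
		fmt.Println("relabelled copy rejected:", err)
	}
}
```

The design choice worth noting is that GCM never returns partial plaintext on a failed tag check; a restore procedure built on it either gets the exact bytes that were backed up or gets an error, which is the property you want when the backup medium itself may have been handled by an attacker.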
The best practice today is to be realistic about air gaps. They can work, and indeed they can be very effective in the right circumstances. It’s essential, though, not to adopt a simplistic mindset and think “It’s air-gapped, so therefore it’s secure.” This is simply no longer true.
Instead, it makes sense to think carefully about desired outcomes, risks and vulnerabilities for a specific air gap use case. For example, if the goal is to secure backups, then encryption is critical for a viable air gap. Also, a logical air gap may be the best solution. A physical separation may not be required. Implemented correctly, an air gap provides a strong layer of cyber defense.