What is air gapping?
Air gapping is something that is used within military environments, in airplanes, nuclear power plants, financial institutions and other critical infrastructure, but what is air gapping really?
Air gapping is a cybersecurity and compliance measure in which one or more computers are physically disconnected, or isolated, from untrusted or unsecure networks or network devices. There is a physical gap between this trusted device and that untrusted or ‘not completely trusted’ other. Unsecure networks are those outside your tight, direct control; for example, local area networks/Wi-FI, and the public internet, with all its communal tunnels, connection points, and connective devices.
Whether it’s for national security, PCI compliance, critical infrastructure protection, or for keeping legacy systems away from modern attack methods, air gapping is not just a cool sounding term; it has become a reality in today’s cybersecurity.
Air gapping physically isolates a system from other systems, or only allows unidirectional communication using one-way diodes or classic “SneakerNet” methods. It is often used in conjunction with network segmentation, microsegmentation, and cloud workload protection, as part of a zero trust strategy that recognizes the always connected, cloud-intensive computing landscape.
Of course, there will be differing opinions on what constitutes air gapping and what does not. Air gapping is different from quarantining, where the infected devices are the ones being disconnected or isolated. In air gapping, you are disconnecting resources not because they are infected but because surrounding connection points are untrusted and you want to protect the information, often logistical, and control mechanisms (including IoT and OT) inside your private network, industrial control system (ICS), or supervisory control and data acquisition (SCADA).
Air gapping is going off the public grid, putting air between trusted and untrusted, to avoid connections that could take over your system. As you might imagine, it is practiced in:
- Aviation, where the design ensures that the avionics system is not connected to entertainment systems, the latter which are publicly accessible.
- Nuclear power plants and other parts of the power grid, so that a site’s systems can’t be tampered with remotely via an Internet connection, and so that one system can’t be used to hijack and attack another via lateral movement.
- ICS and SCADA systems, so control over machinery is not compromised.
- SGI environments. SGI stands for Safeguards Information, which is codified under the Atomic Energy Act as information that concerns the physical protection of operating reactors, strategic nuclear material, spent fuel, and other radioactive material. SGI environments must be air gapped.
- Military and government systems, so that classified information cannot easily leak to unauthorized systems or parties. In this scenario, air gapping often takes the form of cross-domain solutions (CDSs) that use data diodes and approved software solutions to enforce unidirectional data flow, especially in cases where data flowing out can be dangerous to the operation or malware can infect mission-critical systems.
- PCI compliance, where access to customer financial data must be reserved only for authorized transactions and systems.
- In redundant storage, so that at least one version of the data cannot be easily accessed and compromised.
- Legacy environments, so that old, vulnerable software programs like Windows XP are not exposed to public, untrusted interfaces and networks.
With air gapping, you are in essence disconnecting from the network and huddling down with your resources to keep them hidden and safe. There are no plug-ins to the network, there are no open APIs. Air gapping is a system shut off from the rest of the digital world.
It’s easy to understand what air gapping might mean for keeping a system airtight and safe from malware or hostile or deceptive instructions. But what about for compliance?
Air gapping is a capability that keeps ‘this data’ separate from ‘that data,’ and that data away from unauthorized access, which are very important in meeting security and privacy regulations regarding data sharing such as GDPR, HIPAA, and PCI compliance.
Air Gapping in PCI Compliance
PCI is a standard that helps organizations to ensure the safe handling of credit card and financial transaction information. It provides a document library of specifications, tools, and measurement resources for Payment Card Industry (PCI) security compliance.
In several sections, the PCI compliance framework (the earlier-linked PCI DSS requirements document) describes the need for air-gapped system capability, mostly through firewall capabilities but also via human and automated processes and policies (sometimes hosted in the cloud).
PCI DSS Requirement 1 calls for a firewall or firewall equivalent. By definition a firewall is a device or software system that controls computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of sensitive areas within an entity’s internal trusted networks.
Section 1 also requires that firewall and router configurations restrict connections between untrusted networks and system components in the cardholder data segment. Inbound and outbound traffic must be limited to “that which is necessary for the cardholder data environment.” Outbound traffic from the cardholder data environment to the Internet and connective devices must be explicitly authorized, going through a series of authentication procedures. This can be orchestrated through deployment of advanced security and PCI compliant rules that plug holes allowing unintended and potentially harmful traffic in or out.
As stated earlier, the value of air gapping goes beyond any organization that processes payment card data and any financial service provider, impacting national security and human lives.
Air Gapping: Other Applications
In the nuclear power industry and manufacturing, organizations employ air gapping to greatly mitigate the chance that ICS and SCADA systems can be compromised. These ICSs and SCADAs must be kept disconnected and unreachable by other networks and systems, or control at the plant or facility could be lost.
A form of air gapping is used in aviation as well. For example, the avionics system must not be “connectable” to the entertainment system onboard, thus protecting the aircraft’s internal controls from hostile outside takeover.
Air gapping is also a best practice in 3-2-1 backup strategies. Smart, redundant data storage demands three sets of data: at least one set of live data, and at least one instance off the grid, sometimes magnetic tape or otherwise completely disconnected and “not live” systems.
Across industries, air gapping allows unidirectional communication, either strictly permitting data “in only,” or strictly allowing it only to go “out.” Filtering and authentication controls can further narrow what information or activity can be transacted.
In addition to PCI DSS, air gapping has application in numerous other compliance standards and regulations, such as FISMA, GDPR, HIPAA, and others. These compliance regulations require that processors of data allow only users with the secure protocols access to confidential customer information. An air-gapped system thus represents a logical storage architecture for credit card data, financial records, video surveillance recordings, patient information, and more.
How to Air Gap Systems
So what does it take to air gap systems?
Air gapping should do the following:
- Make sure the designated device or system is completely unplugged and wirelessly disabled from vulnerable devices, systems or networks. Air gapping is as much about closing and sealing virtual doors as it is physical ones.
- Deny connectivity. An understated part of zero trust architecture is disconnecting the ‘receive’ function from likely sources of harm.
- Isolate that which is precious. Ensure that untrusted networks cannot connect with your mission control data and systems. Build in defense-in-depth access controls and authentication steps.
- Automatically and continuously scan log files and systems to detect signs of malicious activity as well as vulnerabilities. Most successful infiltrations of air-gapped systems start with pre-embedded malware, even before any wireless infiltrations take place. Root out these trojan horse lateral attacks and block them with a combination of virtual patching and air gapping.
- Establish endpoint security intelligence and response. Automate traffic and payload filtering on the device, perform fast digital forensics, and exercise instant on-device hardening.
- Apply defensive-in-depth security controls to create additional checkpoints to further protect your air-gapped systems.
But, you’ll still want to communicate a little bit… keep communications going in a unilateral, outward direction, if necessary.
Data diodes make for a unidirectional network. For example, the protected component can only send, it can’t receive; or vice-versa, the data diodes prohibit sensitive data from getting out to unauthorized parties. So, now you’re set up in an air-gapped environment and maybe communicating outward only along secure lines. Feel secure?
What Can Go Wrong
Time has shown air gapping is never full-proof, neither virtually nor physically. Malware can and has penetrated what were considered to be disconnected (air-gapped) environments.
The initial compromise (malware infection) can come through supply chain partners and their software, through external plug-ins or backup drives, or via unsuspecting or malicious insiders. From there, air-gapped systems can have data stolen or exfiltrated through Wi-Fi signals. Memory buses in air-gapped computers generate electromagnetic waves that any hacking device that has a Wi-Fi interface can pick up and receive.
Steps to Tighten Up Your Air-Gapped Environment
Atomicorp provides the experience, expertise and technical capabilities to air gap your most sensitive systems and keep them from compromise. Listen to our “Using OSSEC in Air Gapped Environments” to discover how you can:
- Deploy powerful endpoint protection to secure all assets wherever they might be. This includes anti-malware, device hardening, encryption, and strong password and authentication measures. Prevent initial compromise of the air-gapped computers via a strong set of least-privilege zero trust security rules governing system access.
- Keep Wi-Fi transceivers physically distant from the air-gapped systems.
- Monitor memory access, and jam and block signals from infected air-gapped systems so they don’t reach Wi-Fi receivers.
- Scan air-gapped computers for vulnerabilities to detect and plug exploitation pathways within the closed system.
- Establish air-gapped environments as a fast and strategic way to reduce dependency hell, and minimize unnecessary processing, yet retain your cache.
- Deploy modern, advanced security rules in your air-gapped environments.
- Reduce the steps associated with effective air gapping, each of which introduces complexity and greater chance for vulnerability.
Find out more.
Listen to the air gapping replay from the OSSEC Conference 2021.
Learn more about Atomic OSSEC.
Visit the Atomic Protector page.
Get more guidance on PCI DSS compliance – read the whitepaper.