By Alex Nehmy, Director of Industry 4.0 Strategy APJ at Palo Alto Networks
The Air Gap is dead
The notion of keeping computer systems air-gapped from the primary corporate environment and the internet is antiquated, steeped more in fairy-tale romance than reality.
An air gap separates two networks so that the only thing between them is air. The Australian Cyber Security Centre defines an air gap as a network security measure employed on one or more computers to ensure the network is physically isolated from any other network. This makes the isolated network secure, as it doesn’t connect to unsecured networks like the public internet.
Air gaps make great sense from a cyber security perspective. Data and threats cannot traverse from one network to another. An air-gapped network is akin to an island. Safe, secure and isolated from other networks that have lesser security and more significant threats. Hence air gaps are used in extreme risk or secretive environments such as nuclear power generation and highly classified defence systems.
However, cyber security doesn’t operate in a vacuum. It exists to empower an organisation’s digital transformation objectives while managing cyber risk. Cyber security controls are often inherently at odds with the usability of IT systems. The greater the cyber security controls, the less usable and business-friendly the outcome. Air gaps restrict communication and hence they do not meet business requirements for modern, dynamic and flexible communications networks.
The greatest misconception these days is that critical infrastructure organisations still have an air gap. However, the overwhelming majority of industrial operational technology (OT) environments are in fact not air-gapped; they are physically connected to IT and logically separated by a firewall. As these critical infrastructure organisations undergo their own digital transformations, they are increasingly reliant on data from the industrial OT environment to run their business systems in IT. In fact, IT and OT are now more connected than ever. An air gap does not support this business-critical connectivity.
The air gap is dead, long live the air gap
Let’s take the case of the Colonial Pipeline ransomware incident. The DarkSide cybercrime group infected the IT environment with ransomware, effectively locking key business systems, including the billing system. The billing system relies on data from Colonial Pipeline’s OT environment to measure gas usage and bill customers. This data exchange from OT into IT is key to the financial operation of the business. An air gap would break this business-critical communication and therefore is not feasible.
As the ransomware rendered the billing system inoperable, Colonial Pipeline took the unprecedented step of disabling the gas pipeline, which services the southeastern United States, resulting in the most materially significant cyber attack in United States history.
OT has converged with IT, while IT has converged with the cloud
Just as IT and OT have converged and can no longer be separated, so too has IT converged with the cloud. Remote working collaboration tools, cloud-based business management systems and cloud data centres are the standard for IT in a post-pandemic world. In fact, for many modern organisations, the cloud is inseparable from IT. They have wholly merged.
Businesses are striving for more agile operations, lower costs and greater customer satisfaction and the cloud has been integral in many IT businesses achieving this.
In comparison to IT, OT is the last bastion of on-premise computing. There are no technical or cyber security reasons why the cloud cannot be used to transform the operations of OT. The primary limitation is cultural.
The cloud offers a massively scalable platform, with efficiencies and capabilities that are difficult to match with in-house data centres. And OT is the literal heart of any industrial business. Why wouldn’t a company want to embrace the benefits of the cloud to extract maximum value from their most important business systems and data? There are untold benefits awaiting…
Using Risk to Guide Cloud Usage
How can we begin to move the needle on cultural change within OT to embrace the cloud? A risk-based approach, combined with a focus on delivering transformational business outcomes, is our best bet.
When it comes to risk, there are two key types of data within OT, each with their own risk profile. They are primary control system data and telemetry data from Internet of Things (IoT) devices in the field.
Primary control system data has the ability to control or directly affect the OT environment and as a result it is high risk. For example, in electricity distribution, it can be used to literally turn the power on or off, potentially resulting in life or death situations for both employees and critical care customers.
In contrast, IoT telemetry merely provides a real-time view into the operational environment from IoT sensors in the field and does not have control of the critical infrastructure. It is therefore much lower risk. The field-based IoT sensors collect data about temperature, vibration, pressure or almost anything that can be measured, to provide a real-time picture of how the physical world is operating. This data, when combined with the power of the cloud, will drive significant business outcomes that, to date, have not been realised.
There is a big difference in the risk posed by each of these data sources and as such, the data should be handled differently, based on risk. Primary control system data will likely remain on-premise for the foreseeable future, while IoT telemetry is low risk enough to be handled in the cloud. Indeed, the sheer volume of IoT data and the insights available through machine learning will necessitate the use of cloud computing.
The digital transformation that IT has realised through embracing the cloud is also waiting for OT. More efficient operations, better insights and decision making and higher availability of key industrial systems are just a few of the benefits.
It’s time for OT to move past any cultural inhibitors and use risk and business value as drivers for their cloud transformation.
Find Alex Nehmy on LinkedIn: https://www.linkedin.com/in/alexnehmy/