Overcoming Air Gap Security Failures

Author: Colin Robbins

Air Gaps are not as secure as you might think.

There is a clear need to have networks that are not connected to the Internet: for example, military networks, corporate networks that contain core intellectual property (the design of a new drug) and process control networks.

How do you securely transfer data (such as operational data, operating system updates, core information from third parties) from the Internet into such networks?

A common solution is to implement an air gap. This is how it (should) work:

  1. Data is copied from the Internet onto a transfer medium (USB stick, CD)

  2. The USB stick (or CD) is removed from the computer

  3. The USB stick is then tested for known malware on a stand-alone system (sheep dip)

  4. The USB stick is inserted into a machine on the secure system

  5. The USB stick is removed and securely destroyed (or cleaned)

The problem with this manual process is that step 5 is all too often forgotten, and the USB stick is re-used in step 1. This introduces a return path for any malware to leak data. This is not a new concept: it was exploited by Stuxnet and more recently in the Indian Navy security incident. The weakest link of this mechanism is not the technology or the process, but the human user operating the process.
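One way to make the step 5 failure visible rather than relying on memory is a hash manifest of the transfer medium: recorded when the medium is loaded (step 1), re-checked before import (step 4), and checked against an empty manifest before any medium is loaded again, so a stick that was never cleaned shows up as carrying unexpected files. The code below is an added example, not part of the original post; the file names, the temporary directory standing in for the USB stick and the `demo()` sequence are constructed for illustration.

```python
"""Transfer-medium manifest check for the air-gap procedure.

Added example (not from the original post). A manifest of SHA-256 hashes
is built at step 1, verified at step 4, and an empty-manifest check
before reuse catches a medium that skipped the cleaning in step 5.
The manifest should live off the medium (e.g. on the sheep-dip system);
if it is stored on the medium it must be excluded from the walk.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_manifest(root, manifest):
    """Compare the medium's current contents with a recorded manifest."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest
                      if p in current and current[p] != manifest[p])
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def medium_is_clean(root):
    """A medium about to be reused at step 1 must match an empty manifest."""
    return verify_manifest(root, {})["unexpected"] == []


def demo():
    """Walk the procedure with a temporary directory as the USB stick (constructed)."""
    with tempfile.TemporaryDirectory() as medium:
        # Step 1: load the update and record the manifest off-medium.
        with open(os.path.join(medium, "update.bin"), "wb") as f:
            f.write(b"patch data (constructed sample)")
        manifest = build_manifest(medium)

        # Step 4: verify nothing changed between the sheep dip and import.
        at_import = verify_manifest(medium, manifest)

        # Something on the secure side writes to the stick, and step 5 is skipped.
        with open(os.path.join(medium, "leak.txt"), "wb") as f:
            f.write(b"constructed sample of data that should never leave")

        # Before the stick is reused at step 1, both checks flag the extra file.
        on_reuse = verify_manifest(medium, manifest)
        return at_import, on_reuse, medium_is_clean(medium)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The value of the check is the `unexpected` list: at step 4 it should be empty, and at reuse time a non-empty list means the medium did not go through step 5, regardless of whether anyone remembers.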

Data Diode

A solution is to remove the human operator from the process. This is where the technology of data diodes is finding increasing use in the market. They provide (as the name suggests) a one-way flow of data, and by design can provide a 100% guarantee that data can only flow one way; very few security products can provide these assurances. There is a challenge in deploying diodes, as many data communication protocols require a two-way handshake. Data diode products typically use proxy technology to overcome this problem.
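The proxy point above is the interesting engineering problem: once there is no return path, the receiving side cannot acknowledge, negotiate or ask for a retransmission, so the sending proxy has to make the stream self-describing and self-checking. The following added example (not the original post's code, and not any vendor's protocol) shows the shape of such a proxy pair: the sender frames a payload into sequenced datagrams that carry a digest of the whole payload, sends each frame more than once in place of real forward error correction, and the receiver reassembles, reports gaps it cannot fill, and rejects a corrupt result. The frame format, `MAGIC` value and the simulated lossy channel are assumptions made for the example.

```python
"""Sender/receiver proxy pair over a simulated data diode.

Added example, not from the original post. The channel is a list of
datagrams flowing one way; nothing ever travels back. Frame layout
(an assumption for this example): magic, transfer id, sequence number,
total frames, SHA-256 of the whole payload, then the chunk.
"""
import hashlib
import struct

MAGIC = b"DIOD"
HEADER = struct.Struct("!4sIII32s")  # 48-byte header
CHUNK = 16                            # small so a short payload spans several frames


def frame_payload(transfer_id, payload, chunk=CHUNK, copies=2):
    """Split payload into frames; each frame is emitted `copies` times."""
    digest = hashlib.sha256(payload).digest()
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    frames = []
    for seq, piece in enumerate(chunks):
        frame = HEADER.pack(MAGIC, transfer_id, seq, len(chunks), digest) + piece
        frames.extend([frame] * copies)
    return frames


class DiodeReceiver:
    """Reassembles transfers without any ability to signal the sender."""

    def __init__(self):
        self.transfers = {}  # transfer_id -> {"total", "digest", "chunks"}

    def accept(self, frame):
        if len(frame) < HEADER.size:
            return  # runt datagram: drop silently, there is nobody to tell
        magic, tid, seq, total, digest = HEADER.unpack_from(frame)
        if magic != MAGIC or seq >= total:
            return
        t = self.transfers.setdefault(
            tid, {"total": total, "digest": digest, "chunks": {}})
        t["chunks"].setdefault(seq, frame[HEADER.size:])  # duplicates ignored

    def status(self, tid):
        """('complete', data) | ('incomplete', missing seqs) | ('corrupt', None)."""
        t = self.transfers.get(tid)
        if t is None:
            return ("unknown", None)
        missing = [s for s in range(t["total"]) if s not in t["chunks"]]
        if missing:
            return ("incomplete", missing)
        data = b"".join(t["chunks"][s] for s in range(t["total"]))
        if hashlib.sha256(data).digest() != t["digest"]:
            return ("corrupt", None)
        return ("complete", data)


def lossy_channel(frames, drop_every=None):
    """Simulated one-way link: in-order delivery, optionally dropping every nth frame."""
    return [f for i, f in enumerate(frames)
            if not (drop_every and i % drop_every == 0)]


def transfer(payload, tid=1, drop_every=None, copies=2):
    """Push one payload across the simulated diode and report the receiver's view."""
    rx = DiodeReceiver()
    for frame in lossy_channel(frame_payload(tid, payload, copies=copies), drop_every):
        rx.accept(frame)
    return rx.status(tid)


if __name__ == "__main__":
    sample = b"constructed sample payload for the diode demo"
    print(transfer(sample))                               # clean link
    print(transfer(sample, drop_every=2))                 # loss absorbed by the duplicate
    print(transfer(sample, drop_every=2, copies=1)[0])    # no redundancy: gap is reported
```

The design choice worth noticing is that the receiver's only options are to complete, to report what is missing, or to discard; every recovery mechanism has to be decided by the sender in advance, which is exactly why diode products wrap ordinary request/response protocols in proxies rather than passing them through.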

This is one of the challenges of security. Intuition suggests that air gaps are secure, and putting a network link in place will weaken the solution. The difficulty comes as this only considers the technical aspects of security, but security is about technology, process and people working together.

About the author

Colin Robbins is a Principal Security Consultant, leading customer-funded research activities in secure interoperability and information exchange. He has specific technical interests in the Single Information Environment and Data Centric Security, as well as the processes of security, such as Secure by Design and Information Security Management Systems (ISMS). He is a Fellow of CIISec, and a former NCSC certified Security and Information Risk Adviser (Lead CCP).