Air Gaps and Smart Grid

As more information about the attack on Saudi Aramco has emerged, such as in the article in Dark Reading last week, it increasingly appears to be an aggressive and significant attack, with one attacker claiming to have compromised 30,000 of the company’s clients and servers. As described in the Saudi Aramco press release, however, the attack had “no impact whatsoever on any of the company’s production operations”, apparently because the attack was unable to cross the air gap between externally-accessible personal computers and the production control and monitoring systems.

The strategy of using air gaps for purposes of isolating portions of the IT infrastructure is one I’ve been thinking about recently, primarily in terms of smart grid security. In the past, it was relatively straightforward to isolate various parts of the energy infrastructure, particularly segregating energy distribution from customer information management.

Graphic Courtesy Central Hudson Gas & Electric Corporation

That physical isolation is no longer possible in smart grid, where measurement, reporting and control of distribution are directly linked in externally-accessible customer management systems. The value of connectivity across those environments is outweighing the security benefits of physical isolation.

Logical isolation is certainly feasible and important in smart grid. Identifying and controlling legitimate interaction across the boundary between logical environments, like distribution control and distribution reporting, has to be a fundamental architectural principle for smart grid. But such logical isolation mechanisms are not themselves sufficient. Equally important is data collection and analytics that ensure not just that the control mechanisms are in place and working, but also more fundamentally that the purpose of those isolation mechanisms – for example, protection of the energy distribution capability – is being achieved. Otherwise, unanticipated attack strategies may find ways to cross the logical divide undetected and unimpeded by the mechanisms used for logical isolation.
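One way to make that kind of check concrete, as an added example that is not part of the original post: audit observed network flows against the list of interactions that are legitimately allowed to cross the zone boundary. The zone names, subnets, ports and flow records below are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical zones and subnets, constructed for this example.
ZONES = {
    "customer_mgmt": ipaddress.ip_network("10.10.0.0/16"),
    "dist_reporting": ipaddress.ip_network("10.20.0.0/16"),
    "dist_control": ipaddress.ip_network("10.30.0.0/16"),
}
# Legitimate cross-zone interactions: (source zone, destination zone, port).
ALLOWED = {
    ("dist_control", "dist_reporting", 8443),
    ("dist_reporting", "customer_mgmt", 443),
}
# Constructed flow records: (source, destination, destination port, action).
FLOWS = [
    ("10.30.1.5", "10.20.4.9", 8443, "allow"),   # expected conduit
    ("10.10.7.21", "10.30.1.5", 502, "allow"),   # crossed the boundary
    ("10.10.7.21", "10.30.1.5", 22, "deny"),     # stopped at the boundary
    ("10.20.4.9", "10.20.4.10", 5432, "allow"),  # stays inside one zone
]

def zone_of(addr):
    """Map an address to its zone; anything unlisted is 'external'."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "external")

def audit(flows):
    """Return (violations, blocked, unused) for the observed flows.

    violations: permitted flows that crossed zones outside ALLOWED
    blocked:    cross-zone attempts the control denied (it is working)
    unused:     allowed conduits never observed (stale rule or blind sensor)
    """
    violations, blocked, seen = [], [], set()
    for src, dst, port, action in flows:
        key = (zone_of(src), zone_of(dst), port)
        if key[0] == key[1]:
            continue                      # intra-zone traffic is out of scope
        if action == "deny":
            blocked.append((src, dst, port))
        elif key in ALLOWED:
            seen.add(key)
        else:
            violations.append((src, dst, port, key[0], key[1]))
    return violations, blocked, ALLOWED - seen

if __name__ == "__main__":
    for name, result in zip(("violations", "blocked", "unused"), audit(FLOWS)):
        print(name, result)
```

A non-empty violations list means traffic crossed the logical divide by a path the isolation mechanism did not stop, which is the case the paragraph above warns would otherwise go undetected.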

Creating this kind of intelligence will be essential for smart grid. The risk of natural disasters is already taken seriously. The risk of determined adversaries needs to be taken equally seriously, recognizing that defensive strategies have to include looking for attacks that compromise even the best defenses, including those that will cross both physical and logical air gaps.


