Cutting the cord: Can Air-Gapping protect your data?

Isolating hardware from the internet deters hackers, but at a huge cost. Charles Orton-Jones investigates the tactic of Air-Gapping

Hackers are a nightmare. A recent survey revealed 79 per cent of US companies spotted a cyber attack in the last year, up from 68 per cent the year before.

A radical solution lies in Air-Gapping. This is the unplugging of hardware from the internet. No access, no hacking. A moat of air surrounds your precious data to keep marauders at bay. That’s the theory.

It’s extreme. But does it work?

A large flour mill in Northamptonshire is a fan. The factory hardware is Air-Gapped to ensure no viruses or hackers can enter. “We aren’t an IT company,” says the CEO. “We can’t keep up with cybersecurity, so we Air-Gap to make sure our operations are secure. What you can’t touch you can’t hack.”

Data vaults, top secret repositories, and nationally critical infrastructure are the most suitable for Air-Gapping. India’s largest and newest nuclear power plant in Kudankulam, for example, keeps core systems isolated.

Air-Gapping brings peace of mind. There are no updates to roll out. No iterations of ransomware to worry about. Hardware can run for years with no danger of attack.

The downsides

So those are the alleged benefits. Now here come the negatives of Air-Gapping. And boy do they pile up.

The first challenge is keeping systems up to date. Software requires patching and upgrading as bugs are found and new features are needed. An Air-Gapped system can be updated via USB sticks and CD-ROMs, but this is (a) time-consuming and (b) introduces a partial connection with the outside world.

Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, has observed the havoc this can cause.

“Yes, hardware and software both can be easily patched just like we did back in the day, before the internet,” says Hauk. “Patches can be ‘sneakernetted’ to machines on a USB stick. Unfortunately, USB sticks can be infected by malware if the stick used to update systems was created on a networked computer.

“The Stuxnet worm, which did damage to Iran’s nuclear program and believed to have been created by the United States and Israel, was malware that targeted Air-Gapped systems, so no system that requires updating is absolutely safe from attacks, even if they are Air-Gapped.”
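The sneakernet problem Hauk describes has a standard defensive control: the trusted side publishes a manifest of SHA-256 hashes for the patch bundle, the manifest travels separately from the stick (or is signed), and the Air-Gapped host refuses the bundle if any file is altered, missing, or not listed at all. The following is an added example written for this article, not code from any of the companies quoted; the manifest format (`sha256hex  relative/path` per line), the function names, and the sample bundle it builds in a temporary directory are all constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical manifest format: one "sha256hex  relative/path" line per file.
# The manifest is produced on the trusted build side and carried out-of-band
# (or signed there), so the USB stick is never the only source of truth.


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large patch images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Turn manifest text into {relative_path: expected_hex_digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(maxsplit=1)
        expected[rel] = digest.lower()
    return expected


def verify_bundle(bundle_dir: Path, manifest_text: str) -> dict:
    """Compare everything on the stick against the manifest.

    Returns the per-file verdicts plus an overall 'approved' flag that is only
    True when every listed file is present and intact AND nothing else is on
    the stick. Extra files are the case to watch: a stick prepared on a
    networked machine can pick up content nobody intended to carry across.
    """
    expected = parse_manifest(manifest_text)
    present = {
        p.relative_to(bundle_dir).as_posix(): p
        for p in bundle_dir.rglob("*")
        if p.is_file()
    }
    result = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        path = present.get(rel)
        if path is None:
            result["missing"].append(rel)
        elif sha256_file(path) != digest:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    for rel in present:
        if rel not in expected:
            result["unexpected"].append(rel)
    result["approved"] = not (
        result["mismatch"] or result["missing"] or result["unexpected"]
    )
    return result


def build_demo_bundle() -> tuple:
    """Construct a sample stick with one good, one altered, one extra file
    and one file the manifest lists but the stick lacks (constructed data)."""
    tmp = Path(tempfile.mkdtemp())
    good = b"patch payload v1\n"
    expected_v2 = b"patch payload v2\n"
    notes = b"release notes"
    (tmp / "patch-1.bin").write_bytes(good)
    (tmp / "patch-2.bin").write_bytes(b"altered on a networked machine\n")
    (tmp / "extra.bin").write_bytes(b"not part of the release\n")
    manifest = "\n".join([
        "# constructed manifest, carried separately from the stick",
        f"{hashlib.sha256(good).hexdigest()}  patch-1.bin",
        f"{hashlib.sha256(expected_v2).hexdigest()}  patch-2.bin",
        f"{hashlib.sha256(notes).hexdigest()}  README.txt",
    ])
    return tmp, manifest


if __name__ == "__main__":
    bundle, manifest = build_demo_bundle()
    verdict = verify_bundle(bundle, manifest)
    for key in ("ok", "mismatch", "missing", "unexpected"):
        print(f"{key:10s} {verdict[key]}")
    print("approved:", verdict["approved"])
```

The check is deliberately all-or-nothing: a single mismatch, a single missing file, or a single unlisted file rejects the whole stick, because once the bundle is applied there is no network-side antivirus or telemetry to catch what slipped through. Hashing alone does not authenticate the manifest; in a real deployment the manifest would be signed with a key whose public half is already on the isolated host.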

The Air-Gap may suffer breaches. Users may want to take data home or have another reason to access systems. A temporary connection to the outside world, even via a USB stick, poses a serious risk.

Danny Jenkins, CEO and Co-Founder of ThreatLocker, an international cybersecurity firm providing Zero Trust endpoint security, is highly doubtful of whether organisations can prevent these temporary breaches.

“Air-Gapping only stops network threats,” says Jenkins. “There are other ways risks can be introduced into a device. For example, I worked with a cruise ship company that had an issue with computers getting malware and garbage installed while they were at sea. This is because staff would be putting stuff in on USB drives. Because the computers had no internet connection they couldn’t even run antivirus. Which allowed users to do whatever they wanted.”

Then there are overlooked connection points. A system may appear to be Air-Gapped. But backdoors, such as internet-connected devices, may compromise the entire endeavour.

Rafael Maman, VP of Operational Technology Security at Sygnia, warns that total separation is getting harder to achieve.

“With IT and Operational Technology environments converging and Industrial IoT (I-IoT) being rapidly introduced on the manufacturing floor, the ‘air gap’ around the OT environment is rarely complete any more.

“This allows threat actors to take advantage of the resulting broadening and deepening of the attack surface, with potentially devastating impacts. In addition, strict network separation, while remaining a key component of OT Security best-practices, also hampers the organisation’s ability to navigate, collect and analyse essential data to detect and respond to threats in the OT environment.”

Malicious employees may take advantage of unprotected systems. Matt Chinnery, Security Consultant at Ripjar, says even if the technical setup is perfect, a single devious actor can wreak mayhem: “Users are, by nature, an unsecure source, so those who have access to Air-Gapped networks need to be securely vetted and checked. Users themselves are by far one of the biggest risks as the person is already in the organisation so has access to the protected data.” An insider can uplink a system to the internet to give colleagues on the outside full access. In ten minutes a system can be irrevocably compromised.

Last is the reduced access to third-party services. Air-Gapped systems can’t connect to cloud storage or third-party analytics, or transmit data to other parts of the company. The hardware really is isolated.

Niche and risky

Air-Gapping is therefore imperfect, hard to manage, and leaves systems vulnerable to devastating attacks. The Indian nuclear power plant mentioned earlier, for example, suffered a cyber attack after a computer was plugged into an interface. This was after a spokesperson for the plant insisted Air-Gapping meant, “Any cyberattack on the nuclear power plant control system is not possible.” Oops.

Rob O’Connor, Technology Practice Lead at Insight, an Arizona-based systems integrator, can see a role for Air-Gapping, but only in the most extreme circumstances.

“Gene Spafford, a renowned professor of computer science at Purdue University once said, ‘The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then, I have my doubts.’

“Gene’s quote was from 1989, but despite how technology has advanced in the intervening thirty-five years it holds true today. Securing systems still requires a balanced approach which provides ‘just-enough’ security. Too little security is bad for obvious reasons, but too much security is costly and creates usability issues. Air-Gapping still has its place, but it’s a small niche – and not a panacea.”



Charles Orton-Jones

Charles Orton-Jones is a business and tech journalist. He's a former winner of the PPA Business Journalist of the Year Award, and currently edits and Forward magazine, a journal devoted...