Air Gap

Description

An air gap attack is an attack that travels into a network architecture even though it is network wise isolated to the rest of the world. To succeed with such an attack, a piece of malware needs to be brought into the internal network environment more or less by hand. Such cases can be when computers or portable media are first connected to external networks and then, later, connected to the internal network. There are several probabilities to consider regarding this; first the probability of an externally connected computer being infected and then how often that same computer is connected to the inside network. Another case is when externally developed software or updates are being taken from the outside and installed/updated on the inside.

Talking about isolated environments, protected by air gaps, we often mean highly sensitive environments related to critical infrastructure like power plants and similar appliances. However, as we shall see in the next sections, bringing potentially infected pieces of equipment into an internal network zone, might give the attacker a short cut deep into internal network zones, bypassing several network based protection mechanisms.

But for now, we start by looking at a traditional air gap environment and how to represent an attack targeted at it.

Model

When modeling the air gap, we have not connected the “Ext GW” to the “External Zone” network. An “External Gateway” probably does not even exist, otherwise there would not be an air gap. Then we have connected the attacker to a separate host that we imagine have been, more or less deliberately, infected by malicious software introduced by the attacker. (Connection between the attacker and the “Infected Host” is “Compromise”. Then we add a Router object representing the air gap, short-circuiting the (non-existent) external gateway.

Modeling an Air Gap
Modeling an Air Gap

Attack Vector Attenuation

So far, we have set up a router representing an air gap and let it have perfect parameters; the malware on the infected host’s side will not be able to enter the internal zones. Bridging an air gap is considered a hard thing to achieve, even though it is not impossible. Therefore, we want to introduce some hopefully small probability that this might happen. To achieve this, please select the firewall connected to the air gap router object and look at the defenses of it.

Settings of a Perfect Firewall
Settings of a Perfect Firewall

 

As we can see, the defense Enabled is set to On (by default) and the defense KnownRuleSet is also set to On (for this particular firewall).

Consider the case when employees connect equipment they have previously connected to foreign network zones to the internal network zones say once a year. Then the malware has managed to bypass the perfect air gap that often (1/365=0,003), which means we can set the “Enabled” defense of the air gap to 1-0,003=0,997.

Settings of a Sometimes Bypassed/Bridged Air Gap
Settings of a Sometimes Bypassed/Bridged Air Gap

 

In other words; during 0,3% of the time, the air gap will not be functional but instead a bypass route from the infected host to the internal network zones protected by the air gap.

Conclusions

In the above set-up, the air gap router is actually the business or IT security rule saying that no external equipment may be connected to any internal network zones. Therefore, the firewall connected to the air gap router shall be perfect; KnownRuleSet=On. The access control connected to it shall also be perfect and the necessary network administration zone shall also be isolated and not connected to anything else. According to the securiCAD logic, this router is then impossible to traverse. The malware on the infected host will not be able to reach the internal zones.

When introducing the attack step attenuation set up, using the “Enabled” defense of this perfect router we have added, the extra router is acting as a “valve” deciding how probable we estimate this type of attack to take place.