I wasn't at AusCERT this year, but watching the Tweet-stream and chatting to fellow Vulture Darren Pauli kept me clued-in, and I was interested to hear that Eugene Kaspersky thinks air-gaps are a good way to protect SCADA systems.
Because you won't convince the industrial sector to reverse the cost savings it got from connecting to the Internet, a bit of extra work is required. Kaspersky particularly mentioned blocking all but essential control traffic from the network, thereby forcing things like software updates to be carried out by humans on sneakernet.
To stop someone idly plugging in a malware-infected USB to a Windows machine, he added the refinement that everything go through some other system on the way. In other words, copy the update to a Linux or OS X machine, swap to a different USB, and copy it back off (presumably with some kind of malware test on the way).
All of which is well and good, and I agree wholeheartedly, but there's this to consider: Why not air-gap all the things? Why are Eugene's attitudes expressed solely in terms of a particular business?
Kaspersky's argument was simple: air-gapping critical systems from the internet makes them more expensive to successfully attack than the return the attacker can expect. That leaves only a small handful of nation-state targets – Stuxnet's targeting of nuclear centrifuges, for example – where the nation-state attacker is acting on motives deeper than simple cost-benefit.
For most targets, he argued, air-gapping (say) a SCADA control from the Internet is sufficient: it makes it too expensive to try and bring down a power station, or whatever.
But doesn't the same argument also apply to most of the home systems that Internet-of-Things enthusiasts want us to connect to the Internet?
For example, over at NakedSecurity, Sophos has posted this description of how to secure an Internet-connected baby monitor.
Here are the key steps:
- Turn off remote access to your home broadband router – and, since we know how hopeless these devices are, pray that it's not vulnerable to external attack;
- Use a strong password on the broadband router;
- WiFi also needs a strong password;
- Patch the broadband router regularly;
- Webcams also need strong passwords.
Oh, and the IP-connected baby monitors also need strong passwords.
It's good advice - but it's way too hard for most people.
In case you hand't noticed, all but one of the suggestions apply to devices other than the baby monitor – quite apart from beyond most users' clue or care-factor.
Whereas: an air-gap is easy, and can be put thus: “don't connect baby monitors to the Internet, and if the brand you're looking at won't work without Internet access, buy a different brand”.
The problem is, a huge effort out among the tech sector wants to eliminate all possible air-gaps between citizens' technological gadgets and the Internet.
Try turning off data access on your smartphone, for example: it will probably complain incessantly that it can't connect to Google or Apple.
Every “quantified self” device on Earth assumes there's no air-gap to the Internet – because data-collection is the name of the game, and what keeps the device cheap.
And so it goes for connected homes, WiFi light bulbs, Smart TVs, storage and all the rest. The industry is turning a blind eye to its own inability to secure anything, and pushing users to connect the whole lot to the Internet.
Maybe an air-gap is better. Perhaps you don't actually need to get separation anxiety just because you left the house and you're worried that your washing machine or air-conditioner will get lonely. Perhaps it's a better idea to relinquish the reassurance that your oven and fridge are still pinging the app on your smartphone, and air-gap them.
It's easy to do, after all: when you buy the gadget, whatever it might be, you need only ignore its demands that you configure it to access your WiFi network.
In a few years, if he's paying attention, Eugene Kaspersky will take to the stage and tell homes to air-gap their critical systems, wherever they can. And I'll be applauding. ®