There is a false sense of security that organizations have regarding the security of their SCADA systems and most valuable assets. They feel that because they have air gapped networks, access from the Internet and the rest of the corporate network is cut off. Even this practice is not always followed by some organizations, but for this thought experiment we will say they implemented a textbook air gapped network. So what does this leave you as far as potential attack vectors? It leaves only the human, who might infect the environment either unintentionally or for the sake of convenience.
First, according to Wikipedia, an air gap is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. The name arises from the technique of creating a network that is physically separated (with a conceptual air gap) from all other networks. This network is where your SCADA systems or other high value data may be segregated by having their own routers, switches, servers, workstations, applications and support, with no connection to the Internet or the corporate network other than the human.
Secondly, assume the target network has its key assets in a segregated network as described above. The human still enters and interacts with that network, either by having a workstation on their desk that is directly connected only to that network (that’s convenience), or by using USB devices, which have to be physically walked into a completely different network room and physically plugged in to load patches and security updates into that secured environment.
Knowing the human is the only path an attacker has into that environment, an attacker will have to target the individuals who may interact with the secured network. An attacker will then look at those individuals’ social media accounts to determine their out-of-work interests, and send them phishing emails customized to those interests and made very appealing to click on. If that does not work, the attacker will need to make a physical trip to drop USB drives in the parking lots near their cars or outside their homes. All of this data can be found through OSINT techniques.
Here is an interesting concept to protect the air gapped SCADA system or high value data network, given that the only infection point is the human. Perhaps we all should push the industry to start using turnstile doors, just like in data centers, for entry into the secured infrastructure room. A USB drive would be plugged into a reader at one of the door entry points that scans the drive for any infected files and then sandboxes the files on the drive to check for any anomalies. This can also be used to make sure that no employees are walking out with files that are restricted to that environment.
This can be done live with the help of the company’s security operations and research teams, who actually test the contents of that drive and approve entry upon completion of the scans. These teams can also use the segregated 24/7 monitoring tools deployed in that environment to watch for suspicious activity during the installation or access to the secured environment. Monitoring all aspects of the environment during interaction is key to eliminating or minimizing the effects of the human threat in that environment. Although this is just a thought, it would not take much to implement the monitoring services and turnstile doors needed to secure your most valuable assets or the systems that keep the lights on.
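To make the door-side USB check concrete, here is an added example (my own code, not part of the original post or any product it mentions) of the policy logic such an entry point could run: inbound media is held to a strict allowlist of patch hashes the security team has already vetted, outbound media is checked against hashes of documents restricted to the SCADA segment, and every scan emits a JSON audit line for the segregated monitoring stack. The hash lists, file names, operator id and the "constructed sample payload" contents are all made up for the demonstration; a real deployment would load the lists from the security team’s approval records and feed the audit line into whatever monitoring it already runs.

```python
"""Removable-media check for an air-gap entry point (added example, not from the post)."""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample content standing in for a vetted vendor patch and for a
# document that must never leave the SCADA segment (hypothetical values).
APPROVED_PATCH = b"vendor-hmi-patch-1.2.3 (constructed sample payload)"
RESTRICTED_DOC = b"plc ladder logic export (constructed sample payload)"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist for inbound media and blocklist for outbound media, keyed by SHA-256.
APPROVED_PATCH_HASHES = {sha256_bytes(APPROVED_PATCH): "vendor-hmi-patch-1.2.3.bin"}
RESTRICTED_FILE_HASHES = {sha256_bytes(RESTRICTED_DOC): "plc-logic-export.l5x"}
# File names and types that have no business on a patch drive.
BLOCKED_NAMES = {"autorun.inf"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js", ".ps1", ".bat", ".lnk", ".hta"}


@dataclass
class ScanResult:
    direction: str
    approved: bool
    findings: list = field(default_factory=list)   # reasons for rejection
    inventory: dict = field(default_factory=dict)  # relative path -> sha256


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_removable_media(mount_point: str, direction: str) -> ScanResult:
    """direction='inbound': every file must be a pre-approved patch (allowlist).
    direction='outbound': no file may match a restricted-document hash (blocklist)."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    result = ScanResult(direction=direction, approved=True)
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mount_point)
            digest = sha256_file(path)
            result.inventory[rel] = digest  # full inventory goes to the audit log
            ext = os.path.splitext(name)[1].lower()
            if direction == "inbound":
                if digest in APPROVED_PATCH_HASHES:
                    continue  # exact match with a vetted patch
                if name.lower() in BLOCKED_NAMES or ext in BLOCKED_EXTENSIONS:
                    result.findings.append(f"{rel}: blocked file type on inbound media")
                else:
                    result.findings.append(f"{rel}: not on the approved patch list")
            elif digest in RESTRICTED_FILE_HASHES:
                result.findings.append(
                    f"{rel}: matches restricted file {RESTRICTED_FILE_HASHES[digest]}")
    result.approved = not result.findings
    return result


def audit_record(result: ScanResult, operator: str) -> str:
    """One JSON line for the segregated monitoring stack (constructed schema)."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "direction": result.direction,
        "approved": result.approved,
        "findings": result.findings,
        "files": result.inventory,
    })


def build_demo_drive(files: dict) -> str:
    """Create a throwaway directory standing in for a mounted USB drive."""
    mount = tempfile.mkdtemp(prefix="usb-")
    for rel, content in files.items():
        full = os.path.join(mount, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return mount


if __name__ == "__main__":
    clean = build_demo_drive({"patches/vendor-hmi-patch-1.2.3.bin": APPROVED_PATCH})
    dirty = build_demo_drive({"patches/vendor-hmi-patch-1.2.3.bin": APPROVED_PATCH,
                              "autorun.inf": b"[autorun]\n", "notes.txt": b"hi"})
    leaving = build_demo_drive({"backup/plc-logic-export.l5x": RESTRICTED_DOC})
    for mount, direction in ((clean, "inbound"), (dirty, "inbound"), (leaving, "outbound")):
        print(audit_record(scan_removable_media(mount, direction), operator="tech-01"))
```

The inbound rule is deliberately an allowlist rather than an antivirus-style blocklist: a patch drive should carry nothing but the files the security team already approved, so anything unknown is a finding regardless of whether a scanner flags it. The outbound rule only needs the blocklist of restricted documents, and the inventory in the audit line gives the 24/7 monitoring team the full picture of what crossed the door in either direction.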