• venoym (8/12/2014)


    K. Brian Kelley (8/11/2014)


    venoym (8/11/2014)


    I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot be denied.

    It provides an additional level of protection. I'm not denying that. However, the way most SCADA systems have been built, what's behind that data diode is ripe for the picking. You can't add additional layers of protection without breaking the system. Why do they have that attitude? Because they trust the air gap/data diode is the be-all/end-all. It isn't. It's just a broken and outdated idea in infosec.

    I realize this will probably fall on deaf ears. If you rely on only the Data Diode/Air Gap, you deserve to fail, and will fail. An Air-Gap/Data Diode is required by Federal Regulations for Nuclear. Consider: you can't take a system that is a hodgepodge of equipment from every decade back to the 1970s and expect to run the latest and greatest IDS/IPS and anti-malware on every device. Most devices in a SCADA system are simple PLC/firmware devices that only know "point A and set points X, Y and Z". Servers and workstations need to be protected by Best Practices regardless of Air-Gap.

    To state as a blanket rule that a Data Diode/Air-Gap is broken and outdated Information Security is disingenuous at best. They work as long as you continue to do the other Cyber Security Best Practices in addition. Like anything, they are a tool to be used and used properly. Similar to the use of NULLs or GOTO, there are valid and GOOD uses of them (Yes, I realize that half of the people reading this just tuned out, but seriously... do some objective research). Finally, I'll state that you do NOT want a Nuclear plant's control and protection systems to have a two-way connection to the Internet.

    It's not falling on deaf ears. You understand that there is a need for more. However, go back and look at how many SCADA systems can't be protected from insecure installations because you'll break something or, at best, you'll render it out of support. Why is that?

    It's because too many in the industry rely on data diode/air gap *exclusively*. Too many systems are designed where this is the only protection. That's my point. That's the point of that article. You're arguing the same point, that there needs to be more on that single factor of protection. The mistake you're making is extending your own understanding and practice to the rest of your industry.

    K. Brian Kelley
    @kbriankelley