Air gaps have been 'shattered', says new Indian policy on power sector security

India has announced a new security policy for its power sector and specified a grade of isolation it says exceeds that offered by air gaps. “The much hyped air gap myth between information technology (IT) and operational technology (OT) systems now stands shattered,” the policy states, before going on to offer a slightly odd …

  1. Potemkine! Silver badge

    The artificial air gap created by deploying firewalls

    Typical IT illiterates bragging

    The policy also requires any activity on the sole internet-connected system to be done "through an identifiable whitelisted device followed by scanning of both for any vulnerability/malware". Even that device can only connect to whitelisted IP addresses.

    If India is able to produce a device detecting 0-day vulnerabilities, congrats.

    1. adam 40

      Simples!

      That device is very simple, it has a red light that comes on when there is a 0-day in a piece of kit.

      The light is, of course, permanently on.

      1. teknopaul

        Re: Simples!

        Someone needs to invent really high bandwidth one way digital path. Something that is at the physical layer one way, and with sufficient error checking that you don't need to ACK.

        Or does such a thing exist?

        I have worked in many systems where one would be beneficial but never seen one deployed.

        1. Cybersaber

          Re: Simples!

          Silliness aside, unidirectional connections are actually quite old. They're used in all sorts of applications. You're looking at one right now. It's the tiny little grid of lights that makes up your display. Printer cables were originally unidirectional serial.

          A unidirectional connection (either way) doesn't really help solve the security problems they're trying to solve.

          1. DS999 Silver badge

            Re: Simples!

            Sure it does. If you have a one way connection you can get all the monitoring data out and therefore accessible remotely, while only allowing input from a properly air gapped device.

            The reason power companies and other utilities connect their stuff to networks is to allow monitoring. What's the point of a fancy system that can detect faults if it needs someone on location to learn about the fault? They not only want their employees to know about the fault and be able to quickly access all the relevant diagnostic data, they want third parties who made that fancy system to be able to find out about the fault and get that data too.

            Now I'm sure there are some that like being able to make changes remotely, and there's no help for them, but for the majority who would be happy with just getting all the data out and willing to accept that getting data in requires an on-site presence, this would be a good solution. I mean, if the alarm that's raised indicates some sort of actual outage in a power company it is going to require someone on site to replace the broken equipment anyway.

            1. Ace2 Silver badge
              Joke

              Re: Simples!

              What if we used blockchain?

          2. Anonymous Coward

            Re: Simples!

            There are optical versions of these one way printer cables widely used out there. Look up unidirectional network on Wikipedia. However a plethora of carbon and silicon based side channels should make you very mindful.

            1. DS999 Silver badge

              Re: Simples!

              Side channel attacks are also one way - you can't use them to input data into a system, only to learn something about it.

              Human "side channels" are no more of a problem with a computer based system than one based on mechanical buttons and levers. If you can trick someone into pressing the wrong button, you can make bad things happen.

              1. Anonymous Coward

                Re: Simples!

                True. Unless the supply chain had been deemed of sufficiently high value to discreetly enable something value-add.

        2. thames

          Re: Simples!

          They're called "data diodes". They're an off the shelf product from several suppliers.

          1. Anonymous Coward

            Re: Simples!

            > They're called "data diodes". They're an off the shelf product from several suppliers.

            And there are even projects online to build cheap data diodes using pairs of Raspberry Pis with a serial cable strung between them: not simply a USB-to-USB connection, but using either real serial ports or USB-to-actual-RS232-and-back-to-USB, as with RS232 you can connect the Tx (transmit) wire in one direction but not in the other, so ensuring unidirectional connectivity.
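The one-way path teknopaul asked for (enough error checking that no ACK is needed) and the RS232 data diode builds described in this comment both leave the receiver to verify and reassemble the stream on its own. This added example, not from any commenter or any data diode product, frames a file for such a link: each chunk carries a sequence number, chunk count and CRC-32, the whole set is sent more than once, and the receiver rejects corrupted frames, deduplicates and reports gaps instead of silently delivering a truncated file. The frame layout, the `noisy_channel` simulation and the sample data are all constructed here.

```python
import struct
import zlib

MAGIC = b"DD"
HEADER = struct.Struct(">2sIIH")   # magic, sequence number, total chunks, payload length
CRC = struct.Struct(">I")          # CRC-32 over header + payload


def encode_frames(data, chunk_size=64, repeats=2):
    """Split data into self-describing frames and send the whole set `repeats` times."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        body = HEADER.pack(MAGIC, seq, len(chunks), len(chunk)) + chunk
        frames.append(body + CRC.pack(zlib.crc32(body)))
    # Repeat the whole sequence rather than each frame back-to-back, so one burst
    # of line noise is less likely to destroy every copy of the same chunk.
    return frames * repeats


def parse_frame(frame):
    """Return (seq, total, payload), or None if the frame fails any check."""
    if len(frame) < HEADER.size + CRC.size:
        return None
    body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
    if zlib.crc32(body) != crc:
        return None
    magic, seq, total, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    if magic != MAGIC or len(payload) != length or seq >= total:
        return None
    return seq, total, payload


def decode_frames(frames):
    """Reassemble the stream; returns (data or None, missing chunk numbers, rejected frames)."""
    received, total, rejected = {}, None, 0
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or (total is not None and parsed[1] != total):
            rejected += 1
            continue
        seq, total, payload = parsed
        received.setdefault(seq, payload)  # first valid copy wins
    if total is None:
        return None, [], rejected
    missing = [s for s in range(total) if s not in received]
    return (None if missing else b"".join(received[s] for s in range(total))), missing, rejected


def noisy_channel(frames, drop=(), flip=()):
    """Constructed one-way link: drops frames by index and corrupts a payload byte in others."""
    out = []
    for i, frame in enumerate(frames):
        if i in drop:
            continue
        if i in flip:
            frame = frame[:HEADER.size] + bytes([frame[HEADER.size] ^ 0x01]) + frame[HEADER.size + 1:]
        out.append(frame)
    return out


def demo():
    data = bytes(range(256)) * 3                             # constructed 768-byte sample file
    frames = encode_frames(data, chunk_size=100, repeats=2)  # 8 chunks, 16 frames on the wire
    # First copy of chunk 0 dropped and first copy of chunk 3 corrupted: the second copies recover them.
    ok, missing, rejected = decode_frames(noisy_channel(frames, drop={0}, flip={3}))
    # Both copies of chunk 5 lost: the receiver reports the gap rather than delivering a truncated file.
    bad, missing_bad, _ = decode_frames(noisy_channel(frames, drop={5, 13}))
    return ok == data, missing, rejected, bad, missing_bad


if __name__ == "__main__":
    print(demo())   # (True, [], 1, None, [5])
```

In practice the repeat count is tuned to the observed error rate of the link; on a genuine diode the sender never learns whether the file arrived, so the receiver's gap report is what an operator acts on.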

            1. stiine Silver badge
              Facepalm

              Re: Simples!

              Ha. You've just asked for a printer spooler hack that's controlled by Morse code or the on/off of DTE... I pity you.

            2. -tim
              Coat

              Re: Simples!

              You can also cut 3 of the 4 pairs of an ethernet cable for the same effect. You will have to tell the driver that it is in an odd state with no sync, but that is usually a parameter to ifconfig or its replacement. You can extend the technique to make Y cables that listen to one host and talk to two or more devices, the same way as twisted pair ethernet is still technically a shared bus with typically just two ends.

        3. Swarthy

          Re: Simples!

          Webcam pointed to the monitor's screen?

  2. Anonymous Coward

    Pandora = Germany?

    Country that makes your firewalls = country that hacks stuff quite legally

    You know these laws they pass that let them legally compel backdoors in any system, and legally hack any system, and then shortly after, they sign a cyber cooperation treaty so they can sell that as a service to their buddies worldwide. And then you go put their crap on your network? Knowing they can or already have backdoored it?? Do not do this.

    It's not just 5 Eyes countries, Australia and UK, it's Germany too:

    https://cpj.org/2021/06/german-law-government-surveillance-hacking-journalists/

    ("German law increases government surveillance and hacking powers, removes protection for journalists")

    I was trying to figure out who was behind the Pandora papers: a country that hates the Czech President, hates Tony Blair, King of Jordan, has high taxes, is known for its hacking (Crypto AG + various Swiss hacks), was not featured heavily on the list, has a legalized hacking law and just had an election to make it more left wing.

    Germany, fits that bill. I think they did it.

    The motive would be to raise more tax in other nations, rather than lower it at home, and also take a big side swipe at the UK to ensure it stays "on message" regarding high taxation EU.

    If it was a country, like Germany, then it represents a state backed cyber attack.

    1. Anonymous Coward

      Re: Pandora = Germany?

      Loooool, tin foil hat much?

      Yeah, everything is backdoored, or it isn't and then it's mirrored onto a dark fibre. No big deal, the SNR is so high that unless you're looking for something specific you won't see it. Run wireshark/tcpdump on your desktop, then multiply that noise by every device on your LAN, then multiply by every customer on your ISP, then multiply by every ISP, and that's what nation state level network surveillance looks like...

      Nope, just bog-standard whistle blowing in my opinion. It's always someone about to get caught with their hand in the cookie jar. Burn it all down then claim immunity.

      1. Anonymous Coward

        Re: Pandora = Germany?

        "Nope just bogstandard whistle blowing in my opinion"

        Impossible. Coordinated leaks across 14 different companies? So 14 whistleblowers in 14 companies simultaneously and in coordination releasing their wares....

        No way, it's a state attack. The question is which state.

        I'm ruling out Russia because many of the leaders targeted are Putin friendlies. I ruled out China because the targets aren't their preferred enemies and includes Hong Kong. UK, the usual hacker? Nope, blatant attacks on UK leaders like Blair. Australia? Testing out their new legalized hacking laws? No, because they're in UK's surveillance group and UK was targeted. Israel? Attacking friendlies? No chance, too much risk of backfire.

        Germany, ahhh.. yeh... I can see that.

        It's not just the hack, it's the propaganda op needed. Tony Blair buying a trust that owns a Marylebone office, instead of buying the office directly from the trust and incurring extra property taxes? I mean that's not a thing without the innuendo needed to pump it. Nobody pays more tax than needed. See IR35 contractors for details of that.

        "Czech President buys 26 million euro property in Monaco via a trust", again, so what? He's a successful businessman worth billions and disclosed he owns hundreds of millions in property assets which must be somewhere! Without the innuendo of "didn't mention it [this specific property] on his political disclosure form".... to whom? The paparazzi? Monaco would certainly have him registered. When he goes to his holiday home, does he blindfold his security so they don't know where it is? It's ridiculous without the innuendo.

        That's a state op.

        1. Anonymous Coward

          Re: Pandora = Germany?

          More evidence popping up today pointing to Germany.

          That global minimum corporation tax rate Ireland just signed up to was pushed by Germany and France:

          https://www.reuters.com/world/china/germanys-scholz-greets-us-move-work-global-corporate-minimum-tax-rate-2021-04-06/

          "I'm in high spirits that with this corporate taxation initiative, we'll manage to put an end to the worldwide race to the bottom in taxation," said German Finance Minister Olaf Scholz, a firm backer of the initiative.

          German corporate tax is 30%, it's the highest among the larger OECD countries, with only Colombia higher at 31%, and France only a little lower at 28.4%.

          Total payroll tax among OECD countries... Germany is second only to Belgium. A clear incentive to try to force up taxes in other OECD countries.

          Clear motivation there. Uncompetitive countries, drowning in taxes, trying to drag the other OECD members down with them.

          Notice the low number of Frenchies on the Pandora papers? Yet French property tax is between 7% and 10% of the purchase price... you'd think there would be a lot of French rich people simply wrapping property in trusts to be bought and sold freely, both in France and every other high property transfer country. Yet not in the Pandora papers.

        2. Anonymous Coward

          Re: Pandora = Germany?

          Will bite, can see you're fixated on Germany...

          "Impossible. Coordinated leaks across 14 different companies? So 14 whistleblowers in 14 companies simultaneously and in coordination releasing their wares"

          Who says all the leaks came at once, just because they have been collated and released as such by the go-to info dumping journalist cabal? I think it's far less fanciful that 14 disgruntled employees (or fewer if there is a common sub contractor or 2) reached out via Signal or similar to any number of member journalists.

          Why not 14 separate leaks? Bigger impact by aggregation, protection of sources, confusion of exfiltration timeline.

          Another possibility more likely than your hypothesis is a ransomware gang either following through with threats to leak, or a disaffected member leaking the crown jewels.

          The rest just sounds like you're making connections you want to see.

    2. Anonymous Coward

      Re: Pandora = Germany?

      Quote: ".....a state backed cyber attack....."

      *

      @AC

      *

      Please.....get real. Remember the Snowden business. Or GCHQ hacking Belgium (yup...our enemy Belgium!):

      - Link: https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

      *

      EVERY MODERN STATE is doing this! Why pick on Germany? Look in the news -- USA, China, Turkey, Vietnam, UK, Russia................................and on and on.

      *

      Oh......I forgot.......most of these state-based attacks are carefully disguised to APPEAR to be the work of others............so who knows if this one wasn't the US pretending to be Turkey pretending to be Germany! I think we should be told!!!

  3. ColinPa Silver badge

    what can go wrong?

    The great wall of china was rendered useless when the baddies bribed a door keeper to let them in. I am expecting problems to occur because of human behaviour - "What harm will there be if I copy this amusing document around my work colleagues". I'll bring it in on a USB device.

    1. Pascal Monett Silver badge

      Re: what can go wrong?

      Humans always are the weakest link. If the Internet-facing computers can only access whitelisted web pages, and if they are, essentially, on a private web, then there likely won't be very many amusing documents to copy to the colleagues.

      Of course, said amusing document can always be mailed from home.

    2. Anonymous Coward

      Re: what can go wrong?

      Glue gun the USB sockets if you give a shit; it can be non-destructively removed, cheaper and more effective than socket locks. Ohh, and put the padlock through the loop on the chassis lid...

      But yeah, pay the grunts enough to make bribes less attractive and make the consequences severe.

      This though is just a political greasy pole doc, for someone wanting a promotion, completely unworkable chod. Maybe Amber "hashtags" Rudd took a consultancy gig and offered her insight here...

      1. G40

        Re: what can go wrong?

        +1 for ‘chod’, new to me.

    3. aregross

      Re: what can go wrong?

      It sounds to me that something has already gone wrong, they've discovered it, and are trying to make sure it doesn't happen again.

    4. jmch Silver badge

      Re: what can go wrong?

      There's always *something* that can go wrong, but all things considered it's a very sane national policy that other countries could do well to have a look at themselves.

  4. Peter Galbavy

    Sounds, based purely on the article, like yet more "cargo cult science" (based on Feynman's description) as IT security.

    1. Arthur the cat Silver badge
      Unhappy

      yet more "cargo cult science" as IT security

      It's the cheapest and most common form. Sadly.

  5. steelpillow Silver badge
    Facepalm

    "something that sounds a lot like an actual air gap"

    Couldn't have said it better myself. This shattering advance is exactly the precautions I found in use, and helped implement repeatedly, daily for many years in the 1990s and 2000s. Mind you, I never did power stations.

    Oh, the fun when we would find a WiFi hub sneaked into the secure zone for sysadmin's convenience, on the grounds that it was an air gap! Obtaining and installing patches at max speed was the usual excuse, but gaming engines often proliferated on the more favoured workstations...

    1. Arthur the cat Silver badge

      Re: "something that sounds a lot like an actual air gap"

      > Oh, the fun when we would find a WiFi hub sneaked into the secure zone for sysadmin's convenience, on the grounds that it was an air gap!

      To deal with that you install the hungry shark filled tank gap and insist the offending employees test its effectiveness.

    2. nijam Silver badge

      Re: "something that sounds a lot like an actual air gap"

      > something that sounds a lot like an actual air gap

      Ironically, a security technique that is easily bridged by social engineering.

      1. stiine Silver badge

        Re: "something that sounds a lot like an actual air gap"

        Not only social engineering. You forgot to mention simple stupidity and/or negligence.

  6. Mike 137 Silver badge

    Bureaucrats pronounce

    "The artificial air gap created by deploying firewalls"

    As several others have rightly indicated - a firewall is not an air gap.

    However quite a lot of research has found ways of breaching real air gaps (commonly via infiltration of inconspicuous kit) so there is a genuine problem. To quote Major General Jonathan Shaw (Late Head of Cyber Security, MoD) “...about 80 per cent of our cyber problems are caused by what I call poor cyber hygiene.” That's commonly the greatest weakness, both against cyber attack and other accidents, and is how such infiltration takes place.

    All you need is a removable storage device that jumps the gap. A colleague once set up a secure comms unit in a war zone. The red and black systems were the statutory 1 metre apart, but on returning a month or so later he found a USB stick hung from the ceiling between them on a length of elastic.

    1. fandom

      Re: Bureaucrats pronounce

      "he found a USB stick hung from the ceiling between them on a length of elastic."

      The people who have to get the actual job done will find a way to get it done.

      And they are not usually willing to work longer hours they can't afford for "cyber hygiene".

      And yes, many disasters stem from that, but then, how many times has someone here boasted about telling the users 'no, you can't do that'.

      "Life finds a way"

      1. teknopaul

        Re: Bureaucrats pronounce

        That is pretty obscure, obscurity.

  7. Anonymous Coward

    Didn't Work for Iran, did it?

    I think they increased the air gap to a rock gap and the US and Israel spooks still got them!

    The human factor was still there even when that factor may have faced some blood curdling penalties!

    1. Anonymous Coward

      Re: Didn't Work for Iran, did it?

      Didn't MOSSAD manage to cross the air gap to the top Iranian nuke guy using AI and a concealed machine gun?

      1. stiine Silver badge

        Re: Didn't Work for Iran, did it?

        Many times.

  8. a_yank_lurker

    Shysterly Ignorance

    This sounds like something a typical, ignorant shyster over here would write. A lot of nonsense trying to sound impressive. Good security practices are to:

    1. Limit user privileges to what they need and no more.

    2. Properly set up routers, gateways, etc., including any software.

    3. Isolate equipment that does not need to be connected to other systems. Do not fall for the convenience trap of 'gee it would be nice for manglement to monitor remotely' when they will not. Sneaker net is still very useful in many situations.

    4. Keep systems patched especially those that are Internet facing.

    1. Anonymous Coward

      Re: Shysterly Ignorance

      @a_yank_lurker

      Quote: "...Sneaker net is still very useful ..."

      Yup.....true......but BEFORE you plug that USB memory stick into your air-gapped computer, it's always a good idea to be sure that you know what's ALREADY on it! If I remember rightly, someone found a "lost" USB stick in the parking lot and decided to use it "at work".......this is the alleged vector for Stuxnet!!!

  9. Blackjack Silver badge

    I have an idea, why not take things that actually didn't use to need Internet to work, like toasters, and make it so they can work perfectly fine offline?

  10. John Savard

    But

    Hasn't it already been known that actual air gaps aren't secure either, because the little computers inside USB memory sticks can be taken over by hackers?

    Of course, that isn't the only threat. Even if the medium used to transfer program files to an isolated computer is secure, the files, ultimately obtained from the Internet, can, of course, have been corrupted with malware. So going to the trouble of building a "secure" computer that has to be fed data on punched cards, say, is a waste of effort.

    So what should India be doing, then?

    For starters, build their own USB sticks which have validated firmware which cannot be updated externally. That solves one problem.

    Next: have an air gap around the facilities that develop software for their power generation systems. That way you avoid supply-chain attacks.

    And then you use sneakernet to get the software from the developer to the power station.

    The fact that employees will not be able to browse the Internet on their lunch breaks may be viewed as unreasonable hardship. But as long as their work computers don't have USB ports available, they could still browse the Internet on their own smartphones.

    Oh, wait. There's this thing called the COVID-19 pandemic, and so everyone is working from home.

    In that case, you will have to settle for a "virtual air gap", insecure though it may be. However, a more secure virtual air gap is possible. Basically, the work-from-home computer connects to the server through a VPN, but in addition, the work-from-home computer (supplied by the employer, not the employee's home computer) can't connect to the Internet in any other way; it can just use the VPN to go to the office server.

  11. hoola Silver badge

    Hmm

    All well and good but increasingly we are seeing more and more software and hardware that simply will not run if it cannot phone a friend.

    So much now just assumes an Internet connection is available it is ridiculous. Yes you can use proxies and so on but the server or software still needs an Internet connection.

    Then add in where they persist in talking to some dynamically changing collection of AWS buckets or Azure.

    On one hand the threats are constantly becoming more sophisticated yet on the other hand, the software we are obliged to use appears to have more holes and need Internet access to work.

    How about taking some of the cloudy crap out and concentrate on making a core product do what it needs to do, well?

    Never going to happen, because we are in a race to the bottom on quality driven by "Agile" fix-it-later-if-we-remember working practices and interfaces developed with the assumption that an "App" on a mobile phone is all that is required.

    Sorry, like others I have been in this too long and only see increasing quantities of feature-infested shite come out that does nothing properly.
