Thursday, October 18, 2012

Air-Gap Critical Machines Already

We often hear about the prospect of a "cyber-Pearl Harbor."  In such a scenario a malicious actor attacks the power grid or the financial markets and brings America to a halt.  Now a new study shows that hospital computers, even those used in patient monitoring equipment, are riddled with malware.  There's a simple solution to all of these problems: air-gap the critical machines!

In the case of hospitals there is absolutely no reason why Nurse Jones should be able to infect critical patient equipment with malware just because she wants to browse Facebook from her cubicle (on an unpatched Windows XP box running IE6, no doubt) during her lunch break.  If the patient machines were air-gapped, this would not be an issue.

Of course, the hospital will argue that it needs remote access to these machines from within the hospital (say, from a doctor's office down the hall or from the head nurse's desk).  That is easy to achieve without exposing the critical machines to the Internet.  It would be slightly more expensive, but the expense is nothing compared to the lawsuits that failing patient monitoring equipment would surely bring.

One solution is to run two separate networks within the hospital.  The patient monitoring equipment would be connected to the nurse and doctor workstations over its own LAN.  That LAN would have no connection to the outside Internet, wired or wireless.  The other network would give the workstations Internet access, but it would have no path whatsoever to the patient monitoring LAN.  The two networks would be air-gapped, and the topology designed so that cross-contamination is not physically possible: no dual-homed hosts, no shared switches, no bridging between the two.  This is the technique the military uses to keep networks of different classification levels separated, as seen in the image below.

Physical separation of secure government networks.
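The weak point of a two-network design is rarely the diagram; it is the one workstation that quietly ends up with an interface on both networks, or the isolated LAN that acquires a default route to a router it was never supposed to have.  The following is an added example, not code from the original post: a small inventory audit that flags both conditions.  The subnets, host names and routing tables are constructed for illustration; in practice the inventory would come from the hosts themselves (for example the output of `ip addr` and `ip route`).

```python
"""Audit a host inventory for bridges between an isolated LAN and an Internet-facing network.

Added example, not part of the original post.  The two prefixes, the host
names and the routing tables below are constructed assumptions, not real
hospital data.  A host is flagged if it is dual-homed (an address on both
networks) or if it sits only on the trusted LAN yet carries a route to any
destination outside that LAN, which includes a default route.
"""
import ipaddress

# Assumed prefixes: the isolated patient-monitoring LAN and the office network.
TRUSTED_LAN = ipaddress.ip_network("10.50.0.0/16")
OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed inventory.  "via": None means a directly connected route.
INVENTORY = [
    {"host": "monitor-icu-01", "addrs": ["10.50.1.10/16"],
     "routes": [{"dst": "10.50.0.0/16", "via": None}]},
    # A nurse workstation that was plugged into both networks.
    {"host": "nurse-ws-07", "addrs": ["10.50.1.50/16", "192.168.1.50/24"],
     "routes": [{"dst": "10.50.0.0/16", "via": None},
                {"dst": "0.0.0.0/0", "via": "192.168.1.1"}]},
    # A monitor on the trusted LAN that has picked up a default route.
    {"host": "monitor-icu-02", "addrs": ["10.50.1.11/16"],
     "routes": [{"dst": "10.50.0.0/16", "via": None},
                {"dst": "0.0.0.0/0", "via": "10.50.0.1"}]},
    {"host": "office-pc-03", "addrs": ["192.168.1.30/24"],
     "routes": [{"dst": "192.168.1.0/24", "via": None},
                {"dst": "0.0.0.0/0", "via": "192.168.1.1"}]},
]


def networks_of(addrs):
    """Return the set of network labels ('trusted', 'office') a host's addresses fall in."""
    labels = set()
    for a in addrs:
        ip = ipaddress.ip_interface(a).ip
        if ip in TRUSTED_LAN:
            labels.add("trusted")
        if ip in OFFICE_NET:
            labels.add("office")
    return labels


def audit_host(host):
    """Return a list of violation strings for one host; empty means clean."""
    findings = []
    labels = networks_of(host["addrs"])
    if labels == {"trusted", "office"}:
        findings.append("dual-homed: bridges trusted LAN and office network")
    if labels == {"trusted"}:
        # An isolated LAN must have no route off itself.  0.0.0.0/0 is the
        # usual offender, but any destination outside the LAN counts.
        for r in host["routes"]:
            dst = ipaddress.ip_network(r["dst"])
            if not dst.subnet_of(TRUSTED_LAN):
                findings.append(
                    f"trusted-only host has route off the LAN: {dst} via {r['via']}")
    return findings


def audit(inventory):
    """Map each non-compliant host name to its list of findings."""
    report = {}
    for h in inventory:
        findings = audit_host(h)
        if findings:
            report[h["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        for f in findings:
            print(f"{host}: {f}")
```

Run against the constructed inventory, the audit flags nurse-ws-07 as dual-homed and monitor-icu-02 for its default route, and passes the other two hosts.  The check is deliberately topology-blind: it does not try to verify that the two networks share no switch or wireless segment, which is a physical inspection rather than something a host can report about itself.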

Would this require the nurses and doctors to have two separate machines on their desks?  That is the safest way, but it is not the only way.  Another option is to give each workstation two separate domains: one "untrusted" domain for the Internet and non-critical work, and one "trusted" domain for the patient monitoring data.  This can be achieved through virtualization, either by running the two domains as separate operating systems in virtual machines or by using a Mandatory Access Control system (SELinux, for instance) to confine them within a single OS.  Another option is Qubes OS, which enforces domain separation with a hypervisor: one window on the screen belongs to the trusted domain and another to the untrusted one, and neither can interact with the other in any way (unless someone breaks out of the virtual machine, which is possible in theory but still far better than what we have now).  Bear in mind that a shared workstation necessarily has an interface on both networks, so the isolation then rests on the hypervisor or the MAC policy rather than on a physical gap; it is a weaker guarantee than two boxes, which is why two boxes remains the safest way.

These same ideas apply to power plants and other critical infrastructure, but will these simple yet effective ideas be implemented in that sector?  Probably not (or at least not until something bad happens).  Why?  Because it's too simple.  The government would rather award some contractor a few billion dollars to "solve" the problem in some convoluted and ineffective manner.

Of course, it would be great if these critical patient monitoring machines (and, in the case of power plants, the SCADA machines) didn't run Windows.  But, as they say, "it is what it is," and I don't see that changing any time soon.


  1. I've been using AVG protection for a few years; I'd recommend this antivirus to all of you.

  2. One needs to have antivirus on their systems. I have System Center Endpoint Protection, and it is really good at identifying threats to my system.