
By Leon Poggioli
A scathing investigation into the littoral combat ship USS Manchester recently revealed that senior Chiefs had conspired to secretly install an unauthorised Starlink Wi-Fi network on the ship, in order to get around the prolonged loss of internet connectivity that is part and parcel of being deployed on a Navy ship.
Internet access is highly restricted on Navy ships for a variety of reasons, with one of the most important being operational security. By isolating a device or group of devices from connectivity outside of the network, the Navy is preventing any data from entering or exiting their environment – an approach known as “air gapping”. When done properly, air gapping is very effective in securing the network from potential cyber threats. However, the air gap only works if the network is 100% sealed. Just one external connection – in this case, a secret Wi-Fi network installed by crew members – is enough to break the seal and potentially open the network up to a whole host of cyber threats.
Air gapping is especially critical when the Navy (or other Defence personnel) are deployed in areas of the world where there is heightened political tension, and therefore greater cyber risk from nation-state actors. In this case, the USS Manchester was deployed in the West Pacific, where the US is experiencing strong political tension with China.
The US Navy didn’t locate and remove the secret Wi-Fi network for months. And that whole time, they believed their networks were properly air-gapped. A simple Wi-Fi network, which may have seemed harmless to the personnel on board, carried very serious repercussions for the security of the ship – and there is an important lesson the broader Defence and Critical Infrastructure sectors must take away from this.
Without proper monitoring and visibility into all connected assets on the network, the only thing an air gap achieves is a false sense of security.
Therefore, the first step in fortifying air-gapped networks is gaining improved visibility – which is often challenging in operational technology (OT) environments. After all, you can’t protect what you can’t see, which means Defence organisations need total visibility into every connected asset on their networks.
To achieve this – and leave no asset under the radar – Defence organisations first need a comprehensive understanding of proprietary protocols. Operational Technology (OT), Building Management Systems (BMS), and other cyber-physical assets rely on legacy proprietary protocols that do not work with general security tools designed for simpler and more modern IT environments, leaving those assets undetectable to such tools. A typical Defence environment could involve hundreds of these proprietary protocols. To properly safeguard Defence networks, security tools must be able to recognise protocols used across all OT, BMS, IoT, and other XIoT assets.
Beyond simply being able to recognise these proprietary protocols, security tools must also be able to analyse how and when these assets communicate, their connectivity paths, the processes they support, and their role within your environment’s topology. This foundational knowledge is crucial for flagging any unusual or suspicious activity on the network that could indicate a cyber attack, or in the case of the USS Manchester, negligent practices by internal staff.
Most Defence and critical infrastructure environments will feature a varied mix of both new and legacy devices that operate and communicate in different ways, spread across multiple physical locations. Unfortunately, not every security tool can provide the optimal level of visibility for these unique environments while maintaining the integrity of the network.
Organisations have historically relied on air gapping to protect their OT environments from cyberattacks. While this can still be a valid approach in some cases, these networks require consistent monitoring to validate the integrity of the air gap. Without monitoring and assurance of critical OT networks, air gaps simply provide a false sense of security. Given the increasing interconnectivity of today’s technology, air gapping is becoming a less effective method, and should not serve as the sole cybersecurity strategy in Defence and other critical infrastructure environments. It should be paired with other forms of cybersecurity to be truly effective.
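The monitoring the article calls for – knowing which assets are on the isolated network, how and when they communicate, and whether anything ever crosses the boundary – can be illustrated with a small passive-monitoring check. The following is an added example written for this page, not code from the author or from Claroty. It assumes a constructed approved-asset inventory keyed by MAC address, an assumed isolated address range of 10.20.0.0/16, and constructed flow records of the kind a passive network sensor would export (the MACs, IPs and the 203.0.113.10 “external” address are all made up for the example). It flags three conditions: a device not in the inventory, a known device using a protocol/port outside its baseline, and any flow at all to an address outside the isolated range, which is exactly what an unauthorised uplink would produce.

```python
import ipaddress
from collections import Counter

# Constructed approved-asset inventory for the isolated network (assumed format):
# MAC address -> role and the (protocol, destination port) pairs it is expected to use.
BASELINE_ASSETS = {
    "00:11:22:aa:bb:01": {"role": "PLC", "expected": {("tcp", 502)}},                   # Modbus/TCP
    "00:11:22:aa:bb:02": {"role": "HMI", "expected": {("tcp", 502), ("tcp", 44818)}},   # Modbus/TCP, EtherNet/IP
    "00:11:22:aa:bb:03": {"role": "BMS", "expected": {("udp", 47808)}},                 # BACnet/IP
}

# The address space that is supposed to be the entire isolated network (assumed).
ISOLATED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records as a passive sensor might export them:
# (source MAC, source IP, destination IP, protocol, destination port)
SAMPLE_FLOWS = [
    ("00:11:22:aa:bb:02", "10.20.1.20", "10.20.1.10", "tcp", 502),     # HMI polls PLC: normal
    ("00:11:22:aa:bb:03", "10.20.2.5", "10.20.2.6", "udp", 47808),     # BMS controller traffic: normal
    ("a4:5e:60:00:00:99", "10.20.1.77", "203.0.113.10", "tcp", 443),   # unknown device reaching outside
    ("00:11:22:aa:bb:02", "10.20.1.20", "10.20.1.10", "tcp", 22),      # HMI using a port not in its baseline
    ("00:11:22:aa:bb:01", "10.20.1.10", "10.20.1.20", "tcp", 502),     # PLC answering the HMI: normal
]


def is_internal(ip_str, isolated_nets=ISOLATED_NETS):
    """True if the address lies inside the network that is supposed to be air-gapped."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in isolated_nets)


def analyse_flows(flows, baseline=BASELINE_ASSETS, isolated_nets=ISOLATED_NETS):
    """Return a list of findings; each is a dict with 'kind', 'mac' and 'detail'."""
    findings = []
    for src_mac, src_ip, dst_ip, proto, dport in flows:
        asset = baseline.get(src_mac)
        # 1. A device that is not in the approved inventory is talking on the network.
        if asset is None:
            findings.append({"kind": "unknown_asset", "mac": src_mac,
                             "detail": f"{src_ip} is not in the approved inventory"})
        # 2. Any flow leaving the isolated address space means the air gap is not sealed.
        if not is_internal(dst_ip, isolated_nets):
            findings.append({"kind": "air_gap_breach", "mac": src_mac,
                             "detail": f"{src_ip} -> {dst_ip} {proto}/{dport} leaves the isolated network"})
        # 3. A known asset using a protocol/port outside its recorded behaviour.
        elif asset is not None and (proto, dport) not in asset["expected"]:
            findings.append({"kind": "unexpected_service", "mac": src_mac,
                             "detail": f"{asset['role']} {src_ip} -> {dst_ip} {proto}/{dport} not in baseline"})
    return findings


def summarise(findings):
    """Count findings by kind, e.g. {'unknown_asset': 1, 'air_gap_breach': 1, ...}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    results = analyse_flows(SAMPLE_FLOWS)
    for f in results:
        print(f"[{f['kind']}] {f['mac']}: {f['detail']}")
    print(summarise(results))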
(NOTE: Leon Poggioli is ANZ Regional Director at Claroty.)