Mind the Air Gap: Pros and Cons of Network Separation
The Singaporean Government recently completed the task of disconnecting staff computers at public healthcare facilities from the internet.
Disconnecting the staff computers from the internet, also known as internet surfing separation, network separation or air-gapping, is aimed at preventing cyberattacks, Singapore’s Deputy Prime Minister Teo Chee Heansaid at an engineering conference.
The announcement of air-gapping or network separation at the public healthcare facilities in Singapore came on the heels of a major cyberattack at the Singapore Health Services (SingHealth), the country’s largest group of healthcare institutions.
Singapore’s Ministry of Health, in a statement, said, non-medical personally identifiable information of more than 1.5 million patients who visited SingHealth’s outpatient clinics and polyclinics from May 1, 2015 to July 4, 2018 were illegally copied and transferred. The stolen non-medical personally identifiable information include name, National Registration Identity Card (NRIC) number (a unique 9-character alphanumeric code found on the NRIC issued by the Government of Singapore to citizens and permanent residents), address, gender, race and date of birth.
According to the Ministry of Health, medical information, specifically medicines dispensed, of more than 160,000 patients who visited SingHealth’s outpatient clinics and polyclinics for the same period were illegally copied and transferred. Among those non-medical personally identifiable information and outpatient dispensed medicines illegally copied and transferred by cyberattacks belong to Singapore’s Prime Minister Lee Hsien Loong.
The statement from the Ministry of Health didn’t mention who were behind the attack or how did the attackers access the data.
What Is Air Gapping?
Air gapping, also known as internet surfing separation or network separation, is the practice of isolating computers used by staff, which are connected to an internal network, from establishing a connection to the internet. It’s called air gapping as it promises that cyberattackers can’t cross the “air gap” to reach their target.
The practice of air-gapping has been in place in Singapore’s public sector since 2016. This practice, however, hasn’t been implemented in Singapore’s public healthcare facilities.
Since 2016, Singapore’s civil servants, including top government officials (though not including the staff at public healthcare facilities), haven’t been able to access the internet using government’s computers. Singapore’s air-gapping policy, however, allows civil servants to surf the internet using agency-issued (but not connected to an internal network) devices or separate personal devices.
Pros and Cons of Air Gapping
In the case of Singapore, air gapping “would have disrupted the cyber kill-chain for the hacker and reduced the surface area exposed to attack,” Singapore’s Deputy Prime Minister Teo Chee Hean said.
In air gapping, no internet connection is seen as more secure than a secure internet connection. The idea behind air gapping is to leave no windows or doors open and for cybercriminals to have no way of accessing and exfiltrating data.
Air gapping has the following disadvantages:
1. Air gapping diminishes productivity.
Even the Singapore’s Ministry of Health acknowledged that air gapping has its disadvantages. In a statement, the Ministry of Healthsaid, “There will be some inconvenience for patients and healthcare staff, as a result of the unavailability of some IT system connections that require the internet.”
Singapore’s public healthcare institutions rely on accessing other systems through the internet. These include reading of diagnostic reports from laboratories, video consultation and tele-rehabilitation, birth and death registration, referrals to our private sector partners, and the payments and claims systems.
“As a result, patients may experience a longer wait for consultations and to receive their test results, as well as delays in checking their MediSave accounts or making their claims,” the Ministry of Health said.
Critics of Singapore’s air gapping policy have viewed the move as a backtrack for an advanced city-state that has adopted the term “smart nation”.
2. Air gapping requires costs of implementation and maintenance.
The physical isolation of sensitive networks from the internet comes with a cost. Standalone servers, routers, switches and management tools are required for air gapping. Software maintenance for these standalone servers is also more time-consuming.
3. Air gapping is not 100% secure from attacks.
Another argument against air gapping is that it isn’t foolproof. Being isolated from the internet means that mundane security tools such as patches can’t be done.
The physical isolation of sensitive networks from the internet doesn’t guarantee 100% protection, for instance, from insider threats or from malicious USBs.
The classic example of an attack against an air-gapped network was that of the attack that wreaked havoc on centrifuges used at a uranium enrichment plant in Iran back in 2010. The attackers of the Iranian uranium enrichment plant used the Stuxnet, a malicious software (malware) that spreads from one computer to another via infected USB sticks.
Another malware designed to infiltrate air-gapped networks is Brutal Kangaroo, a malware believed to be developed by the US Central Intelligence Agency (CIA). Similar to Stuxnet, Brutal Kangaroo spreads from one computer to another via infected USB sticks.
Air gapping or network separation has its advantages and disadvantages. It has its place in every organization as one of the cybersecurity measures. For instance, your organization’s trade secret has to be secured in a computer or network that’s not connected to the internet. Computer or network isolation, however, isn’t enough as a cybersecurity measure.
Another preventive measure, in addition to air-gapping is by encrypting the data stored in the isolated computer or network so that malicious insiders or attackers using malicious USBs won’t be able to make use of your organization’s data as it’s encrypted.
Contact us today at 416-920-3000, if you need assistance in air gapping or isolating your organization’s network from the internet, as well as securing this network.