Accurately reduce and regulate steady or varying inlet pressures and maintain a constant, predetermined maximum outlet set pressure. Offered in spring controlled, air controlled, differential controlled and ultra-pure designs, Plast-O-Matic regulators are consistently recognized as the industry’s top performers for maximum flow with minimal drop-off from set pressure. ½” through 3”; for 4” consult factory.

You can—maybe—one day ensure that your network is truly air gapped. But what will you do when there needs to be an adjustment to the industrial process to improve quality or efficiency by an engineering consultant? Especially if it is to fix a design fault saving millions without causing downtime? What about updates and fixes to software? Remote support? Below are some reasons to consider mitigations or moving away from air gapped networks.

Image

Temporary remote access solutions create a hole through your network which introduces a serious security risk if you’re relying in any way on the air gap for security—and this is usually legitimate and approved access. Unless you do have mitigations in place in your network including firewalls enforcing the right architecture, sandboxing, deception technology, and GRC, this could be a serious threat.

It has now been proven that you can convert ram,and other hardware devices including PLCs into AM Radios to send or receive data. This was proven years ago with ICS equipment at Black-Hat Europe. In 2014, researchers demonstrated "Air Hopper" data exfiltration from an isolated computer without a modem or communications equipment to a nearby mobile phone using FM frequency. In 2015, researchers introduced GSMem, doing the same over cellular frequencies generated by a standard internal bus converting the computer into an antenna. There are now multiple Air Gap covert channels. Below are some examples:

Series PRA/PRAM features two opposing large area frictionless rolling diaphragms. Process pressure is applied to one of the diaphragms; air pressure is applied to the other. Because the air pressure can be maintained with more accuracy than the force provided by a spring, the PRA/PRAM offers greater sensitivity and less variance from set pressure than any thermoplastic pressure regulator previously available. The PRA/PRAM can be used in combination with Plast-O-Matic’s patented Stabilizer which measures downstream liquid pressure and provides continuous feedback control for even greater sensitivity and performance. Molded and machined valves in 1/4″ through 3″ and metric pipe sizes in popular thermoplastic materials with a wide range of connection types. Set range 5-125 PSI. This is a Specialty Custom product; consult factory for availability. Minimum quantities may apply.

Image

Image

Series UPRS Downstream pressure reducing valve features full shutoff design (pressure will not equalize in a no-flow condition) and the ultimate purity levels, as verified by independent test labs. BCF spigots standard; flare, sanitary, and other connection types available. 20 – 63mm sizes; Kynar 740 body. High purity CDB-16 (8 hour hot / 8 hour cold DI rinse) procedure is standard; clean and double bag in class 100 (ISO 5) clean room. Ultimate purity with excellent flow performance; set pressure range 10-100 PSI. Available with or without isolated pressure gauge.

Accurately reduce and regulate steady or varying inlet pressures and maintain a constant, predetermined maximum outlet set pressure. Offered in spring controlled, air controlled, differential controlled and ultra-pure designs, Plast-O-Matic regulators are consistently recognized as the industry’s top performers for maximum flow with minimal drop-off from set pressure. ½” through 3”; for 4” consult factory.

Physical intrusion is usually short, so the attackers will need to deploy or change some physical equipment and introduce malicious file quickly before being caught. Sandboxing and deception technology will mitigate against any malware introduced, while firewalls enforcing network segmentation, application control, and micro-segmentation will limit lateral or horizontal movement of attacker actions.

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

Series UPR Downstream pressure reducing valve features non-shutoff elastomer-free design (pressure will equalize in a no-flow condition) and the ultimate purity levels, as verified by independent test labs. BCF spigots, flare, sanitary, and other connection types available. 1/4″ – 2″ or 20 – 63mm sizes; choice of Kynar 740 or PTFE body. High purity CDB-16 (8 hour hot / 8 hour cold DI rinse) procedure is standard; clean and double bag in class 100 (ISO 5) clean room. Ultimate purity with excellent flow performance; set pressure range 5-100 PSI.

Often employees need access remotely to ICS networks, but are denied due to Air Gap dogma. This often results in “workaround” tactical solutions like mobile wi-fi hotspots to get their work done. These can end up as serious holes in your network. Assessments typically find unauthorized workaround connections in air gapped networks, and without mitigations, these can be serious holes. Control engineers don’t make these connections with malicious intent, it’s typically for operational reasons, but they certainly can be exploited for malicious reasons.

Even official company devices can be compromised when they are connected to the company network—this is how Stuxnet compromised Iran’s air gapped nuclear facilities. Usually and for various reasons, files need to be exchanged with the outside world to get patches and files from vendors or third parties, etc.

Series PR/PRH/PRHM Downstream pressure reducing valve features large area rolling diaphragm, ultra-smooth operation and isolated spring control. Molded and machined valves in 1/4” through 3” (for 4” consult factory) and metric pipe sizes in popular thermoplastic materials with a wide range of connection types. Proven design provides highest flow with minimal pressure droop. While some valves may be limited by size or material, most models provide set range of 10-125 PSI.

Most employees will attempt to connect their devices and peripherals to the network, to charge a mobile phone or transfer files using a USB drive. Some studies show that 60% of employees will insert USB drives even when found on the floor in the car park. If the drive has an official logo on it, it rose to 90 percent. Shockingly, these results are from organizations where ICS operators and staff are trained regularly on cybersecurity awareness.

Critical infrastructure is not only at risk from nation state sponsored attacks, via espionage or malicious insiders—disgruntled, lazy, or fatigued employees can also pose a serious risk. An Air Gap can’t protect against spies, criminals, disgruntled, tired, or lazy staff carrying out dangerous or malicious activities.

A malicious individual with physical access to the air gapped network (external person or internal employee) can insert malicious unseen devices into equipment. Mobile SIM cards and other communication equipment, key loggers, a preloaded RJ45 connected device so small that it is undetected can run a payload through the switch with POE (power over ethernet), or even simply by plugging a malicious laptop into a switch will pose a serious risk.

Series PRD/PRDM is a differential pressure regulator with a port for a downstream pressure sensing line. The sensing line feeds the pressure downstream of the equipment being protected to the top of the spring housing, which assists the spring in keeping the regulator open against the pressure directly at the regulator outlet. When pressure downstream begins to drop (as it would when a filter becomes more and more clogged), the regulator begins to close and becomes fully closed when the differential setting is reached. This assures against overpressure across the equipment. Molded and machined valves in 1/4″ through 3″ and metric pipe sizes in popular thermoplastic materials with a wide range of connection types. Differential set range 5-50 PSI.

By default, connected technologies are increasingly being deployed to ICS networks. Attackers or innocent employees may mistakenly access and enable communication interfaces.

Series PRHU Downstream pressure reducing valve features metal ion-free EPDM large area rolling diaphragm, ultra-smooth operation and isolated spring control. BCF spigots in 1/2″ – 3″ or 20 – 90mm sizes; Kynar 740 body and Class 100 clean/double bag procedure standard. Provides highest flow with minimal pressure droop among high purity regulators; set pressure range 10-125 PSI.

Also ICS staff being tricked into installing malware and compromising the ICS network is a very real and continuous threat. For example, ‘Allenbradleyupdate.zip’ was a ransomware file that was a fake update pretending to be from Rockwell Automation.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

If a OEM/vendor suffers an attack through their supply chain, ICS customers that purchase their equipment will be compromised, too. We have seen such an attack with widespread consequences in the USA in 2021. Again, Sandboxing and Deception technology can help mitigate this kind of attack.

Series PRS patented Stabilizer is used with Series PRA. The Stabilizer reacts to downstream liquid pressure and provides continuous feedback control to the compressed air supply, for even greater regulator sensitivity and performance. This is a Specialty Custom product; consult factory for availability. Minimum quantities may apply.

In theory, an air gap sounds like a good strategy—but it’s not that simple. A common misnomer is to assume that air gapping means that your network has no connections to another network. Assessments often prove that most assumed air gaps aren’t really air gapped.