Skip to main content

When Command & Control Data Demands the Highest Level of Security

When Command & Control Data Demands the Highest Level of Security

We hear about a new data security breach on a weekly basis.

Here are just a few reports from 2017: According to cyber defense firm Cryptonite’s 2017 Healthcare Cyber Research Report, IT/hacking events attributed to ransomware by health care institutions increased by 89 percent from 2016 to 2017. In early March 2018, credit-monitoring firm Equifax uncovered another 2.5 million people exposed by its massive data breach in 2017 bringing the total number to 147.9 million. Yahoo fessed up that 3 billion accounts were hacked in 2013—three times what was first reported. Then there’s just plain sloppiness, such as when a GOP data firm misconfigured a security setting in its cloud storage service exposing nearly 200 million voter records.

It all just makes you #WannaCry.

Mitigating Risk of Data Breaches

The grim reality begs the question: how can we protect the most sensitive data from being breached? First and foremost, don’t connect the computer or group of networked computers containing highly secure data to any other computer or enterprise network—and certainly not to the internet. Enter the air-gapped system. An air-gapped system, such as that used in many military and highly classified situations, may be the most secure. The system is not connected to the outside, and it is physically isolated from the intranet. It is also limited to one or a few connected computers containing data. An air-gapped architecture isolates computers and servers, protecting them from tampering or malware while allowing control by remote operators.

Some air-gapped security systems are even designed to separate control room operators from the systems they control.

Protecting the Air Gap

While the air-gapped approach is the best first defense, it is humans who seek to breach. Additional measures can be taken to prevent this.

Beware the USB device. According to an article in the IEEE Spectrum, in June 2010 the Stuxnet Worm infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. Stuxnet entered the systems via a USB stick and proceeded to infect all machines running Microsoft Windows. It is reported but not confirmed that Stuxnet destroyed some of Iran’s centrifuges.

Instituting best practices for use of mobile devices, USB thumb drives, and removable media security is highly recommended for organizations wanting to protect any level of data.

The National Institute of Standards and Technology's (NIST) issued its own policies and technical requirements on USB thumb drive security, which was furnished to other federal agencies. Tops on the list is that all personally owned removable media is banned from use.

When data does need to be stored on removable media, NIST has a strict mobile device encryption policy. In addition, a removable media disposal procedure was implemented.

There are several more levels of protection, such as a cage that prevents electromagnetic radiation (EMR) from escaping air-gapped equipment, and solutions that prevent key strokes or screen images from being intercepted.

While not necessarily a matter of national security, I think I’ll write a letter to my senator suggesting a few cages are ordered to prevent our personal information being compromised over and over again.

Cindy Davis is the contributing editor of AV Technology.

Cindy Davis is the brand and content director of AV Technology. Davis enjoys exploring the ethos of experiential spaces as well as diving deep into the complex topics that shape the AV/IT industry. In 2012, the TechDecisions brand of content sites she developed for EH Publishing was named one of “10 Great Business Media Websites” by B2B Media Business magazine. For more than 20 years, Davis has developed and delivered multiplatform content for AV/IT B2B and consumer electronics B2C publications, associations, and companies. From 2000 to 2008, Davis was the publisher and editor-in-chief of Electronic House. From 2009 to present, as the principal of CustomMedia.Co, Davis developed content plans and delivered content for associations such as IEEE Standards Association and AVIXA, content marketing for Future Plc, and numerous AV/IT companies. Davis was a critical member of the AVT editorial team when the title won the “Best Media Brand” laurel in the 2018 SIIA Jesse H. Neal Awards. A lifelong New Englander, Davis makes time for coastal hikes with her husband, Gary, and their Vizsla rescue, Dixie, sailing on one of Gloucester’s great schooners, and sampling local IPAs.