For every problem there is a solution that is simple, neat—and wrong.
In the wake of the ransomware attack against the Information Technology (IT) systems of the company that operates the Colonial Pipeline, and its decision to shut down pipeline operations, there has been a vigorous discussion about “air gapping” Operational Technology (OT) systems.
Before going further, let’s take a few moments to unpack the definition of an IT system vs. an OT system.
As a general matter, IT systems are the collection of computers (and software) that handle email, office productivity, billing, accounting, and payroll, to name a few examples. In recent years, many of these IT systems have moved from being physically located at corporate headquarters to various cloud service providers. These functions still run on computers, but not your computers.
In contrast, OT systems, which can include Industrial Control Systems (ICS), are a collection of computers, software, and special-purpose devices that “do” things in the real world, such as open or close valves, operate conveyor belts, or fill vials with medicine, to name just a few examples. OT systems are used in manufacturing plants, petrochemical refineries, oil drilling rigs, car assembly plants, and electricity generating units, including nuclear-powered generators.
If IT systems are damaged or disabled by ransomware, there can be many problems, including downtime, extra expenses, and unhappy customers. In contrast, if OT systems are damaged or disabled by ransomware, high-pressure containers of toxic materials can burn or explode, factory automation devices can malfunction and injure or kill nearby personnel, gasoline that should flow through a pipe can be stopped, or, worse yet, gasoline that should not flow, or should not be permitted to interact with other chemicals, can be released. Disruption of OT systems can lead to catastrophic property damage and even potential mass-casualty events.
So back to the controversy concerning having an “air gap” between IT and OT systems:
On May 12, 2021, Nicole Perlroth (@nicoleperlroth), New York Times journalist and author of "This Is How They Tell Me the World Ends", wrote on Twitter:
ONE WORD: AIRGAP.
If Colonial Pipeline had confidence in their IT/OT airgap, they wouldn't have had to shut down the pipeline and we wouldn't be seeing panic buying at the pump.
IT'S THE BASICS, STUPID.
This tweet was greeted with both outrage and agreement (as is often the case with social media). So rather than hurling invectives, I thought it would be far better to share a very interesting and nuanced post by Joe Słowik (@jfslowik). In this piece [Mind the (Air) Gap], he describes the operational and business drivers behind connections between IT systems and OT systems. Joe also gives examples of the rare but real cases of "air gapped" systems. One conclusion that can be drawn from his article is that even in the uncommon scenario where an actual air gap exists, people and processes can still cause data and programs (potentially malicious ones included) to move between “air gapped” systems.
The post is worth your time to read; I think you will come away with a greater appreciation of the challenges of separating OT systems from classic IT systems.