On 12/3/20 3:45 PM, Phillip Hallam-Baker wrote:
For that matter not even "air gapped" networks are really safe. There's
almost always some laptop or other that occasionally connects to such
networks, and malware can creep in that way.
There are viable controls but they are very expensive. At VeriSign we constructed a tier 6 SOC and kept the machines that perform offline operations in a very pricey safe along with the HSMs (see the CPS which documents all of that).
Yes but this is a far cry from the typical "air gapped" LAN which is an Ethernet switch or WiFi access point that just doesn't happen to have an upstream link (most of the time).
And for most sites the kinds of measures you employed at VeriSign (glad you did!), or really anything more than perhaps an extra lock on the gate or door, would be prohibitively expensive.
I know of sites that are part of critical infrastructure, on
concrete pads in the middle of nowhere, surrounded by a chain link
fence (if that). The fence is just to keep the nearby cows out.
Keith