Air Gap - Physische Netzwerkisolierung für hochsichere Systeme

Air Gap refers to the physical and logical isolation of a computer system or network from insecure networks such as the Internet or a corporate LAN. An air-gapped system has no network connection—neither wired nor wireless. Data can only be exchanged via physical media (controlled, often prohibited) or special hardware interfaces.

Air Gap Concept and Areas of Application

High-Security Areas

Nuclear weapons systems and military command systems
Nuclear facilities (uranium enrichment, reactor control)
Classified government networks (Top Secret / SCI)
Voting systems (voting computers in some countries)

Industrial Control Systems (SCADA/ICS)

Power supply control centers
Water treatment plants
Chemical plants (explosion/disaster protection)
Gas distribution

Financial Sector

Cold storage for cryptocurrencies (offline wallets)
High-security CA root keys (Certificate Authority)
HSM key material for critical systems

The Reality of Physical Air Gaps

> A true air gap is extremely complex to operate.

Unresolved Issues with Air Gap Operations:

How do software updates get in? (USB risk!)
How do logs/monitoring data get out?
How is data exchanged with the outside world?

This is why air-gap solutions are often compromised:

USB: controlled, but a risk (Stuxnet!)
One-way data diodes: data out, nothing in (Waterfall Security)
USB whitelisting: only known, verified USB devices
Manual data transfer: paper, printed reports

Stuxnet: The first known air-gapped attack

Target: Iranian nuclear program (Natanz uranium enrichment facility) Air-gap: Control computers completely disconnected from the internet

Chain of attack:

Infection: Stuxnet-infected USB drive in supplier network
Autorun on Windows (CVE-2010-2568, LNK vulnerability)
Propagation: Stuxnet replicates to all USB drives on the network
3 months later: infected USB drive enters the Natanz network
Stuxnet detects Siemens S7-315 controllers + specific frequency converters
Payload: Centrifuges spin too fast/slow → mechanical destruction
Camouflage: SCADA software displays normal values while the attack is underway

Technical Brilliance:

4 zero-day exploits simultaneously (unprecedented!)
Stolen code-signing certificates (Realtek, JMicron)
PLC rootkit (never seen before!)
Years of sabotage without detection

Lessons:

Air gap ≠ security if removable media are allowed
Supply chain attack: infect suppliers rather than the target directly
Insider threat: Person unintentionally brings in a USB drive

Additional air-gap attack vectors

Acoustic channels

Fansmitter (2016, BGU):

Malware on an air-gapped PC controls CPU load → fan speed
Fan noise varies → data encoded in frequency
Smartphone 8 m away: Microphone receives → decodes data
Transfer rate: ~900 bits/min (very slow, sufficient for key exfiltration)

DiskFiltration (2017):

Positioning hard drive read heads → vibration noise
HDD noise as data channel (SSD: no noise!)

Electromagnetic Channels

USBee (2016):

USB cable as antenna: Software emits electromagnetic radiation
Software-Defined Radio (SDR) receives at a distance of 10 m
Transfer rate: ~80 bit/s

TEMPEST / Van Eck Phreaking:

CRT/LCD monitors emit electromagnetic radiation
Remote reconstruction of screen content
NSA TEMPEST standards protect against this (shielded cables, rooms)

Optical Channels

LED-it-GO:

HDD LED flashes data (when malware controls hard drive access)
Camera from 100m away: LED flashing pattern → data
Effective against all laptops with visible LEDs

aIR-Jumper:

Infrared LEDs (often built into surveillance cameras)
Camera with IR LED = data transmitter (IR is invisible!)

Thermal attacks

BitWhisper (2015):

Two computers without a network connection, but located close to each other
CPU load generates heat → thermal sensor of the neighboring system
Very slow (~8 bits/hour)

Implications for Air-Gap Design

No USB: Physically block or disable USB ports
No smartphones: Electronics-free zones around air-gap systems
Faraday cage: Electromagnetic shielding of the room
No visible LEDs (or cover them)
No cables crossing the air-gap boundary

Practical Air-Gap Implementation

Actual Requirements

Physical separation: no Ethernet cables, no Wi-Fi adapters
USB deactivation: BIOS/UEFI level, epoxy in USB ports
Optical drives: read-only (CD-ROM) only, or disabled
Bluetooth/Wi-Fi chips: physically removed or disabled
Keyboard/mouse: PS/2 instead of USB (or dedicated, certified hardware)

Data Injection (Data INTO the system)

Data diode (single direction): enables one-way data flow
Verified USB process: hash verification, antivirus, approval
Paper → handwritten transcription: extreme, but secure
Optical data diode: laser transmits, no reception possible

Data outflow (data FROM the system)

Data diode (reverse): Logs and monitoring data out
Printer: Print results

Data diodes (Waterfall Security, Owl Cyber Defense)

Hardware solution: physically only one direction possible (optical)
Data can flow FROM secure to insecure zone (logs/monitoring)
Return channel: physically not possible
Application: energy utilities, military

Root CA Air Gap

Root CA keys NEVER connected to the internet:

Offline CA system for root certificate signing
Public certificate: issued and copied forward
Private key: remains on air-gapped system in a safe
Ceremony: formal CA key ceremony with witnesses

Air-Gap vs. Segmentation

Feature	Air Gap	Segmentation	Zero-Trust
Network	No connection	Firewall/VLAN	Least privilege
Connectivity	Physically separated	Logically separated	Per session
Data transfer	Manual/diode	Filtered	Controlled
Operational overhead	Very high	Medium	High
Protection	max. (physical)	high (logical)	high (IAM)
Attacks	USB, EM, acoustic	Pivoting	Cred. Theft
Deployment	Critical Infrastructure, Military	Standard IT	Cloud/Remote

When to choose what

Air Gap: Regulatory requirement, extreme threat situation
Segmentation: Standard corporate network (IT/OT separation!)
Zero-Trust: Cloud environments, remote work
Hybrid: OT network air-gapped + IT network zero-trust (common!)