While air-gaps are a good conceptual solution, in practice they are very hard to achieve beyond Schneier's single-PC example. There is nearly always a backdoor to be found somewhere that an attacker can exploit.
Opinion is divided, as can be seen from various discussions about air-gaps, on how to solve the problem if you do need true network separation. A report attributed to NIST suggests that when industrial control systems claiming to be air-gapped were investigated, they were found to have on average seven connections.
My perspective is that the various backdoors are typically there because someone or some process needed access for an ad-hoc purpose, most often remote maintenance.
The problem arises because the person or process has a genuine need, the front door is shut, so they implement a backdoor. I therefore argue that it makes better sense to have a controlled front door, through which legitimate access can be granted to a specific business process, for a specific purpose, on an as-needs basis, and then closed again. If the security assurance of the perceived air-gap is genuinely needed, another option to consider is a data diode, which physically ensures that data can only flow one way. Note the consequence: with no return channel there are no acknowledgements or retransmissions, so anything sent across the diode needs its own sequencing and integrity checks rather than a two-way protocol.
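The following is an added example, not code from the original post and not a description of any particular product. It models the "controlled front door" in Python: access is granted only to a named business process, from a specific source range to one destination and port, with a named approver and a hard expiry; everything else is denied by default and every decision is logged. The process and approver names, the addresses, the eight-hour cap on a grant and the /24 limit on source ranges are all assumptions chosen for illustration.

```python
"""A controlled 'front door' for an otherwise isolated network.

Added example, not code from the original post: a small access broker that
grants a named business process time-bounded access to one destination
and port, denies everything else by default, and keeps an audit trail.
All names, addresses and requests below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class Grant:
    process: str                         # business process that justified the access
    source: ipaddress.IPv4Network        # who may connect (must be a specific range)
    destination: ipaddress.IPv4Address   # the one host they may reach
    port: int                            # the one service on that host
    approver: str                        # person who approved it
    expires_at: datetime                 # hard expiry; no open-ended access


MAX_TTL = timedelta(hours=8)             # policy assumption: one shift at most


class FrontDoor:
    def __init__(self):
        self.grants = []   # live grants (expired ones are pruned on each check)
        self.audit = []    # one line per grant and per access decision

    def grant(self, process, source, destination, port, approver, ttl, now):
        """Record an approved, bounded access. Raises on policy violations."""
        src = ipaddress.IPv4Network(source, strict=False)
        if src.prefixlen < 24:
            raise ValueError("source range too broad; name the maintenance hosts")
        if not approver:
            raise ValueError("access needs a named approver")
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            raise ValueError(f"ttl must be positive and at most {MAX_TTL}")
        g = Grant(process, src, ipaddress.IPv4Address(destination), int(port),
                  approver, now + ttl)
        self.grants.append(g)
        self.audit.append(f"{now.isoformat()} GRANT {process} {src}->{g.destination}:{port} "
                          f"by {approver} until {g.expires_at.isoformat()}")
        return g

    def check(self, process, src_ip, dst_ip, port, now):
        """Default deny: True only if a live grant matches every field."""
        src = ipaddress.IPv4Address(src_ip)
        dst = ipaddress.IPv4Address(dst_ip)
        self.grants = [g for g in self.grants if g.expires_at > now]  # prune expired
        allowed = any(g.process == process and src in g.source and g.destination == dst
                      and g.port == port for g in self.grants)
        self.audit.append(f"{now.isoformat()} {'ALLOW' if allowed else 'DENY'} "
                          f"{process} {src}->{dst}:{port}")
        return allowed


def demo():
    """Constructed scenario: a vendor's two-hour remote maintenance window."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    door = FrontDoor()
    door.grant("turbine-vendor-maintenance", "203.0.113.0/28", "10.10.0.5", 22,
               approver="ops-manager", ttl=timedelta(hours=2), now=t0)
    one_hour_in = t0 + timedelta(hours=1)
    results = {
        # inside the window, from the named range, to the named host and port
        "in_window": door.check("turbine-vendor-maintenance", "203.0.113.7",
                                "10.10.0.5", 22, one_hour_in),
        # same vendor trying a service that was never approved
        "wrong_port": door.check("turbine-vendor-maintenance", "203.0.113.7",
                                 "10.10.0.5", 3389, one_hour_in),
        # an address outside the approved range
        "other_host": door.check("turbine-vendor-maintenance", "198.51.100.9",
                                 "10.10.0.5", 22, one_hour_in),
        # a valid request, but after the grant has expired
        "expired": door.check("turbine-vendor-maintenance", "203.0.113.7",
                              "10.10.0.5", 22, t0 + timedelta(hours=3)),
    }
    return results, door.audit


if __name__ == "__main__":
    results, audit = demo()
    print(results)
    print("\n".join(audit))
```

The point of the model is that the fourth check fails on its own: the maintenance window closes without anyone remembering to remove a rule, which is exactly the failure mode that leaves "temporary" backdoors in place for years. In a real deployment the `grant` call would push a rule to the perimeter device and the expiry would remove it; the audit list stands in for the log you would ship to your SIEM.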
Subsequently, articles such as "Air gaps: Happy gas for infosec or a noble but inert idea?" show how even an air-gap with a properly controlled front door can be bypassed by side-channel attacks. But I note that for these to succeed you first need to get malware onto the air-gapped machine and usually have a receiver in close proximity, i.e. once the system is already compromised, it can be exploited. This only confirms that an air-gap does not remove the need for good cyber-hygiene on the air-gapped system itself.
This does not mean air-gaps are ineffective; it just means that a suitably well-motivated and well-resourced adversary can defeat your defences. There are no perfect solutions. The critical thing is to know what you are protecting, who you are protecting it from, and to have a way of assessing the residual risk. In that context air-gaps can be an effective defence, as can data diodes.
(The first half of this post originally appeared as comments to a blog article by Rob Ellison)