A lot has been written about Stuxnet, one of the big revelations was the malware had jumped an air-gap. The on-going debate is whether air-gaps work, or would joining the networks in a controlled way REDUCE the vulnerability.
A recent article in the NY Times claims:
The vast majority of targeted computer attacks now start with a malicious e-mail sent to a company employee. Now evidence suggests that the same technique could be used to attack watersheds, power grids, oil refineries and nuclear plants.
This cannot be allowed to happen, here I explore the issue in a little more detail.
Nexor have just released a briefing paper Air-Gaps, Firewalls and Data Diodes in Industrial Control Systems looking the issues around segregating industrial control system networks. What works best: Air Gaps, Firewalls or Data Diodes?