
> why is this not used in conflicts to devastating effect?

The systems with devastating impact are air-gapped. They're designed, audited, validated and then never touched again. Ports are disabled by cutting the traces on the motherboard and adding tamper protection to the case, which is in a secure facility protected by vetted people with guns, who are in a security facility protected by different vetted people with guns.

No system is perfect, but the time and effort are better spent on the generic case that the military understands well.



> The systems with devastating impact are air-gapped.

You wish. More often than not the people building these think they are very clever by using their bulletproof firewalls rather than a physical disconnect. Or SLIP over a serial port, because for some reason serial ports are fine.

I've seen this kind of crap in practice in systems that should be air-gapped, that they said were air-gapped, but that in fact were not air-gapped.


If I had a dollar for each time I was told that they would get me a firewall exception to get to the air-gapped system...

It does make it much easier to do stuff, but it kinda defeats the purpose.


And a firewall is not an airgap.

And a WiFi connection even though it goes 'through the air' is not an airgap.

The same for BT and any other kind of connectivity.

An airgap is only an airgap if you need physical access to a device to be able to import or export bits using a physical connection, and the location of the device is secured by physical barriers. Preferably a building that is secure against non-military wannabe intruders.


> firewall exception to get to the air gapped system

Any system accessible with a firewall exception is not "air-gapped" by definition.

A level below that is diode networks, which are not air-gapped but provide much stronger system isolation than anything that is accessible with a "firewall exception".

Far below either of these is vanilla network isolation, which is what you seem to be talking about.


> Any system accessible with a firewall exception is not "air-gapped" by definition.

I completely agree. Maybe I should have put "air-gapped" in quotes.


Diode networks can be - and have been - used to exfiltrate data though.


Definitely! I've worked on the design of these types of systems, there is more subtlety to the security models than people assume. Some of the designs in the wild have what I would consider to be notable weaknesses.

The most interesting subset of these systems are high-assurance bi-directional data paths between independent peers that are quasi-realtime. Both parties are simultaneously worried about infiltration and exfiltration. While obviously a misnomer, many people still call them diodes...

The entire domain is fascinating and less developed than you would think.
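A toy one-way (diode-style) framing protocol, added here as an illustration and not the poster's own code or any real product's design: because the receiving side has no return path, it cannot ack or ask for a resend, so every frame carries its own sequence number, transfer size and SHA-256, and the only countermeasure against loss is to send each chunk more than once. The frame layout, function names and the sample message are all assumptions made for this example.

```python
import hashlib
import struct

# Added example (not from the thread): a toy one-way "data diode" framing protocol.
# The receiver has no return path, so it cannot ack or request a resend. Each frame
# therefore carries its own sequence number, the total count, and a SHA-256 over
# header+payload; loss is covered only by sending every chunk more than once.

MAGIC = b"DIOD"                  # assumed magic value for this example
HEADER = struct.Struct(">4sII")  # magic, seq, total
DIGEST_LEN = 32


def encode_frame(seq: int, total: int, payload: bytes) -> bytes:
    """Frame = header || payload || sha256(header || payload)."""
    header = HEADER.pack(MAGIC, seq, total)
    return header + payload + hashlib.sha256(header + payload).digest()


def decode_frame(frame: bytes):
    """Return (seq, total, payload) for an intact frame, or None if any check fails."""
    if len(frame) < HEADER.size + DIGEST_LEN:
        return None
    header = frame[:HEADER.size]
    body = frame[HEADER.size:-DIGEST_LEN]
    digest = frame[-DIGEST_LEN:]
    if hashlib.sha256(header + body).digest() != digest:
        return None
    magic, seq, total = HEADER.unpack(header)
    if magic != MAGIC or seq >= total:
        return None
    return seq, total, body


def send(data: bytes, chunk_size: int = 4, redundancy: int = 2) -> list:
    """Split data into chunks and emit every frame `redundancy` times: with no
    return path this is the only loss countermeasure the sender has."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    total = len(chunks)
    frames = []
    for _ in range(redundancy):
        frames.extend(encode_frame(i, total, c) for i, c in enumerate(chunks))
    return frames


def receive(frames) -> dict:
    """Reassemble whatever arrived. Duplicates are harmless; gaps and rejected frames
    are reported rather than re-requested, because there is nothing to request with."""
    got, total, rejected = {}, None, 0
    for f in frames:
        decoded = decode_frame(f)
        if decoded is None:
            rejected += 1
            continue
        seq, t, payload = decoded
        if total is None:
            total = t
        elif t != total:  # frame from another transfer, or tampered header
            rejected += 1
            continue
        got.setdefault(seq, payload)  # first intact copy wins
    if total is None:
        return {"data": None, "missing": None, "rejected": rejected}
    missing = [i for i in range(total) if i not in got]
    data = b"".join(got[i] for i in range(total)) if not missing else None
    return {"data": data, "missing": missing, "rejected": rejected}


def drop(frames, indices) -> list:
    """Constructed lossy channel: silently discard the frames at the given positions."""
    dropped = set(indices)
    return [f for i, f in enumerate(frames) if i not in dropped]


def corrupt(frame: bytes, pos: int) -> bytes:
    """Constructed fault: flip one byte of a frame (header, payload or digest)."""
    b = bytearray(frame)
    b[pos] ^= 0xFF
    return bytes(b)


if __name__ == "__main__":
    msg = b"export this to the low side"  # constructed sample payload, 7 chunks of 4
    frames = send(msg, chunk_size=4, redundancy=2)
    print(receive(frames))                      # clean link: full message reassembled
    print(receive(drop(frames, [1])))           # first copy of chunk 1 lost: still recovered
    print(receive(drop(send(msg, 4, 1), [1])))  # same loss without redundancy: chunk 1 missing
    print(receive([corrupt(frames[0], 5)]))     # flipped header byte: frame rejected
```

Note what this protocol does not do: nothing on the receiving side inspects or filters the payload, and nothing can stop the sending side from framing whatever it likes. The direction constraint is real, but anything already on the sending side can still push bytes through, which is the exfiltration point raised upthread.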


And even if you do get it right, there is always that one guy that takes a USB stick and plugs it into your carefully air-gapped systems. And cell modems are everywhere now, and so small even an expert could still overlook one, especially if it is dormant most of the time.


It's in a proto state due to anemic academic funding. We need to throw cash at the problem.


Yes, it is underfunded for sure. I have been underwhelmed by what academia has managed to produce, funding aside. It is a solvable problem but you have to give the money to the people that can solve it in an operational context, which rarely seems to happen.

It is a genuinely fun project for someone with sufficiently sophisticated skill but I suspect there is relatively little money in it, which colors the opportunity and outcomes.

The absence of clear commercial opportunity gives the domain a weird dynamic.


While I can't talk to all the systems out there, I am talking about systems I have worked on.



