The term "air-gapped network" creates a false sense of security because it suggests complete isolation. In practice, most industrial networks that operators call "air-gapped" have been incrementally bridged with data transfers, vendor access points, and emergency connections that contradict the air-gap assumption. An attacker who understands these bridges can cross them. An operator who assumes true isolation might not monitor them effectively.
A true air-gap—no network connection whatsoever, transfers only via disconnected media like USB drives—is operationally unsustainable in modern manufacturing where data flow is essential to decision-making. The compromise between isolation and operability is segmented networks with strict controls on data movement. Call them segmented, not air-gapped, and monitor the boundaries accordingly.
Anatomy of a Broken Air-Gap
We routinely find air-gapped networks that have been compromised in ways operators did not recognize. A technician uses the same laptop for maintenance at the production network and for email at home, transferring malware inadvertently. A historian server that "just collects data" is actually bidirectionally connected to a corporate network through a poorly managed data channel. A USB port for firmware updates is also used by technicians for file transfers. A backup drive is stored in a shared office where non-technical staff can access it.
Each individual bridge might seem justified: it serves a legitimate business purpose. But collectively, they create an attack surface that is not monitored, not controlled, and potentially larger than if the network were openly connected with proper segmentation and monitoring.
Controlled Boundaries Instead of Air-Gaps
- Intentional and Documented Connections: List every connection, data transfer, or access point between your OT network and the outside world. Connections should have explicit approval, documented purpose, and technical controls. Undocumented connections are security violations.
- One-Way Data Flows: Where possible, structure connections as one-directional: data flows out of OT (to historians, corporate systems) but not in (to production networks). This preserves operational isolation while allowing visibility and reporting.
- Controlled Transfer Mechanisms: If bridging requires media like USB drives or external HDDs, enforce scanning and validation procedures. Do not assume the media is clean just because it came from the production network side.
- Boundary Monitoring: Monitor every intentional bridge. Alert on unusual data volumes, unexpected files, or transfers at unusual times. A historian server that normally pulls 100 MB of data daily but suddenly pulls 10 GB is suspicious.
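The four controls above can be checked mechanically against a transfer log. The following is an added example, not code from the Cascadia practice: it keeps an inventory of approved bridges (bridge names, directions, baselines and transfer windows are constructed), then flags undocumented connections, traffic in the wrong direction over a one-way bridge, volume spikes such as the 10 GB historian pull, and transfers outside the expected window.

```python
"""Boundary-monitoring checks for documented OT bridges (added example)."""
from datetime import datetime

# Inventory of approved bridges: every intentional connection, its direction
# (relative to the OT network), expected daily volume in MB and the hours in
# which transfers normally happen. Constructed sample data, not a real site.
APPROVED_BRIDGES = {
    "historian-01": {"direction": "out", "baseline_mb": 100, "window": (6, 18)},
    "fw-update-usb": {"direction": "in", "baseline_mb": 50, "window": (8, 17)},
}

# Constructed transfer log: (timestamp, bridge, direction, megabytes)
SAMPLE_LOG = [
    ("2024-05-06T09:15:00", "historian-01", "out", 98),
    ("2024-05-06T23:40:00", "historian-01", "out", 10240),
    ("2024-05-07T10:05:00", "historian-01", "in", 5),
    ("2024-05-07T11:00:00", "vendor-vpn", "in", 20),
]

VOLUME_FACTOR = 5  # alert when a single transfer exceeds baseline by this multiple


def check_transfer(ts, bridge, direction, size_mb, inventory=APPROVED_BRIDGES):
    """Return a list of alert strings for one boundary transfer."""
    spec = inventory.get(bridge)
    if spec is None:
        # Undocumented connection: a violation regardless of volume or time.
        return [f"{bridge}: undocumented bridge ({direction}, {size_mb} MB)"]
    alerts = []
    if direction != spec["direction"]:
        alerts.append(f"{bridge}: {direction} transfer on {spec['direction']}-only bridge")
    if size_mb > spec["baseline_mb"] * VOLUME_FACTOR:
        alerts.append(f"{bridge}: {size_mb} MB exceeds baseline {spec['baseline_mb']} MB")
    hour = datetime.fromisoformat(ts).hour
    start, end = spec["window"]
    if not start <= hour < end:
        alerts.append(f"{bridge}: transfer at {hour:02d}:00 outside {start:02d}-{end:02d} window")
    return alerts


def scan_log(log, inventory=APPROVED_BRIDGES):
    """Run check_transfer over every log entry and collect all alerts."""
    alerts = []
    for entry in log:
        alerts.extend(check_transfer(*entry, inventory=inventory))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Against the constructed log the normal daytime historian pull produces nothing, while the 10 GB late-night pull, the inbound transfer over the outbound-only historian link, and the unlisted vendor connection each raise alerts.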
Communicating Risk Realistically
Calling your network "air-gapped" when it is actually segmented with data bridges can cause dangerous complacency. Operators and management might assume they do not need to monitor boundary traffic because the network is supposedly isolated. This turns a segmented network into a liability rather than a security control.
Instead, clearly communicate your architecture to stakeholders: "We operate segmented production networks with controlled data transfer points at specific boundaries. We monitor these boundaries continuously. The network is not isolated—it is intentionally connected at specific points for operational necessity, and those connections are security-critical."
If you'd like to assess segmentation and monitoring at your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.