Air Gaps in OT: The Myth of Network Isolation

September 25, 2025 | 9 min read | By Beacon Security Team

The Comfort of Isolation

Ask a plant engineer about cybersecurity, and you'll often hear some version of the same reassurance: "Our control systems aren't connected to anything. We're air-gapped." They say it with confidence, the kind that comes from years of institutional memory and a genuine belief that the systems they manage are walled off from the outside world.

That belief is understandable. For most of the history of industrial control systems, isolation was the primary security strategy. If your SCADA system had no connection to the corporate network, no internet access, and no remote connectivity, the logic went, then the attack surface was effectively zero. An attacker would have to physically enter the facility or give up.

This was never entirely true. And it is less true today than it has ever been. The mental model has proven remarkably durable, but what Beacon Security finds again and again during OT assessments is a jarring gap between the isolation engineers believe exists and the connectivity that actually does. Organizations discover, during an assessment or after an incident, that their supposedly air-gapped OT network has a dozen connections to the corporate IT network that nobody documented, a cellular gateway a vendor installed during a maintenance window, a wireless access point added for operational convenience, and a contractor VPN that has been quietly running for three years. Every single one of them a door that nobody knew was open.

Why True Air Gaps Are Rare in Modern Facilities

The economic pressure toward connectivity has been relentless. Digital transformation, Industry 4.0, predictive maintenance, remote operations, real-time production data feeding ERP systems, every one of these initiatives requires data to flow between OT and IT environments. The business case is always compelling, and each connection tends to be approved individually without anyone stepping back to assess the cumulative picture.

The connections accumulate quietly over time.

Historian connections. A process data historian that was originally deployed within the OT network becomes more valuable when business analysts can access it from the corporate side. The "simple" extension of historian access creates a bidirectional network path, one that often receives far less security scrutiny than its actual risk warrants.

Vendor remote access. When a critical system fails at 2 a.m., the fastest path to resolution is a vendor remote session. These connections are typically implemented in a hurry, with minimal security controls, and once established for emergency access, they tend to stay in place indefinitely. Nobody removes the door they might need again someday.

MES integration. Production scheduling, quality data, work order management, the data flows between Manufacturing Execution Systems and process control systems require network connectivity. The integration pathways are typically designed for data reliability, with security an afterthought, if it was a thought at all.

Corporate Wi-Fi bleeding into OT areas. In manufacturing facilities where corporate Wi-Fi access points are installed throughout the building for employee mobility, the signal extends into areas adjacent to or including process control equipment. Devices that connect to corporate Wi-Fi and then move physically into OT areas create wireless bridges that no firewall rule can stop.

Temporary connections that become permanent. A laptop connected to both networks for a one-time troubleshooting session. A portable data logger with cellular connectivity. A USB drive carried between environments. Each one is a "temporary" connection that opens a pathway, and those pathways have a way of outlasting their original purpose by years.

The Attack History of "Isolated" Systems

The history of OT security incidents reads, in part, as a catalog of air gaps that turned out not to be air gaps.

Stuxnet and USB propagation. The most famous OT attack in history targeted a facility that was genuinely air-gapped in its network architecture. Stuxnet spread via USB drives carrying the malware between networked IT systems and the OT environment. The attack demonstrated that physical media could bridge any network air gap if personnel move between environments, that the human being carrying the USB drive is part of the attack surface whether or not any cables are connected.

The sophistication of Stuxnet's USB propagation was remarkable, but the core insight was not new. It was simply demonstrated more dramatically than anyone had seen before.

Cellular gateways as covert entry. Multiple documented incidents have involved cellular modems or gateways installed in OT environments, sometimes by vendors without explicit authorization, that provided remote access pathways completely outside any network monitoring scope. An attacker who discovers a cellular-connected device on an OT network has found a direct path that bypasses every firewall and IDS rule in the facility.

Engineering laptops as bridges. Perhaps the most common real-world air gap violation is the dual-use engineering laptop: a device that connects to the corporate network for email and documents, then connects to the OT network for programming, configuration, or maintenance. If that laptop crosses between environments without proper isolation procedures, it is not a bridge in a metaphorical sense. It is a literal bridge, carrying whatever it picked up on one side into the other.

What Organizations Actually Have Instead of an Air Gap

When Beacon Security conducts connectivity assessments at facilities where operations teams believe they are air-gapped, a fairly consistent picture emerges:

  • One to four documented connections between OT and IT, typically historian feeds and MES integrations
  • Two to eight undocumented connections, including older historian pathways, vendor remote access that was never formally removed, and network equipment with management interfaces reachable from both environments
  • At least one wireless access point within range of OT network equipment, either authorized for field operator tablets or unauthorized and undetected
  • A removable media problem: USB drives, SD cards, and laptops that cross the IT/OT boundary regularly without controlled inspection procedures
  • Cellular connectivity on at least one RTU, edge device, or management system, often installed by a vendor and not monitored by anyone in the security program

This is not a worst-case characterization. It describes what thorough connectivity assessment reveals in environments that were genuinely believed to be well-isolated. The engineers who believed their facilities were air-gapped were not careless or negligent. They simply never had a systematic way to verify what they assumed.

Building Security That Assumes the Air Gap Has Failed

The practical implication is a security design philosophy shift: stop building security on the assumption of isolation and start building it on the assumption that connectivity exists and must be managed. Here is what that looks like in practice.

Discover and Document All Connections

The first step is knowing what connections actually exist, not what the documentation says should exist. That requires four activities:

  • Passive network monitoring to observe which devices are communicating with which
  • Active connectivity mapping using network scanning and topology discovery
  • A systematic vendor access audit covering dormant VPNs and cellular connections
  • An RF survey to identify all wireless access points and their coverage areas

Every connection discovered becomes an item to either formally document and secure, or to terminate. There is no third option.
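The passive-monitoring step above produces flow records; the following added example (not Beacon Security's tooling) shows how those records can be compared against a register of documented IT/OT paths so that every undocumented boundary crossing, and every OT host talking to an address outside both zones (the cellular-gateway pattern), surfaces as a finding. The address ranges, the documented-path register, and the flow lines are all constructed for the example.

```python
import ipaddress

# Zone definitions: assumed for this example, substitute the site's real addressing
OT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
IT_NETS = [ipaddress.ip_network("172.16.0.0/12")]

# Register of approved cross-boundary paths: (src_host, dst_host, proto/port)
DOCUMENTED = {
    ("10.10.5.20", "172.16.8.40", "tcp/1433"),   # historian replicating to IT SQL
    ("172.16.9.15", "10.10.5.30", "tcp/4840"),   # MES reading the OPC UA server
}

# Constructed flow records from passive monitoring: "timestamp src -> dst proto/port"
SAMPLE_FLOWS = """\
2025-09-25T02:13:04Z 10.10.5.20 -> 172.16.8.40 tcp/1433
2025-09-25T02:13:09Z 172.16.9.15 -> 10.10.5.30 tcp/4840
2025-09-25T02:14:11Z 172.16.44.7 -> 10.10.5.30 tcp/4840
2025-09-25T02:15:30Z 10.10.7.9 -> 203.0.113.25 tcp/443
2025-09-25T02:16:02Z 10.10.5.30 -> 10.10.5.31 tcp/502
"""


def zone_of(ip_str):
    """Map an address to OT, IT, or EXTERNAL (neither zone: internet, cellular, unknown)."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in OT_NETS):
        return "OT"
    if any(ip in net for net in IT_NETS):
        return "IT"
    return "EXTERNAL"


def parse_flow(line):
    ts, src, _arrow, dst, svc = line.split()
    return ts, src, dst, svc


def classify_flows(text):
    """Bucket every boundary-crossing flow as documented, undocumented, or external."""
    findings = {"documented": [], "undocumented": [], "external": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, svc = parse_flow(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is not a boundary crossing
        if "EXTERNAL" in (src_zone, dst_zone):
            findings["external"].append((src, dst, svc))
        elif (src, dst, svc) in DOCUMENTED:
            findings["documented"].append((src, dst, svc))
        else:
            findings["undocumented"].append((src, dst, svc))
    return findings
```

Each entry in "undocumented" and "external" is exactly the kind of connection that must either be added to the register and secured, or terminated.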

Apply Defense-in-Depth Regardless of Isolation Claims

Security controls should be layered throughout the OT environment rather than concentrated at a single network boundary that the entire security posture depends on. Firewall rules that restrict communication between different OT network zones, not just between OT and IT. Authentication requirements on engineering protocol ports, not relying solely on network location. Logging and monitoring within OT zones, not just at the perimeter. USB and removable media controls at the endpoint level.

If the perimeter fails, and the evidence suggests it frequently does, inner controls limit what an attacker can do with the access they have obtained.

Removable Media as a Security Domain

USB drives and portable media deserve dedicated policy and technical controls that most organizations do not currently have. A formal removable media policy for OT environments covering what types of media are permitted, who is authorized to use them, and what inspection procedures apply. Technical enforcement via device management tools or physical port blockers. Dedicated media scanning stations at the boundary of OT areas where removable media must be inspected before use inside the environment. And ideally, dedicated OT media, USB drives that are purchased, registered, and used exclusively in OT environments and never connected to IT systems.

The Stuxnet vector, removable media bridging between IT and OT, remains active. Documented OT incidents still involve malware introduced via USB. The attack surface that broke the Natanz centrifuges in 2010 is alive and unmanaged in most industrial facilities today.

Wireless Discipline

Survey and document all wireless infrastructure within range of OT areas. Implement wireless intrusion detection to identify rogue access points and unexpected wireless devices. Prohibit personal wireless devices in OT areas unless specifically authorized. Maintain technical isolation between corporate Wi-Fi and OT network segments even when sharing physical infrastructure.

Vendor Access as a Managed Program

Every vendor connection should be treated as a controlled, time-limited, monitored access event, not a standing pathway that exists because it was convenient to set up once. Inventory all vendor remote access mechanisms. Terminate any that are not actively required. For continuing vendor access, implement a formal access management process with time-limited credentials and session monitoring. Treat vendor access the same way you would treat physical access by an outside contractor: logged, scoped, and revoked when the work is done.

Accepting the Reality

The most important shift is cultural, not technical: accepting that OT environments are not isolated and designing a security program accordingly. Organizations that continue to operate on the assumption that their OT network is air-gapped are choosing not to look, and they are building their entire security posture on a premise that an adversary with moderate reconnaissance capability can disprove in an afternoon.

Accept that connections exist. Find them, document them, and manage them. Build security that assumes the boundaries will be crossed and focuses on limiting the damage when they are.


Beacon Security provides OT connectivity assessments, removable media program design, and network architecture reviews that reveal the actual connectivity posture of industrial environments. Contact us to find out what is actually connected in your OT network.
