The Comfort of Isolation
For most of the history of industrial control systems, isolation was the primary security strategy. If your SCADA system had no connection to the corporate network, no internet access, and no remote connectivity, the logic went, then the attack surface was effectively zero. A threat actor would have to physically enter the facility to reach the control systems.
This was never entirely true, and it is less true today than it has ever been. But the mental model has proven remarkably durable. Decades of engineers, plant managers, and even some security professionals have anchored their confidence in OT security to the assumption of isolation, often without systematically verifying that the isolation they assumed actually existed.
The result is a pattern that repeats across industries: organizations discover, during a security assessment or after an incident, that their supposedly air-gapped OT network has a dozen connections to the corporate IT network that nobody documented, a cellular gateway installed by a vendor during a maintenance window, a wireless access point added for operational convenience, and a contractor VPN that has been running for three years without anyone's knowledge.
Why True Air Gaps Are Rare in Modern Facilities
The economic pressure toward connectivity has been relentless. Digital transformation, Industry 4.0, predictive maintenance, remote operations, real-time production data for ERP systems — every one of these initiatives requires data to flow between OT and IT environments.
The connections accumulate over time:
Historian connections. A process data historian that was originally deployed within the OT network becomes more valuable when business analysts can access it from the corporate network. The "simple" extension of historian data access to the IT network creates a bidirectional network path.
Vendor remote access. Every major automation vendor offers remote diagnostics and support services. When a critical system fails at 2 a.m., the fastest path to resolution is often a vendor remote session. These connections are often implemented with minimal security controls and, once established for emergency access, remain in place indefinitely.
Manufacturing Execution System (MES) integration. Production scheduling, quality data, work order management — the data flows between MES and process control systems require network connectivity. The integration pathways are often designed for data reliability without security as a primary consideration.
Corporate Wi-Fi bleeding into OT areas. In manufacturing facilities where corporate Wi-Fi access points are installed throughout the building for employee mobility, the signal extends into areas adjacent to or including process control equipment. Devices that connect to corporate Wi-Fi and then physically move into OT areas create wireless bridges.
Temporary connections that become permanent. A laptop connected to both the corporate network and an OT device for a one-time troubleshooting session. A portable data logger with cellular connectivity. A USB drive carried between environments. Each is a temporary connection that, once made, opens a pathway.
The Attack History of "Isolated" Systems
The history of OT security incidents includes numerous cases where supposedly isolated systems were compromised through unexpected connectivity vectors.
Stuxnet and USB propagation. The most famous OT attack in history targeted a facility that was genuinely air-gapped in its network architecture. Stuxnet spread via USB drives carrying the malware between networked IT systems and the OT environment. The attack demonstrated that physical media could bridge any network air gap if personnel move between environments.
The sophistication of Stuxnet's USB propagation was notable: it exploited Windows zero-day vulnerabilities to execute automatically when a USB drive was connected, and it spread silently across USB-connected devices. But the fundamental insight — that people carrying portable media between environments is an air gap attack vector — was not new. It was simply dramatically demonstrated.
Cellular gateways as covert entry. Multiple documented incidents have involved cellular modems or gateways installed in OT environments — sometimes by vendors without explicit authorization — that provided remote access pathways completely outside any network monitoring scope. An attacker who discovers a cellular-connected device on an OT network through passive scanning has found a direct path that bypasses every network security control.
Wireless protocol bridging. Industrial wireless technologies — WirelessHART for instrument monitoring, ISA100.11a for field device communication — operate in frequency bands that can be received by equipment well outside the intended coverage area. A receiver positioned outside the facility perimeter may be able to intercept or inject communications to field devices.
Engineering laptops as bridges. Perhaps the most common real-world air gap violation is the dual-use engineering laptop: a device that connects to the corporate network for email and document access, then connects to the OT network for programming, configuration, or maintenance. If that laptop is not properly isolated between uses — cleaned, configuration-verified, or maintained as a dedicated OT device with no corporate connectivity — it is a bridge between the two environments.
What Organizations Actually Have Instead of an Air Gap
A realistic description of the "air-gapped" OT network in a typical industrial facility circa 2026:
- One to four documented connections between OT and IT, typically historian feeds and MES integrations
- Two to eight undocumented connections, including older historian pathways, vendor remote access that was never formally removed, and network equipment with management interfaces accessible from both environments
- At least one wireless access point within range of OT network equipment, either authorized for field operator tablets or unauthorized and undetected
- A removable media problem: USB drives, SD cards, and laptops that cross the IT/OT boundary regularly without controlled inspection procedures
- Cellular connectivity on at least one RTU, edge device, or management system, often installed by a vendor and not monitored by the OT security program
This is not a characterization designed to alarm. It is a reasonably accurate description of what a thorough connectivity assessment reveals in environments that were believed to be well-isolated.
Building Security That Assumes the Air Gap Has Failed
The practical implication of the air gap myth is a security design philosophy shift: stop building security on the assumption of isolation and start building it on the assumption that connectivity exists and must be managed.
Discover and Document All Connections
The first step is knowing what connections actually exist, not what documentation says should exist. This requires:
- Passive network monitoring to observe which devices communicate with which, including any traffic crossing expected boundary points
- Active connectivity mapping using network scanning and topology discovery to identify all network paths, including those that should not exist
- Vendor access audit: a systematic review of all remote access pathways, including dormant VPNs, cellular connections, and vendor-managed devices
- Wireless survey: an RF survey to identify all wireless access points and determine their coverage areas and network connections
Every connection discovered becomes an item to either formally document and secure, or to terminate.
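One way to turn the passive-monitoring step into a repeatable check, as an added example that is not part of the original article: compare observed flows against the documented connection inventory and flag anything that crosses the OT/IT boundary or leaves for an address outside both zones. The zone ranges, the inventory entries, the hypothetical historian and MES hosts and the flow records are all constructed; real input would be exported flow records from a span-port capture or NetFlow/IPFIX collector.

```python
import ipaddress
from collections import namedtuple

# Constructed zone map: address ranges per environment (assumption).
ZONES = {
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
}
# Constructed inventory of documented OT<->IT connections: (src, dst, dst port).
DOCUMENTED = {
    ("10.20.5.10", "10.10.8.20", 5450),  # historian -> IT analytics server (hypothetical)
    ("10.10.8.30", "10.20.5.10", 443),   # MES -> historian web interface (hypothetical)
}
Flow = namedtuple("Flow", "src dst dport proto")

def zone_of(addr):
    """Map an address to its zone; anything outside known ranges is UNKNOWN."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "UNKNOWN"

def parse_flows(lines):
    """Parse constructed 'src dst dport proto' records, skipping blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            src, dst, dport, proto = line.split()
            flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows

def find_undocumented(flows):
    """(flow, src_zone, dst_zone) for flows that leave their zone without an inventory entry."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        # sz != dz covers OT<->IT and any UNKNOWN endpoint, e.g. a cellular uplink
        if sz != dz and (f.src, f.dst, f.dport) not in DOCUMENTED:
            findings.append((f, sz, dz))
    return findings

# Constructed sample: two documented feeds, one intra-OT Modbus flow, one
# undocumented IT->OT flow, one OT host reaching an internet address.
SAMPLE_FLOWS = """# src dst dport proto
10.20.5.10 10.10.8.20 5450 tcp
10.10.8.30 10.20.5.10 443 tcp
10.20.5.10 10.20.7.2 502 tcp
10.10.3.77 10.20.7.2 44818 tcp
10.20.9.1 203.0.113.9 443 tcp
""".splitlines()
```

Running `find_undocumented(parse_flows(SAMPLE_FLOWS))` reports the IT host reaching an OT device on port 44818 and the OT host talking to 203.0.113.9; both are candidates for either formal documentation or termination.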
Apply Defense-in-Depth Regardless of Isolation Claims
Security controls should be layered throughout the OT environment rather than concentrated at a single network boundary that the entire security posture depends on:
- Firewall rules that restrict communication between different OT network zones, not just between OT and IT
- Authentication requirements on engineering protocol ports, not relying solely on network location
- Logging and monitoring within OT zones, not just at the perimeter
- USB and removable media controls at the endpoint level, not just at network access points
If the perimeter fails — and the evidence suggests it frequently does — these inner controls limit what an attacker can do with the access they have obtained.
Removable Media as a Security Domain
USB drives and portable media deserve dedicated policy and technical controls that most organizations do not currently have:
- A formal removable media policy for OT environments: what types of media are permitted, who is authorized to use them, what inspection procedures apply
- Technical enforcement: USB port control via device management tools on Windows-based OT workstations, or physical port blockers on devices where software controls are not feasible
- Dedicated media scanning stations: standalone malware scanning systems at the boundary of OT areas where removable media must be inspected before use inside the OT environment
- Dedicated OT media: USB drives that are purchased, registered, and used exclusively in OT environments and never connected to IT systems
The Stuxnet vector — removable media bridging between IT and OT — remains active. Documented OT incidents still involve malware introduced via USB.
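A detection that follows from the dedicated-OT-media item above, as an added example that is not part of the original article: parse the kernel messages a Linux-based OT workstation logs when a USB device attaches and report any device whose vendor ID, product ID and serial number are not in the register of dedicated OT drives. The register and the log lines are constructed; the line format is the one the Linux kernel prints for a new USB device.

```python
import re

# Constructed register of dedicated OT USB drives: (idVendor, idProduct, serial).
OT_MEDIA_REGISTER = {
    ("0781", "5591", "OT-DRIVE-0001"),
    ("0781", "5591", "OT-DRIVE-0002"),
}
# The kernel logs the vendor/product IDs on one line and the serial number on a
# later line for the same port, so the two have to be paired up.
NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")

def parse_usb_events(lines):
    """Return (port, idVendor, idProduct, serial) per attached device;
    serial is None if the device never reported one."""
    pending, devices = {}, []
    for line in lines:
        m = NEW_DEV.search(line)
        if m:
            port, vid, pid = m.groups()
            pending[port] = (vid, pid)
            continue
        m = SERIAL.search(line)
        if m and m.group(1) in pending:
            vid, pid = pending.pop(m.group(1))
            devices.append((m.group(1), vid, pid, m.group(2)))
    for port, (vid, pid) in pending.items():
        devices.append((port, vid, pid, None))
    return devices

def unregistered_media(lines):
    """Devices in the log that are not registered dedicated OT media."""
    return [d for d in parse_usb_events(lines)
            if (d[1], d[2], d[3]) not in OT_MEDIA_REGISTER]

# Constructed sample log: one registered OT drive, one unregistered stick, one
# device that never reported a serial number.
SAMPLE_LOG = [
    "kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5591, bcdDevice= 1.00",
    "kernel: usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3",
    "kernel: usb 1-1: SerialNumber: OT-DRIVE-0001",
    "kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10",
    "kernel: usb 1-2: SerialNumber: PERSONAL-STICK-77",
    "kernel: usb 2-1: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 0.01",
]
```

A serial-number match is an inventory check, not proof of provenance, so this complements port control and boundary scanning rather than replacing them.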
Wireless Discipline
Wireless networks in and around OT areas require active management:
- Survey and document all wireless infrastructure within range of OT areas
- Implement wireless intrusion detection to identify rogue access points and unexpected wireless devices
- Policy prohibiting the use of personal wireless devices in OT areas unless specifically authorized
- Technical isolation between corporate Wi-Fi and OT network segments even when sharing physical infrastructure
Vendor Access as a Managed Program
Every vendor connection should be treated as a controlled, time-limited, monitored access event — not a standing pathway that exists because it was convenient to set up once:
- Inventory all vendor remote access mechanisms
- Terminate any that are not actively required
- For continuing vendor access requirements, implement a formal access management process with time-limited credentials and session monitoring
Accepting the Reality
The most important shift is cultural rather than technical: accepting that OT environments are not isolated and designing a security program accordingly. Organizations that continue to operate on the assumption that their OT network is air-gapped are choosing not to look — and are building security governance on a premise that an adversary with moderate reconnaissance capability can disprove in an afternoon.
Accept that connections exist. Find them, document them, and manage them. Build security that assumes the boundaries will be crossed and focuses on limiting the damage when they are.
Beacon Security provides OT connectivity assessments, removable media program design, and network architecture reviews that reveal the actual connectivity posture of industrial environments. Contact us to find out what is actually connected in your OT network.

