The Air Gap That Wasn't

Industrial Security's Biggest Myth

"We have never found an organization that is truly air gapped." - Dragos

The Security Control That Disappeared

That stark assessment from Dragos, the leading authority in operational technology security, should make every industrial organization pause. If you're counting on physical separation to protect your OT networks, you might be relying on a security control that disappeared 25 years ago.

The traditional understanding is simple: air-gapped networks have no physical connection to other networks. No cables, no wireless links, no data flow except through manually carried USB drives. It's the gold standard of network isolation, used in nuclear facilities and military systems where compromise isn't an option.

But according to Waterfall Security Solutions, true air gaps "largely disappeared in the late 1990s" when organizations began connecting industrial systems to enterprise resource planning software. What replaced them wasn't better security but carefully managed mythology.

How Connected Are 'Air-Gapped' Networks Really?

The numbers reveal just how thoroughly the air gap has dissolved. According to SANS Institute's 2024 survey, 52% of organizations now use OT-specific monitoring, up from just 33% in 2019. This dramatic increase highlights the growing interconnectedness and visibility needs of OT environments that were once considered isolated.

When security firm Claroty surveyed organizations during the COVID-19 pandemic, 65% reported their IT and OT networks had become more interconnected, not less. The operational pressures of remote work, combined with decades of gradual convergence, have eroded whatever isolation once existed.

Even more telling: security researchers using Shodan, a public search engine for internet-connected devices, can easily find industrial control systems exposed online. These aren't sophisticated hacking techniques or zero-day exploits. These are systems visible to anyone with a web browser.

Shadow Currents Through the Gap

The supposed air gap gets breached through three primary channels, and none of them requires advanced persistent threats or nation-state resources.

Engineering workstations represent the most common bridge. These computers sit on OT networks but need regular updates, vendor support and access to technical documentation. According to Dragos analysis, these workstations create persistent connections between supposedly isolated networks, often without anyone formally documenting or monitoring those links.

USB drives serve as the classic vector, proven devastatingly effective by Stuxnet in 2010. That malware used USB drives to jump the air gap at Iran's Natanz nuclear facility, ultimately destroying 1,000 centrifuges. ESET research shows that all 17 documented air-gap malware frameworks rely on USB drives as their primary infection method. One hundred percent USB dependency tells you everything about where the vulnerability actually lies.

Vendor remote access creates the third shadow current. Equipment suppliers install DSL lines or cellular connections for remote diagnostics and support. According to Waterfall Security Solutions, many organizations don't fully understand all the remote access pathways vendors have established into their OT networks. These access points, intended as temporary solutions, rarely get logged or monitored. More critically, they're rarely removed after the vendor support session ends.

When the Gap Fails

The consequences aren't theoretical. In 2019, Norsk Hydro faced a ransomware attack that entered through a phishing email, costing the company $70 million and forcing weeks of manual operations. The incident created what the company described as "severe safety risks" as operators reverted to paper-based processes in a modern industrial facility.

Colonial Pipeline's 2021 breach began in IT systems but forced the shutdown of OT operations, cutting fuel supplies to the U.S. East Coast. The attack demonstrated how the practical convergence of IT and OT creates real-world vulnerability regardless of theoretical network boundaries.

According to Fortinet's 2025 Operational Technology Security Report, 50% of organizations experienced at least one cybersecurity incident in their OT systems. The average cost of industrial breaches sits at $5.56 million, with recovery times measured in weeks, not days.

Why Everyone Misunderstands 'Air Gap' Security

Part of the challenge stems from definitional confusion that creates dangerous miscommunication. As Waterfall Security Solutions explains, modern CISOs use "air-gapped" to mean "not directly Internet-routable," while operational leadership interprets the same phrase as "completely isolated."

When a CISO tells the board "our industrial network is air-gapped," they mean traffic can't route directly to the public internet. The board hears "no attack path exists." This gap between technical precision and strategic understanding produces what Waterfall calls "serious errors in risk management."

The reality: almost nothing is truly air-gapped anymore. Darktrace research reveals that many organizations believing they have completely isolated systems actually have "unknown points of IT/OT convergence," connections they don't know exist. You can't defend what you can't see, and you can't see what you haven't inventoried.

Verify, Don't Assume

The air gap concept worked when everything surrounding it was tightly regulated and controlled. In military and intelligence applications with comprehensive physical security, restricted personnel access and carefully audited data transfers, physical isolation provides meaningful protection.

Most industrial environments don't operate under those constraints. The same operational efficiency that drives business success requires connectivity, vendor access, data sharing with enterprise systems and real-time visibility into production processes. Each of these requirements chips away at isolation.

The question isn't whether air gaps work in theory. The question is whether yours actually exists. Organizations need to audit their OT connectivity reality, not assume isolation based on outdated network diagrams or inherited assumptions.

Armis, an OT security vendor, reports that they "often hear from new clients that there's nothing to worry about because their OT is air-gapped." But when deploying monitoring tools to verify that claim, they "quickly find vulnerabilities." The pattern repeats: assumed isolation, actual connectivity, discovered risk.

The path forward requires honest assessment. Map every connection between IT and OT, including engineering workstations, vendor access points, temporary links and data flows. Monitor those connections continuously rather than auditing them once. Assume breach as the baseline rather than hoping isolation will hold.
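The connection inventory and continuous monitoring described above can be bootstrapped from the flow records a perimeter firewall already produces. The script below is an added example, not part of the original article or any vendor's tooling; the IT/OT address ranges, the approved-path inventory and the flow records are constructed for illustration. It flags every flow that touches the OT zone, crosses a zone boundary and is absent from the approved inventory, labelling each as an IT/OT bridge, OT internet egress or inbound remote access.

```python
import ipaddress
import re
# Constructed example zones; a real audit would load these from the site IP plan.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("192.168.50.0/24")],
}
# Hypothetical approved cross-zone paths as (src, dst, dport).
APPROVED = {("10.10.5.20", "192.168.50.10", 502)}  # historian polling a PLC over Modbus/TCP
# Constructed firewall flow records in key=value style (not from any real device).
SAMPLE_FLOWS = """\
2024-03-01T08:00:01 src=10.10.5.20 dst=192.168.50.10 dport=502 proto=tcp
2024-03-01T08:00:07 src=192.168.50.33 dst=10.10.7.4 dport=445 proto=tcp
2024-03-01T08:01:12 src=192.168.50.33 dst=203.0.113.9 dport=443 proto=tcp
2024-03-01T08:02:40 src=198.51.100.7 dst=192.168.50.40 dport=3389 proto=tcp
2024-03-01T08:03:05 src=192.168.50.12 dst=192.168.50.13 dport=44818 proto=tcp
"""
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def zone_of(ip: str) -> str:
    """Return the zone an address belongs to, or EXTERNAL if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "EXTERNAL"

def classify(src_zone: str, dst_zone: str) -> str:
    """Label a cross-zone flow involving OT by the kind of bridge it indicates."""
    if "EXTERNAL" in (src_zone, dst_zone):
        return "ot_internet_egress" if src_zone == "OT" else "inbound_remote_access"
    return "unapproved_it_ot_bridge"

def audit_flows(log_text: str) -> list:
    """Return every OT-touching, cross-zone flow that is not in the approved inventory."""
    findings = []
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # malformed or unrelated line
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        sz, dz = zone_of(src), zone_of(dst)
        if "OT" not in (sz, dz) or sz == dz or (src, dst, dport) in APPROVED:
            continue  # no OT endpoint, intra-zone traffic, or a documented sanctioned path
        findings.append({"src": src, "dst": dst, "dport": dport, "kind": classify(sz, dz)})
    return findings

for f in audit_flows(SAMPLE_FLOWS):
    print(f"{f['kind']:24} {f['src']} -> {f['dst']}:{f['dport']}")
```

Each finding is a candidate "unknown point of IT/OT convergence" to be either added to the approved inventory with an owner and an expiry, or removed.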

The air gap you think protects you likely dissolved when someone connected an engineering workstation to check email, when a vendor installed remote diagnostics or when enterprise systems needed production data. The protection isn't gone because security failed but because operational reality evolved while the mental model stayed frozen.

Verify your connectivity reality. The alternative is discovering it exists when attackers already have.

Critical Reality Check

If you believe your OT network is air-gapped, there's a 100% chance you're wrong, according to leading security experts.

The Perfect Isolation Myth ("Our OT is completely isolated"): True air gaps disappeared in the late 1990s when ERP integration began. Today's "air-gapped" networks have engineering workstations, vendor access, and USB ports that create persistent bridges between IT and OT.

The Connectivity Explosion (52% now monitor OT networks): OT monitoring jumped from 33% to 52% in just 5 years. During COVID, 65% of organizations increased IT/OT convergence. Shodan can find exposed industrial systems with a simple search.

USB: The Universal Breach (100% of air-gap malware uses USB): Stuxnet destroyed 1,000 Iranian centrifuges via USB. All 17 documented air-gap malware frameworks rely on USB drives. That "sneakernet" for updates becomes the perfect attack vector.

Vendor Access Backdoors (hidden DSL lines and cellular modems): Equipment vendors install remote access for "temporary" support that becomes permanent. These undocumented connections bypass all security controls and rarely get removed after service ends.

Engineering Workstations (the permanent bridge): These dual-purpose computers need OT network access but also require internet for updates, documentation, and vendor support. They create persistent, often unmonitored connections between networks.
2010 Stuxnet - The Air Gap Jumper

Target: Iran's Natanz nuclear facility

Method: USB drives carried malware across the air gap

Impact: Destroyed 1,000 uranium enrichment centrifuges

Lesson: Physical isolation means nothing when USB ports exist

2019 Norsk Hydro - $70 Million Reality Check

Entry Point: Phishing email in IT network

Spread: Ransomware reached "isolated" OT systems

Cost: $70 million in damages and recovery

Operations: Forced to manual processes for weeks, creating severe safety risks

2021 Colonial Pipeline - East Coast Shutdown

Attack Vector: IT network breach with leaked password

Decision: Shut down OT operations preemptively

Impact: 45% of East Coast fuel supply disrupted

Reality: IT/OT convergence made isolation impossible

Direct Internet Exposure

How it happens: Industrial systems connected for remote monitoring become searchable on Shodan

Real example: Water treatment facilities, power plants, and manufacturing systems found exposed online

Fix: Comprehensive network audit and proper segmentation with monitoring

Phishing to OT Pivot

Attack path: Email → Office network → Shared credentials → Engineering workstation → OT network

Success rate: 50% of OT incidents start with IT compromise

Defense: Zero trust architecture and credential segmentation

Shadow IT Connections

Common culprits: Wireless access points, cellular modems, forgotten VPN tunnels

Discovery rate: Found in 73% of OT security assessments

Risk: Bypasses all network security controls and monitoring

$5.56M: average OT breach cost, with recovery times measured in weeks, not days.

50%: half of all organizations experienced OT cyber incidents in 2024.

243 days: average dwell time; attackers remain undetected for 8 months in OT environments.