Mind the Gap: Why Your “Air-Gapped” SCADA System Is a Myth

Editor’s Note: This article is courtesy of Mick D’Angelo, Director of Solutions Consulting, Asimily. We welcome his insights in this in-depth exploration of ICS security.

The logic behind an air-gapped SCADA system is straightforward: physically isolate your operational technology (OT) and industrial control systems from internet-connected networks, and you eliminate the attack surface. For static, unchanging environments, that reasoning holds. The problem is that modern industrial environments are neither static nor unchanging.

The gap between air-gap theory and operational reality is where most OT compromises begin. In practice, human decisions, operational requirements, and third-party dependencies constantly create pathways across the physical divide. When an air-gapped system is compromised, it is usually not due to a sophisticated remote exploit. More often, someone carried the threat through the front door.

The five attack vectors below represent the most common routes through an air gap, each rooted in operational reality rather than theoretical exploits. Against each, Asimily’s Proactive Cyber Asset Defense Platform provides specific, named capabilities that close the exposure without disrupting operations.

1. The Sneakernet (USBs and Removable Media)
The Threat Vector

Even completely isolated SCADA networks require updates. PLCs need new logic files, HMIs need patching, and engineers need to export logs. The most documented air-gap breach in history, Stuxnet, did not arrive over a fiber optic cable. It arrived on a USB drive. When an employee connects an infected drive to a secure workstation, the isolation is gone.

The Asimily Defense

When a device deviates from its established baseline (for example, a PLC receiving a configuration change or executing an unapproved firmware command from a removable file), Asimily flags the anomaly and alerts the responsible team in real time. Behavioral baselining covers every IoT, OT, IoMT, and IT device without agents or active scanning.

Configuration Control

Configuration Control captures a Golden Configuration State for every connected device and compares continuously against it. A firmware modification or configuration change introduced via USB surfaces immediately as a delta against that baseline, with a complete audit trail for incident response. Unlike generic anomaly detection, this is a device-level baseline comparison that persists across reboots and firmware updates and produces the evidence chain required for post-incident forensics.

2. Third-Party Vendor Laptops
The Threat Vector

Industrial equipment requires specialized maintenance. When a third-party technician arrives to calibrate a turbine or troubleshoot a controller, they connect their own engineering laptop directly to your OT network switch. The security posture of that device is outside your control. What matters is detecting what it does the moment it connects to your network.

The Asimily Defense

Every device connecting to your OT environment is discovered, classified, and baselined the moment it appears on the network, without agents and without disrupting operations. When an unmanaged or unauthorized device connects to an OT network segment, Asimily detects it, profiles its behavior, and flags any communication that falls outside expected patterns. By integrating natively with industrial firewalls and Network Access Control platforms, Asimily can trigger isolation rules to contain the device automatically.

Segmentation Orchestration for Vendor Access Zones

Policy Auto-Recommendation generates least-privilege segmentation policies for vendor access zones derived from observed device behavior. A contractor laptop connecting to an OT segment can be automatically confined to the specific protocols and destinations required for the maintenance task, with all other communication blocked. Policy Simulation validates the impact against real observed traffic before the rule goes live, so the operations team can confirm the policy does not disrupt adjacent workflows.

3. Shadows in the Architecture (Accidental Bridges)
The Threat Vector

Complete isolation is operationally inconvenient. Executives want real-time production dashboards. Engineers want to troubleshoot PLC logic remotely. This friction creates shadow connections: a workstation configured with dual network cards bridging corporate IT and OT, or a cellular modem plugged directly into a control panel to bypass the physical distance to the plant floor. Each one is a genuine air-gap breach that the organization does not know exists.

The Asimily Defense

Asimily builds communication profiles for every connected device based on observed traffic, documenting exactly which protocols, ports, IP addresses, and domains each device uses. When a device in a restricted OT zone attempts cross-zone or external communication outside its established profile, Asimily detects and alerts in real time. Shadow connections do not stay hidden.

Segmentation Orchestration and Policy Simulation

Asimily’s Segmentation Orchestration identifies unauthorized cross-zone communication patterns and generates segmentation policies to prevent them. Policy Simulation tests the impact of those policies against real observed traffic before any rule is deployed, so operations teams can confirm that a shadow connection is blocked without disrupting legitimate workflows running in the same segment. Continuous Segmentation then maintains those policies automatically as the environment changes.
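The mechanics described in sections 2 and 3, a per-device communication profile learned from observed traffic, a least-privilege allow-list derived from it, and a dry-run of that policy against real flows before enforcement, can be shown with a small stand-alone Python script. This is an added illustration, not Asimily's code or a description of its internals; the flow records, device names, zone labels ("ot-cell-1", "ot-dmz", "corp-it", "external") and the 203.0.113.9 address are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection summary, the shape a flow collector or span-port sensor would emit."""
    src: str       # source device
    src_zone: str  # zone of the source, e.g. "ot-cell-1", "ot-dmz", "corp-it"
    dst: str       # destination host or address
    dst_zone: str  # zone of the destination; "external" for off-site addresses
    proto: str     # application protocol
    dport: int


# Constructed learning-window traffic for one OT cell (sample data, not a real capture).
BASELINE = [
    Flow("plc-01", "ot-cell-1", "hmi-01", "ot-cell-1", "modbus", 502),
    Flow("plc-01", "ot-cell-1", "hist-01", "ot-dmz", "opcua", 4840),
    Flow("hmi-01", "ot-cell-1", "plc-01", "ot-cell-1", "modbus", 502),
    Flow("hmi-01", "ot-cell-1", "plc-02", "ot-cell-1", "s7comm", 102),
    Flow("plc-02", "ot-cell-1", "hist-01", "ot-dmz", "opcua", 4840),
]

# Later traffic, including the kinds of air-gap crossing the article describes (constructed).
VALIDATION = BASELINE + [
    Flow("plc-01", "ot-cell-1", "corp-ws-17", "corp-it", "https", 443),       # dual-homed workstation bridge
    Flow("hmi-01", "ot-cell-1", "203.0.113.9", "external", "https", 443),      # cellular modem egress
    Flow("vendor-laptop", "ot-cell-1", "plc-02", "ot-cell-1", "s7comm", 102),  # unbaselined contractor device
]


def build_profiles(flows):
    """Communication profile per source device: every (proto, dst, dport, dst_zone) it was seen using."""
    profiles = defaultdict(set)
    for f in flows:
        profiles[f.src].add((f.proto, f.dst, f.dport, f.dst_zone))
    return dict(profiles)


def classify_flow(profiles, f):
    """Rate a flow against its source's learned profile, most severe category first."""
    known = profiles.get(f.src)
    if known is None:
        return "unknown-device"
    if (f.proto, f.dst, f.dport, f.dst_zone) in known:
        return "in-profile"
    if f.dst_zone == "external":
        return "external-egress"
    if f.dst_zone != f.src_zone:
        return "cross-zone"
    return "new-peer"


def generate_policy(profiles):
    """Least-privilege allow-list derived from observed behaviour; anything not listed is denied."""
    return {(src, proto, dst, dport) for src, seen in profiles.items() for proto, dst, dport, _ in seen}


def simulate_policy(rules, traffic):
    """Dry-run the allow-list against a traffic sample; returns the flows that would be blocked."""
    return [f for f in traffic if (f.src, f.proto, f.dst, f.dport) not in rules]


def review(baseline, traffic):
    """What an operator needs before enforcing: anomalies by class plus the simulated block list."""
    profiles = build_profiles(baseline)
    rules = generate_policy(profiles)
    anomalies = {f: classify_flow(profiles, f) for f in traffic}
    anomalies = {f: c for f, c in anomalies.items() if c != "in-profile"}
    return anomalies, simulate_policy(rules, traffic)


if __name__ == "__main__":
    anomalies, blocked = review(BASELINE, VALIDATION)
    for f, cls in anomalies.items():
        print(f"{cls:16} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print(f"policy would block {len(blocked)} of {len(VALIDATION)} sampled flows")
```

The simulation step is the part that makes enforcement safe to propose: if the block list contained any of the baseline flows, the learning window was too short or missed a scheduled job, and the operations team would see that before the rule is pushed to a firewall or NAC. In practice the profile would also need an ageing policy so that decommissioned peers drop out, which this illustration omits.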

4. Supply Chain Contamination
The Threat Vector

Supply chain compromise reaches the OT environment before the device is even connected. When a sophisticated threat group compromises a hardware manufacturer, software vendor, or firmware repository, the malware arrives pre-installed. The day the compromised controller is connected, the dormant threat activates. The device passed every receiving inspection because the compromise occurred before it left the factory.

The Asimily Defense

ATT&CK Analysis cross-references actual device behavior against the MITRE ATT&CK for ICS framework, drawing on Asimily Labs research and 15+ threat intelligence sources, including CISA KEV, NVD, ICS-CERT, and vendor SIRTs. ATT&CK Analysis determines whether the technical prerequisites for exploitation exist in this specific network topology, so supply-chain-introduced vulnerabilities are evaluated for actual exploitability rather than a theoretical CVSS score.

ProSecure for Pre-Purchase Supply Chain Risk

Before a device is purchased, ProSecure provides a security comparison of device models, OS variants, firmware versions, and known vulnerability profiles from the same manufacturer. A procurement team can assess whether the Windows 10 variant of a controller carries meaningfully lower risk than the Windows 8 variant before the purchase order is signed, not after the device is on the network. ProSecure’s database is built from observed behavior across every device Asimily has ever seen in production environments worldwide.

Configuration Control for Post-Delivery Detection

Once a potentially compromised device is connected, Configuration Control captures its Golden Configuration State. Any deviation from that baseline (a hidden configuration change activating dormant malware, an unexpected firmware module loading, or an unauthorized process starting) is detected and flagged with a full audit trail. The baseline is also the documented recovery point if the device must be restored after a confirmed supply chain incident.
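The golden-configuration comparison that sections 1 and 4 both rely on (capture an accepted state, diff every later snapshot against it, keep an audit trail, and move the baseline forward only through an approved change) is easy to reason about in code. The script below is an added illustration written for this article, not Asimily's implementation; the PLC snapshots, hash strings, ticket number and approver names are constructed sample data, and the snapshot shape is an assumption about what an inventory tool would collect.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone


def fingerprint(config):
    """Stable hash of a configuration snapshot (canonical JSON), used as the baseline identifier."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_config(baseline, observed, path=""):
    """Recursively compare two snapshots; returns (path, baseline_value, observed_value) tuples.
    An added key has baseline_value None, a removed key has observed_value None."""
    changes = []
    for key in sorted(set(baseline) | set(observed)):
        here = f"{path}/{key}"
        if key not in baseline:
            changes.append((here, None, observed[key]))
        elif key not in observed:
            changes.append((here, baseline[key], None))
        elif isinstance(baseline[key], dict) and isinstance(observed[key], dict):
            changes.extend(diff_config(baseline[key], observed[key], here))
        elif baseline[key] != observed[key]:
            changes.append((here, baseline[key], observed[key]))
    return changes


class ConfigControl:
    """Golden-state store plus an append-only audit trail of every comparison and re-baseline."""

    def __init__(self):
        self.golden = {}
        self.audit = []

    def _log(self, event, device, **fields):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event, "device": device, **fields}
        self.audit.append(entry)
        return entry

    def capture_golden(self, device, config, approved_by):
        """Record the accepted state of a device, typically at commissioning or after a verified update."""
        self.golden[device] = copy.deepcopy(config)
        self._log("baseline", device, fingerprint=fingerprint(config), approved_by=approved_by)

    def check(self, device, observed):
        """Compare a fresh snapshot against the golden state; every check is logged, deviations included."""
        changes = diff_config(self.golden[device], observed)
        self._log("check", device, fingerprint=fingerprint(observed), deviations=changes)
        return changes

    def approve(self, device, observed, ticket, approved_by):
        """Accept a deviation as authorised (e.g. a planned firmware update) and move the baseline forward."""
        changes = self.check(device, observed)
        self._log("rebaseline", device, ticket=ticket, approved_by=approved_by, accepted=changes)
        self.golden[device] = copy.deepcopy(observed)
        return changes


# Constructed snapshots (sample data, not from a real controller).
GOLDEN_PLC = {
    "firmware": "2.8.1",
    "logic_hash": "CONSTRUCTED-LOGIC-HASH-A",
    "services": {"modbus": 502, "http": 80},
    "protection_level": "read-only",
}

# The same PLC after an unapproved file was loaded from removable media (constructed).
TAMPERED_PLC = {
    "firmware": "2.8.1",
    "logic_hash": "CONSTRUCTED-LOGIC-HASH-B",
    "services": {"modbus": 502, "http": 80, "telnet": 23},
    "protection_level": "read-write",
}

# A planned vendor firmware update: only the firmware field changes (constructed).
UPDATED_PLC = {**GOLDEN_PLC, "firmware": "2.9.0"}


def demo():
    cc = ConfigControl()
    cc.capture_golden("plc-01", GOLDEN_PLC, approved_by="commissioning")
    usb_deltas = cc.check("plc-01", TAMPERED_PLC)                       # unapproved change: three deviations
    cc.approve("plc-01", UPDATED_PLC, ticket="CHG-0042", approved_by="ot-lead")
    after_update = cc.check("plc-01", UPDATED_PLC)                      # approved state: no deviations
    return usb_deltas, after_update, cc.audit


if __name__ == "__main__":
    deltas, clean, trail = demo()
    for path, old, new in deltas:
        print(f"DEVIATION {path}: {old!r} -> {new!r}")
    print("after approved update:", clean)
    print("audit entries:", len(trail))
```

Two design points carry over to a real deployment. The audit log records the fingerprint of every snapshot checked, not only the ones that deviated, so an investigator can establish when the device was last known-good. And the baseline moves only through approve(), which ties the new golden state to a change ticket and an approver, so an authorised firmware update stops alerting while the previous state remains on record as the documented recovery point.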

5. Side-Channel Exploitation (Advanced Persistent Threats)
The Threat Vector

While rare and typically associated with nation-state espionage, side-channel attacks against air-gapped systems have been demonstrated in research and in the field. Malware can manipulate system fans, thermal sensors, or motherboard components to emit subtle acoustic, thermal, or electromagnetic signals that a nearby compromised device can capture and decode. The key prerequisite: the malware must first infect the target device.

The Asimily Defense

ATT&CK Analysis identifies the top 1% of vulnerabilities that are truly exploitable in the specific network topology, so teams can close the initial exploit path before an attacker establishes the foothold that side-channel exfiltration requires. By the time a sophisticated actor attempts to manipulate physical hardware behavior, the prior compromise that makes it possible has already been detected and contained.

Risk Simulator

Before any remediation action is taken, the Risk Simulator models the expected risk reduction of applying a specific segmentation rule, configuration change, or patch. Teams can evaluate the efficiency of proposed mitigations before committing time and resources, and produce defensible evidence for why the prioritization decisions were made in the order they were.

Visibility You Can Act On

An air gap is only as secure as every human decision made around it. The five vectors above share one root cause: operational convenience erodes physical isolation over time. The durable answer is continuous, authoritative visibility into every device, protocol, and communication across your IoT, OT, IoMT, and IT estate, combined with the ability to act on that visibility without disrupting the operations that depend on it. Stricter discipline helps, but it cannot scale to catch every shadow connection or contaminated device.

Asimily’s Proactive Cyber Asset Defense Platform delivers exactly that. Configuration Control maintains Golden Configuration State baselines for every connected device. ATT&CK Analysis reduces your vulnerability set to the exploitable 1% that actually requires action. Segmentation Orchestration generates and enforces least-privilege policies derived from observed device behavior. Native packet capture provides the forensic capability that no other connected device security platform offers.

When something crosses your air gap, Asimily sees it.

SEE WHAT IS CROSSING YOUR AIR GAP: Request a Custom Demo of the Asimily Platform today.
