The Air Gap in OT: Is It Real or Myth?

We didn’t lose the air gap—we gave it away.

At the start, OT systems weren’t connected to anything:
– No Internet.
– No cloud.
– No remote vendors.
Isolation wasn’t a security strategy—it was just how things worked.

But we changed that. One small connection at a time:
– Needed a dashboard? Connect to IT.
– Needed remote support? Add a VPN.
– Needed to export reports? Drop in a modem.

Now, most ICS environments that claim to be air-gapped… aren’t.

Real-World Lessons

  • 2013 → HAVEX: trojanized installers on ICS vendor download sites delivered a RAT with an OPC scanning module, so the "trusted" vendor channel itself became the entry point
  • 2021 → Colonial Pipeline: DarkSide ransomware got in through a legacy VPN account with no MFA, and pipeline operations were shut down even though the OT network was not confirmed compromised
  • 2023 → Cyber Av3ngers: Unitronics PLCs reachable from the Internet with default credentials were defaced at water utilities

Don’t Trust the Perimeter. You Need:

  • Passive monitoring in OT
  • Logging of all remote access
  • MFA and hardened endpoints
  • Deep inspection at IT/OT boundary

Assume you’re connected. Then secure like it.


You Should Know:

1. Passive Monitoring in OT

Use tools like Zeek or Wireshark/tshark to inspect OT traffic from a SPAN or TAP port, so the sensor only listens and never injects anything into the control network:

# Monitor traffic on interface eth0; -C ignores bad checksums, which are common on mirrored ports
zeek -i eth0 -C
# Show only traffic the Modbus/TCP dissector recognises (TCP port 502 by default)
tshark -i eth0 -Y "modbus"
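Filtering for Modbus is the first step; the question a passive monitor has to answer is who is writing to the PLCs. The following is an added example, not code from the original post: it parses Modbus/TCP frames (7-byte MBAP header plus PDU) and raises an alert for any write function code sent by a host outside an allow-list, plus any frame that does not parse as Modbus. The addresses, the single allowed writer (10.1.1.20, an assumed engineering workstation) and the sample frames are all constructed.

```python
"""Passive detection of Modbus/TCP writes from unexpected hosts.

Added example, not code from the original post. It parses Modbus/TCP
frames (MBAP header + PDU) the way a passive monitor would and flags
write function codes sent by hosts outside an allow-list. Addresses,
the allow-list and the sample frames are constructed.
"""
import struct
from dataclasses import dataclass

# Function codes that change PLC state; reads (FC 1-4) are not alerted on.
MODBUS_WRITE_FCS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Assumed: only the engineering workstation may write to PLCs.
ALLOWED_WRITERS = {"10.1.1.20"}


@dataclass
class ModbusPDU:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusPDU:
    """Parse the 7-byte MBAP header and the PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    return ModbusPDU(tid, unit, frame[7], frame[8:])


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request (used only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect_frames(frames):
    """Return alert strings for (src_ip, dst_ip, frame) tuples from a capture."""
    alerts = []
    for src, dst, raw in frames:
        try:
            pdu = parse_modbus_tcp(raw)
        except ValueError as err:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({err})")
            continue
        if pdu.function_code in MODBUS_WRITE_FCS and src not in ALLOWED_WRITERS:
            name = MODBUS_WRITE_FCS[pdu.function_code]
            alerts.append(
                f"{src}->{dst}: {name} (FC {pdu.function_code}) to unit "
                f"{pdu.unit_id} from host not allowed to write"
            )
    return alerts


# Constructed sample: HMI reads, engineering station writes, an unknown host
# writes, and one frame carrying a bogus protocol id.
SAMPLE_FRAMES = [
    ("10.1.1.10", "10.1.2.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.1.1.20", "10.1.2.5", build_frame(2, 1, 16, struct.pack(">HHBH", 100, 1, 2, 500))),
    ("10.1.1.99", "10.1.2.5", build_frame(3, 1, 6, struct.pack(">HH", 100, 0))),
    ("10.1.1.99", "10.1.2.5", b"\x00\x04\x00\x01\x00\x02\x01\x03"),
]

if __name__ == "__main__":
    for alert in inspect_frames(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

In a real deployment the (src, dst, frame) tuples would come from the TCP payloads Zeek or tshark extract from the mirrored traffic; the allow-list is the piece that has to be maintained, because a write from an unexpected host is indistinguishable on the wire from a legitimate one.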

2. Logging Remote Access

Ensure all remote sessions (SSH, RDP) are logged. For OpenSSH, set the following in /etc/ssh/sshd_config and reload sshd; VERBOSE is what makes sshd record the public-key fingerprint of each accepted login, so a shared account can still be tied to a specific key holder:

# /etc/ssh/sshd_config
LogLevel VERBOSE
SyslogFacility AUTH

For RDP, collect Windows Security event 4624 (logon type 10) and the TerminalServices-LocalSessionManager events 21, 24 and 25 (session logon, disconnect and reconnect), and forward them off the host.
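The following is an added example, not code from the original post, showing what the VERBOSE fingerprint buys you: it parses constructed sshd log lines, attributes each accepted login to a person through a key inventory, and flags password logins, unknown keys and sources that are not the approved jump host. The inventory, the allowed source (10.1.1.20) and the log lines themselves are made up.

```python
"""Attributing SSH logins with the fingerprints that LogLevel VERBOSE records.

Added example, not code from the original post. With LogLevel VERBOSE,
OpenSSH logs the public-key fingerprint of every accepted login, which is
what lets a shared account such as "opsadmin" be tied to a named person.
The key inventory, allowed jump host and log lines below are constructed.
"""
import re

# "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> SHA256:<fp>]"
# The trailing key part only appears when LogLevel is VERBOSE.
LOGIN_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)

# Assumed inventory: fingerprint -> person/device the key was issued to.
KNOWN_KEYS = {
    "SHA256:k1aL1c3EnGwOrKsTaTiOnKeY0000000000000000000": "alice (engineering workstation)",
}
# Assumed: the only approved path into OT is the engineering workstation.
ALLOWED_SOURCES = {"10.1.1.20"}


def audit_ssh_logins(lines):
    """Return one record per accepted login, with the policy violations found."""
    records = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failures, disconnects and PAM lines are not logins
        reasons = []
        if m["method"] != "publickey":
            reasons.append(f"{m['method']} authentication used; keys only")
        elif m["fp"] not in KNOWN_KEYS:
            reasons.append("key fingerprint missing or not in inventory")
        if m["ip"] not in ALLOWED_SOURCES:
            reasons.append("source is not an approved jump host")
        records.append({
            "user": m["user"],
            "src": m["ip"],
            "identity": KNOWN_KEYS.get(m["fp"], "unattributed"),
            "reasons": reasons,
        })
    return records


# Constructed sample of /var/log/auth.log lines with LogLevel VERBOSE.
SAMPLE_AUTH_LOG = [
    "Mar 12 02:14:07 hist01 sshd[4112]: Accepted publickey for opsadmin from 10.1.1.20 port 50122 ssh2: ED25519 SHA256:k1aL1c3EnGwOrKsTaTiOnKeY0000000000000000000",
    "Mar 12 02:14:07 hist01 sshd[4112]: pam_unix(sshd:session): session opened for user opsadmin(uid=1001) by (uid=0)",
    "Mar 12 14:52:31 hist01 sshd[5230]: Accepted publickey for opsadmin from 10.1.1.20 port 50410 ssh2: ED25519 SHA256:uNkN0wNkEyN0tInInV3nT0rY0000000000000000000",
    "Mar 12 14:53:02 hist01 sshd[5241]: Accepted password for vendor from 198.51.100.7 port 61000 ssh2",
    "Mar 12 14:55:10 hist01 sshd[5260]: Failed password for invalid user admin from 198.51.100.7 port 61012 ssh2",
]

if __name__ == "__main__":
    for rec in audit_ssh_logins(SAMPLE_AUTH_LOG):
        status = "OK   " if not rec["reasons"] else "ALERT"
        print(status, rec["user"], "from", rec["src"], "as", rec["identity"],
              "; ".join(rec["reasons"]))
```

Without VERBOSE the "ssh2: ED25519 SHA256:..." tail is absent from the log line, the fingerprint group is empty, and every login on a shared account collapses to "unattributed", which is exactly the gap this setting closes.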

3. Hardening Endpoints

Disable unnecessary services on Windows OT systems. Run from an elevated PowerShell, and test on a non-production host first: some older vendor software still depends on SMBv1.

# Remove the SMBv1 protocol (legacy, with well-known weaknesses)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Turn on the host firewall for every network profile
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

4. Deep Packet Inspection (DPI)

Use Snort or Suricata at the IT/OT boundary to detect malicious traffic. Suricata ships application-layer parsers for Modbus, DNP3 and ENIP/CIP, so rules can match on function codes rather than raw bytes; note that no alert fires until a rule set has been loaded (for example with suricata-update):

# Run Suricata as an IDS on eth0 with the default configuration
suricata -c /etc/suricata/suricata.yaml -i eth0

5. Air-Gap Verification

Check for unintended network connections. Note that netstat's -l flag shows listening sockets only; drop it to also see established connections:

# Listening sockets and established connections, with the owning process
netstat -tunap
# Inspect firewall rules
iptables -L -v -n
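Reading that output by eye does not scale across a plant, and a listening-socket list alone misses the most common leak, a default route. The following is an added example, not code from the original post: it parses the text printed by `ip route` and `ss -tunap` (constructed samples are embedded) and reports whatever contradicts an isolated OT host: a default route, established connections to peers outside the OT address range, and services bound to every interface. The OT range (10.1.0.0/16), the addresses and the process names are assumed.

```python
"""Air-gap verification from a host's route table and socket list.

Added example, not code from the original post. It parses the output
of `ip route` and `ss -tunap` (constructed samples below) and reports
what contradicts an isolated OT host: a default route, established
connections to addresses outside the OT ranges, and services listening
on every interface. The OT range, addresses and process names are assumed.
"""
import ipaddress

OT_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]  # assumed OT address space

# Constructed `ip route` output: a default gateway on a supposedly isolated host.
SAMPLE_IP_ROUTE = """\
default via 10.1.1.1 dev eth0 proto static
10.1.0.0/16 dev eth0 proto kernel scope link src 10.1.1.10
"""

# Constructed `ss -tunap` output.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   ESTAB  0      0      10.1.1.10:41022     10.1.2.5:502      users:(("hmi",pid=1200,fd=7))
tcp   ESTAB  0      0      10.1.1.10:50312     203.0.113.45:443  users:(("vendor-agent",pid=2210,fd=4))
tcp   LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
"""


def _split_hostport(addr: str):
    """Split 'host:port', tolerating IPv6 '[::]:22' and wildcard '*:*'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def check_routes(ip_route_output: str) -> list:
    """Flag any default route: the host can send traffic off its own subnet."""
    findings = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "default":
            via = fields[fields.index("via") + 1] if "via" in fields else "?"
            dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
            findings.append(f"default route via {via} on {dev}: traffic can leave the OT subnet")
    return findings


def check_sockets(ss_output: str) -> list:
    """Flag off-range peers and wildcard-bound listeners in `ss -tunap` output."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        netid, state, local, peer = fields[0], fields[1], fields[4], fields[5]
        process = fields[6] if len(fields) > 6 else "-"
        lhost, lport = _split_hostport(local)
        phost, pport = _split_hostport(peer)
        if state == "ESTAB":
            if not any(ipaddress.ip_address(phost) in net for net in OT_NETWORKS):
                findings.append(f"established {netid} connection to {phost}:{pport} outside OT ranges ({process})")
        elif state in ("LISTEN", "UNCONN") and lhost in ("0.0.0.0", "::", "*"):
            findings.append(f"{netid}/{lport} listening on all interfaces ({process})")
    return findings


def verify_air_gap(ip_route_output: str, ss_output: str) -> list:
    """Combine both checks; an empty list is what a genuinely isolated host returns."""
    return check_routes(ip_route_output) + check_sockets(ss_output)


if __name__ == "__main__":
    for finding in verify_air_gap(SAMPLE_IP_ROUTE, SAMPLE_SS):
        print("FINDING:", finding)
```

Run against real hosts, the two strings would be the captured stdout of `ip route` and `ss -tunap`; the point of scripting it is that "air-gapped" becomes a claim you re-check on every host after every vendor visit, rather than a label on a network diagram.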

What Undercode Say:

The myth of the air gap persists because convenience often trumps security. Modern OT systems are rarely truly isolated—vendors, contractors, and operational demands erode the perimeter. Instead of relying on isolation, implement:
– Network segmentation (VLANs, firewalls)
– Strict access controls (RBAC, Zero Trust)
– Continuous monitoring (SIEM, IDS)

Key Commands for OT Security:

# Check for rogue devices on the local segment (ARP sweep; requires root)
arp-scan --localnet

# Verify file integrity against the vendor-published hash (critical for ICS firmware)
sha256sum /path/to/firmware.bin

# Monitor process behavior: confirm only the expected SCADA processes are running
ps aux | grep -i "scada"

Expected Output:

A secure OT environment requires visibility, logging, and proactive defense—not blind trust in isolation.

Prediction:

As OT systems increasingly integrate with IT and cloud platforms, attacks like HAVEX and Colonial Pipeline will escalate. Organizations must shift from “air-gapped” assumptions to active defense strategies.


References:

Reported By: Zakharb New – Hackers Feeds
