Air Gaps and OT Security in the Zero Trust Era

OT security has always rested on a core assumption: if a system is physically separated, it is safe. For years, the air gap represented real certainty. No routable path, no shared infrastructure, no logical bridge — and no external attack surface to speak of. In safety-critical industrial environments, that clarity mattered.

But the industrial world faces relentless connectivity pressure. Operational data feeds enterprise dashboards. Predictive maintenance depends on telemetry aggregation. Vendors expect remote access. Even highly sensitive workloads now intersect with tightly controlled cloud environments. This creates a tension many organisations haven’t fully resolved: if cables are connected, tokens are issued, and telemetry flows outward, what does “isolated” really mean anymore?


Why OT Is Connecting More Than Ever

Industrial operators face relentless pressure to optimise uptime, reduce maintenance costs, and increase output predictability. Predictive maintenance platforms depend on streaming telemetry from PLCs and sensors into centralised analytics engines. Energy operators aggregate operational data to manage load balancing in real time. Manufacturing groups consolidate multi-site visibility into enterprise dashboards to compare performance and reduce inefficiencies.

Executives expect operational data to inform financial and supply chain decisions. In many sectors, regulators increasingly demand reporting and auditability that depend on digital traceability.

Under those conditions, a fully air-gapped architecture becomes difficult to justify for most systems. Physical separation can mean slower troubleshooting, delayed upgrades, duplicated infrastructure, and reduced operational agility. The business case for selective connectivity is often compelling.

That is the key word: selective.

But selective connectivity accumulates over time. What begins as a controlled bridge for telemetry or remote support gradually expands into a mesh of interdependencies. The industrial environment remains segmented, but it is no longer static. It is dynamically connected, and those connections continue to grow in number and complexity.

That is now the business reality. The question is how you manage the risk that comes with that connectivity once physical isolation is no longer the default posture.


Logical Segmentation Is Not an Air Gap

An air gap, in its strictest sense, is physical. The separation is literal, enforced by the absence of connectivity. Logical segmentation is different. It relies on configuration, policy, and enforcement rather than physical absence.

VLANs, firewalls, jump hosts, dedicated fibre links, identity-based access controls, and Zero Trust overlays are all powerful mechanisms for logical segmentation. But they are mechanisms that assume correctness. They assume that rules are written accurately, that credentials are scoped properly, that tokens expire as intended, and that monitoring detects misuse.

The mistake many organisations make is treating these controls as virtual air gaps. They are not. A firewall rule can be misconfigured. A segmentation boundary can be bypassed through an overlooked routing path. A privileged identity can bridge environments in seconds if governance fails. Even a “dedicated” line still represents a physical pathway that exists and can be leveraged if compromised.

Zero Trust architectures are often cited as the modern answer to isolation. Properly implemented, they reduce implicit trust and enforce strict access validation. But rather than eliminating connectivity, they manage it more strictly. Zero Trust replaces distance with identity and policy. That is a meaningful shift — but it also means that isolation now depends on the strength of identity governance, configuration discipline, and continuous monitoring.

Recent CISA guidance on adapting Zero Trust principles to operational technology makes this shift explicit. It notes that network segmentation often serves as “the primary line of defence in OT environments.” That framing is telling. It reflects a reality in which physical separation is no longer the default protection model for most systems. Instead, layered segmentation — properly designed and continuously validated — carries the burden of modern isolation.

If segmentation is the primary line of defence, then the question becomes: how mature is your segmentation strategy? Is it documented? Regularly reviewed? Actively monitored? Tested against lateral movement scenarios?
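One way to make "regularly reviewed" concrete is to audit the boundary rule set mechanically rather than by eye. The script below is an added example, not tooling from the article or from CISA: it takes a constructed, vendor-neutral zone-based rule list and flags the failure modes the section describes, an IT-to-OT allow that does not originate from an approved jump host, an IT-to-OT allow with no port restriction, an any/any/any allow that makes the boundary nominal, and an outbound OT flow to a destination outside the approved telemetry sinks. The zone names, jump-host address, sink networks and rule format are all assumptions chosen for the example.

```python
"""Audit zone-based firewall rules at an IT/OT boundary.

Added example. Zone names, approved hosts and the Rule format are
constructed for illustration and do not follow any vendor's syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone model (assumption): which zones count as IT, OT, external.
IT_ZONES = {"corp", "dmz"}
OT_ZONES = {"ot-l3", "ot-l2", "ot-l1"}
EXTERNAL_ZONES = {"internet"}

# Assumed policy: the only permitted IT->OT entry point is the jump host,
# and OT may only send outbound data to these telemetry sinks.
APPROVED_JUMP_HOSTS = {ip_network("10.20.5.10/32")}
APPROVED_TELEMETRY_SINKS = {ip_network("10.20.8.0/24"), ip_network("203.0.113.40/32")}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    ports: str    # e.g. "443", "3389", or "any"
    action: str   # "allow" or "deny"


def _covered(cidr: str, allowed: set) -> bool:
    """True if cidr lies entirely inside one allowed network; 'any' never does."""
    if cidr == "any":
        return False
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(a) for a in allowed)


def audit_rules(rules) -> list:
    """Return (rule name, finding) pairs for every allow rule that weakens the boundary."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        it_to_ot = r.src_zone in IT_ZONES and r.dst_zone in OT_ZONES
        ot_out = r.src_zone in OT_ZONES and r.dst_zone in (IT_ZONES | EXTERNAL_ZONES)
        if r.src == "any" and r.dst == "any" and r.ports == "any":
            findings.append((r.name, "any/any/any allow: the segmentation boundary is nominal"))
        if it_to_ot and not _covered(r.src, APPROVED_JUMP_HOSTS):
            findings.append((r.name, "IT->OT path not originating from an approved jump host"))
        if it_to_ot and r.ports == "any":
            findings.append((r.name, "IT->OT allow with no port restriction"))
        if ot_out and not _covered(r.dst, APPROVED_TELEMETRY_SINKS):
            findings.append((r.name, "outbound OT flow to a destination outside approved telemetry sinks"))
    return findings


# Constructed sample rule set: a sane jump-host rule, a historian pull that
# grew too broad, a "temporary" vendor rule that never went away, one good
# telemetry export, and one cloud export with an unbounded destination.
SAMPLE_RULES = [
    Rule("jump-to-hmi", "corp", "ot-l3", "10.20.5.10/32", "10.30.3.0/24", "3389", "allow"),
    Rule("historian-pull", "corp", "ot-l3", "10.20.7.0/24", "10.30.3.20/32", "any", "allow"),
    Rule("vendor-temp-2023", "dmz", "ot-l2", "any", "10.30.2.0/24", "any", "allow"),
    Rule("telemetry-out", "ot-l3", "corp", "10.30.3.20/32", "10.20.8.15/32", "443", "allow"),
    Rule("cloud-analytics", "ot-l3", "internet", "10.30.3.20/32", "any", "443", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run against a real export, this kind of check belongs in the same review cadence as the rules themselves; a rule that passed review in 2023 with a narrow source may have been widened since, and only the current rule set tells you that.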


Even Air Gaps Depend on Trust

It is tempting to treat the air gap as a relic — something modern architectures and business pressures have rendered obsolete. That would be a mistake. Physical isolation remains one of the strongest security controls available. Systems that truly cannot be reached over a network eliminate entire classes of remote attack.

But physical separation has never meant immunity. It simply shifts where risk resides.

Air-gapped environments still depend on people, process, and supply chain integrity. Removable media crosses boundaries, as Stuxnet demonstrated years ago in Iran. Maintenance laptops enter secure zones. Firmware updates arrive from external vendors. Contractors plug in diagnostic equipment. At each of these touchpoints, the protection rests on trust in a person or a procedure rather than on the absence of a connection.

This is why air gaps should not be framed as redundant — but as deliberate. They carry operational costs. They complicate maintenance, slow troubleshooting, and limit data visibility. In most industrial environments, those trade-offs are difficult to justify at scale. However, in systems where compromise carries existential or safety-critical consequences, physical isolation still deserves serious consideration.

The examples are clear: nuclear control systems, classified intelligence infrastructure, military command-and-control networks, and certain safety-critical industrial control environments where a malfunction could result in catastrophic physical harm. In these domains, the operational friction of physical separation may be fully warranted.

For most organisations, however, the question is which systems genuinely require it. That decision demands a sober assessment of sensitivity, safety impact, regulatory exposure, and national or economic consequence.


What This Means for Leaders of Industrial Operations and Security

If isolation is now more often architectural rather than purely physical, leaders need to treat it as an active control objective rather than a legacy assumption.

Map every connectivity path between IT and OT.

Don’t rely on network diagrams created years ago. Identify VPN tunnels, jump hosts, telemetry pipelines, API integrations, vendor gateways, and temporary project bridges that may have become permanent. Connectivity in industrial environments tends to accumulate quietly over time. You cannot secure what you have not fully enumerated.

Inventory identity relationships, not just IP routes.

In hybrid architectures, the most meaningful bridges are often identity-based. Service accounts, shared credentials, privileged tokens, and federated authentication pathways can connect environments that appear segmented on a network diagram. Treat identity governance as seriously as physical segmentation.

Review vendor and contractor remote access controls.

Remote diagnostics and third-party maintenance are now routine. Ensure access is time-bound, least-privileged, and logged. Remove standing credentials. Periodically verify that accounts created for “temporary” projects are no longer active. Remote access is often the most direct operational bridge across OT boundaries.
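The two recommendations above, inventorying identity relationships and reviewing vendor access, can be driven from the same account inventory. The review below is an added example, not the article's or any IAM product's tooling, and the account fields and zone names are assumptions. It flags identities that can authenticate into both an IT and an OT zone (the bridge that does not show on a network diagram), vendor accounts with no expiry (standing credentials), accounts whose expiry has passed but which are still enabled (the "temporary" project that became permanent), shared accounts with no individual accountability, and OT-reaching accounts that have not been used within the review window.

```python
"""Review OT-reaching accounts for bridging, standing, expired and stale access.

Added example over a constructed inventory. Field names and zone labels
are assumptions, not the export format of any particular IAM system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

IT_ZONES = {"corp", "dmz"}
OT_ZONES = {"ot-l3", "ot-l2", "ot-l1"}


@dataclass
class Account:
    name: str
    kind: str                   # "human", "service", "vendor", "shared"
    zones: set                  # zones the account can authenticate into
    enabled: bool
    expires: Optional[date]     # None means no expiry: a standing credential
    last_used: Optional[date]   # None means never observed in logs
    purpose: str = ""


def review(accounts, today: date, stale_after: timedelta = timedelta(days=90)) -> list:
    """Return (account name, finding) pairs for enabled accounts that can reach OT."""
    findings = []
    for a in accounts:
        if not a.enabled or not (a.zones & OT_ZONES):
            continue
        if a.zones & IT_ZONES:
            findings.append((a.name, "identity bridges IT and OT zones"))
        if a.kind == "vendor" and a.expires is None:
            findings.append((a.name, "vendor access with no expiry (standing credential)"))
        if a.kind == "shared":
            findings.append((a.name, "shared credential: no individual accountability"))
        if a.expires is not None and a.expires < today:
            findings.append((a.name, "expired but still enabled"))
        if a.last_used is None or today - a.last_used > stale_after:
            findings.append((a.name, "not used within the review window; remove or justify"))
    return findings


# Constructed sample inventory for a review dated 2025-03-01.
TODAY = date(2025, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("svc-historian", "service", {"corp", "ot-l3"}, True, None, date(2025, 2, 28), "historian replication"),
    Account("vendor-acme-remote", "vendor", {"ot-l2"}, True, None, date(2025, 2, 20), "PLC diagnostics"),
    Account("proj-upgrade-2023", "vendor", {"ot-l3"}, True, date(2023, 12, 31), date(2023, 11, 2), "temporary project"),
    Account("eng-jdoe", "human", {"ot-l3"}, True, date(2025, 12, 31), date(2025, 2, 27), "controls engineer"),
    Account("shared-hmi-operator", "shared", {"ot-l1"}, True, None, date(2025, 2, 28), "HMI login"),
    Account("old-contractor", "vendor", {"ot-l3"}, False, None, None, "already disabled"),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_ACCOUNTS, TODAY):
        print(f"{name}: {finding}")
```

The service account is the interesting case: it is in date, in use and correctly scoped for its job, yet it is the one identity here that can log in on both sides of the boundary. Whether that is acceptable is a design decision; the point is that a route-based inventory would never have surfaced it.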

Monitor outbound telemetry flows as carefully as inbound traffic.

Many industrial organisations focus heavily on preventing inbound intrusion while overlooking outbound data paths. Telemetry streams to cloud analytics platforms, enterprise dashboards, or external partners can create indirect exposure. Validate encryption, authentication, and logging for those outbound channels.

Conduct architectural reviews when deploying Zero Trust overlays in hybrid environments.

Zero Trust can significantly improve control maturity, but layering it onto existing IT/OT architectures without a structured review can introduce unexpected dependencies. Assess not only policy enforcement but also how identity, segmentation, and monitoring interact across environments.

Treat vulnerability management as a discipline, not a schedule.

Patch management in industrial systems is fundamentally different from IT. In connected environments, updates may flow automatically through centralised platforms. In air-gapped or highly restricted environments, patching becomes a controlled logistical process: download, hash verification, malware scanning, formal approval, staged testing, physical transfer via controlled media, and revalidation before deployment. Each step matters.
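The hash-verification and revalidation steps in that process are where a script earns its keep. The example below is added here and is not the article's or any vendor's tooling: the staging side builds a SHA-256 manifest of everything that is supposed to be on the transfer media, and the OT side verifies the media against it, rejecting a modified file, a missing file, or any file that is present but not listed. It assumes the manifest reaches the OT side through a channel separate from the media, for instance attached to the formal approval record; a manifest carried on the same USB stick proves nothing if the stick is hostile. Paths, file names and contents in `demo()` are constructed.

```python
"""Build and verify a SHA-256 manifest for patches carried across an air gap.

Added example. Assumes the manifest is approved and delivered separately
from the media (e.g. with the approval record), so that the media cannot
vouch for itself. File names and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> str:
    """Staging side: one 'hexdigest  relative/path' line per file, sorted by path."""
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}")
    return "\n".join(lines) + "\n"


def verify_media(root: Path, manifest: str) -> dict:
    """OT side: every listed file must match, and nothing unlisted may be present."""
    expected = {}
    for line in manifest.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    # Anything on the media that approval never covered is a reason to stop.
    result["unexpected"] = sorted(set(present) - set(expected))
    result["accepted"] = not (result["modified"] or result["missing"] or result["unexpected"])
    return result


def demo() -> tuple:
    """Constructed walk-through: a clean transfer, then the same media tampered with."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "firmware").mkdir()
        (root / "firmware" / "plc-v2.14.bin").write_bytes(b"\x7fELF" + b"\x00" * 64)
        (root / "release-notes.txt").write_text("constructed sample release notes\n")
        manifest = build_manifest(root)          # produced and approved on the staging side
        clean = verify_media(root, manifest)     # checked again on the OT side
        # Simulate hostile media: one listed file altered, one unlisted file added.
        (root / "firmware" / "plc-v2.14.bin").write_bytes(b"\x7fELF" + b"\x00" * 63 + b"\x01")
        (root / "unlisted-tool.exe").write_bytes(b"MZ" + b"\x90" * 16)
        tampered = verify_media(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean media accepted:", clean["accepted"])
    print("tampered media accepted:", tampered["accepted"], tampered)
```

The "unexpected" check is the one most often left out of ad hoc procedures, and it is the one that matters most for removable media: a matching hash on the approved file says nothing about the other files the stick acquired on the way in.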


Rethinking OT Security in a Connected Era

The environments that air gaps were originally designed to protect have evolved. The air gap is not dead — but it is no longer as easy to justify, and for most operational environments it is no longer the default. Organisations that manage this reality well do not treat isolation as a binary claim. They treat it as a continuously enforced control set.

Where true physical separation is warranted, they preserve it without compromise. Where connectivity is operationally necessary, they govern that gap with equal rigour — through segmentation discipline, identity governance, continuous monitoring, and regular validation.

Sustaining either model demands defence-in-depth that does not rely on network topology alone. As OT and IT continue to converge, independent validation becomes critical. DIESEC’s penetration testing and red teaming services help industrial organisations test these increasingly connected architectures under realistic adversarial conditions — identifying weaknesses across physical, logical, and procedural boundaries before they are exploited in the real world.

Contact us to learn more.