WE DON'T NEED PEN TESTING — WE'RE AIR GAPPED
Air gaps erode. Testing confirms whether yours still exists.
No statement in industrial cybersecurity is more likely to precede a serious incident than 'we are air gapped.' The assumption of isolation substitutes for the verification of isolation, and in the gap between those two things, attackers have repeatedly found everything they needed.
An Air Gap Is an Architecture Claim, Not a Security Guarantee
An air gap, in its purest definition, is a complete physical separation between two networks with no electronic path between them. In theory, a true air gap prevents all remote network-based attacks. In practice, true air gaps are extraordinarily rare in operational industrial environments — and the environments that claim to have them are frequently surprised by what a methodical assessment finds.
The reasons are structural. Modern OT environments require data to move: historian data goes to enterprise reporting systems, engineering workstations receive firmware updates, vendor technicians need to push configuration changes, and safety system vendors perform remote diagnostics. Every one of these requirements creates a potential bridge across the supposed gap. Over time, as operational pressures accumulate, these bridges multiply, and the documentation of what is connected to what falls behind the reality of what is actually connected.
Penetration testing does not assume an air gap is false. It verifies whether the claim is true — and if it is not, it identifies every path that crosses the boundary before an adversary does.
Stuxnet compromised uranium enrichment centrifuges at Natanz — one of the most physically isolated facilities in the world — via infected USB drives introduced by contractors and engineers. The air gap was real. It did not matter.
When Isolation Was Not Enough
Stuxnet crossed the air gap at Iran's Natanz enrichment facility via infected USB drives, demonstrating that physical network separation provides no protection against removable media, compromised supply chain equipment, or insider-introduced malware.
Attackers used spear-phishing to compromise the business network of a German steel plant, then moved laterally to OT systems through what was believed to be an adequately segmented architecture. The blast furnace could not be properly shut down, causing significant physical damage.
The TRITON attack on a Middle Eastern petrochemical facility reached the Safety Instrumented System — a component considered the last line of defence and assumed by many to be architecturally isolated. The attacker had been present in the environment for over a year before being detected.
While Colonial Pipeline's OT systems were not directly compromised, the ransomware attack on IT systems caused the operator to proactively shut down OT pipeline operations — demonstrating that a cyber event does not need to cross the air gap to cause operational consequences.
CISA and NSA advisories revealed Chinese state-sponsored actors had pre-positioned in IT systems adjacent to OT networks in US critical infrastructure — waiting, with persistent access, for a moment of operational or geopolitical value to cross the final boundary.
What Assessors Discover in 'Air-Gapped' Environments
OT penetration testing and security assessments in environments that claim air-gap status consistently find the same categories of undocumented connectivity. Wireless access points installed by a vendor for a diagnostic session and never removed. Historian servers with dual network interfaces — one on the OT network, one on the corporate LAN — because it was operationally convenient when the system was commissioned. Cellular modems installed on remote RTUs by a field technician who needed remote access during a maintenance window and never reported the installation.
Beyond undocumented network paths, assessors find the vulnerabilities that exist inside the supposedly isolated environment: flat internal OT networks where any compromised device has unrestricted access to every other device, default credentials on every PLC and HMI, unpatched firmware with known remote code execution vulnerabilities, and engineering workstations running end-of-life operating systems because updating them would require a change management process that nobody has initiated in years.
The argument 'we do not need penetration testing because we are air gapped' makes two simultaneous errors. First, it assumes the air gap is intact and verified — which testing frequently disproves. Second, it assumes that if the air gap were intact, the environment inside it would be secure — which it almost never is. An insider, a compromised contractor, or a malicious USB device only needs what is inside the gap to cause serious harm.
Organisational Barriers to Honest Air Gap Assessment
The air gap myth persists not because organisations are uninformed but because the myth is operationally convenient. Believing the air gap is intact removes the obligation to do difficult and disruptive security work. These are the forces that sustain the belief.
The Air Gap Has Never Been Formally Verified
Many organisations have never conducted a methodical network mapping exercise to confirm what is and is not connected to their OT network. The air gap claim is inherited from the original system design — which may be years or decades old and may never have accurately reflected operational reality.
Penetration Testing Is Perceived as a Disruption Risk
OT operators rightly worry that active testing could disrupt sensitive control system communications and cause process upsets. This legitimate concern is frequently used to block all testing entirely, rather than to design a testing methodology that manages the risk appropriately.
Vendor and Contractor Access Is Not Tracked
Vendor technicians routinely install remote access tools, wireless adapters, and temporary network connections without formal change management. Without a systematic review of what has been installed and left behind, the air gap boundary is unknown to the asset owner.
The Insider Threat Is Underweighted
Air gap thinking is almost entirely focused on external attackers. It provides no defence against a malicious or compromised insider, a supply chain-compromised component, or a vendor-introduced USB device — all of which have been the initial access vector in major OT incidents.
Security Budget Is Prioritised Elsewhere
Organisations that believe the air gap provides adequate protection direct security investment toward IT environments and perimeter controls. OT-specific testing, monitoring, and hardening are deprioritised on the basis that the air gap makes them unnecessary.
Air Gap Assumption vs. Verified Isolation
Verified Isolation Looks Like
- Annual network boundary verification via passive discovery and firewall log analysis
- Formal change management for any connection request crossing the OT boundary
- Removable media controls with device whitelisting on all OT endpoints
- Vendor access register with audit trail for all physical and logical access
- Internal OT pen test scoped to insider and supply chain threat models
Air Gap Assumption Looks Like
- Network diagram from the original system commissioning treated as current truth
- No formal process for tracking vendor-installed connectivity
- USB ports open on engineering workstations with no media scanning
- No audit log of who has had physical access to OT systems and when
- No internal testing on the grounds that external attackers cannot reach the network
How to Conduct OT Penetration Testing Without Disrupting Operations
The legitimate concern about disruption risk from OT penetration testing is manageable with appropriate methodology. OT-specific testing is fundamentally different from IT penetration testing in its tooling, pace, and scope. Active exploitation of production OT devices is rarely necessary or appropriate — the most valuable findings in OT assessments come from passive network analysis, configuration review, architecture assessment, and controlled testing on offline or staging assets.
A well-scoped OT security assessment begins with passive network discovery, which generates no traffic that could disrupt industrial communications. Architecture and configuration review identifies the same high-risk exposures — default credentials, flat networks, unpatched firmware, undocumented remote access — without touching live process control data. Where active testing is required, it should be conducted during planned maintenance windows with operations team involvement and a clear rollback plan.
The output of this assessment is not a list of theoretical vulnerabilities. It is a verified picture of what an insider, a compromised vendor, or an attacker who has already crossed the perimeter could do within the environment — and that picture is precisely what the air gap assumption was preventing anyone from looking at.
From Air Gap Assumption to Verified Security Posture
The goal is not to prove the air gap is broken. It is to replace assumption with evidence — and to understand what security controls are actually needed given what the evidence shows.
Phase 1: Verify the Boundary
Conduct a passive network discovery and firewall log analysis to produce an evidence-based map of what is and is not connected to the OT environment. Compare against official network diagrams and document all discrepancies.
Phase 2: Assess Internal Exposure
Evaluate the security posture inside the OT boundary against the insider and supply chain threat models. This is the testing the air gap assumption has been preventing — and it is the most operationally relevant assessment an OT environment can receive.
Phase 3: Harden and Govern
Address the findings from Phases 1 and 2 and establish the governance processes that prevent the boundary from silently eroding again over time.
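As an added illustration of the boundary verification step (this is example code written for this page, not the article's or any vendor's tooling): the script below takes constructed passive ARP observations and firewall log lines, compares them with a constructed as-commissioned inventory and approved-flow list, and reports the three discrepancies the assessment is looking for: a dual-homed host, a device absent from the diagram, and a cross-zone flow nobody approved. Zone ranges, hostnames, MAC addresses and the key=value log format are all hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed zone definitions and as-commissioned inventory (hypothetical values).
ZONES = {"OT": ipaddress.ip_network("10.10.0.0/16"),
         "CORP": ipaddress.ip_network("192.168.0.0/16")}
INVENTORY = {  # MAC -> (hostname, zone) as drawn on the official network diagram
    "00:11:22:00:00:01": ("plc-01", "OT"),
    "00:11:22:00:00:03": ("historian-01", "OT"),
    "00:11:22:00:00:10": ("report-01", "CORP"),
}
APPROVED_FLOWS = {("historian-01", "report-01", 443)}  # change-managed boundary crossings

# Constructed observations: passive ARP captures (mac, ip) and firewall log lines.
SAMPLE_ARP = [("00:11:22:00:00:01", "10.10.1.5"), ("00:11:22:00:00:03", "10.10.1.20"),
              ("00:11:22:00:00:03", "192.168.5.20"),   # historian also answers on CORP
              ("00:11:22:00:00:10", "192.168.5.10"),
              ("aa:bb:cc:dd:ee:ff", "10.10.1.99")]     # not on any diagram
SAMPLE_LOG = ["action=ACCEPT src=10.10.1.20 dst=192.168.5.10 dport=443",
              "action=ACCEPT src=192.168.7.31 dst=10.10.1.5 dport=502",
              "action=DROP src=192.168.7.31 dst=10.10.1.5 dport=22"]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "UNKNOWN")

def parse_firewall_log(lines):
    # Accepted key=value lines -> (src, dst, dport); dropped traffic never crossed anything.
    recs = [dict(kv.split("=", 1) for kv in ln.split() if "=" in kv) for ln in lines]
    return [(r["src"], r["dst"], int(r["dport"])) for r in recs if r.get("action") == "ACCEPT"]

def verify_boundary(arp_seen, flows):
    """Compare observed connectivity with the documented diagram; return discrepancies."""
    ips_by_mac = defaultdict(set)
    for mac, ip in arp_seen:
        ips_by_mac[mac].add(ip)
    findings, name_by_ip = [], {}
    for mac, ips in ips_by_mac.items():
        name, zone = INVENTORY.get(mac, ("unknown-" + mac, None))
        name_by_ip.update({ip: name for ip in ips})
        zones = {zone_of(ip) for ip in ips}
        if len(zones) > 1:                     # one host with a foot in each zone
            findings.append(("dual_homed", name, tuple(sorted(zones))))
        if zone is None and "OT" in zones:     # device absent from the diagram
            findings.append(("undocumented_device", name, tuple(sorted(ips))))
    for src, dst, port in flows:
        if zone_of(src) != zone_of(dst):       # traffic that actually crossed the boundary
            key = (name_by_ip.get(src, src), name_by_ip.get(dst, dst), port)
            if key not in APPROVED_FLOWS:
                findings.append(("unapproved_cross_zone_flow",) + key)
    return findings
```

Each finding maps to a line in the discrepancy register; the approved historian-to-reporting flow produces no finding, which is the point of comparing against the change-managed list rather than flagging every crossing.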
Questions Worth Sitting With
If your organisation's security posture rests in part on the assumption of air-gap isolation, these questions deserve honest answers.
When was your OT network boundary last verified against the actual network traffic and physical connections present — not just the original design documentation?
If a vendor technician installed a remote access tool during a maintenance visit last year and did not report it, would your organisation know it was there today?
What would an insider with legitimate physical access to your OT environment be able to do — and has anyone ever mapped that scenario?
Does your current security posture provide any meaningful defence against a supply chain-compromised component or a malicious removable device — or does it rely on the air gap to handle that?
If your OT penetration testing programme is blocked by disruption concerns, have those concerns been formally scoped and managed, or are they being used as a blanket deferral?