{
	"id": "9aa28635-df19-47c2-8e76-991221de16db",
	"created_at": "2026-04-06T00:06:43.521964Z",
	"updated_at": "2026-04-10T13:12:29.887536Z",
	"deleted_at": null,
	"sha1_hash": "9bd112ec7275e5fa8bbc92a1963b90042d7b3b53",
	"title": "Mind the (Air) Gap",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 863232,
	"plain_text": "Mind the (Air) Gap\r\nPublished: 2021-05-13 · Archived: 2026-04-05 17:14:38 UTC\r\nFollowing the ransomware incident impacting Colonial Pipeline operations in May 2021, many parties asked how\r\nsuch a disruption, impacting one of the main arteries delivering refined petroleum products to the Eastern and\r\nSoutheastern United States, could occur. Based on information available, the intrusion did not directly impact\r\nIndustrial Control Systems (ICS) within Colonial’s environment. Instead, the company itself initiated a controlled\r\nshutdown of operations as a precautionary matter to prevent critical ICS-related and product tracking or billing\r\nsystems from being impacted by the ransomware event. Yet even though the criminal entities responsible did not\r\nor were unable to directly modify, disable, or otherwise disrupt ICS equipment, Colonial operators and defenders\r\nbelieved there was a non-zero chance such action could take place.\r\nBased on the above circumstances, many persons asked a seemingly simple question: why were critical control\r\nsystem devices even accessible from Colonial’s IT network in the first place, resulting in the precautionary\r\nshutdown? This question brings ICS-related security back to the discussion of the “air gap.” Frequently lauded as\r\nan impenetrable standard in securing sensitive networks but nearly always misunderstood, an air gap – physical\r\nseparation and lack of any connectivity between the sensitive network and all other networks – provides a\r\ndeceptively easy solution for network defense. Yet further exploration of just what an air gap entails and how to\r\nactually implement one rapidly demonstrates that, although applicable in certain situations, as a general security\r\npractice (even in critical infrastructure environments) this practice rapidly becomes untenable.\r\nhttps://pylos.co/2021/05/13/mind-the-air-gap/\r\nPage 1 of 4\n\nFirst, what is an air gap? As described briefly above, an air gap represents the complete, physical isolation of a\r\ngiven network from all other networks. Only through physically bridging the network, such as through the\r\nintroduction of removable media, can data flow in or out of the network in question. While not completely secure,\r\nas there are multiple known instances of self-propagating or air gap-jumping intrusions going back nearly two\r\ndecades, such absolute segmentation will defeat the vast majority of network intrusions by virtue of simply not\r\nhaving an accessible network in place. Yet as tantalizing as this seems, actual, true “air gapped” networks are\r\nexceedingly rare, and frequently contain links, whether intentional via diodes or unintentional via “shadow IT,”\r\nthat make cross-domain traffic possible.\r\nFor example, there is an assumption that classified networks, such as those used by US military and intelligence\r\ncommunities, are air gapped from the wider internet. Yet if we think of the definition of air gap – complete,\r\nphysical segmentation – it rapidly becomes clear that this is simply not possible. Short of building a completely\r\nseparate system of communication links (fiber, undersea cables, etc.) and avoiding all “over the air” transmission\r\n(satellite communications, wireless, etc.), the systems cannot be air gapped. Given that the US government does\r\nnot operate a completely parallel internet, traffic from these networks “co-mingles” on public lines. While the\r\ntraffic may be secured, and ingress and egress to on-site networks controlled via security solutions and diodes,\r\ntraffic does exist and “cross-domain” traffic is possible, even if exceedingly difficult to achieve.\r\nThe problem with the above scenario, and what prevents the creation of an actual air gap for sensitive networks, is\r\nthe distributed nature of the organizations involved. In order to enable not just networking within CIA\r\nheadquarters or the Pentagon, but to extend such communication (including sensitive communication) to ships at\r\nsea and Forward Operating Bases (FOBs) in Afghanistan, connectivity outside a plausible, possible air gap\r\nenvironment must exist. Even something as seemingly isolated as a submarine still has connectivity to a network –\r\nvia VLF signals while deeply submerged and via various over-the-air signals (connecting to various networks,\r\ntactical or otherwise) when surfaced or floating a communications buoy.\r\nHowever, some environments exist where true air gaps are not only plausible, but actually required. The standard\r\nexample is reactor control for nuclear power generation. While other elements of nuclear power stations, such as\r\nthose items directly interfacing with the overall electric system, will be networked (for reasons we’ll explore\r\nshortly), reactor control systems are required to be isolated in nearly all countries that operate such facilities.\r\nCombined with significant passive engineering safety controls, the actual reactor environment is designed to be\r\noperated as a completely isolated system, with strict measures in place for the introduction of outside material\r\n(e.g., software updates). Yet this environment represents something that the overall US military network is not: a\r\nsingle, centralized, specialized environment that can meaningfully be isolated from other systems. So long as heat\r\ncan be exchanged and steam generated (indirectly, as in the pressurized water reactor), the reactor can\r\n“communicate” all that it needs to drive turbines and generate electricity with no further intervention needed.\r\nWhat about pipelines, such as Colonial? To understand why an air gap is nonsensical in this case, we need to\r\nunderstand that a pipeline consists of multiple, communicating components which must work together as a system\r\nto enable monitored, safe, reliable operations. The combination of pipeline collection, gate station, and\r\ncompressor station components must communicate to a control center to govern the entire system, with sensor\r\ndata and other feeds enabling visibility into operations. For a commercial pipeline that is thousands of miles long\r\nwith hundreds of such facilities, an “air gapped network” is simply implausible, and if implemented would likely\r\nintroduce sufficient operational friction and delay as to make operations less efficient and potentially even less\r\nsafe. Short of building an entirely self-contained, geographically distributed network for the pipeline, a true air\r\ngap is at minimum prohibitively expensive. When combined with the need to communicate with suppliers and\r\ncustomers at machine speeds during product transfer and delivery, the air gap would need to be extended even\r\nfurther to up- and down-stream environments. In short, aside from building a completely separate, dedicated\r\ninternet covering the entire oil and gas sector, along with substantial portions of electric generation, it is simply\r\ninfeasible to implement a true air gap in pipeline (and related) environments.\r\nOne key aspect of this discussion is that critical infrastructure systems are rarely single point, isolated items in\r\nphysical and network space. Like the pipeline and defense network examples above, the electric system (or “grid”)\r\nis similar in that it consists of multiple, interlocking and interdependent components from generation to\r\ntransmission to distribution to function properly. Monitoring and communication at machine speeds enable\r\nrapid responses and corrections to worrying or damaging conditions such as frequency or phase anomalies that\r\nmay imperil synchronization, or the disruptions created through interruptions in any part of the system. While it is\r\npossible to run such systems through pure physical controls, with fully manned substations and legacy\r\nelectromechanical relays among other items, such operations are significantly less efficient, more expensive, and\r\nin most situations less safe than a modern Energy Management System (EMS) remotely coordinating multiple\r\nelements of physical grid operations with safety and protection provided by digital protective relays. As with the\r\nother examples, the only way to “air gap” this network would be to build an entire dedicated network\r\nencompassing the entire electric system, from the largest publicly listed utility company to the smallest local\r\ndistribution cooperative.\r\nWhile air gaps are largely irrelevant, impossible, and even undesirable in many instances, we must recognize that\r\nconnectivity and utilizing common infrastructure for communications still poses risks. Vocal proponents of air gap\r\nimplementation will use a false dichotomy to argue their point, attempting to convince those with less knowledge\r\nof these systems that circumstances resemble an “all or nothing” proposition between complete connectivity and\r\ncomplete isolation. Yet this is ridiculous and hardly representative of reality. As discussed with the military and\r\nintelligence network situation, you can have (reasonably) secure communications with a FOB in Central Asia\r\nfrom suburban DC provided the link and its components are properly established.\r\nWhile a pipeline operator or water utility may not require that extreme level of security seen in protecting JWICS\r\nor other networks, relatively simple and widely available solutions can at least work to ensure attackers cannot hit\r\nProgrammable Logic Controllers (PLCs) directly from the internet, and limit exposure in cases like the Colonial\r\nevent. Short of deploying diodes and similar technology, robust network segmentation and authentication schema,\r\nsuch as use of a Virtual Private Network (VPN) with Multi-Factor Authentication (MFA), combined with\r\nfundamental Network Security Monitoring (NSM) will yield profound improvements in communication design.\r\nThe problem is not that PLCs and related equipment are accessible, it is that they are trivially accessible in many\r\ninstances, such as the various intrusions into water treatment facilities in the US and Israel over the past year. That\r\ncritical infrastructure devices can be enumerated via Shodan and directly accessed over the internet or from\r\ncorporate IT networks is not a sign that such devices need to be air gapped. Rather it is evidence that such\r\nnetworks must be better designed and introduce improved controls. Once adversaries demonstrate the ability to\r\nconsistently and easily subvert properly deployed VPNs and robust MFA implementation, then we as defenders\r\nand asset operators can talk about more robust solutions. Even then, something approaching the military model, of\r\nsecure and encrypted communications tunneled over public networks, will likely be preferable to a true air gap\r\nsolution necessitating the construction of a dedicated critical infrastructure network spanning continents.\r\nOverall, critical infrastructure security has problems, and the Colonial Pipeline ransomware incident shows what\r\nseveral of them look like. But instead of immediately clamoring for an absolutist remedy that would be\r\nprohibitively difficult (and likely impossible) to implement, we as defenders and decision-makers should instead\r\nconsider solutions closer-to-hand first. By applying fairly standard controls and network design principles, many\r\nof the supposed benefits of air gapped installations can be realized while also retaining the significant benefits of\r\nconnectivity and communication over existing network infrastructure.\r\nSource: https://pylos.co/2021/05/13/mind-the-air-gap/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://pylos.co/2021/05/13/mind-the-air-gap/"
	],
	"report_names": [
		"mind-the-air-gap"
	],
	"threat_actors": [],
	"ts_created_at": 1775434003,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9bd112ec7275e5fa8bbc92a1963b90042d7b3b53.pdf",
		"text": "https://archive.orkl.eu/9bd112ec7275e5fa8bbc92a1963b90042d7b3b53.txt",
		"img": "https://archive.orkl.eu/9bd112ec7275e5fa8bbc92a1963b90042d7b3b53.jpg"
	}
}