
The Limitations of Air Gapping in SCADA Systems

Overview

Air gapping is a widely recognized security measure used in Supervisory Control and Data Acquisition (SCADA) systems to prevent unauthorized access from external networks. The principle behind air gapping is to physically isolate critical operational technology (OT) environments from IT networks and the internet, thereby reducing the risk of cyberattacks. However, as this case study illustrates, air gapping does not eliminate cybersecurity risks and can give organizations a false sense of security.

[Diagram: a server separated from the internet by an air gap]

Background

In 2024, a large company, referred to as “TargetCo,” employed air gapping as the primary security measure for the SCADA systems managing its critical infrastructure. TargetCo believed that this separation from the internet and the corporate network made its systems immune to cybersecurity threats. However, a subsequent incident revealed several vulnerabilities inherent in relying solely on air gapping for security.

Incident Description

Despite air gapping, TargetCo's systems were compromised when an insider threat emerged. An employee inadvertently introduced malware into the SCADA environment through a removable USB device used to transfer operational data from a connected system. The malware was designed to exploit known vulnerabilities in the SCADA software and bypassed various security measures in place.
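The incident above turns on removable media crossing the air gap unnoticed. As an added example (not code from the case study or from TargetCo), the following Python detector parses Linux kernel log lines for USB mass-storage attach events on OT hosts and flags any device whose serial number is not on an approved-media allowlist. The log lines, host names and allowlist serials are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines in Linux kernel format (not real hosts or devices).
# hmi-01 sees an approved stick; eng-ws-02 sees an unapproved one; the last
# device on hmi-01 is a HID receiver, not storage, and must not alert.
SAMPLE_LOG = """\
Mar 14 09:12:01 hmi-01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 14 09:12:01 hmi-01 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583
Mar 14 09:12:01 hmi-01 kernel: usb 1-1: SerialNumber: AAAA0001
Mar 14 09:12:02 hmi-01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 14 11:40:17 eng-ws-02 kernel: usb 2-3: New USB device found, idVendor=0951, idProduct=1666
Mar 14 11:40:17 eng-ws-02 kernel: usb 2-3: SerialNumber: ZZZZ9999
Mar 14 11:40:18 eng-ws-02 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
Mar 14 12:01:05 hmi-01 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b
"""

# Hypothetical allowlist of serial numbers for approved data-transfer media (assumption).
APPROVED_SERIALS = {"AAAA0001"}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
SERIAL_RE = re.compile(r"^usb (?P<dev>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"^usb-storage (?P<dev>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    device: str   # kernel bus path such as "1-1"
    serial: str   # "UNKNOWN" when no SerialNumber line preceded the attach
    approved: bool


def detect_removable_media(log_text, approved=APPROVED_SERIALS):
    """Return one Alert per mass-storage attach, correlating serial by (host, bus path)."""
    serials = {}  # (host, device path) -> serial number announced earlier
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        s = SERIAL_RE.match(msg)
        if s:
            serials[(host, s["dev"])] = s["serial"]
            continue
        st = STORAGE_RE.match(msg)
        if st:
            serial = serials.get((host, st["dev"]), "UNKNOWN")
            alerts.append(Alert(m["ts"], host, st["dev"], serial, serial in approved))
    return alerts


def unapproved_attaches(log_text, approved=APPROVED_SERIALS):
    """Only the attaches a SOC would page on: storage not on the allowlist."""
    return [a for a in detect_removable_media(log_text, approved) if not a.approved]
```

Against the constructed log, the detector produces two storage alerts and exactly one unapproved attach (the `ZZZZ9999` device on `eng-ws-02`); the HID receiver on `hmi-01` is ignored.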

Six Key Findings

Conclusion

The incident at TargetCo serves as a cautionary tale that underscores the limitations of air gapping as a standalone security solution for SCADA systems. While air gapping can reduce surface exposure to cyber threats, it does not negate all risks. Organizations must adopt a comprehensive cybersecurity strategy that includes regular threat assessments, insider threat mitigation, robust physical security measures, continuous monitoring, and patch management, alongside air gapping, to truly protect their critical infrastructure.

Six Recommendations

As cybersecurity threats continue to evolve, organizations must recognize that a “set it and forget it” approach to security – such as relying solely on air gapping – is insufficient. A proactive and layered security strategy is essential for safeguarding critical operational technologies in today’s complex threat landscape.
