OT/ICS Fundamentals 22-MAY-2026 · 10 min read

Air Gap Myth: Why OT Still Needs Penetration Testing

The belief that air-gapped OT networks are inherently secure and therefore do not require penetration testing is one of the most dangerous and persistent myths in industrial cybersecurity. This article dismantles the air gap assumption, explains what penetration testing actually finds in supposedly isolated environments, and makes the case for why consequence-based testing is essential regardless of network architecture.

Tags: Air Gap Myth · OT Penetration Testing · ICS Attack Surface · Network Isolation Assumptions · Insider Threat
Author: NEXUS Engineering
Industrial Cybersecurity Blog — 2026

WE DON'T NEED PEN TESTING — WE'RE AIR GAPPED
Air gaps erode. Testing confirms whether yours still exists.

No statement in industrial cybersecurity is more likely to precede a serious incident than 'we are air gapped.' The assumption of isolation substitutes for the verification of isolation, and in the gap between those two things, attackers have repeatedly found everything they needed.

The Core Problem

An Air Gap Is an Architecture Claim, Not a Security Guarantee

Every air-gapped network was connected to something at some point. The question is what was left behind.

An air gap, in its purest definition, is a complete physical separation between two networks with no electronic path between them. In theory, a true air gap prevents all remote network-based attacks. In practice, true air gaps are extraordinarily rare in operational industrial environments — and the environments that claim to have them are frequently surprised by what a methodical assessment finds.

The reasons are structural. Modern OT environments require data to move: historian data goes to enterprise reporting systems, engineering workstations receive firmware updates, vendor technicians need to push configuration changes, and safety system vendors perform remote diagnostics. Every one of these requirements creates a potential bridge across the supposed gap. Over time, as operational pressures accumulate, these bridges multiply, and the documentation of what is connected to what falls behind the reality of what is actually connected.

Penetration testing does not assume an air gap is false. It verifies whether the claim is true — and if it is not, it identifies every path that crosses the boundary before an adversary does.


Stuxnet compromised uranium enrichment centrifuges at Natanz — one of the most physically isolated facilities in the world — via infected USB drives introduced by contractors and engineers. The air gap was real. It did not matter.

Air Gap Failures in History

When Isolation Was Not Enough

2010
Stuxnet: The Air Gap That Was Not

Stuxnet crossed the air gap at Iran's Natanz enrichment facility via infected USB drives, demonstrating that physical network separation provides no protection against removable media, compromised supply chain equipment, or insider-introduced malware.

2014
German Steel Mill Cyber Attack

Attackers used spear-phishing to compromise the business network of a German steel plant, then moved laterally to OT systems through what was believed to be an adequately segmented architecture. The blast furnace could not be properly shut down, causing significant physical damage.

2017
TRITON/TRISIS Targets Safety Systems

The TRITON attack on a Middle Eastern petrochemical facility reached the Safety Instrumented System — a component considered the last line of defence and assumed by many to be architecturally isolated. The attacker had been present in the environment for over a year before being detected.

2021
Colonial Pipeline: The IT/OT Boundary as Entry Point

While Colonial Pipeline's OT systems were not directly compromised, the ransomware attack on IT systems caused the operator to proactively shut down OT pipeline operations — demonstrating that a cyber event does not need to cross the air gap to cause operational consequences.

2024
Volt Typhoon: Pre-Positioning in Air-Gapped Adjacent Systems

CISA and NSA advisories revealed Chinese state-sponsored actors had pre-positioned in IT systems adjacent to OT networks in US critical infrastructure — waiting, with persistent access, for a moment of operational or geopolitical value to cross the final boundary.

What Pen Testing Actually Finds

What Assessors Discover in 'Air-Gapped' Environments

OT penetration testing and security assessments in environments that claim air-gap status consistently find the same categories of undocumented connectivity. Wireless access points installed by a vendor for a diagnostic session and never removed. Historian servers with dual network interfaces — one on the OT network, one on the corporate LAN — because it was operationally convenient when the system was commissioned. Cellular modems installed on remote RTUs by a field technician who needed remote access during a maintenance window and never reported the installation.

Beyond undocumented network paths, assessors find the vulnerabilities that exist inside the supposedly isolated environment: flat internal OT networks where any compromised device has unrestricted access to every other device, default credentials on every PLC and HMI, unpatched firmware with known remote code execution vulnerabilities, and engineering workstations running end-of-life operating systems because updating them would require a change management process that nobody has initiated in years.

The argument 'we do not need penetration testing because we are air gapped' makes two simultaneous errors. First, it assumes the air gap is intact and verified — which testing frequently disproves. Second, it assumes that if the air gap were intact, the environment inside it would be secure — which it almost never is. An insider, a compromised contractor, or a malicious USB device only needs what is inside the gap to cause serious harm.

Why the Myth Persists

Organisational Barriers to Honest Air Gap Assessment

The air gap myth persists not because organisations are uninformed but because the myth is operationally convenient. Believing the air gap is intact removes the obligation to do difficult and disruptive security work. These are the forces that sustain the belief.

The Air Gap Has Never Been Formally Verified (critical)

Many organisations have never conducted a methodical network mapping exercise to confirm what is and is not connected to their OT network. The air gap claim is inherited from the original system design — which may be years or decades old and may never have accurately reflected operational reality.

Penetration Testing Is Perceived as a Disruption Risk (critical)

OT operators rightly worry that active testing could disrupt sensitive control system communications and cause process upsets. This legitimate concern is frequently used to block all testing entirely, rather than to design a testing methodology that manages the risk appropriately.

Vendor and Contractor Access Is Not Tracked (high)

Vendor technicians routinely install remote access tools, wireless adapters, and temporary network connections without formal change management. Without a systematic review of what has been installed and left behind, the air gap boundary is unknown to the asset owner.

The Insider Threat Is Underweighted (high)

Air gap thinking is almost entirely focused on external attackers. It provides no defence against a malicious or compromised insider, a supply chain-compromised component, or a vendor-introduced USB device — all of which have been the initial access vector in major OT incidents.

Security Budget Is Prioritised Elsewhere (medium)

Organisations that believe the air gap provides adequate protection direct security investment toward IT environments and perimeter controls. OT-specific testing, monitoring, and hardening are deprioritised on the basis that the air gap makes them unnecessary.

Air Gap Assumption vs. Verified Isolation

Verified Isolation Looks Like

  • Annual network boundary verification via passive discovery and firewall log analysis
  • Formal change management for any connection request crossing the OT boundary
  • Removable media controls with device whitelisting on all OT endpoints
  • Vendor access register with audit trail for all physical and logical access
  • Internal OT pen test scoped to insider and supply chain threat models

Air Gap Assumption Looks Like

  • Network diagram from the original system commissioning treated as current truth
  • No formal process for tracking vendor-installed connectivity
  • USB ports open on engineering workstations with no media scanning
  • No audit log of who has had physical access to OT systems and when
  • No internal testing on the grounds that external attackers cannot reach the network

Designing Safe OT Testing

How to Conduct OT Penetration Testing Without Disrupting Operations

The legitimate concern about disruption risk from OT penetration testing is manageable with appropriate methodology. OT-specific testing is fundamentally different from IT penetration testing in its tooling, pace, and scope. Active exploitation of production OT devices is rarely necessary or appropriate — the most valuable findings in OT assessments come from passive network analysis, configuration review, architecture assessment, and controlled testing on offline or staging assets.

A well-scoped OT security assessment begins with passive network discovery, which generates no traffic that could disrupt industrial communications. Architecture and configuration review identifies the same high-risk exposures — default credentials, flat networks, unpatched firmware, undocumented remote access — without touching live process control data. Where active testing is required, it should be conducted during planned maintenance windows with operations team involvement and a clear rollback plan.

The output of this assessment is not a list of theoretical vulnerabilities. It is a verified picture of what an insider, a compromised vendor, or an attacker who has already crossed the perimeter could do within the environment — and that picture is precisely what the air gap assumption was preventing anyone from looking at.

Practical Path Forward

From Air Gap Assumption to Verified Security Posture

The goal is not to prove the air gap is broken. It is to replace assumption with evidence — and to understand what security controls are actually needed given what the evidence shows.

Phase 1
Month 1–2

Verify the Boundary

Conduct a passive network discovery and firewall log analysis to produce an evidence-based map of what is and is not connected to the OT environment. Compare against official network diagrams and document all discrepancies.

  • Passive OT network discovery scan
  • Firewall rule and log review for IT/OT boundary traffic
  • Wireless spectrum survey for undocumented access points
  • Vendor access register audit
  • Physical port and connection inventory on field devices

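One way to carry out the firewall log review that this Phase 1 list and the "verified isolation" list above both call for, as an added example that is not the article's own code: it assumes a made-up OT address range, a made-up set of documented boundary flows taken from the commissioning diagram, and a constructed key=value log layout, then reports every allowed flow that crosses the OT boundary without appearing in the diagram.

```python
import ipaddress

# Assumed OT address range from the (hypothetical) commissioning network diagram.
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed: the boundary flows the diagram documents as sanctioned (src, dst, dport).
DOCUMENTED_BOUNDARY_FLOWS = {
    ("10.20.5.10", "10.10.1.20", 1433),  # historian -> enterprise reporting database
}

# Constructed firewall export in a key=value layout (an assumption, not a vendor format).
SAMPLE_LOG = """\
2026-05-01T02:10:11Z action=allow src=10.20.5.10 dst=10.10.1.20 proto=tcp dport=1433
2026-05-01T02:11:40Z action=allow src=10.20.7.33 dst=10.10.9.5 proto=tcp dport=3389
2026-05-01T02:12:02Z action=allow src=10.20.1.5 dst=10.20.1.9 proto=tcp dport=502
2026-05-01T02:13:55Z action=deny src=10.10.2.2 dst=10.20.1.5 proto=tcp dport=502
2026-05-01T02:15:00Z action=allow src=198.51.100.7 dst=10.20.7.33 proto=udp dport=500
"""


def parse_line(line):
    """Split one key=value record into a dict; the leading token is the timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    fields["dport"] = int(fields["dport"])
    return fields


def is_ot(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OT_NETS)


def undocumented_boundary_flows(log_text):
    """Allowed flows that cross the OT boundary but are absent from the diagram.
    Denied records are skipped: the boundary held there, though a rising deny
    count is itself worth reviewing. Duplicates are collapsed, order is kept."""
    seen = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f["action"] != "allow" or is_ot(f["src"]) == is_ot(f["dst"]):
            continue  # blocked, or entirely inside / entirely outside OT
        key = (f["src"], f["dst"], f["dport"])
        if key not in DOCUMENTED_BOUNDARY_FLOWS and key not in seen:
            seen.append(key)
    return seen


def exposed_ot_hosts(flows):
    """OT addresses on either side of an undocumented boundary flow, for follow-up."""
    return sorted({a for src, dst, _ in flows for a in (src, dst) if is_ot(a)})
```

On the constructed sample the historian flow is sanctioned and the Modbus traffic stays inside OT, so the two findings are the RDP session leaving OT and the inbound IKE traffic reaching an OT host from outside, both of which belong on the discrepancy list for Phase 1.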
Phase 2
Month 3–4

Assess Internal Exposure

Evaluate the security posture inside the OT boundary against the insider and supply chain threat models. This is the testing the air gap assumption has been preventing — and it is the most operationally relevant assessment an OT environment can receive.

  • Configuration review across PLCs, HMIs and engineering workstations
  • Default credential audit
  • Internal network segmentation assessment
  • Removable media control verification
  • Supply chain component integrity review

Phase 3
Month 5–6

Harden and Govern

Address the findings from Phases 1 and 2 and establish the governance processes that prevent the boundary from silently eroding again over time.

  • Undocumented connectivity remediation
  • Internal hardening based on assessment findings
  • Formal OT change management process for boundary modifications
  • Annual boundary verification cadence
  • Removable media policy and enforcement tooling

Closing Thoughts

Questions Worth Sitting With

If your organisation's security posture rests in part on the assumption of air-gap isolation, these questions deserve honest answers.

1. When was your OT network boundary last verified against the actual network traffic and physical connections present — not just the original design documentation?

2. If a vendor technician installed a remote access tool during a maintenance visit last year and did not report it, would your organisation know it was there today?

3. What would an insider with legitimate physical access to your OT environment be able to do — and has anyone ever mapped that scenario?

4. Does your current security posture provide any meaningful defence against a supply chain-compromised component or a malicious removable device — or does it rely on the air gap to handle that?

5. If your OT penetration testing programme is blocked by disruption concerns, have those concerns been formally scoped and managed, or are they being used as a blanket deferral?

An air gap that has never been verified is not a security control. It is an untested hypothesis about your network — and adversaries test hypotheses for you.