The Digital Moat: Why the Air Gap no longer protects Industrial Systems
Why separating IT and OT is no longer a guarantee for security – and what actually needs to be done instead
Remember the movie Jurassic Park? The scientists were convinced: Their dinosaurs were safely contained. No escape. All under control.
Then comes Dennis Nedry, an employee with system access – and with just a few clicks, he disables the security system. No external attack, no advanced hacking. Just a poorly secured interface and internal access. The dinosaurs are loose.
Granted, today the scene might include a USB stick, but that wasn’t a thing in 1993 ;-).
The industrial Air Gap is often the same story: We think everything is sealed off. But small, inconspicuous pathways open doors we thought were closed for good.
The idea is tempting: Just disconnect the production environment from the internet and you're safe. No external access, no risk. Done.
In reality, this works about as well as a cardboard fence against burglars.
This article explains why the so-called "Air Gap" is often just a false sense of security – and what modern industrial cybersecurity really requires. No scare tactics, no jargon. Instead, real-world examples, clear recommendations, and one goal: helping you ask the right questions in your next meeting.
What's this about?
Many manufacturing companies believe: "As long as our machines aren't connected to the internet, we're safe."
That’s called an Air Gap – a physical or logical separation between networks. Sounds logical – but it’s dangerously oversimplified.
Why does it matter?
Today’s industrial systems are no longer isolated. And attackers know this. They exploit the quiet little connections that seem harmless in everyday operations:
USB sticks for updates
Remote maintenance by third parties
Laptops that move between different customer sites
Even a short contact is enough to inject malware. Internet access is not required.
Five real-world examples
1. Infected USB stick during a controller update
A maintenance worker installs a firmware update using a USB stick. What nobody notices: the file is infected. The attacker now has silent access to manipulate the controller.
2. The service laptop as a Trojan horse
A technician connects to a packaging machine using their laptop. That same laptop was previously at another customer and got infected. The malware spreads silently.
3. Forgotten remote access (VPN)
A machine builder once set up VPN access for remote support. It was never removed. Without strong passwords or MFA (Multi-Factor Authentication), it gets hacked. The attacker is inside.
4. Old HMI with Windows XP
An older production cell still runs an HMI system on Windows XP because it relies on outdated drivers. It’s unpatched but connected to the production network. One infected USB stick or laptop is all it takes to compromise everything.
5. Default modem access credentials
A machine includes a 4G modem for remote access. The default login is still "admin/admin." These credentials are publicly known. A botnet scans for these modems and the attacker gets in instantly.
What exactly is an Air Gap?
An Air Gap is the separation of IT (Information Technology) and OT (Operational Technology – production control). There is no physical or logical connection – no cables, no Wi-Fi, no VPN.
But in practice, you still need data transfers – for production metrics, updates, or support. That’s where the vulnerabilities emerge.
What do professionals do differently?
Modern security is layered. It’s called "Defense in Depth."
Each zone has clearly defined roles and boundaries.
Only approved devices and protocols are allowed to communicate.
Every access is controlled, documented, and time-limited.
Connections pass through secured gateways.
Segmentation – in plain language
Segmentation means dividing a network into logical zones. Like in a building: not everyone has a key to every room.
Step 1: Define zones
Physical processes (Level 0): Sensors, actuators, drives
Field devices / Controllers (Level 1): PLCs, IO modules
Visualization / Operation (Level 2): HMI, SCADA
Control / Databases (Level 3): MES, historian, quality databases
Buffer zone (DMZ = Demilitarized Zone): Controlled data connection area between OT and IT, e.g., via firewalls, proxies, or jump servers
IT systems (Level 4): ERP, email, office apps, file servers
Cloud & Enterprise services (Level 5): cloud-based AI analytics, digital twins, remote access, external dashboards
For small companies, a simplified structure might look like:
Field devices / Controllers (Level 1): PLCs, IO modules
Visualization / Operation (Level 2): HMI, SCADA
Combined IT systems (Level 3/4): MES or basic tools, ERP, office
Simple buffer zone: firewall or router rule to separate production from corporate IT
Step 2: Deploy firewalls
Ideally, use industrial firewalls or Layer-3 switches between zones. Only allow specific, documented connections. Example:
OPC UA communication allowed only from SCADA to MES – not the other way around.
Step 3: Allow only what is needed
Instead of "everything talks to everything," only clearly defined devices and ports are allowed. Block everything else.
Step 4: Enable visibility
Monitoring your network reveals when new devices or strange data flows appear. While many organizations rely on commercial tools from well-known vendors, there are also powerful open-source alternatives that are cost-effective and flexible. And increasingly, AI-based anomaly detection is becoming an important part of visibility solutions, helping to detect unusual behavior patterns faster and with less manual effort.
Examples of open-source tools:
Zeek: powerful network analysis platform
Suricata: real-time intrusion detection
ntopng: intuitive network traffic visualizer
Wireshark: detailed packet-level analysis for troubleshooting and anomaly detection
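Steps 2 to 4 above come together in one check: write the allowed zone-to-zone connections down as an allowlist, then compare what passive monitoring actually sees against it. The following Python script is an added example (not from the article or from the Zeek project): it parses a constructed Zeek conn.log excerpt and reports every flow that is not on the allowlist, including the article's OPC UA case (SCADA to MES is allowed, MES to SCADA is not) and devices that belong to no known zone. The zone names, IP ranges and allowlist are assumptions for the example.

```python
import ipaddress
# Assumed zone addressing for the article's levels (constructed for this example).
ZONES = {
    "L1_controllers": ipaddress.ip_network("10.1.0.0/24"),
    "L2_hmi_scada": ipaddress.ip_network("10.2.0.0/24"),
    "L3_mes": ipaddress.ip_network("10.3.0.0/24"),
    "L4_it": ipaddress.ip_network("10.40.0.0/16"),
}
# Allowlist of (source zone, destination zone, proto, destination port);
# anything not listed is a finding, i.e. "block everything else".
ALLOWED = {
    ("L2_hmi_scada", "L1_controllers", "tcp", 502),  # Modbus/TCP, HMI to PLCs
    ("L2_hmi_scada", "L3_mes", "tcp", 4840),         # OPC UA, SCADA to MES only
}
# Constructed Zeek conn.log excerpt (TSV with a #fields header, as Zeek writes it).
SAMPLE_CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1700000000.1\tC1\t10.2.0.10\t50000\t10.3.0.5\t4840\ttcp\t-
1700000001.2\tC2\t10.3.0.5\t50001\t10.2.0.10\t4840\ttcp\t-
1700000002.3\tC3\t10.40.1.7\t50002\t10.1.0.20\t502\ttcp\t-
1700000003.4\tC4\t192.168.77.9\t50003\t10.1.0.20\t502\ttcp\t-
"""

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is an unknown device."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def parse_conn_log(text):
    """Parse Zeek conn.log rows into dicts keyed by the names in the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def find_violations(rows):
    """Return (kind, source, destination, port) for every flow outside the allowlist."""
    findings = []
    for r in rows:
        src, dst = zone_of(r["id.orig_h"]), zone_of(r["id.resp_h"])
        port = int(r["id.resp_p"])
        if "UNKNOWN" in (src, dst):
            findings.append(("unknown-device", r["id.orig_h"], r["id.resp_h"], port))
        elif (src, dst, r["proto"], port) not in ALLOWED:
            findings.append(("not-allowlisted", src, dst, port))
    return findings
```

Run against a real conn.log from the mirror port described below, the same two functions give you a first list of undocumented flows and unexpected devices to discuss with the production team.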
What should be avoided?
"Flat networks" where everything is connected to everything
Firewall rules without documentation or logs
Permanent remote access without an approval process
Getting started
Don't overthink it. You don't need to redesign your entire architecture overnight. But you do need to start asking better questions and creating visibility.
Begin with these steps:
Map your network: What systems are connected? What do they talk to?
Audit your remote access paths: Who has access from the outside – and how?
Review your update procedures: Are USB sticks still in use? Are they scanned?
Check your firewall rules: Are they documented? Restrictive enough? Monitored?
Start passive monitoring: Use a mirror port on a switch and feed it into a tool like Zeek or ntopng. Just observing your traffic is often a game-changer.
It's not about perfection, it's about progress.
Final thoughts
After one of my latest presentations on new EU regulations (including the Cyber Resilience Act, the new Machinery Regulation, and NIS2) someone asked me:
"Won't these regulations and increasing cyber threats discourage companies from going digital?"
My clear answer: No. Not going digital is the bigger risk.
Anyone avoiding digitalization today loses not only efficiency but also competitiveness: No transparency, no predictive maintenance, no flexibility, no supply chain resilience.
But: Digitalization requires responsibility. Turning on a new system is not enough. You must secure it too. And that is doable with common sense, clear processes, and basic technical support.
And one more thing: Real security isn’t just about firewalls and network zones. It’s about people. Especially in OT environments, where production teams often feel left out of cybersecurity decisions. Bring them in early. Listen to their concerns. And build a security culture that works for the shop floor and not just for the audit.
An Air Gap is like a medieval moat: useful against cavalry, but not against tunnels, drones, or insiders.
Security doesn’t come from isolation – it comes from control.
A good strategy:
thinks realistically,
ensures visibility,
and allows only what’s truly needed.
I've been there, seen this, nobody gave me a T-shirt :) Air gaps are mostly a mythical beast in my experience, because "corporate" needs data, not least to make more profit via OT systems. My favorite Always Find a Thing used to be checking out the Remote Desktop Users group on HMIs. We were always told that was super well locked down - and then you take a look and there's 25 people in that group, half of them are vendors, and half of those are vendors who are not even current vendors - contracts ended X years ago.
Very well explained. Air-gapped is a myth only. We need to design controls to protect critical OT systems from threats which can be exploited in isolation.