
It's Not the End of the World But You Can See It From Here

DEFCONConference · 740 views · 36:03 · 6 months ago

This talk explores the security risks associated with critical infrastructure, specifically focusing on the vulnerabilities of air-gapped systems and the dangers of third-party supply chain dependencies. The speakers demonstrate how common misconfigurations, such as improper network segmentation and poor credential hygiene, can lead to significant compromises in industrial control systems. The presentation emphasizes the importance of visibility, threat modeling, and robust security practices in protecting sensitive environments from sophisticated attackers. The session concludes with a discussion on the necessity of moving beyond the false sense of security provided by air-gapping.

The Myth of the Air Gap: How Misconfigured Industrial Networks Are Wide Open

TLDR: Air-gapped industrial control systems are rarely as isolated as they seem, often relying on insecure network segments or physical access points that attackers exploit with ease. This talk demonstrates how poor credential hygiene and lack of network visibility allow attackers to pivot from standard IT environments into critical infrastructure. Security professionals must stop assuming air gaps exist and start treating industrial networks as high-risk, interconnected environments that require strict access control and continuous monitoring.

Air-gapping is our industry's favorite security blanket. We tell ourselves that if a system is physically disconnected from the internet, it is immune to the remote exploitation techniques that plague our web applications. This assumption is dangerous. It creates a false sense of security that allows organizations to neglect basic hygiene, like patching, credential rotation, and network segmentation. The reality is that air gaps are frequently bridged by convenience, whether through a rogue Wi-Fi access point, a misplaced USB drive, or a misconfigured VPN tunnel.

The Reality of Industrial Network Exposure

The research presented at DEF CON 2025 highlights a recurring theme in industrial security: the gap between the theoretical security of an air-gapped system and the practical reality of how these systems are actually managed. Attackers are not looking for complex zero-day exploits to compromise a power plant or a manufacturing facility. They are looking for the path of least resistance, which almost always involves exploiting the human element and the inherent trust placed in internal network segments.

Using Shodan, researchers have consistently found hundreds of thousands of Modbus and MQTT instances exposed to the public internet. While these protocols were never designed with security in mind, their exposure is a direct result of misconfiguration. When an industrial control system is connected to a network that also hosts standard office equipment, the boundary between the IT and OT environments effectively vanishes.

Pivoting Through the Network

The most effective attacks on these systems do not start with a direct exploit of the PLC. They start with the compromise of a standard workstation. Once an attacker gains a foothold on a machine that has access to the internal network, they can begin scanning for industrial protocols.

Consider the scenario where an attacker gains access to a laptop that is used by a technician to manage both office email and industrial equipment. If that laptop is infected with malware, the attacker can use it as a pivot point. The attacker does not need to bypass a firewall if the technician is already authorized to communicate with the industrial network. This is a classic case of Broken Access Control, where the system assumes that any traffic originating from a trusted internal IP address is legitimate.

The Danger of Poor Credential Hygiene

SSH keys are another major vector for lateral movement. Many organizations store private keys in shared, poorly secured folders, assuming that because the network is "internal," the keys are safe. This is a critical failure in Identification and Authentication.
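The defender's answer to this paragraph is to find the unprotected keys before anyone else does. The script below is an added example, not code from the talk or from Kuboid: it walks a directory tree, recognises OpenSSH and legacy PEM private keys, and reports any that have no passphrase or are readable by other users. The OpenSSH check relies on the documented openssh-key-v1 layout (magic, cipher name, KDF name); the directory it audits and every sample file it writes are constructed here, as header-only blobs with no real key material.

```python
"""Audit a directory tree for unprotected SSH private keys.

Added example (not from the DEF CON talk or the Kuboid page). Flags keys
stored without a passphrase or readable by other users, the two conditions
that turn a shared folder into a lateral-movement shortcut. All sample
files are constructed header-only blobs containing no real key material.
"""
import base64
import binascii
import os
import stat
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _read_string(blob, offset):
    """Read one uint32-length-prefixed string from an OpenSSH key blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def classify_key(data):
    """Return (kind, encrypted): kind is 'openssh', 'pem' or None; encrypted is
    True/False, or None when the file looks like a key but cannot be parsed."""
    text = data.decode("ascii", errors="replace")
    if OPENSSH_HEADER in text:
        body = text.split(OPENSSH_HEADER, 1)[1].split("-----END", 1)[0]
        try:
            blob = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            return "openssh", None
        if not blob.startswith(OPENSSH_MAGIC):
            return "openssh", None
        # Layout after the magic: cipher name, KDF name, KDF options, key count, ...
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return "openssh", not (cipher == b"none" and kdf == b"none")
    if "PRIVATE KEY-----" in text:  # legacy PEM (RSA/DSA/EC) or PKCS#8
        encrypted = ("Proc-Type: 4,ENCRYPTED" in text
                     or "BEGIN ENCRYPTED PRIVATE KEY" in text)
        return "pem", encrypted
    return None, None


def audit_tree(root):
    """Return [(path, kind, [problems])] for every risky private key under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        kind, encrypted = classify_key(path.read_bytes())
        if kind is None:
            continue
        problems = []
        if encrypted is False:
            problems.append("no passphrase")
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append(f"readable by others (mode {mode:04o})")
        if problems:
            findings.append((str(path), kind, problems))
    return findings


def _openssh_header_blob(cipher, kdf):
    """Constructed: an OpenSSH key file holding only the header fields the
    auditor inspects (no key material), so the sample is safe to embed."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"{OPENSSH_HEADER}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n".encode()


# Constructed PEM samples; the body is a placeholder string, not a key.
PEM_PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
PEM_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                 b"Y29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")


def demo():
    """Populate a temporary 'shared folder' with constructed keys and audit it."""
    root = Path(tempfile.mkdtemp(prefix="sshaudit-"))
    samples = {
        "id_ed25519_good": (_openssh_header_blob(b"aes256-ctr", b"bcrypt"), 0o600),
        "id_ed25519_shared": (_openssh_header_blob(b"none", b"none"), 0o644),
        "legacy_rsa.pem": (PEM_PLAIN, 0o600),
        "legacy_rsa_enc.pem": (PEM_ENCRYPTED, 0o600),
        "README.txt": (b"not a key\n", 0o644),
    }
    for name, (content, mode) in samples.items():
        (root / name).write_bytes(content)
        os.chmod(root / name, mode)
    return audit_tree(root)


if __name__ == "__main__":
    for path, kind, problems in demo():
        print(f"{path} [{kind}]: {', '.join(problems)}")
```

Point `audit_tree()` at the shares your technicians actually use; a key that is both passphrase-less and group-readable is exactly the "convenient" shortcut the text describes, and the fix is the same every time: re-key with a passphrase, tighten the mode, and keep separate keys for the IT and OT sides.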

If you are a pentester, your engagement should focus on finding these "convenient" shortcuts. Look for:

  • Shared network drives containing SSH keys or configuration files.
  • Technician laptops that are dual-homed across IT and OT networks.
  • Unmonitored Wi-Fi access points in sensitive areas.

When you find these, you have found the bridge. The impact of exploiting these misconfigurations is severe. An attacker who can send commands to a PLC can alter operational parameters, potentially leading to physical damage or safety hazards.

Defensive Strategies for the Real World

Defending these environments requires a shift in mindset. You cannot rely on the physical isolation of your systems. Instead, you must implement a defense-in-depth strategy that assumes the network is already compromised.

  1. Strict Network Segmentation: Use firewalls to enforce granular access control between IT and OT networks. Only allow necessary traffic, and ensure that all communication is authenticated and encrypted.
  2. Visibility and Monitoring: You cannot protect what you cannot see. Implement robust logging and monitoring to detect anomalous traffic patterns, such as a sudden spike in DNS requests or unauthorized attempts to access industrial protocols.
  3. Credential Management: Treat SSH keys with the same level of security as passwords. Use passphrases, store keys in secure hardware modules, and never share them across different environments.
  4. Threat Modeling: Conduct regular threat modeling exercises to identify potential attack paths. Assume that your "air gap" will be breached and plan your defenses accordingly.
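Items 1 and 2 above can be checked against observed traffic rather than assumed. The script below is an added example, not code from the talk or from Kuboid: it evaluates connection records against a segmentation policy and raises an alert when an IT host that is not an approved engineering workstation reaches an industrial port on the OT segment, and a higher-severity alert when a Modbus write function code comes from a host that is not authorised to change PLC state, whichever segment it sits on. The record format (`timestamp src dst port [modbus-function-code]`), the subnets, the allowlists and the sample log are all constructed here; the port numbers and the Modbus function codes are the standard ones.

```python
"""Flag IT-to-OT crossings and unauthorised Modbus writes in a connection log.

Added example (not from the DEF CON talk or the Kuboid page). Subnets, host
addresses, allowlists, the record format and the log lines are constructed
for illustration; replace them with your own segmentation policy.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segmentation policy (assumption): one IT subnet, one OT subnet.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("192.168.100.0/24")

# Standard ports of industrial protocols that generic IT hosts should never reach.
INDUSTRIAL_PORTS = {502: "modbus", 1883: "mqtt", 8883: "mqtt-tls",
                    44818: "ethernet/ip", 20000: "dnp3"}

# Engineering workstations allowed to talk to the OT segment at all (constructed).
ENGINEERING_HOSTS = {"10.10.5.20"}
# Hosts allowed to issue Modbus write function codes (constructed; kept separate
# from the read allowlist so that a read-only HMI cannot silently become a writer).
WRITE_ALLOWED = {"10.10.5.20"}

# Modbus function codes that change PLC state (Modbus application protocol spec).
MODBUS_WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                      15: "Write Multiple Coils", 16: "Write Multiple Registers",
                      22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


@dataclass
class Alert:
    severity: str
    rule: str
    src: str
    dst: str
    detail: str


def parse_record(line):
    """Parse 'ts src dst port [fc]'; fc is the Modbus function code when the
    sensor decoded one, otherwise None."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"malformed record: {line!r}")
    fc = int(parts[4]) if len(parts) > 4 else None
    return {"ts": parts[0], "src": parts[1], "dst": parts[2],
            "port": int(parts[3]), "fc": fc}


def evaluate(rec):
    """Apply both rules to one record and return the alerts it triggers."""
    src_ip = ipaddress.ip_address(rec["src"])
    dst_ip = ipaddress.ip_address(rec["dst"])
    proto = INDUSTRIAL_PORTS.get(rec["port"])
    alerts = []
    # Rule 1: any IT host other than an engineering workstation touching OT.
    if src_ip in IT_NET and dst_ip in OT_NET and rec["src"] not in ENGINEERING_HOSTS:
        severity = "high" if proto else "medium"
        alerts.append(Alert(severity, "it-to-ot-crossing", rec["src"], rec["dst"],
                            f"port {rec['port']} ({proto or 'unknown'}) from non-engineering host"))
    # Rule 2: a state-changing Modbus request from a host not cleared to write.
    if proto == "modbus" and rec["fc"] in MODBUS_WRITE_CODES and rec["src"] not in WRITE_ALLOWED:
        alerts.append(Alert("critical", "modbus-write-unauthorized", rec["src"], rec["dst"],
                            MODBUS_WRITE_CODES[rec["fc"]]))
    return alerts


def audit(lines):
    """Run evaluate() over every non-comment record and collect the alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        alerts.extend(evaluate(parse_record(line)))
    return alerts


# Constructed sample log: timestamp, source, destination, destination port,
# optional Modbus function code. 10.10.42.77 plays the compromised office laptop.
SAMPLE_LOG = """
# ts                 src            dst              port fc
2025-09-01T08:00:01  10.10.5.20     192.168.100.10   502  3
2025-09-01T08:00:07  10.10.5.20     192.168.100.10   502  16
2025-09-01T08:01:12  10.10.42.77    192.168.100.10   502  3
2025-09-01T08:01:13  10.10.42.77    192.168.100.10   502  6
2025-09-01T08:02:00  10.10.42.77    192.168.100.30   1883
2025-09-01T08:03:30  10.10.42.77    10.10.1.5        443
2025-09-01T08:04:00  192.168.100.50 192.168.100.10   502  5
""".strip().splitlines()

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"[{a.severity}] {a.rule}: {a.src} -> {a.dst} ({a.detail})")
```

Run against the sample, the engineering workstation's read and write pass silently, the office laptop produces three crossing alerts plus a critical one for the register write, and the unexpected write from an OT-side host is still caught because the write rule does not trust the segment the request came from.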

The era of relying on physical isolation is over. Attackers are sophisticated, and they are patient. They will wait for the one technician who plugs in a personal USB drive or the one misconfigured router that exposes an internal network to the internet. If you are responsible for the security of these systems, your goal should be to make the attacker's job as difficult as possible by removing the easy wins. Stop betting on air gaps and start building systems that can withstand a breach. The next time you see a technician watching a soccer match on a laptop plugged into a critical control network, remember that you are looking at a potential entry point for a major incident.
