Pratum Blog

Security for Air-Gapped Control Equipment

An air gap, at least in terms of networking, is a method of isolating computers or networks and preventing them from making external connections, either physically or wirelessly. Air-gapped computers or networks may be used for various purposes: separating information systems operating at different classification levels; isolating equipment from electronic eavesdropping measures; developing sensitive applications; or even just isolating manufacturing equipment and controllers to meet certain industry and safety standards. As a security measure, air gapping can be effective, but history shows it is not foolproof. Think Stuxnet.

Some industries, such as manufacturing, have equipment and associated controllers that are not connected to the Internet, other computers, or networks, but still have operating systems that require patches. The equipment controllers may need information, such as CNC programs and design specifications, loaded onto them from external sources. If portable drives, such as USB thumb drives, are used to transfer updates and information onto the controllers, there are several administrative, technical, and physical controls to consider to help mitigate and control risks.

1. Risk Management and Assessments.

Portable drives are very user-friendly, but can also be risk multipliers. Any time the portable drive is inserted into the manufacturing equipment controller, the risk of introducing malware onto the system increases. Ensure portable drives are ones that have been sourced from a reputable location, and ensure policies and procedures are in place to address access controls and how the portable drives may be used. Define which systems the drives may be used with, who may use them, and the purposes for which they may be used. Also, ensure that risks associated with air-gapped equipment and associated controllers are considered and documented.

2. Asset Management and Media Protection.

Like other storage devices, an organization should control and track portable drives. Add drives into the asset inventory before first use and inventory them periodically thereafter. Ensure that each drive is marked with appropriate information, such as content sensitivity/classification level, distribution and usage restrictions, and inventory control numbers. Store the portable drives in locked containers when they are not in use. Also, consider checking out the drives only when needed and only to authorized persons, or assign each drive to a specific user.

3. System and Information Integrity.

Due to the risks associated with the insertion of portable drives into air-gapped assets, certain technical controls should be considered. Use endpoint protections on any system into which portable drives may be inserted. Scan the drives for malware before insertion into the equipment controllers. Implement other technical measures to prevent unauthorized programs and code from being installed.
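One way to back the scan step with an integrity check at a staging workstation, before the drive goes to the controller (an added example, not part of the original post): every file on the drive is compared with an approved manifest, and anything unlisted, changed or missing blocks the transfer. The manifest format (relative path mapped to a SHA-256 digest), the file names and the `demo` data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def audit_drive(mount_point, manifest):
    """Compare each file on the drive with the approved manifest (assumed format)."""
    findings = {"unlisted": [], "modified": [], "missing": []}
    seen = set()
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mount_point).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                findings["unlisted"].append(rel)   # never approved for transfer
            elif sha256_file(full) != manifest[rel]:
                findings["modified"].append(rel)   # changed since approval
    findings["missing"] = list(set(manifest) - seen)
    return {kind: sorted(paths) for kind, paths in findings.items()}

def cleared_for_transfer(findings):
    # The drive is released only when no category has any entry.
    return not any(findings.values())

def demo():
    """Constructed sample: a temporary directory stands in for the mounted drive."""
    with tempfile.TemporaryDirectory() as drive:
        approved = {"programs/part_1001.nc": b"G21\nG90\nG0 X0 Y0\nM30\n",
                    "patches/controller_update.bin": b"constructed patch bytes"}
        manifest = {}
        for rel, data in approved.items():
            path = os.path.join(drive, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            manifest[rel] = hashlib.sha256(data).hexdigest()
        clean = audit_drive(drive, manifest)
        # After approval: one program is edited and one unapproved file appears.
        with open(os.path.join(drive, "programs", "part_1001.nc"), "ab") as f:
            f.write(b"G0 X50\n")
        with open(os.path.join(drive, "setup.exe"), "wb") as f:
            f.write(b"constructed unapproved file")
        return clean, audit_drive(drive, manifest)
```

A check like this complements malware scanning rather than replacing it, and the manifest itself has to be produced and stored somewhere the drive's handlers cannot alter it.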

4. Physical Security.

Implementing appropriate physical security controls is part of the equation. Only authorized users should be permitted access to the portable drives, manufacturing equipment and associated controllers. Install physical covers over controller connection points (e.g., USB ports) and lock them if the ports are not in use (acknowledging appropriate port block products may not be available for all applications). If permitted by the business, use video surveillance of the manufacturing area to capture recordings of persons accessing and using the equipment.

There are definitely many considerations when securing air-gapped computers, networks and equipment controllers, and these considerations could apply outside the manufacturing industry as well. Other business factors and needs will obviously be part of the decisions made regarding the controls that are implemented and maintained. An air gap is in itself a security measure, but one easily overcome. As with other components of your information security program, continue to determine risks by evaluating vulnerabilities, threats, likelihood of attack, and impacts, and use this information to determine if the security measures in place are still appropriate and working as expected.

