Securing What Can't Be Air-Gapped: A Modern Playbook for Critical Infrastructure

Air-gaps fail in practice because business needs sneak around them: a vendor arrives with a laptop and a 4G dongle, a UPS exposes Bluetooth for commissioning, a BMS uploads logs to a cloud portal, or an engineer plugs a jump drive into a PLC. And even if you perfectly air-gapped the process network, physical and wireless entry points remain: roll-up doors, badge readers, tailgate risks, BLE maintenance radios.

The modern replacement for air-gap is intentional connectivity: explicit paths, strong identity, least privilege, constant verification, and controlled failure modes. In short: Zero Trust for facilities.

If a device can be configured, it must be governed. That includes the obvious (switchgear relays, UPS, PDUs, chillers, fire panels) and the "IT-adjacent" (switches, access points, cameras, badge readers, intercoms, out-of-band modems), plus the forgotten bits (environmental sensors, smart breakers, rooftop antennas). Put them all in one authoritative inventory with:

• Unique ID (serial + logical name), physical location, owner, and criticality.
• Management interfaces and media (Ethernet mgmt port, serial console, BLE, Wi-Fi, vendor cloud).
• Auth method (local accounts, x.509, API tokens), firmware version, SBOM where possible.
• Baseline configuration reference and last compliance date.

No inventory, no control.

Design three distinct planes, each with its own security policy:

Enforce separation with VRFs/VLANs and default-deny ACLs between planes. Where feasible, deploy data diodes / one-way gateways for high-consequence zones (e.g., process → analytics). Use 802.1X on switching to bind ports to identity and posture; unmanaged serial links terminate on hardened terminal servers in the fabric plane.

You'll find wireless management where you least expect it: BLE on UPS and PDUs, Wi-Fi on cameras and access points, sometimes LoRa/900 MHz on meters. The rules:

• Disable radios post-commission where possible, or move them to "pairing only" with physical presence.
• If a radio must remain active, fence it: dedicated SSIDs, 802.1X/EAP-TLS, hidden behind a RF-isolated cabinet if practical.
• Treat BLE keys and Wi-Fi PSKs as secrets with rotation and audit.
• Scan the RF environment quarterly; if you discover undocumented beacons, treat it as a security event.

Remote analytics, central orchestration, and 24×7 managed operations are only realistic with cloud. The question is which cloud services and how they are run. Require, at minimum:

Define golden configs for each device class (NTP/NTS, syslog/SNMP targets, allowed ciphers, login banners, failed-login lockouts, TLS only, BLE/Wi-Fi off unless required).

Enforce with configuration management as code; detect drift in hours, not quarters.

Patch on a rhythm: small and frequent beats big and rare. Maintain a pre-prod bench (spares or virtual twins) to burn in firmware before you touch production.

Keep a known-good image and an offline recovery path; never depend on the vendor cloud to recover a bricked controller.

You cannot defend what you cannot see. Stream device telemetry, events, and commands into a single, typed bus (MQTT, Syslog, OT-aware IDS) and project the essentials into your SIEM and time-series systems. Normalize around a fixed schema: timestamps, device identity, severity, correlation IDs. Build detections for the real attack paths:

• New management radio appears; BLE pairing outside maintenance window.
• Controller config drift; unsigned firmware attempted; abnormal coils/points toggled.
• East–west traffic from OT plane to Internet plane; unexpected DNS.
• Unusual badge patterns at high-security doors paired with reader disable events.

Retain enough detail to reconstruct incidents—config versions, session recordings, camera bookmarks for physical alarms—but prune aggressively elsewhere to control cost.

Design remote access so that losing it degrades you to safe local control, not to panic:

• A hardened bastion is the single external entry, with MFA and PAM, into the fabric plane. No direct inbound to OT.
• Out-of-band path (e.g., LTE) exists for break-glass but is locked behind the same controls and is off by default.
• If the vendor cloud is unavailable, local operators can maintain safe operations using cached credentials, local policies, and store-and-forward telemetry.

Regularly tabletop and physically test the failure of your remote providers: what still works, what gracefully pauses, and what you can recover from in minutes vs hours.

Security by aspiration fails at the first outage. Bake your requirements into SOWs:

• Provider must maintain SOC 2 Type II and/or ISO 27001 (and align to IEC 62443 where OT is in scope).
• 24×7 incident response with defined RTO/RPO for their platform; you are notified within X minutes of material incidents.
• Right to audit or obtain independent assessment summaries; pen test reports annually.
• Key management & crypto standards; API scopes; idle session timeouts; log retention and export.
• Background checks, secure SDLC, and offboarding controls for personnel.
• Subprocessor change notification with opt-out rights for high-risk additions.
• Data ownership and exit: you can export all logs/configs in a documented format.

Tie your physical security and logical controls together. If a mantrap tailgate alarm fires, treat it as a logical lockdown on associated consoles. If a dock door is open, inhibit badge readers deeper into the facility and escalate access approvals in software. Cameras should bookmark feeds automatically on controller alarms. Security is best when physics and software agree.

Critical infrastructure will be connected. The choice is between accidental connectivity (shadow radios, vendor laptops, undocumented clouds) and engineered connectivity (segmented planes, strong identity, audited providers, observable operations). Pick the latter.

Insist that every manageable device is in inventory and under policy. Demand SOC 2/ISO 27001 from anyone who runs your control paths. Make remote access a feature that fails safe. And rehearse it all until the difference between "normal day" and "Internet down" is an SRE note, not an incident bridge.