Air-gapped systems: are they truly more secure?
It is “common sense” that air-gapped systems are more secure against cyber threats. Such “common sense” has found its way into cyber security guidelines, company policies, and even national regulations. After all, a hacker cannot infiltrate a system if he/she cannot reach it. In this article, we will examine this “common sense” and discuss the cyber security implications of an air-gapped system.
An air-gapped system, by definition, has no footprint on the internet or through any other system. It does not have web applications, management consoles, or APIs exposed to the internet on public IPs or to any other systems (such as corporate systems). This naturally means that there is very limited or no attack surface on the public internet or through another system. As a result, air-gapped systems are highly resistant to mass exploitation attacks, where attackers scan the internet to find a specific vulnerability in a specific service to exploit. Mass exploitation attacks tend to be conducted by bots or a worm, are generally opportunistic with a primarily monetary motivation, and are not targeted at a specific organisation or system.
But are air-gapped systems therefore truly more secure, and do air gaps have no negative implications for the cyber security posture of a system?
Limitations of air-gapped systems
Firstly, no modern system is truly air-gapped. There is usually a remote access tool such as a VPN, a jump host, or a virtual desktop solution to allow for remote management. Then there are the web apps, APIs, message queues, and proxies that exchange data with other systems. These represent a small but significant attack surface for cyber threats.
Secondly, an air-gapped system generally has more limited internal controls. These controls include segmentation, authentication, and monitoring controls. This is due to the assumption that every system element of an air-gapped system is trusted and therefore system operators may adopt a more relaxed internal security posture.
Thirdly, an air-gapped system tends to be significantly less agile and responsive to cyber security threats. System elements of air-gapped systems are generally slower in receiving patches and updates, as they are unable to receive Over-the-Air (OTA) updates. Security controls such as firewalls, endpoint anti-virus, or an Intrusion Detection System (IDS) are also slower in receiving updated signatures and threat intelligence data because of the air gap. Besides that, monitoring an air-gapped environment from an external system involves sending data out to the external system, which diminishes the air gap. In addition, any incident response action would also have to be conducted from within the air-gapped system, further limiting the responsiveness of incident response in the event of a cyber security incident.
Finally, geographically distributed systems such as the control systems for a power grid or a transport network have numerous, geographically dispersed, and publicly exposed field devices that are connected to the air-gapped system. An attacker may physically tamper with these field devices by installing a network tap, a malicious drop box, or even a RAT (Remote Access Tool) to gain a foothold in the air-gapped system.
In conclusion, an air-gapped system is less exposed to the public internet and can therefore deter cyber-attacks. However, the assumption that an air-gapped system is more secure may breed complacency in the security design and operation of such systems. It is critical that security professionals become aware of the trade-offs and cyber security risks of an air-gapped system.
Contact DNV today to find out how we can help secure your critical infrastructure assets.
7/31/2025 7:00:00 AM