What Makes an OT Network Perfectly Air-Gapped? (And Why Yours Probably Isn't)

OT SECURITY FUNDAMENTALS

For the last few days I have watched debates over networks “not being air-gapped” even where everyone assumed they were. It got me thinking. What would an ideal air-gapped OT network actually look like? Here are the five hard criteria, and why almost no plant meets them.

For the last few days, I have watched several debates online over networks “not being air-gapped” even where everyone involved assumed they were. It got me thinking. What would an ideal air-gapped OT network actually look like?

I did some research and arrived at five criteria. Let me warn you up front: almost no plant I have ever assessed meets all five. Which is the real point of this article.

The five criteria

1. No device in the network has ever accessed the internet, even for updates

This is where most assumed-air-gapped networks fail. During assessments, we repeatedly find that machines have had short-lived internet exposure for antivirus updates, Windows patches, or vendor diagnostic tools. “Just for a few minutes” is still internet exposure. During those few minutes, you were not air-gapped.

2. No smart or wireless devices in the network

Industry 4.0 and IIoT are pushing wireless sensors, smart meters, and cloud-connected gauges into industrial networks at an accelerating rate. Every one of them opens a new attack surface. An air-gapped network, strictly interpreted, cannot include a single wireless device that speaks to anything outside the air gap.

3. No USB or removable media crossing the boundary, ever

This is the most commonly violated rule. USB drives and CDs get used for transferring production reports, vendor patches, logs, backups. Every one of those transfers is a bidirectional data path. Stuxnet, the canonical example, spread almost entirely via USB into supposedly isolated Iranian centrifuge networks. If you allow removable media, you are not air-gapped. You are intermittently connected with a long interval.

4. No remote access, not even for emergencies

“Just a quick VPN for the vendor to fix the HMI logic” breaks your air gap for the duration of that session, and often longer if credentials or keys stick around. An air-gapped network, strictly, allows physically present engineers only.

5. Reports are generated manually or on isolated machines

Sometimes we find machines, connected to OT switches more or less at random, that are used to create production reports and send those reports to the corporate network. The moment that cable exists, the plant is connected to the enterprise, and through the enterprise, to the internet.

The honest truth about air gaps today

If you apply all five criteria strictly, probably fewer than 1% of industrial plants in the world are air-gapped.

That is not a failure of the plants. It is the reality of modern industry. Production planning, ERP integration, predictive maintenance, regulatory reporting, customer logistics, supply-chain visibility: all of these require data to flow between OT and IT. You cannot run a competitive manufacturing operation in 2026 and maintain a strict air gap. The economics do not work.

What to do instead: controlled connectivity

Since strict air gaps are not realistic for most, the question becomes: if you are going to be connected, how do you manage the connection?

Five practical principles:

  • Micro-segment the business side. Treat every IT-to-OT interface as a controlled, monitored choke point. Not a VLAN. A real policy-enforcing boundary with logging.
  • Micro-segment the OT side. Do not let IT/OT connectivity infect the whole OT network. Contain connectivity to the specific OT zones that need it (usually just the data historians and engineering workstations).
  • Use an IDMZ. The Industrial DMZ exists precisely because we have accepted that pure air gaps are fiction. It is the buffer between the trusted OT zone and the less-trusted enterprise zone. No traffic crosses directly. Sessions terminate and re-initiate in the IDMZ. (See my article on Understanding the Industrial DMZ.)
  • Authenticate and encrypt every cross-zone conversation. No unauthenticated Modbus traversing your IDMZ. Two-way authentication between source and destination resources to protect against MITM and replay attacks.
  • Controlled access by authorised users. Named identities, session recording, time-limited access, MFA.

The uncomfortable reframing

Instead of telling your auditor “our network is air-gapped” and hoping no one asks about the USB policy, tell them: “our network is segmented with controlled connectivity, and here are the controls on every crossing.” It is honest, it is defensible, and it matches reality.

An overstated air gap is worse than no air gap at all, because it leads to controls being neglected on the assumption that nothing can cross.

RelyBlue’s OT network assessments specifically look for claimed-but-violated air gaps and help you either truly isolate or properly control. Request an assessment.

- Mr. Shamikkumar Dave | 2025-09-01