Air-Gapped but Not Immune

Written by Admin | Jul 28 2025

In the world of Operational Technology (OT), isolation is often seen as a shield. Air-gapped networks, disconnected systems, and remote industrial sites offer a comforting illusion: if it’s offline, it’s safe. But as attackers grow bolder and more creative, this assumption is being quietly but consistently dismantled.

Today, offline does not mean untouched. From malware planted via USB to contractors walking into remote substations with outdated credentials, threats to air-gapped or low-connectivity environments are rising—and they’re harder to detect, investigate, or contain. In fact, some of the most damaging OT incidents in recent years have happened in environments thought to be secure simply because they weren’t online.

It’s time to reconsider what security means when networks are silent.

Silent Systems, Loud Risks

The belief that offline systems are inherently secure is rooted in a pre-digital mindset—one where threats were mostly external and digital perimeters were clear. But modern OT ecosystems are messy. Portable media, third-party vendors, and inconsistent operational discipline mean that even isolated networks are regularly breached, often unintentionally.

Let’s look at some recent examples that underscore just how vulnerable “offline” really is.

Case 1: USB-Based Malware Hits Iranian Steel (2022)

In 2022, a cyberattack on Iran’s Khuzestan Steel Company caused significant operational disruption. The attackers, reportedly a hacktivist group, used a USB-based delivery mechanism to plant malware into the ICS network—an environment that was largely disconnected from the internet.

This incident is telling for two reasons: first, it shows that air-gapping didn’t stop the attack; second, it reveals how physical access combined with weak internal controls can be just as dangerous as an external breach.

Case 2: Oldsmar Water Utility Breach (2021)

In Oldsmar, Florida, a small municipal water utility saw its control systems accessed remotely through TeamViewer, which was still enabled on a system connected to its ICS. While this system wasn’t fully air-gapped, it reflected a broader pattern: OT systems are often only partially offline, and when they are exposed, they’re often protected by weak or outdated remote access protocols.

The issue wasn’t just the remote access—it was that no secondary verification was required, no access accountability was enforced, and there was little real-time visibility.

Case 3: Industroyer2 and Ukrainian Power Grids (2022)

The 2022 Industroyer2 attack on Ukraine’s power infrastructure echoed the original 2016 attack—but with a more subtle playbook. Rather than relying on real-time remote control, attackers planted code to trigger at a later time, allowing them to operate within partially disconnected environments.

This shows how adversaries are adapting to the constraints of OT: when they can’t maintain persistent connections, they pre-load malicious logic and let the system execute it without needing further interaction.

The Common Thread: Identity and Access Blind Spots

In all these cases, one thing stands out: the lack of reliable, accountable identity controls in environments that can’t depend on a live network. Traditional authentication systems—passwords, static credentials, even SMS-based MFA—simply don’t apply when the system is disconnected or the user is in a mine 300 km from the nearest signal.

Contractors reuse old credentials. USBs pass malware invisibly. Remote access tools stay active for months. And security teams can't trace who did what, or when.

The issue isn’t just connectivity—it’s trust. Who’s accessing your systems when no one’s watching?

Toward a More Realistic Model of Offline Security

To secure air-gapped or intermittently connected OT systems, we need to abandon the idea that isolation is sufficient. We need identity and access mechanisms that:

  • Work offline, without relying on centralized authentication servers.
  • Prevent credential reuse and unauthorized lateral movement.
  • Provide session-specific, time-limited access—so stolen or leaked credentials don’t matter.
  • Leave a verifiable trail, even in environments without real-time connectivity.

Importantly, these mechanisms must integrate with existing infrastructure, not assume that legacy OT environments can be replaced or fully modernized overnight.
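The four requirements above, as an added illustration that is not swIDch’s code or any product’s: a minimal offline verifier in Python that derives a session-specific, time-limited code from a secret provisioned on the asset, refuses replays, and keeps a hash-chained access log that can be checked once it is carried back out of the site. The asset name, window length and key values are constructed for the example.

```python
import hashlib
import hmac
import json

WINDOW_SECONDS = 300  # constructed value: one access window is five minutes

def derive_code(secret: bytes, operator: str, asset: str, window: int) -> str:
    # Code is bound to operator, asset and time window, so it cannot be reused elsewhere.
    msg = f"{operator}|{asset}|{window}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class OfflineVerifier:
    def __init__(self, secret: bytes, asset: str, log_key: bytes):
        self.secret, self.asset, self.log_key = secret, asset, log_key
        self.used = set()          # (operator, window) pairs already redeemed
        self.log = []              # hash-chained audit records
        self.prev = b"\x00" * 32   # chain head

    def verify(self, operator: str, code: str, now: float, drift: int = 1) -> bool:
        window = int(now // WINDOW_SECONDS)
        granted = False
        # Accept the current window and `drift` earlier ones to tolerate clock skew.
        for w in range(window - drift, window + 1):
            expected = derive_code(self.secret, operator, self.asset, w)
            if hmac.compare_digest(expected, code) and (operator, w) not in self.used:
                self.used.add((operator, w))   # a replayed code is refused
                granted = True
                break
        self._record(operator, window, granted)  # every attempt is logged, granted or not
        return granted

    def _record(self, operator: str, window: int, granted: bool) -> None:
        entry = {"operator": operator, "asset": self.asset, "window": window,
                 "granted": granted, "prev": self.prev.hex()}
        body = json.dumps(entry, sort_keys=True).encode()
        tag = hmac.new(self.log_key, self.prev + body, hashlib.sha256).digest()
        self.log.append((entry, tag.hex()))
        self.prev = tag

    def audit_ok(self) -> bool:
        # Re-walk the chain once the log is carried out; any edited or dropped record breaks it.
        prev = b"\x00" * 32
        for entry, tag in self.log:
            body = json.dumps(entry, sort_keys=True).encode()
            expect = hmac.new(self.log_key, prev + body, hashlib.sha256).hexdigest()
            if entry["prev"] != prev.hex() or not hmac.compare_digest(expect, tag):
                return False
            prev = bytes.fromhex(tag)
        return True
```

The verifier runs entirely on the isolated asset; the operator’s code-generating device holds the same provisioned secret, so neither side needs a live authentication server.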

swIDch’s OT authentication solutions were built with exactly this kind of environment in mind—offline-first, identity-centric, and secure by design.

Disconnected, Not Unreachable

Air-gapped systems aren’t going away. Many OT environments will always be partially or fully offline—for good operational reasons. But the myth that disconnection equals protection is increasingly dangerous.

Recent incidents show that even without an internet connection, attackers can infiltrate, disrupt, and damage critical systems. In fact, the lack of visibility and control in these environments often makes them easier targets.

It’s time to acknowledge the truth: even isolated systems need identity. And even in silence, we must know who’s knocking at the door.
