
> But isn’t part of security realizing that there is no 100% solution? ... Air gapping cuts down on the number of interactions with the network at large.

My point is that, practically speaking, most companies don't have the discipline to actually keep an air gap up, long-term. You inevitably need to get data in and out of the air-gapped systems.

The "air gapped" networks I've seen end up not actually being air gaps. Real air gaps are inconvenient, so eventually somebody installs a dual-homed host or plugs the entire segment into a "dedicated interface" on a firewall. Even without that, contractors plug-in random laptops and new machines, initially connected to the Internet to load drivers / software, get plugged-in to replace old machines. The "air gap" ends up being a ship of Theseus.

I had a customer who had DOS machines connected to old FANUC controllers. They loaded G-code off floppy diskettes. Eventually those broke and they started loading G-code over RS-232. The PCs didn't have Ethernet cards -- their serial ports were connected to Lantronix device servers. It wasn't ever really an air gap. It was a series of different degrees of "connectivity" to the outside world.
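The erosion described above (a dual-homed host, a segment quietly wired into a firewall, a gateway appearing on the "isolated" network) is something an inventory audit can catch. The following is an added example, not code from the commenter: it takes a constructed interface inventory and flags hosts that bridge the assumed isolated segment (10.200.0.0/24) to any other network, or that have a default route inside it.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One interface record: (name, address/prefix, default gateway or None).
Iface = Tuple[str, str, Optional[str]]

# Assumed isolated segment and a constructed sample inventory (not real hosts):
# what an asset scan of the shop-floor segment might return.
ISOLATED_NETS = [ipaddress.ip_network("10.200.0.0/24")]
INVENTORY: Dict[str, List[Iface]] = {
    "cnc-pc-01": [("eth0", "10.200.0.11/24", None)],                 # clean
    "hmi-02": [("eth0", "10.200.0.12/24", "10.200.0.1")],            # has a gateway
    "eng-laptop": [("eth0", "10.200.0.50/24", None),
                   ("wlan0", "192.168.1.23/24", "192.168.1.1")],     # dual-homed
    "fw-bridge": [("eth1", "10.200.0.1/24", None),
                  ("eth0", "203.0.113.5/29", "203.0.113.1")],        # dual-homed
    "office-pc": [("eth0", "192.168.1.40/24", "192.168.1.1")],       # out of scope
}


def is_isolated(cidr: str, isolated_nets=ISOLATED_NETS) -> bool:
    """True if the interface address falls inside any isolated network."""
    addr = ipaddress.ip_interface(cidr).ip
    return any(addr in net for net in isolated_nets)


def audit(inventory: Dict[str, List[Iface]],
          isolated_nets=ISOLATED_NETS) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for hosts that bridge or route out of the segment."""
    findings: List[Tuple[str, str]] = []
    for host, ifaces in inventory.items():
        inside = [i for i in ifaces if is_isolated(i[1], isolated_nets)]
        if not inside:
            continue  # host never touches the isolated segment
        outside = [i for i in ifaces if not is_isolated(i[1], isolated_nets)]
        if outside:
            names = ", ".join(f"{n}={a}" for n, a, _ in outside)
            findings.append((host, f"dual-homed: also on {names}"))
        gateways = [gw for _, _, gw in inside if gw]
        if gateways:
            findings.append((host, f"default route via {gateways[0]} inside isolated segment"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY):
        print(f"{host}: {finding}")
```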