InsITe Blog

The Air Gap Most Manufacturers Trust Has Already Been Crossed

Written by Justin Platt | May 5, 2026 12:14:01 PM

A programmer walks across the shop floor with a USB stick. On it is the latest revision of a G-code program for a 2003 Mazak running a Windows 2000 HMI. The PLC behind it has no Ethernet port. The HMI cannot be patched, cannot run modern endpoint protection, and cannot join the domain. So the file moves the only way it can. By hand.

That same USB stick was in two other machines this morning. It was in a contractor’s laptop last week. Nobody tracks any of it.

This scene feels ordinary in manufacturing.

That is exactly why it is dangerous.

The machine is called air gapped.

It is not.

It is one infected USB away from a shop floor outage, with no logging, no monitoring, and no detection standing between production and whatever shows up next.

The assumption that disconnection equals protection is what keeps the workaround invisible.

At InsITe, we see this pattern repeatedly. The workaround becomes the exposure.

Air Gapping Solved Yesterday’s Problem

Air gapping made sense when shop floor systems had no reason to talk to anything. Controllers were islands. Programs were loaded once and ran for years. Security guidance emphasized isolation because it was simple and effective at the time.

That world is gone.

Today, even the most isolated machines need files. Programs change. Recipes update. Maintenance runs diagnostics. Vendors push firmware. Quality pulls data.

Every one of those actions requires a path.

When there is no sanctioned path, an unsanctioned one fills the gap.

The air gap did not disappear.

It moved.

What the Disconnected Machine Actually Looks Like

Most plants live on a spectrum of partial connectivity, not true isolation.

Some machines use PLCs with no network capability at all. Older controllers rely on serial connections or proprietary backplanes. These are genuinely isolated at the controller level.

The HMI sitting on top of them is a different story.

Some machines run PLCs that communicate over networks using protocols designed before authentication existed. Modbus TCP. Older EtherNet/IP. Unauthenticated OPC. Anything on the same VLAN can read from or write to them.

Air gapping became a compensating control for a protocol problem.

Others run HMIs and control PCs on operating systems that have been out of support for a decade or more. Windows 2000. XP. 7. Sometimes even older. The OEM ties the OS to proprietary drivers and control software. Replacing the OS often means replacing the controller. Replacing the controller often means replacing the machine.

The price tag is hundreds of thousands of dollars. Sometimes more.

So the machine stays.

And the workaround stays with it.

Where the Real Risk Lives

The cybersecurity exposure in these environments is not the absence of a network cable. It is the presence of undocumented connections.

Removable media moves between systems with no controls.

Vendor laptops connect for service calls and leave behind whatever they brought.

Engineering workstations reach into OT environments using domain credentials.

Temporary network bridges become permanent.

Remote desktop sessions remain long after their original purpose is forgotten.

None of this shows up on a network diagram.

Which means most organizations believe they are protected by an air gap that no longer exists.

Every one of these paths has been the entry point for an OT incident somewhere in the last several years. The pattern has not changed. Only the assumptions have.

Why This Is a Cybersecurity Problem, Not an IT Problem

When the perimeter is a USB port, the perimeter has no visibility, no audit trail, and no clear owner.

Unsupported operating systems cannot run modern endpoint protection. They cannot be patched. They cannot enforce modern authentication. Compensating controls must live somewhere else: on the network, at the file transfer point, or at the access path.

If those controls are not in place, there are no controls.

This is why “it’s air gapped” no longer ends the conversation with auditors, insurers, or security teams. It opens it.

Hope is not a control.

What Actually Protects These Machines

Protection starts with knowing what is there.

We call this foundation-level visibility. Nothing else works without it.

Manufacturers need to know which machines run which operating systems, how files actually move to them, and who touches those paths. Inventory is the foundation. Without it, everything else is guesswork.

Removable media must be treated as the perimeter it has become. That means scanning, control, tracking, and defined transfer points.

Segmentation must match reality. Not one flat OT network, but zones based on criticality, operating system support, and actual data flows.

Legacy systems require compensating controls that do not rely on the operating system itself. Network-based monitoring. Allow lists. Brokered vendor access through jump hosts with multifactor authentication. Logging at every connection point.

And someone has to be watching.

Detection has to live where incidents actually start.
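As an added example, not code from the original post or from InsITe, here is one shape a sanctioned USB transfer point could take: a small Python screener that allow-lists program file types, checks that the content is actually a G-code program rather than a renamed executable, and appends every decision to a JSON-lines manifest recording hash, device, operator, target machine and time, so "what touched my shop floor this week?" has an answer. The device serial, extensions, machine name and sample files are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy values (hypothetical): registered USB serials and the
# program file types a shop-floor machine is allowed to receive.
REGISTERED_DEVICES = {"USB-SN-CONSTRUCTED-0001"}
ALLOWED_EXTENSIONS = {".nc", ".eia"}
GCODE_STARTS = ("%", "O", "N", "G", "(", ";")

def looks_like_gcode(data: bytes) -> bool:
    """Content check so a renamed executable does not pass on its extension alone."""
    if not data or b"\x00" in data:
        return False
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    return first.upper().startswith(GCODE_STARTS)

def screen_file(name, data, device_serial, operator, target_machine):
    """Decide allow/reject for one file and build its manifest record."""
    reasons = []
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if device_serial not in REGISTERED_DEVICES:
        reasons.append("unregistered device")
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension {ext or '(none)'} not allowed")
    if not looks_like_gcode(data):
        reasons.append("content is not a G-code program")
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "file": name, "sha256": hashlib.sha256(data).hexdigest(),
        "device": device_serial, "operator": operator, "target": target_machine,
        "allowed": not reasons, "reasons": reasons,
    }

def transfer(files, device_serial, operator, target_machine, manifest_path=None):
    """Screen a batch and append every decision, allowed or not, to a JSON-lines manifest."""
    records = [screen_file(n, d, device_serial, operator, target_machine) for n, d in files.items()]
    if manifest_path:
        with open(manifest_path, "a") as fh:
            fh.writelines(json.dumps(r) + "\n" for r in records)
    return records

if __name__ == "__main__":  # constructed sample: a real program and a renamed executable
    sample = {"O1234.nc": b"%\nO1234 (BRACKET REV C)\nN10 G90 G54\nN20 M30\n%\n", "update.nc": b"MZ\x90\x00" * 16}
    for r in transfer(sample, "USB-SN-CONSTRUCTED-0001", "operator1", "MAZAK-2003-01"):
        print(r["file"], "ALLOWED" if r["allowed"] else "REJECTED", r["reasons"])
```

Rejected files are logged as well as allowed ones, because the rejections are the detection signal the transfer point exists to produce.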

What Better Looks Like

The manufacturers who handle this well are not the ones who disconnected the most.

They are the ones who can answer a simple question with confidence.

What touched my shop floor this week, and how do I know?

They know which machines run which operating systems. They know how files move. They know who connected, when, and why.

Where air gaps exist, they are real.

Where bridges exist, they are documented and monitored.

The legacy machines still run. The OEM limitations still exist. But the workarounds are no longer invisible, and the risk is no longer compounding in the dark.

Where to Start

If air gapping is still the primary security story for the shop floor, a few questions are worth sitting with.

  • Which machines are truly disconnected, and which ones only feel that way?
  • How does a program file actually move from engineering to the machine today?
  • Which HMIs and control PCs are running unsupported operating systems?
  • If ransomware arrived on a USB drive tomorrow, how would you know?

If these questions feel uncomfortable, that discomfort is useful. It points directly to where risk is already accumulating.

These answers do not require a budget cycle. They require a walk through the plant and an honest look at what is happening in practice, not what the diagram says.

Final Thoughts

Air gapping was a real strategy for a real era.

That era ended quietly, while machines kept running and workarounds kept growing.

The cybersecurity work ahead for most manufacturers is not about connecting things that should stay disconnected. It is about seeing the connections that already exist, putting controls around them, and replacing invisible workarounds with intentional, monitored paths.

The shop floor is already connected.

The real question is whether those connections are deliberate, visible, and protected.

Protection no longer comes from disconnection.

It comes from design.