Tags: Zero Trust, Air Gap, OT Security

Zero Trust for Air-Gapped OT Networks: What Works and What Doesn't

Trout Team | 3 min read

Air-gapped OT networks are not connected to the internet. They are still connected to people. Technicians plug in laptops. Vendors bring USB drives. Operators authenticate (or do not authenticate) at HMI terminals. Every one of these is an attack vector that network isolation does not address. Zero Trust applies here. But most Zero Trust tools assume cloud connectivity, which air-gapped networks do not have.

What Does Not Work in Air-Gapped Environments

Cloud identity providers. Azure AD, Okta, and Google Workspace require internet connectivity for authentication. If your identity provider is in the cloud, your air-gapped network has no identity layer.

Cloud-managed firewalls. Palo Alto Prisma, Zscaler, and similar platforms route traffic through cloud inspection points. In an air-gapped environment, there is no route to the cloud.

SaaS SIEM platforms. Splunk Cloud, Microsoft Sentinel, and other cloud SIEMs cannot receive logs from a disconnected network. Your audit trail stays local or does not exist.

Agent-based endpoint protection. Even if your OT devices could run agents (most cannot), those agents typically need cloud connectivity for signature updates, policy pushes, and telemetry collection.

What Works

On-Premise Identity Enforcement

Deploy an identity gateway inside the air-gapped network. All user authentication happens locally. MFA tokens (TOTP) work offline. The policy engine runs on-site with no external dependency.

Access Gate runs entirely on-premise. Its identity gateway, policy engine, session proxy, and log storage all operate within the local network. No data leaves the perimeter.

Network-Layer Access Control

Instead of relying on endpoint agents, enforce access control at the network layer. An overlay network with proxy enforcement verifies identity and authorizes every session before it reaches the OT asset. The device does not need to participate in authentication.

Local Session Logging

Capture session logs on-premise. Store them on the appliance or forward to a local SIEM over syslog. Every connection is logged with user identity, timestamp, source, destination, protocol, and payload.
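As an added example (not Access Gate's own log format, which this post does not show), here is a parser for constructed syslog session records carrying the fields listed above, plus a query that answers the incident-reconstruction question the post raises: who reached a given asset, from where, over which protocol. The structured-data field names and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed RFC 5424-style lines of the kind an on-site session proxy could forward
# to a local SIEM over syslog. Format: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG
SAMPLE_SYSLOG = """\
<134>1 2024-03-04T10:15:02Z accessgate session - - [sess user="jdoe" src="10.20.1.15" dst="10.30.0.7" proto="modbus-tcp" action="allow"] session start
<134>1 2024-03-04T10:19:47Z accessgate session - - [sess user="jdoe" src="10.20.1.15" dst="10.30.0.7" proto="modbus-tcp" action="close"] session end
<134>1 2024-03-04T11:02:10Z accessgate session - - [sess user="vendor-acme" src="10.20.5.40" dst="10.30.0.7" proto="ssh" action="allow"] session start
<132>1 2024-03-04T11:03:55Z accessgate session - - [sess user="vendor-acme" src="10.20.5.40" dst="10.30.0.9" proto="ssh" action="deny"] policy denied
"""

LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ \[sess (?P<sd>[^\]]*)\] (?P<msg>.*)$')
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_session_log(text):
    """Turn syslog lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(PARAM_RE.findall(m.group("sd")))
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["msg"] = m.group("msg")
        events.append(ev)
    return events

def who_reached(events, asset, since=None):
    """Incident reconstruction: identities that opened allowed sessions to `asset`."""
    hits = []
    for ev in events:
        if ev["dst"] == asset and ev["action"] == "allow" and (since is None or ev["ts"] >= since):
            hits.append((ev["ts"].isoformat(), ev["user"], ev["src"], ev["proto"]))
    return hits

def denied_by_user(events):
    """Count policy denials per identity; a burst here is an early signal worth alerting on."""
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == "deny":
            counts[ev["user"]] += 1
    return dict(counts)
```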

Software-Defined Segmentation

Create microsegments without switch reconfiguration. An overlay network builds logical boundaries on top of the existing physical network. Each asset or asset group gets its own segment with its own access policy. No VLAN changes, no recabling, no switch firmware updates.
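An added example of the default-deny decision a session proxy makes before traffic reaches an OT asset, covering both the network-layer enforcement section and the segmentation section above. The segment names, addresses and rule shape are constructed for illustration and are not Access Gate's policy format.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    mfa_verified: bool
    src: str
    dst: str
    proto: str

# Constructed overlay segmentation: each asset belongs to one logical segment,
# and each segment carries its own allow rules. Anything unmatched is denied.
ASSET_SEGMENT = {"10.30.0.7": "plc-line1", "10.30.0.9": "plc-line2", "10.30.1.5": "historian"}
SEGMENT_POLICY = {
    "plc-line1": [{"roles": {"ot-engineer"}, "protos": {"modbus-tcp"}, "src": "10.20.1.0/24"}],
    "plc-line2": [{"roles": {"ot-engineer"}, "protos": {"modbus-tcp"}, "src": "10.20.1.0/24"}],
    "historian": [{"roles": {"ot-engineer", "vendor"}, "protos": {"https"}, "src": "10.20.0.0/16"}],
}

def authorize(session):
    """Return (allowed, reason). Identity and MFA are checked first, then the
    destination's segment policy; the OT device itself never has to authenticate."""
    if not session.mfa_verified:
        return False, "mfa required"
    segment = ASSET_SEGMENT.get(session.dst)
    if segment is None:
        return False, "destination not in any segment"
    src_ip = ipaddress.ip_address(session.src)
    for rule in SEGMENT_POLICY.get(segment, []):
        if (session.roles & rule["roles"]
                and session.proto in rule["protos"]
                and src_ip in ipaddress.ip_network(rule["src"])):
            return True, f"matched rule in segment {segment}"
    return False, f"no rule in segment {segment} permits {session.proto} from {session.src}"
```

The last test case below shows the lateral-movement property: an asset in one segment is not a permitted source for another segment, so a compromised PLC cannot reach its neighbour through the proxy even though both sit on the same physical network.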

The Air-Gap Paradox

The paradox of air-gapped security: the gap protects against remote attacks but creates blind spots for local threats. Without an identity layer, you do not know who is accessing what inside the gap. Without logging, you cannot reconstruct an incident. Without segmentation, a compromised device can reach everything on the flat network.

Zero Trust inside the gap addresses all three: identity verification for every session, audit logging for every connection, and microsegmentation to limit lateral movement.

Deployment Considerations

No internet for updates. Software updates must be applied manually via secure media. Access Gate supports offline update packages.

No cloud for management. Multi-site management requires a local management plane. Access Gate supports site-to-site management over encrypted tunnels between air-gapped locations.

Classified environments. Air-gapped networks in SCIF or classified environments have additional handling requirements. Access Gate has no cloud dependency and stores all data locally.

For more Zero Trust OT resources, architecture guides, and comparisons, visit the Zero Trust for OT Networks hub.

Frequently Asked Questions

Can Zero Trust work without internet connectivity?
Yes. Zero Trust is an architecture principle, not a cloud service. On-premise implementations enforce identity, access control, and logging locally without any internet dependency.
How does MFA work in an air-gapped environment?
Time-based one-time passwords (TOTP) work offline. The user generates a code on a hardware token or mobile device. The identity gateway validates it locally. No network call to an external provider is needed.
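The offline TOTP validation described in the On-Premise Identity Enforcement section and in this answer, as an added Python example (not Access Gate code): RFC 6238 HMAC-SHA1 codes checked entirely on the local gateway, with a small drift window because an isolated network has no upstream time source, and a replay check so an already-accepted code is not accepted twice. The secret is the RFC's published test value, not a real enrollment.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 test secret (ASCII "12345678901234567890"). A real token would be
# enrolled from a base32 secret and decoded with base64.b32decode().
RFC_SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the gateway's own clock."""
    return hotp(secret, at_time // step, digits)

def verify_totp(secret, code, at_time, step=30, digits=6, window=1, used_counters=None):
    """Validate a submitted code locally.

    window: steps of clock drift tolerated in each direction (token clocks drift
    without NTP, so +/-1 step is a common compromise between usability and exposure).
    used_counters: per-user set of counters already accepted; a repeat is rejected so
    a code can only ever be used once inside the window.
    """
    if len(code) != digits or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        counter = at_time // step + drift
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used_counters is not None:
                if counter in used_counters:
                    return False
                used_counters.add(counter)
            return True
    return False
```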
What about signature updates for threat detection?
Signature-based detection requires periodic updates. In air-gapped environments, updates are applied via secure media transfer. Behavioral and anomaly-based detection works without signatures.
How do you manage multiple air-gapped sites?
Access Gate supports a local management plane that connects sites over encrypted tunnels. If sites are physically separated with no connectivity, each operates independently with local policy management.
Does air-gapping satisfy CMMC requirements?
Air-gapping addresses some NIST 800-171 controls (like internet-facing access restrictions) but does not address access control, audit logging, MFA, or encryption within the network. You still need controls inside the gap.