An air-gapped network is a network that is physically isolated from the public internet and all external networks. No wired, wireless, or cellular connectivity path exists between the air-gapped environment and outside systems. Data transfer into or out of the network requires physical media such as USB drives, optical discs, or serial console connections.
How air-gapped networks work
An air-gapped network achieves isolation by eliminating every physical and logical path to external networks. Network switches and routers in the air-gapped environment have no uplink to the corporate LAN or internet gateway. Wi-Fi radios are disabled or physically removed. Cellular modems are prohibited. The only way to introduce data is through a controlled media transfer process with documented chain of custody.
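The controlled media transfer process described above, and the offline update process the page returns to later, both come down to one check at the point where media crosses the gap: was every file on the media approved, and is it unchanged? The following is an added example, not Access Gate code and not a procedure the page itself specifies. It assumes a transfer ticket id, a shared key, and file names that are all constructed for the demonstration; a production transfer station would sign the manifest with a private key held outside the gap and verify it inside with the matching public key, so the receiving side holds no secret that could be used to forge approvals.

```python
"""Verify a removable-media transfer against an authenticated manifest.

Added example for this glossary entry; it is not Access Gate code. It models
a controlled transfer: the sending side writes a manifest of SHA-256 hashes
over the approved files and authenticates it with a key, and the receiving
(air-gapped) side refuses any file that is not listed, has a mismatched hash,
or arrives under a manifest whose tag does not verify. HMAC is used here only
so the example runs on the standard library (assumption: a real station would
use an asymmetric signature instead).
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Fixed key order and separators so both sides authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes, ticket: str) -> str:
    """Sending side: list the approved files, then authenticate the list."""
    body = {
        "ticket": ticket,  # transfer-request id for the chain-of-custody record
        "files": {path: sha256_hex(data) for path, data in sorted(files.items())},
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


@dataclass
class TransferResult:
    ticket: Optional[str]
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)  # path -> reason

    @property
    def ok(self) -> bool:
        return self.ticket is not None and not self.rejected


def verify_media(files: dict, manifest: str, key: bytes) -> TransferResult:
    """Receiving side: check the manifest tag first, then every file on the media."""
    try:
        parsed = json.loads(manifest)
        body, tag = parsed["body"], parsed["tag"]
        if (not isinstance(body, dict) or not isinstance(tag, str)
                or not isinstance(body.get("files"), dict)
                or not isinstance(body.get("ticket"), str)):
            raise ValueError("malformed manifest")
    except (ValueError, KeyError, TypeError):
        return TransferResult(ticket=None, rejected={"<manifest>": "unparseable"})

    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # Nothing on the media is trusted if the manifest itself was altered.
        return TransferResult(ticket=None, rejected={"<manifest>": "bad authentication tag"})

    result = TransferResult(ticket=body["ticket"])
    listed = body["files"]
    for path, data in files.items():
        if path not in listed:
            result.rejected[path] = "not in manifest"      # planted or unapproved file
        elif sha256_hex(data) != listed[path]:
            result.rejected[path] = "hash mismatch"        # changed after approval
        else:
            result.accepted.append(path)
    for path in listed:
        if path not in files:
            result.rejected[path] = "listed but missing"   # incomplete transfer
    return result


# Constructed sample data (not from the page): an approved patch bundle, plus
# one file that appeared on the media after the manifest was written.
TRANSFER_KEY = b"example-key-not-for-production"
APPROVED = {
    "patches/kb-2024-01.bin": b"\x00\x01patch-payload",
    "patches/README.txt": b"apply in listed order\n",
}
MANIFEST = build_manifest(APPROVED, TRANSFER_KEY, ticket="XFER-0001")
ON_MEDIA = {**APPROVED, "extra/unlisted.bin": b"\x90\x90"}

if __name__ == "__main__":
    r = verify_media(ON_MEDIA, MANIFEST, TRANSFER_KEY)
    print(f"ticket={r.ticket} ok={r.ok}")
    print("accepted:", r.accepted)
    print("rejected:", r.rejected)
```

The order of checks matters: the manifest tag is verified before any file hash is consulted, so a manifest that was edited on the media invalidates the whole transfer rather than just the edited entries, and an extra file that was never approved is rejected even though it has nothing to do with the listed ones. The ticket id is what ties the result back to the written chain-of-custody record.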
Air-gapping was historically considered the strongest form of network security. If an attacker cannot reach the network over any communication channel, remote exploitation is theoretically impossible. This assumption made air-gapping the default architecture for classified military networks, nuclear facility control systems, and high-security government enclaves.
However, the assumption that physical isolation equals security has been repeatedly disproven. The Stuxnet attack in 2010 demonstrated that air-gapped networks can be compromised through removable media. The malware propagated via infected USB drives that were carried across the air gap by personnel performing routine data transfers. Subsequent research has demonstrated exfiltration techniques using electromagnetic emissions, acoustic signals, thermal gradients, and LED status indicators on network equipment.
Beyond deliberate attacks, air-gapped networks face a more mundane security challenge: the difficulty of maintaining security tooling without internet connectivity. Most modern security tools depend on cloud services for threat intelligence feeds, signature updates, and management console access. In an air-gapped environment, these tools either fail to function or require a manual update process that is operationally burdensome and frequently neglected.
Why air-gapping alone is not sufficient
The security of an air-gapped network depends entirely on the integrity of the physical media transfer process and the trustworthiness of personnel who cross the gap. Every USB drive inserted into an air-gapped system is a potential attack vector. Every maintenance laptop brought inside the perimeter may carry malware. Supply chain attacks can introduce compromised firmware in equipment before it is installed in the air-gapped environment.
Inside the air-gapped perimeter, the network is often flat and unsegmented because the perceived isolation was considered sufficient protection. Once an attacker or piece of malware is inside, lateral movement is unrestricted. The same isolation that was intended to keep threats out also keeps security telemetry from reaching monitoring teams, allowing an attacker to operate undetected for extended periods.
Modern security architectures address these risks by layering zero-trust controls inside the air-gapped perimeter. Identity-enforced segmentation limits lateral movement. Encrypted tunnels protect data in transit even within the isolated network. Local authentication and policy enforcement operate without any dependency on cloud services.
OT and industrial context
Defense manufacturing facilities that process classified or export-controlled technical data frequently operate air-gapped networks for CNC machines, test equipment, and design workstations. These environments must still implement access controls, audit logging, and segmentation. Relying on air-gapping as the sole security measure leaves the interior network vulnerable to insider threats and media-borne malware.
Nuclear power plants operate safety-critical control systems on air-gapped networks as required by NRC regulations. Maintaining security patches and configuration baselines on these systems requires a disciplined offline update process. Self-hosted coordination servers (such as Headscale for WireGuard-based overlays) enable zero-trust networking within the air-gapped perimeter without any cloud dependency.
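As an added illustration of the identity-enforced segmentation described in the two passages above (not a policy from the Access Gate product or its documentation), this is a Headscale policy file in the Tailscale-compatible ACL format: users are grouped, machines are tagged, and traffic is accepted only where a rule lists it, with everything else denied. The group names, user names, tags and ports are assumptions chosen for the example.

```json
{
  "groups": {
    "group:control-engineers": ["alice", "bob"],
    "group:maintenance": ["vendor-tech"]
  },
  "tagOwners": {
    "tag:cnc": ["group:control-engineers"],
    "tag:jump": ["group:control-engineers"]
  },
  "acls": [
    { "action": "accept", "src": ["group:control-engineers"], "dst": ["tag:cnc:22,502"] },
    { "action": "accept", "src": ["group:maintenance"],       "dst": ["tag:jump:22"] },
    { "action": "accept", "src": ["tag:jump"],                "dst": ["tag:cnc:22"] }
  ]
}
```

Under this policy the maintenance account can reach only the jump host, and only the jump host can open SSH to the CNC machines, so a compromised maintenance laptop inside the perimeter cannot reach the controllers directly even though they share the same flat physical network. Because the coordination server is self-hosted, the policy is evaluated and distributed entirely inside the air gap.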
Compliance relevance
NIST SP 800-171 does not exempt air-gapped networks from its security requirements. Controls such as AC-2 (account management), AU-2 (audit events), and SC-7 (boundary protection) apply regardless of internet connectivity. IEC 62443 requires defense-in-depth within isolated zones, not just at the perimeter. NERC CIP classifies certain air-gapped systems as low-impact BES cyber assets that still require security controls under CIP-003. CMMC assessors evaluate compensating controls for air-gapped enclaves just as they would for connected ones.
Access Gate connection
Access Gate supports air-gapped deployments using a self-hosted Headscale coordination server, enabling zero-trust overlay networking and microsegmentation inside physically isolated networks with no cloud dependency. Learn more at Air-gapped deployment.