AirGapNet: Physical network isolation

Operational networks physically isolated by default.

Water, energy, transportation, and utilities run on always-on management paths into systems that should not be reachable from the internet at all. AirGapNet makes those paths physically absent outside scheduled windows.

Critical infrastructure near-miss, Florida Water 2021

Near miss

An attacker used always-on remote support to raise sodium hydroxide in drinking water before an operator caught it. The path existed because the operator needed it once a month.

Source: CISA AA21-042A

Attack surfaces

Four paths that almost never need to be reachable.

Remote SCADA access

Operators keep a permanent tunnel into SCADA so they can troubleshoot from a phone. The same path remains reachable to credential-stuffing botnets 24/7.

Vendor remote support

Equipment vendors keep VPNs into PLCs and RTUs for firmware patches and diagnostics. The vendor's account is the standard pivot point in CISA advisories.

HMI / engineering workstations

HMIs need patches and the engineering workstation needs to reach them. The reverse path — from HMI back to the engineering workstation — is what attackers use to push tampered logic.

Public-facing TeamViewer / RDP

The Florida Water plant attacker used always-on remote support to raise sodium hydroxide in drinking water. The path existed because the operator needed it once a month.

How it maps

Real scenarios. Concrete fix.

01

Water treatment operator needs HMI access from home during a night shift.

AGN1 opens the path only when SMS-triggered from the operator's whitelisted phone. Window auto-closes after the agreed duration — no permanent TeamViewer.

02

Vendor needs to apply a PLC firmware patch during a maintenance window.

AGN2 opens the vendor path for the scheduled 90 minutes only. PLCs return to a physical break the moment the window expires.

03

CISA advisory requires evidence of administrative control over remote access.

AGN1 audit log on the device shows every open/close event locally, signed and timestamped. No reliance on the vendor's logging infrastructure.
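As an added illustration, not AirGapNet's own firmware or any code from the vendor, the Python below models the behaviour scenarios 01 and 03 describe: a remote path that opens only on a request from a whitelisted phone, closes itself once the agreed duration has elapsed, and records every open/close event locally as a signed, timestamped, chained entry that an assessor can verify offline without relying on anyone else's logging infrastructure. The device key, the phone numbers, the event names and the HMAC hash-chain scheme are assumptions chosen for the example.

```python
"""Time-bounded access window with a locally signed, chained audit trail.

Constructed example. Models the operator-path behaviour described on the page
(open on request from a whitelisted phone, auto-close after the agreed
duration) and a per-device audit log (every open/close event recorded locally,
signed and timestamped). The device key, phone numbers, event names and the
HMAC chaining scheme are assumptions for illustration, not product specifics.
"""
import hashlib
import hmac
import json
import time


class AccessWindowController:
    """One controller's remote path: closed unless a window is currently open."""

    def __init__(self, device_key: bytes, whitelisted_phones, clock=time.time):
        self._key = device_key              # assumed per-device signing key kept on the unit
        self._whitelist = set(whitelisted_phones)
        self._clock = clock                 # injectable so tests can control time
        self._closes_at = None              # None means the path is broken
        self._prev_sig = "0" * 64           # chain anchor for the first entry
        self.log = []                       # signed, timestamped events

    def _record(self, event: str, **detail) -> None:
        entry = {
            "seq": len(self.log),
            "ts": round(self._clock(), 3),
            "event": event,
            "detail": detail,
            "prev": self._prev_sig,          # link to the previous entry so deletions show
        }
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        entry["sig"] = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        self._prev_sig = entry["sig"]
        self.log.append(entry)

    def request_open(self, phone: str, duration_s: int) -> bool:
        """SMS-style open request. Only a whitelisted phone can open the path,
        and the window is bounded by duration_s; denied requests are logged too."""
        if phone not in self._whitelist:
            self._record("open_denied", phone=phone)
            return False
        if self._closes_at is not None:
            self._record("open_ignored_already_open", phone=phone)
            return False
        self._closes_at = self._clock() + duration_s
        self._record("open", phone=phone, duration_s=duration_s)
        return True

    def tick(self) -> None:
        """Called periodically: closes the path once the agreed duration has elapsed."""
        if self._closes_at is not None and self._clock() >= self._closes_at:
            self._closes_at = None
            self._record("close", reason="window_expired")

    def is_open(self) -> bool:
        self.tick()
        return self._closes_at is not None


def verify_log(device_key: bytes, log) -> bool:
    """Offline verification: every entry's signature and chain link must hold.
    Returns False if any entry was altered, reordered or removed."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False
        unsigned = {k: v for k, v in entry.items() if k != "sig"}
        body = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
        expected = hmac.new(device_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("sig", "")):
            return False
        prev = entry["sig"]
    return True


def demo():
    """Constructed walk-through with a fake clock so window expiry is deterministic."""
    fake_now = [1_700_000_000.0]
    key = b"example-device-key"                                  # constructed key
    ctl = AccessWindowController(key, {"+15550001111"}, clock=lambda: fake_now[0])
    results = {}
    results["stranger_denied"] = ctl.request_open("+15559999999", 600)   # False, logged
    results["operator_opened"] = ctl.request_open("+15550001111", 600)   # True
    fake_now[0] += 300
    results["open_at_5min"] = ctl.is_open()                              # True
    fake_now[0] += 301
    results["open_at_10min"] = ctl.is_open()                             # False, auto-closed
    results["log_valid"] = verify_log(key, ctl.log)                      # True
    tampered = [dict(e) for e in ctl.log]                                # extend the window after the fact
    tampered[1]["detail"] = dict(tampered[1]["detail"], duration_s=86400)
    results["tamper_detected"] = not verify_log(key, tampered)           # True
    results["events"] = [e["event"] for e in ctl.log]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The chain link (`prev`) is what lets an assessor detect a removed or reordered entry, not just an edited one; a plain per-entry signature would miss a deleted "open" event. Verification needs only the device key and the log itself, which is the point of keeping the trail on the unit.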

Recommended setup

AGN2 on the rack. AGN1 per machine.

AGN2

Control room — between SCADA/HMI and external networks

Typical · 1–2 racks per site

AGN1

Per PLC / RTU — in front of high-consequence controllers

Typical · 5–20 units

AGN1

Remote operator path — between operator's home and HMI

Typical · 1 per operator

What changes

After rollout, four things stop being possible.

AirGapNet is a hardware switch, not a policy. The change is measurable from the network side, not just in process documents.

  • Remote access exists only during approved windows

  • Vendor accounts cannot reach controllers between service calls

  • CISA advisories on always-on remote support stop applying

  • Audit trail per controller, signed locally on the device

Pilot at one site

Start with one controller, one shift.

We pick the controller with the highest exposure score in your last CISA assessment, ship a single AGN1, and run one operator-driven window with your team.