Air-Gapped OT Security: USB Malware, Recovery Testing, and Resilience

An air-gapped OT network is an industrial control environment with no direct internet or untrusted-network connection, used in plants, utilities, SCADA systems, and safety-critical infrastructure to reduce exposure while still relying on controlled transfer paths such as removable media, manual imports, or gateways. The uncomfortable truth is that the air gap is less a wall than a workflow. It blocks the easy attacks, not the determined ones. The real test is not whether the plant is isolated on a diagram, but whether it can detect, contain, and recover when the isolation is inevitably bridged.
As laid out in Acronis’ recent discussion of air-gapped OT protection, the modern air gap sits at the collision point between old industrial reality and new cyber risk. Honeywell’s 2024 USB Threat Report sharpened the point: USB-borne malware is not a nostalgic threat from the Stuxnet era, but an active and increasingly specialized delivery mechanism for industrial environments. NIST’s OT security guidance and IEC 62443’s recovery requirements point in the same direction: resilience has to be engineered inside the plant, not outsourced to a cloud console that the plant cannot reach.

The Air Gap Still Matters, but It No Longer Gets the Final Word

Air gapping remains one of the strongest architectural controls available to industrial operators. If a system cannot be reached from the internet, the commodity attack surface shrinks dramatically. Drive-by exploitation, mass scanning, stolen VPN credentials, and cloud-console compromise all become less useful against a network that is genuinely disconnected.
But “genuinely disconnected” is doing a lot of work. Modern factories, refineries, water systems, pharmaceutical plants, and power facilities do not run as sealed museum pieces. They receive software updates, calibration files, recipes, historian exports, engineering changes, vendor support, quality reports, and compliance evidence.
That means data still crosses the boundary. It may cross slowly, manually, and with paperwork, but it crosses. The attacker’s problem becomes harder, not impossible.
The industry has known this since Stuxnet, but the lesson keeps needing to be relearned because the myth of isolation is so convenient. It lets executives believe that old systems are protected by distance. It lets engineering teams defer painful modernization. It lets auditors accept a network drawing as a security argument.

Removable Media Became the Industrial Attack Bus

Honeywell’s 2024 USB Threat Report found that 51 percent of malware observed in its industrial USB telemetry was designed to spread via USB, up from 9 percent in 2019. That is the sort of statistic that should end the casual use of “air-gapped” as a synonym for “safe.” Attackers have followed the workflow.
The reason is obvious: USB sticks are not edge cases in OT. They are how files move when networks do not. They carry patches, reports, PLC logic, configuration exports, antivirus updates, license files, and vendor diagnostics.
Threat researchers have repeatedly documented campaigns built around this reality. Zscaler ThreatLabz reported that North Korea-linked APT37 used USB-capable implants to reach air-gapped systems. ESET documented GoldenJackal tooling against air-gapped government targets in Europe between 2022 and 2024. Kaspersky has reported APT31-linked activity aimed at industrial organizations in Eastern Europe, including implants designed to abuse removable drives.
None of this requires cinematic hacking. It requires patience, logistics, and an understanding of how industrial maintenance actually works. A contractor laptop, a vendor update package, a shared engineering workstation, or an undocumented wireless interface can become the bridge.

The Purdue Model Is a Map, Not a Moat

The Purdue Reference Architecture remains useful because it gives defenders a vocabulary for separation. Levels 0 through 2 contain the physical process, controllers, sensors, HMIs, and local control. Level 3 houses site operations, and the industrial DMZ usually labelled Level 3.5 is where any traffic between plant and enterprise is supposed to be brokered. Levels 4 and 5 reach into enterprise IT and the outside business world.
In practice, however, most plants live somewhere between textbook segmentation and operational improvisation. A “fully isolated” cell may still receive files by USB. A “segmented” production network may have a vendor jump path. A “temporary” maintenance modem may survive three turnarounds and become invisible institutional furniture.
This is where air-gap security often breaks down. The formal architecture says one thing; the work process says another. Engineers do what keeps the line running, and security teams often discover the real topology only after an incident or an asset inventory project.
That does not make the Purdue model obsolete. It makes it insufficient by itself. The control objective is not merely to draw boundaries, but to understand every mechanism that crosses them.

Cloud-Native Security Is Often the Wrong Shape for the Plant Floor

Many enterprise security products assume connectivity as a design condition. The console lives in the cloud. The detection model expects frequent signature updates. The endpoint agent phones home. The backup repository is remote. The restore workflow assumes an IT administrator sitting at a modern machine with modern drivers and modern identity services.
Inside an air-gapped OT environment, those assumptions collapse. A plant may not allow outbound connections at all. Maintenance windows may be rare. Systems may run Windows XP, Windows Server 2003, or old Linux kernels because the certified OEM application depends on that exact stack.
This is not negligence in the ordinary IT sense. It is the economics of industrial uptime. If a machine tool, batch system, packaging line, turbine controller, or HMI stack was validated with a specific operating system and application build, changing it can be expensive, risky, and sometimes contractually constrained.
The security consequence is stark: tools designed for corporate IT often arrive in OT as partial controls. They can inventory some assets, protect some endpoints, or back up some servers, but they fail at the exact moment the plant needs them most — when the network is isolated, the hardware is obsolete, and the operator on shift needs recovery more than a dashboard.

Recovery Is the Security Control Everyone Notices Too Late

Industrial cybersecurity conversations often start with prevention. That is understandable, but in OT the business question is brutally practical: how fast can the site return to safe production?
IEC 62443-3-3 makes this explicit through requirements around control system backup and recovery. NIST SP 800-82 Rev. 3 similarly frames OT security around safety, reliability, and operational constraints, not just confidentiality or malware detection. The shared premise is that resilience is not a slogan; it is a tested capability.
Backups in this context are not generic file copies. A useful OT backup must capture the system image, application state, configuration, drivers, and dependencies needed to resurrect an HMI, SCADA server, historian, or engineering workstation. It must also be restorable when the original hardware is gone, because twenty-year-old industrial PCs do not politely wait for procurement.
That is why dissimilar-hardware restore matters. A backup that can only return to the same dead machine is a weak promise. A recovery process that requires a specialist from corporate IT at 3 a.m. is another weak promise.

Acronis Is Selling Resilience Where the Cloud Cannot Reach

Acronis’ pitch for Cyber Protect for OT is that the product was built for this uncomfortable middle ground: industrial endpoints that need backup, anti-ransomware, local management, and recovery without assuming internet access. The company says Cyber Protect can run in air-gapped environments, use local storage targets, and support legacy Windows and Linux systems common in OT.
The important claim is not merely “backup.” The important claim is locality. Acronis Cyber Protect Local is positioned as an on-premises management console that can operate inside the OT network without a cloud dependency. For plants that cannot or will not connect production systems to outside services, that is not a convenience feature; it is the admission ticket.
Acronis also emphasizes Active Protection, its behavioral anti-ransomware capability, as usable offline. In an air-gapped network, that distinction matters because signature freshness is always contested. A tool that needs constant cloud intelligence to remain useful may be operationally incompatible with the environment it is supposed to protect.
The company further points to One-Click Recovery and Universal Restore for operator-led restoration and dissimilar hardware recovery. Those features speak directly to the OT failure mode that keeps plant managers awake: a fragile workstation dies, the replacement hardware is not identical, the OEM image is old, and every hour of downtime costs real money.

Certification Helps, but It Does Not Magically Secure the Plant

Acronis also highlights IEC 62443-4-1 certification, which concerns a supplier’s secure product development lifecycle. That is a meaningful procurement signal, particularly in industrial environments where supply-chain trust has become a board-level issue. It says something about how the vendor builds and maintains the product.
But certification is not deployment quality. A certified supplier can still be misconfigured. A good backup platform can still be pointed at the wrong assets. A recovery plan can still fail if no one tests it.
This distinction matters because OT buyers are under pressure to turn frameworks into purchase orders. IEC 62443, NIS 2, NERC CIP, and GxP obligations all create demand for auditable controls. Vendors naturally map their products to those obligations.
The sober reading is that Acronis’ OT story aligns well with the direction of industrial resilience requirements, especially where local recovery and legacy support are non-negotiable. The less sober reading would be to treat the platform as a substitute for asset discipline, removable-media governance, and recovery drills. It is not.

The Six Controls That Survive Contact With Isolation

The strongest air-gapped OT programs are boring in the best possible way. They do not depend on one heroic appliance, one perfect firewall rule, or one mythical absence of connectivity. They layer controls around the actual ways data and people move.
The first control is verified asset inventory. A plant cannot protect or recover what it does not know exists. Inventory should include PLCs, RTUs, HMIs, SCADA servers, historians, engineering workstations, jump hosts, network gear, removable-media stations, and any wireless or cellular capability that may have escaped documentation.
The second is strict removable-media control. That means sanctioned USB devices, scanning and sanitization stations, disabled ports where practical, and logging that can reconstruct what entered the environment. The goal is not theatrical USB bans that operations will route around, but a controlled path that users can actually follow.
The third is offline-capable behavioral protection. Air-gapped endpoints still face ransomware, destructive malware, unauthorized encryption, and suspicious process behavior. Detection that works without cloud lookups is essential because the plant cannot depend on a live internet brain.
The fourth is air-gap-native backup and recovery. Local image-based backups, protected storage, malware scanning before restoration, and operator-friendly restore workflows are practical controls, not luxuries. A recovery plan that only works in the corporate network is not an OT recovery plan.
The fifth is inbound-file sanitization. Vendor updates and transferred files should be checked against publisher-supplied hashes or signatures, scanned with engines that work offline, detonated in a sandbox where one is available, and stripped or rebuilt where content disarm and reconstruction (CDR) is appropriate. The boundary should treat every import as a controlled exception, and a file that cannot be tied to an approved change should not cross it.
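The check-in station that the second and fifth controls describe can be quite small. The Python below is an added example, not code from the article, from Acronis, or from any of the cited reports; the manifest format, file names and media identifier are assumptions chosen for illustration. It hashes every file that is actually present on the quarantined media, compares each against a sign-off manifest, treats undeclared files as a failure in their own right, flags declared files that are missing, and emits one JSON log line per file so the import can be reconstructed after an incident.

```python
"""Removable-media check-in against a sign-off manifest.

Added example, not code from the article or from Acronis. Assumed format: the
sending side ships a text manifest, one "<sha256hex>  <relative path>" per line,
and the kiosk copies the media into a quarantine directory before anything is
admitted to the OT network.
"""
from __future__ import annotations
import hashlib, hmac, json, tempfile, time
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Optional

@dataclass
class Verdict:
    path: str
    status: str  # approved | hash_mismatch | unlisted | missing
    expected: Optional[str]
    observed: Optional[str]

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte OEM images need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text: str) -> dict[str, str]:
    """Parse the assumed manifest format; reject anything that is not a clean entry."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<sha256>  <path>'")
        digest, rel = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        if Path(rel).is_absolute() or ".." in Path(rel).parts or rel in entries:
            raise ValueError(f"manifest line {lineno}: bad or duplicate path {rel}")
        entries[rel] = digest
    return entries

def check_drop(drop: Path, manifest: dict[str, str]) -> list[Verdict]:
    """Compare everything actually on the media with what was signed off."""
    verdicts: list[Verdict] = []
    seen: set[str] = set()
    for p in sorted(drop.rglob("*")):      # walk the media, not the manifest:
        if not p.is_file():                # files nobody declared are the point
            continue
        rel = p.relative_to(drop).as_posix()
        seen.add(rel)
        observed, expected = sha256_file(p), manifest.get(rel)
        if expected is None:
            verdicts.append(Verdict(rel, "unlisted", None, observed))
        elif hmac.compare_digest(expected, observed):
            verdicts.append(Verdict(rel, "approved", expected, observed))
        else:
            verdicts.append(Verdict(rel, "hash_mismatch", expected, observed))
    for rel, expected in manifest.items():
        if rel not in seen:                # declared but absent: package incomplete
            verdicts.append(Verdict(rel, "missing", expected, None))
    return verdicts

def admit(verdicts: list[Verdict]) -> bool:
    """All-or-nothing: one stray or altered file fails the whole transfer."""
    return bool(verdicts) and all(v.status == "approved" for v in verdicts)

def log_records(verdicts: list[Verdict], media_id: str, operator: str) -> list[str]:
    """One JSON line per file so the import can be reconstructed after an incident."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return [json.dumps({"ts": ts, "media_id": media_id, "operator": operator, **asdict(v)},
                       sort_keys=True) for v in verdicts]

def demo(tamper: bool = True) -> dict:
    """Constructed sample drop (not real plant data). With tamper=True the media carries
    an altered recipe and an undeclared autorun.inf, and lacks a declared PDF."""
    patch, notes = b"MZ\x90\x00 constructed installer bytes", b"%PDF-1.4 constructed notes"
    recipe_ok, recipe_bad = b"setpoint,70\n", b"setpoint,72\n"
    manifest = parse_manifest(
        "# change-ticket sign-off (assumed format)\n"
        f"{hashlib.sha256(patch).hexdigest()}  updates/hmi_patch_4.2.msi\n"
        f"{hashlib.sha256(recipe_ok).hexdigest()}  recipes/batch_7.csv\n"
        f"{hashlib.sha256(notes).hexdigest()}  docs/release_notes.pdf\n")
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp)
        for sub in ("updates", "recipes", "docs"):
            (drop / sub).mkdir()
        (drop / "updates" / "hmi_patch_4.2.msi").write_bytes(patch)
        (drop / "recipes" / "batch_7.csv").write_bytes(recipe_bad if tamper else recipe_ok)
        if tamper:
            (drop / "autorun.inf").write_bytes(b"[autorun]\nopen=setup.exe\n")
        else:
            (drop / "docs" / "release_notes.pdf").write_bytes(notes)
        verdicts = check_drop(drop, manifest)
        return {"admitted": admit(verdicts),
                "status": {v.path: v.status for v in verdicts},
                "log": log_records(verdicts, "USB-0042", "shift-b")}

if __name__ == "__main__":
    print("\n".join(demo()["log"]))
```

The tampered run shows the failure modes that matter on a transfer station: a single altered recipe or an undeclared autorun.inf blocks the whole transfer rather than just the offending file, because a partially trusted package is exactly what an attacker wants admitted, and the "missing" verdict catches a package that was quietly trimmed in transit. A real kiosk would add an offline malware scan of each approved file and a signature check on the manifest itself, since a hash list is only as trustworthy as the channel that delivered it.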
The sixth is local management. Security tooling should be manageable from inside the OT environment. If the plant has to break its own isolation to administer its protection stack, the control has already lost part of the argument.

Compliance Is Finally Catching Up With Operational Reality

Industrial regulation has increasingly converged on a practical point: continuity and recovery are security outcomes. NIS 2 requires measures around business continuity, backup management, and disaster recovery for covered essential and important entities. NERC CIP includes recovery planning for the bulk electric system. GxP environments care deeply about data integrity and validated restoration.
IEC 62443-3-3’s SR 7.3 and SR 7.4 requirements for backup and recovery fit naturally into this world. They recognize that industrial systems must be able to preserve and reconstitute control capability. NIST SP 800-82 Rev. 3 gives defenders language for compensating controls where patching and modernization are constrained by safety, certification, or vendor support.
This is where the Acronis argument is strongest. Air-gapped backup is not a niche backup architecture; it is a compliance-enabling technical foundation. If a plant cannot prove it can restore critical systems, its paper policies will not survive serious scrutiny.
The same logic applies to procurement. Industrial buyers increasingly need evidence that suppliers follow secure development practices, support legacy systems, and can operate in constrained environments. A cloud-only security architecture may look modern in enterprise IT and still be a poor fit for a validated production cell.

The Air Gap Forces Security Back Into the Physical World

The modern cybersecurity industry often speaks as if all environments are variations of the same cloud-managed estate. OT proves otherwise. Here, security is entangled with shift work, spare parts, vendor contracts, safety cases, regulatory validation, and machines that were never designed to be internet-adjacent.
That is why operator-led recovery is more than a usability feature. In a plant incident, the person closest to the affected system may not be a backup administrator. They may be an automation engineer, a maintenance technician, or a shift supervisor under pressure to restore a process safely.
Good OT tooling respects that reality. It minimizes the number of decisions required during a bad night. It documents the restore path. It validates the backup. It gives non-specialists a controlled way to recover without improvising.
This is the larger lesson of air-gapped data protection: the best controls are the ones that match the operational tempo. A system that is theoretically elegant but practically unusable will become shelfware, and shelfware does not recover a plant.

The Plant-Floor Version of Resilience Is Narrower and Harder

The useful lesson from Acronis’ air-gap argument is not that every OT site should buy one product and declare victory. It is that air-gapped resilience has a different shape from enterprise resilience, and the differences are not cosmetic.
  • Air-gapped networks reduce exposure, but they still depend on controlled transfer paths that attackers can target.
  • USB malware remains a serious industrial threat because removable media is built into normal plant workflows.
  • Cloud-managed security and backup tools often fail in OT because they assume connectivity, modern operating systems, and IT-led recovery.
  • Effective OT recovery requires image-based local backups, tested restoration, malware checks before restore, and support for dissimilar hardware.
  • Compliance frameworks increasingly reward evidence of recoverability, not merely claims of isolation.
  • Acronis Cyber Protect for OT is notable because its core claims address the specific constraints of air-gapped plants: offline protection, local management, legacy support, and operator-led recovery.
The air gap is not dead, and pretending otherwise would be as foolish as trusting it blindly. Its future is as one layer in a more honest architecture: isolated where possible, monitored at every crossing, backed up locally, recoverable by the people on the floor, and tested before the incident proves the paperwork wrong.

References

  1. Primary source: Acronis
    Published: 2026-07-04
  2. Related coverage: developer.acronis.com
  3. Related coverage: securityscientist.net
  4. Related coverage: zscaler.com
  5. Related coverage: eset.com
  6. Related coverage: hendryadrian.com
  7. Related coverage: securityaffairs.com
  8. Related coverage: digitalteamsix.com