Why Are OT Security Myths Still Being Taught?

There are ideas in OT security education that have been displaced by real-world consequences yet are still being taught without the necessary nuance and grounding. The most durable of these is the air gap. Close behind is the idea that vendor remote access is safe because the vendor is trusted.
You can still find both presented as foundational protective controls in mainstream curricula, vendor whitepapers, and certification study guides. The Purdue model diagrams in introductory ICS courses still draw the boundary between Level 3.5 and the plant network as if it were a wall rather than a turnstile.
SANS ICS410 — the most widely taken OT security course in the world, and the foundation for the GICSP certification — covers defensible architecture, segmentation, and removable media controls competently, but the “air-gapped” framing persists in field practice and in the way the material is summarized and resold by third-party training providers downstream. Walk into almost any plant and ask the controls team how the DCS is protected, and you will still hear the phrase.
The persistence is striking because the field data has been pointing the other way for over a decade. Dawn Cappelli, director of OT-CERT at Dragos, put it bluntly in late 2024: in years of incident response across industrial sectors, her firm has never found an organization that is truly air gapped. The Waterfall Security analysis is harsher — it argues that true air gaps largely disappeared in the late 1990s, when plants began connecting industrial systems to enterprise resource planning software. What replaced them was not better security. It was a vocabulary.
The numbers tell the same story. Threat intelligence indicates that roughly 85 percent of attacks on OT environments start with an IT breach, after which attackers pivot into industrial networks or disrupt OT indirectly through the IT systems it depends on. Only about 13 percent of incidents use OT-specific attack methods. Translation: the dominant attack pattern is not one that the air gap, even a perfectly maintained one, would stop. The boundary attackers are crossing is the same boundary the training material says is solid.
And the consequences are no longer theoretical. The number of facilities suffering cyber-induced physical disruptions jumped 146 percent in 2024, from 412 impacted sites to 1,015. Dragos documented 1,693 ransomware attacks against industrial organizations in 2024, an 87 percent year-over-year increase. Of the ransomware incidents Dragos responded to, 75 percent led to a partial shutdown of operational technology and 25 percent led to a full shutdown. These are not edge cases. This is the working environment defenders are being trained for.
Both ideas, the air gap and the trusted vendor connection, are comforting, and that comfort is exactly the problem: they have been implicated in real breaches even as they are still taught as foundational knowledge. For the complete novice, they simplify a difficult subject, and the simplification feels more useful than the truth until the moment when it does not.
The air gap that never was
Stuxnet should have ended the air gap myth in 2010. The Natanz enrichment facility was as close to a real air gap as any industrial environment in the world. It was a nation-state nuclear facility with no direct internet connection, no vendor VPN, and operational security procedures that most civilian plants will never match.
Stuxnet crossed the gap anyway. The worm rode in on USB drives — Symantec’s dossier traced the initial infections to five Iranian contractor organizations whose engineers carried laptops and removable media into the facility — and propagated through Siemens Step 7 engineering workstations until it reached the S7-300 and S7-400 controllers that managed the centrifuge drives. The Institute for Science and International Security’s analysis, working from IAEA inspection data, estimated that roughly 1,000 centrifuges at Natanz were taken out of service in late 2009 and early 2010, about ten percent of the operational fleet. The attack disguised itself by replaying recorded normal sensor values back to the operator interface while the centrifuges destroyed themselves.
Stuxnet used four zero-days at once. A single zero-day was worth six figures on the gray market at the time; burning four in one payload was the unambiguous signature of a state actor. But the zero-days were not the lesson. The lesson was the delivery method. The most expensive offensive cyber capability ever publicly attributed was carried into one of the most secure facilities on earth by a person with a USB stick.
What Stuxnet demonstrated is not that air gaps are hard to maintain. It is that air gaps, in the way most people use the term, do not exist. A practical control system has to be programmed. Programming requires software. Software gets updated. Updates get transferred on media, or on laptops, or on USB drives carried by engineers who need to do their jobs. Each of those transfers is a gap crossing. An air gap is not a physical property of the network. It is a discipline of transfer, and like any discipline, it is only as strong as its weakest execution.
The useful concept is not an air gap. It is a controlled data diode, or a rigorously managed transfer process with integrity checks at every step — the kind of regime that NIST SP 800-82 describes and that almost nobody fully implements.
Training that teaches air gaps as a protective control leaves practitioners unprepared for the moment when they discover the USB drive, the service laptop, or the dual-homed historian that has been quietly bridging the gap for years.
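One way to make "a discipline of transfer with integrity checks at every step" concrete, as an added example that is not code from the article, from CyberEd.io, or from NIST SP 800-82: an IT-side release desk enumerates every file on the media and authenticates the listing, and the OT-side kiosk refuses any media whose contents do not match that listing exactly. The shared HMAC key (a stand-in for a proper digital signature), the file-type allowlist, and the file names are assumptions made for the example.

```python
"""Removable-media transfer check for an OT boundary kiosk.

Added example, not from the article or any vendor tool. Assumptions
(hypothetical): the IT release desk writes a manifest listing every file
with its SHA-256 and authenticates it with an HMAC-SHA256 key shared with
the OT kiosk; a real deployment would use a digital signature and add
malware scanning at the kiosk.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".s7p", ".zip", ".msi", ".pdf"}  # assumption: plant allowlist
MANIFEST_NAME = "manifest.json"                       # the manifest itself is not inventoried


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(media_root: Path) -> dict:
    """Map of relative path -> Path for every file on the media except the manifest."""
    return {p.relative_to(media_root).as_posix(): p
            for p in media_root.rglob("*")
            if p.is_file() and p.name != MANIFEST_NAME}


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(media_root: Path, key: bytes, approved_by: str) -> dict:
    """IT side: hash every file and authenticate the listing."""
    files = {rel: sha256_file(p) for rel, p in sorted(_listing(media_root).items())}
    body = {"approved_by": approved_by, "files": files}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_transfer(media_root: Path, manifest: dict, key: bytes) -> list:
    """OT kiosk: return findings; an empty list means the media may cross."""
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC invalid: reject media"]
    listed = manifest["body"]["files"]
    present = _listing(media_root)
    findings = []
    for rel in sorted(present.keys() - listed.keys()):
        findings.append(f"unlisted file on media: {rel}")
    for rel in sorted(listed.keys() - present.keys()):
        findings.append(f"listed file missing from media: {rel}")
    for rel in sorted(listed.keys() & present.keys()):
        if sha256_file(present[rel]) != listed[rel]:
            findings.append(f"hash mismatch: {rel}")
        if Path(rel).suffix.lower() not in ALLOWED_SUFFIXES:
            findings.append(f"file type not on allowlist: {rel}")
    return findings


def demo() -> dict:
    """Constructed scenario: a clean transfer, the same media after tampering,
    and a manifest whose body was edited after signing."""
    key = b"example-shared-kiosk-key"  # assumption: provisioned out of band
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "firmware").mkdir()
        (media / "firmware" / "cpu_project.s7p").write_bytes(b"constructed project file")
        (media / "release_notes.pdf").write_bytes(b"constructed notes")
        manifest = build_manifest(media, key, approved_by="release-desk")
        clean = verify_transfer(media, manifest, key)
        # Tampering between desk and plant: one file altered, one unlisted file added.
        (media / "release_notes.pdf").write_bytes(b"constructed notes, modified")
        (media / "setup_helper.vbs").write_bytes(b"constructed unexpected file")
        tampered = verify_transfer(media, manifest, key)
        forged = json.loads(json.dumps(manifest))
        forged["body"]["approved_by"] = "someone-else"
        forged_result = verify_transfer(media, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "OK")
```

The kiosk treats any deviation, including an extra file the desk never listed, as a reason to stop the transfer rather than to clean the media, because the point of the control is that only what was approved crosses.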
Trusted vendors and their untrusted infrastructure
The parallel myth involves vendor remote access. The pattern is familiar. A major equipment vendor is granted remote access for diagnostics and support. The vendor is reputable, their engineers are skilled, and the business case for the access is clear. The access is described in architectural documents as controlled and monitored. In practice, the controls are often limited to the vendor’s authentication, the monitoring is limited to logs nobody reviews, and the infrastructure on the vendor’s side is outside the plant’s visibility entirely.
The 2021 Colonial Pipeline incident showed the cost of that blind spot in dollars — a single legacy VPN account, no MFA, $4.4 million in ransom, and a week of fuel shortages on the U.S. East Coast. The 2023 CyberAv3ngers campaign against Unitronics PLCs showed it in scale.
The CyberAv3ngers campaign, attributed by CISA to the Iranian Islamic Revolutionary Guard Corps, began the weekend of November 25, 2023. The Municipal Water Authority of Aliquippa in Beaver County, Pennsylvania, which serves about 6,600 customers, discovered that a booster station regulating water pressure for Raccoon and Potter Townships had been taken over. The HMI displayed a defacement message — “You Have Been Hacked. Down With Israel. Every Equipment ‘Made In Israel’ Is CyberAv3ngers Legal Target.” The booster station alarm fired immediately. The operators reverted to manual control. There was no impact on drinking water.
That is the part that gets reported. The part that matters for training is how they got in.
The attackers did not use a zero-day. They did not phish anyone. They scanned the internet for Unitronics Vision Series PLCs running on default TCP port 20256, authenticated with the default password “1111,” uploaded their own logic, and walked away with the HMI. Censys later counted roughly 149 internet-exposed Unitronics devices in the United States; a Shodan search at the time of the attack found over 200 in the U.S. and more than 1,700 globally. CISA’s joint advisory with the FBI, NSA, EPA, and Israeli National Cyber Directorate identified at least 75 compromised devices across multiple U.S. critical infrastructure sectors in the campaign that followed Aliquippa, with at least 34 in water and wastewater.
The entry path was a product that had been deployed, presumably with vendor guidance, in a configuration that placed the PLC directly on the internet with a four-digit default password.
This is not a story about a sophisticated adversary. The campaign required less skill than the average teenager’s first Minecraft server compromise. It is a story about a field deployment pattern that a training program focused on air gaps and trusted vendors would have entirely missed.
The defender who understood the myth would have been looking inward, at network segmentation. The defender who understood reality would have started with an internet-wide scan of their own PLCs, because that is what the attacker started with.
Replacing myths with working mental models
The remediation is not better slogans. It is a different kind of exercise.
Courses worth taking now walk practitioners through Stuxnet’s USB-based propagation and the CyberAv3ngers default-credential campaign as working case studies, then move into simulation exercises that require learners to find the actual transfer paths and the actual remote access connections in an environment modeled on a real plant.
The goal is to replace the comforting concept with a usable mental model: an explicit inventory of every media transfer into the OT environment, an explicit inventory of every vendor connection, a documented justification for each, and the technical controls and monitoring that make those boundaries real rather than rhetorical.
The questions a graduating practitioner should be able to answer on day one in the plant are not abstract.
- How many USB ports are active across the engineering workstations and HMIs, and which of them are kiosks with controlled scanning?
- How many vendor connections are open right now, who authorized each, and when was the last time anyone reviewed the access logs?
- How many PLCs in this organization are reachable from the public internet, and who runs the scan to find out — your team, or someone in Tehran with a port scanner and a list of default passwords?
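The second and third questions can be answered from three records most plants already have in some form: the OT asset inventory, an export of what an external scanning service sees, and the vendor remote-access register. The following is an added example, not code from the article or from CyberEd.io, that reconciles constructed versions of those records into findings; the port 20256 entry comes from the article, the Modbus and S7 ports are well-known protocol ports added as an assumption, and the asset names, addresses and dates are constructed.

```python
"""Reconcile an external exposure scan and the vendor access register with
the OT asset inventory. Added example; all inputs are constructed.

Assumptions (hypothetical): the asset list records whether factory-default
credentials were changed; the scan export lists (ip, port) pairs reachable
from the internet; the register records who authorized each vendor
connection and when its access logs were last reviewed.
"""
from datetime import date

# Service ports that identify a controller when seen from the internet.
# 20256 is the Unitronics Vision default named in the article; the other two
# are well-known ICS protocol ports added here as an assumption.
PLC_SERVICE_PORTS = {
    20256: "Unitronics Vision (default TCP port)",
    502: "Modbus/TCP",
    102: "Siemens S7comm (ISO-TSAP)",
}

ASSETS = [  # constructed inventory
    {"id": "PLC-BOOST-01", "ip": "203.0.113.10", "role": "plc", "default_creds_changed": False},
    {"id": "PLC-BOOST-02", "ip": "203.0.113.11", "role": "plc", "default_creds_changed": True},
    {"id": "HIST-01", "ip": "203.0.113.20", "role": "historian", "default_creds_changed": True},
]

SCAN_EXPORT = [  # constructed: what an external scanning service reports as reachable
    {"ip": "203.0.113.10", "port": 20256},
    {"ip": "203.0.113.11", "port": 20256},
    {"ip": "203.0.113.20", "port": 443},
    {"ip": "203.0.113.99", "port": 502},  # host absent from the inventory
]

VENDOR_ACCESS = [  # constructed register
    {"vendor": "DrivesCo", "target": "PLC-BOOST-02", "authorized_by": "J. Smith",
     "last_log_review": date(2024, 1, 15), "active": True},
    {"vendor": "HMIVendor", "target": "HIST-01", "authorized_by": None,
     "last_log_review": None, "active": True},
    {"vendor": "PumpServ", "target": "PLC-BOOST-01", "authorized_by": "A. Lee",
     "last_log_review": date(2024, 5, 1), "active": False},
]


def exposure_findings(assets, scan_export):
    """Which controllers answer from the public internet, and with what credentials."""
    by_ip = {a["ip"]: a for a in assets}
    findings = []
    for hit in scan_export:
        asset = by_ip.get(hit["ip"])
        service = PLC_SERVICE_PORTS.get(hit["port"])
        if asset is None:
            findings.append(("high", hit["ip"], f"exposed port {hit['port']} on host not in inventory"))
        elif service and not asset["default_creds_changed"]:
            findings.append(("critical", asset["id"], f"{service} reachable from internet with factory credentials"))
        elif service:
            findings.append(("high", asset["id"], f"{service} reachable from internet"))
    return findings


def vendor_access_findings(register, today, max_age_days=90):
    """Which active vendor connections lack an authorizer or a recent log review."""
    findings = []
    for c in register:
        if not c["active"]:
            continue
        if c["authorized_by"] is None:
            findings.append((c["vendor"], c["target"], "no documented authorizer"))
        if c["last_log_review"] is None:
            findings.append((c["vendor"], c["target"], "access logs never reviewed"))
        elif (today - c["last_log_review"]).days > max_age_days:
            findings.append((c["vendor"], c["target"], f"log review older than {max_age_days} days"))
    return findings


if __name__ == "__main__":
    for f in exposure_findings(ASSETS, SCAN_EXPORT):
        print("EXPOSURE", *f)
    for f in vendor_access_findings(VENDOR_ACCESS, today=date(2024, 6, 1)):
        print("VENDOR", *f)
```

A host that shows up in the scan but not in the inventory is flagged on its own, because an unknown device answering on an ICS port is exactly the dual-homed or forgotten asset the article describes, and the reconciliation is only as good as the inventory it runs against.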
A defender who has been told that air gaps work will not look for the USB drive. A defender who has been told the vendor is trusted will not audit the vendor’s jump host. A defender trained against the real incidents will do both, on the first week of the job, before anything happens.
That is the standard the threat landscape now demands. The curriculum has some catching up to do — and at CyberEd.io, we are doing our part.
Our OT security tracks are built around the incidents that actually happened, not the architecture diagrams that should have prevented them. Learners walk through Stuxnet’s USB propagation path step by step, then move into a simulated plant environment and have to find the transfer paths themselves. They study the CyberAv3ngers campaign with the CISA advisory open, then run an exposure scan against a lab network seeded with the same misconfigurations Aliquippa had on November 25, 2023. They inventory vendor connections, audit jump hosts, and write the access justification document — the one that should already exist in every plant and almost never does.
The goal is not to graduate practitioners who can recite the Purdue model. It is to graduate practitioners who, on their first week in a real plant, know to ask where the USB drives are, who has remote access right now, and which PLCs answer to a port scan from the open internet. The defenders who ask those questions on day one are the ones who find the problems before the adversary does.
Get in touch with our security experts to learn more about CyberEd.io OT-specific training.
References:
- Symantec, W32.Stuxnet Dossier (2011)
- Langner, To Kill a Centrifuge (2013)
- Institute for Science and International Security, Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? (December 2010)
- CISA Alert AA23-335A, IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors (December 2023, updated 2024)
- Dragos, 8th Annual OT Cybersecurity Year in Review (2025)
- Waterfall Security and ICS STRIVE, 2025 Threat Report (2025)
- SANS Institute, State of ICS/OT Cybersecurity 2024
- Censys, analysis of internet-exposed Unitronics devices
- Dragos OT-CERT, public statements (2024)
- Claroty Team82, analysis of the Unitronics campaign
