OT governance in 2026
The End of a Sound Strategy
Air-gapping was never a poor idea. For the environments it was designed for, it was the right answer. OT systems historically operated on proprietary protocols, ran on assets with lifecycles measured in decades, and had no operational reason to communicate with corporate IT networks. Physical and logical separation gave security teams a credible boundary they could monitor and defend. The strategy was coherent because the underlying assumption was true: the two environments had nothing to say to each other.
That assumption started to erode quietly. Not through a strategic decision to connect IT and OT, but through a series of incremental operational choices, each made in isolation and each entirely reasonable at the time. A mining operator installed a remote access gateway to allow an OEM to service a PLC without flying personnel to site. A utilities operator connected a historian to a cloud analytics platform to enable predictive maintenance at scale. A process manufacturer integrated its DCS with its ERP to allow production scheduling to reflect actual operational state. A rail network operator enabled real-time telemetry feeds to meet regulatory reporting requirements.
None of these decisions was made by a security team. They were made by operations managers, engineering leads, and procurement teams solving specific operational problems. The connectivity they created was legitimate, operationally necessary, and in most cases permanent. But it was rarely documented in a way that was visible to the security team, rarely assessed for the risk it introduced at the boundary, and almost never reviewed once the operational purpose had been served.
The result is a structural gap between the OT security posture most organisations believe they have and the one that actually exists. Governance frameworks, asset inventories, and monitoring capabilities still assume a separation that was dissolved progressively over years. The question for 2026 is not how to restore the air-gap — that decision has already been made, irreversibly, by the operational requirements of modern industrial environments. The question is how to govern the bridge that now exists.
The Layer Where Governance Actually Fails
Before any governance model can function, it requires an accurate picture of what it is governing. In OT environments, the place where that picture is most consistently incomplete is the layer that sits between the corporate IT domain and the deep OT environment: the conventional IT infrastructure that exists within OT to support operational technology systems.
Engineering workstations running Windows. Historians storing process data. HMI servers managing equipment interfaces. Remote access gateways installed to solve a specific operational problem and never decommissioned. Patch management systems that were integrated into the corporate network years ago and have been largely invisible to the security team ever since. These are IT assets operating in OT contexts. They run conventional operating systems with conventional vulnerabilities. They are accessible from the corporate network. They connect directly to process control systems that affect physical operations.
This is the layer — sometimes called the “IT of OT” — where most OT security governance failures actually occur. It is neither fully within the corporate IT domain, where security teams have visibility and controls, nor within the deep OT environment, where operational technology protocols and asset lifecycles make conventional IT security approaches impractical. It sits between the two, often unowned from a security perspective and frequently unmonitored.
Claroty’s Team82 research (Claroty, Remote Access Tool Sprawl in OT, 2024) found that 55% of OT environments had four or more remote access tools deployed, and 33% had six or more — tools accumulated through operational decisions rather than security architecture. The same research found that 13% of the most mission-critical OT assets had insecure internet connections, with 36% of those containing at least one Known Exploited Vulnerability.
These are not assets at the edge of the OT environment. Engineering workstations and HMIs sit at the boundary between human operators and process control systems. A compromised engineering workstation (EWS) is not a network event. It is an access point to the control loop.
Orro observes, across its work with critical infrastructure operators in mining, utilities, and transport, that the IT of OT layer is almost always where the gap between assumed and actual security posture is greatest. Asset inventories are incomplete at this layer because the assets were installed by operational teams, not IT teams. Monitoring is absent or inadequate because standard IT security tooling often cannot be deployed safely in environments where network scanning can disrupt time-sensitive OT processes.
What the Bridge Audit Surfaces
The practical starting point for organisations that want to govern the IT/OT bridge rather than merely assume it is governed is a structured discovery exercise: a Bridge Audit. The purpose is not compliance attestation. It is to produce an accurate picture of the IT/OT boundary as it actually exists — every point where the corporate network communicates with the OT environment, the purpose and operational justification for each connection, the controls protecting each connection, and the connections that remain active without a current operational justification.
What organisations typically discover during a first Bridge Audit is instructive. Remote access capabilities installed for specific contractor engagements and never decommissioned after the engagement concluded. Connections established by operational teams to solve problems at speed, without going through a formal change management or security review process. Network segments that allow lateral movement between IT and OT zones, protected by firewall rules appropriate for corporate IT environments but not configured to inspect OT protocol traffic. Credentials shared across multiple operational teams for remote access tools that were intended for a single purpose and a defined timeframe.
The connectivity revealed through a Bridge Audit is almost always more extensive than the CISO or security team expected — and almost always less extensive than the operations team feared. From an operational perspective, the connectivity exists because it solves real problems. From a security perspective, the governance question is not whether the connectivity should exist, but whether it is documented, justified, appropriately controlled, and actively monitored.
The Bridge Audit is the governance foundation. Without it, an organisation is designing controls for an environment it does not fully understand. ASD’s ACSC guidance for critical infrastructure operators (ASD’s ACSC, Annual Cyber Threat Report 2024–25) explicitly identifies maintaining an up-to-date inventory of OT assets and their supporting systems as a key preparatory step — a recognition that visibility is the precondition for everything else. With over 190 notifications sent to critical infrastructure entities in FY2024–25, a 111% increase on the prior year, the urgency behind that guidance is not theoretical.
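The discovery exercise described above reduces, in its simplest form, to a reconciliation: compare the connections the organisation has documented and justified against the connections actually observed at the boundary. The following is an added illustration of that reconciliation, not code from Orro or from any of the cited reports; the asset names, ports, owners and flow volumes are constructed sample data, and the three finding categories (undocumented, expired justification, dormant) are an assumed classification chosen to match the findings the text says a first Bridge Audit typically surfaces.

```python
"""Bridge Audit reconciliation (illustrative, constructed data).

Documented connections are what the organisation believes crosses the
IT/OT boundary, with the operational justification and its expiry.
Observed flows are what the boundary firewall actually saw over the last
30 days.  The reconciliation produces the three findings a first Bridge
Audit usually surfaces:
  - undocumented:           traffic crossing the bridge with no record
  - expired_justification:  documented connections whose reason has lapsed
  - dormant:                documented rules with no traffic (stale rules)
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DocumentedConnection:
    src_zone: str                        # originating zone, e.g. "corp"
    dst_asset: str                       # OT-side asset name
    dst_port: int
    purpose: str                         # operational justification
    owner: str                           # team accountable for the link
    justification_expiry: Optional[date] # None means permanent


@dataclass(frozen=True)
class ObservedFlow:
    src_zone: str
    dst_asset: str
    dst_port: int
    bytes_30d: int                       # volume seen in the last 30 days


# Constructed sample register of documented IT/OT connections (hypothetical names).
DOCUMENTED = [
    DocumentedConnection("corp", "historian-01", 1433,
                         "ERP production scheduling feed", "Planning", None),
    DocumentedConnection("corp", "ews-01", 3389,
                         "OEM remote support for PLC firmware", "Maintenance",
                         date(2024, 6, 30)),
    DocumentedConnection("corp", "wsus-ot", 8530,
                         "Patch distribution to OT Windows hosts", "IT Ops", None),
]

# Constructed sample of flows observed at the boundary firewall (hypothetical).
OBSERVED = [
    ObservedFlow("corp", "historian-01", 1433, 48_000_000),
    ObservedFlow("corp", "ews-01", 3389, 2_100_000),      # still active, justification lapsed
    ObservedFlow("corp", "hmi-02", 5900, 760_000),        # VNC to an HMI, never documented
]


def reconcile(documented, observed, today):
    """Compare the documented register with observed flows and return findings.

    Each finding is keyed by (src_zone, dst_asset, dst_port) so it can be
    handed back to the connection owner for review.
    """
    doc_by_key = {(d.src_zone, d.dst_asset, d.dst_port): d for d in documented}
    obs_by_key = {(o.src_zone, o.dst_asset, o.dst_port): o for o in observed}
    findings = {"undocumented": [], "expired_justification": [], "dormant": []}

    # Observed traffic with no documented justification at all.
    for key in obs_by_key:
        if key not in doc_by_key:
            findings["undocumented"].append(key)

    for key, doc in doc_by_key.items():
        # Documented, but the operational justification has lapsed.
        if doc.justification_expiry is not None and doc.justification_expiry < today:
            findings["expired_justification"].append(key)
        # Documented and permitted, but carrying no traffic: candidate for removal.
        if key not in obs_by_key:
            findings["dormant"].append(key)
    return findings


def report(findings):
    """Render findings as one line per item for the audit workbook."""
    lines = []
    for category, keys in findings.items():
        for src, asset, port in keys:
            lines.append(f"{category:22} {src} -> {asset}:{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(DOCUMENTED, OBSERVED, date(2026, 1, 15))))
```

The useful output is the action list, not the counts: an undocumented flow goes to the operations team to establish whether it is needed, an expired justification goes back to the owner for renewal or removal, and a dormant rule is the cheapest risk reduction available because nothing depends on it.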
Why IT Governance Frameworks Do Not Translate Directly
The instinct to apply existing IT governance frameworks to OT environments is understandable. The tools and disciplines are familiar, the documentation is extensive, and the alternatives require investment and adaptation. The instinct is also consistently wrong, and wrong in ways that experienced OT practitioners recognise immediately.
Asset lifecycle is the most fundamental mismatch. IT governance assumes assets are replaced on cycles of three to five years and can be patched, updated, and reconfigured as security requirements evolve. A PLC, RTU, or DCS system has a lifecycle of 15 to 25 years. It may run an operating system that the vendor no longer supports. It may not be patchable without taking it offline, which in a continuous process environment carries direct operational and safety consequences. Claroty’s State of CPS Security 2025: OT Exposures report (Claroty, State of CPS Security: OT Exposures, 2025) identified over 111,000 Known Exploitable Vulnerabilities across OT devices in manufacturing, logistics, and natural resources alone, with 68% linked to ransomware groups. Patching as a primary control does not function in this environment at any meaningful scale.
Protocol specificity creates a second class of governance failure. OT environments operate on protocols — Modbus, DNP3, IEC 61850, PROFINET, CIP — that most IT security tooling cannot inspect or understand. Standard firewall rules operating at the IP and port level provide limited protection for OT traffic because the threat is not necessarily at the network layer. FrostyGoop, the ICS malware Dragos identified in 2024 (Dragos, OT Cybersecurity Year in Review, 2025), demonstrated this directly: it used Modbus TCP to issue commands directly to industrial control devices, bypassing conventional security tooling entirely because the traffic was indistinguishable, at the network layer, from legitimate operational communication.
Safety and security also require treatment as a joint discipline in OT environments, not separate ones. A security control that triggers a system restart in an IT environment is an inconvenience. The same control applied to a DCS managing a continuous chemical process, a power generation system, or a water treatment facility is a potential safety incident. Governance frameworks that treat operational continuity as a constraint to be managed around, rather than a requirement to be designed for, create real operational risk when applied to OT without adaptation.
Orro works with organisations that have attempted to extend corporate IT governance frameworks into their OT environments and encountered the limits quickly. The frameworks are not wrong; they are simply not designed for environments where asset lifecycles span generations, where patching requires operational shutdown, and where a misconfigured security control can have physical consequences.
Evidence Snapshot: IT/OT Security in Australian Critical Infrastructure
The scale of IT/OT connectivity in operational environments
- 55% of OT environments have four or more remote access tools deployed across their networks, with 33% operating six or more — accumulated through operational decisions rather than security architecture. (Claroty, Remote Access Tool Sprawl in OT, 2024)
- 13% of the most mission-critical OT assets have insecure internet connections; of those, 36% contain at least one Known Exploited Vulnerability. (Claroty, Remote Access Tool Sprawl in OT, 2024)
- 40% of industrial organisations studied had OT assets insecurely connected to the internet, and 12% had OT assets actively communicating with malicious domains. (Claroty, State of CPS Security: OT Exposures, 2025)
OT-specific threat activity and vulnerability exposure
- Over 111,000 Known Exploitable Vulnerabilities identified across OT devices in manufacturing, logistics, and natural resources, with 68% linked to ransomware groups. (Claroty, State of CPS Security: OT Exposures, 2025)
- 119 ransomware groups impacted more than 3,300 industrial organisations globally in 2025, a 49% increase from 2024. Many incidents were misclassified as “IT incidents” when SCADA infrastructure and engineering workstations were compromised. (Dragos, OT Cybersecurity Year in Review, 2026)
- Most OT incidents originate through infrastructure that sits between enterprise and operational environments — not through the deep OT layer. (Dragos, OT Cybersecurity Year in Review, 2026)
The Australian critical infrastructure governance context
- ASD’s ACSC notified critical infrastructure entities of potential malicious cyber activity more than 190 times in FY2024–25, a 111% increase on the prior year. (ASD’s ACSC, Annual Cyber Threat Report 2024–25)
- ASD’s ACSC guidance for critical infrastructure operators explicitly identifies maintaining an up-to-date OT asset inventory and identifying OT isolation points as key preparatory steps for periods of heightened cyber threat. (ASD’s ACSC, Annual Cyber Threat Report 2024–25)
- BAUXITE, an OT-focused threat group with confirmed activity targeting Australian critical infrastructure sectors including oil and gas, water, and electricity, is capable of Stage 2 ICS Cyber Kill Chain operations, including compromising PLCs and deploying custom backdoors. (Dragos, OT Cybersecurity Year in Review, 2025)
Continuous Monitoring as the Governance Enforcement Layer
A governance framework that exists in documents but is not enforced technically is not governance. In OT environments, the enforcement layer is continuous monitoring — but continuous monitoring that is appropriate to the operational environment, not a deployment of standard IT security monitoring tools into an OT context.
The requirements are specific. Passive network monitoring that captures OT traffic without injecting packets into the operational network, because active scanning in time-sensitive OT environments can disrupt process control communications. Protocol-aware inspection that can identify anomalous commands within legitimate OT traffic flows — a Modbus write command to an address that should only be read, a PLC instruction sequence that deviates from established operational patterns, an IEC 61850 command set that is syntactically valid but operationally anomalous. Asset baseline monitoring that detects when an OT asset’s behaviour changes: new network connections, unexpected process variable changes, configuration modifications that were not initiated through the change management process.
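The two points made above and in the FrostyGoop discussion earlier (Modbus traffic that is valid at the network layer yet anomalous in content; a write to an address that should only be read; a new talker outside the asset baseline) can be shown concretely with a small protocol-aware inspector. The following is an added example, not code from Orro, Dragos or any OT monitoring product: it parses Modbus/TCP request frames from captured bytes and checks each request against a per-PLC baseline. The PLC addresses, the allowed-source and writable-register policy, and the sample frames are all constructed for the demonstration; the policy structure is an assumption about what a baseline would contain, not a description of any vendor's tooling.

```python
"""Passive, protocol-aware Modbus/TCP inspection (illustrative, constructed data).

Frames are parsed from bytes already captured off a SPAN port or tap, so
nothing is ever sent into the OT network.  Each request is compared with a
baseline for the destination PLC: who is allowed to talk to it, who is
allowed to write, and which addresses may be written at all.
"""
import struct
from dataclasses import dataclass

READ_FUNCTIONS = {1: "read coils", 2: "read discrete inputs",
                  3: "read holding registers", 4: "read input registers"}
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}
COIL_FUNCTIONS = {1, 5, 15}   # address the coil space, not the register space


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int     # first address touched
    quantity: int    # number of coils/registers touched


@dataclass(frozen=True)
class PlcPolicy:
    """Assumed shape of a per-PLC baseline (hypothetical, for the example)."""
    allowed_sources: frozenset   # hosts that normally speak Modbus to this PLC
    write_sources: frozenset     # subset permitted to issue write functions
    writable_registers: range    # holding-register addresses that may be written
    writable_coils: range        # coil addresses that may be written


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and the request PDU of one Modbus/TCP frame."""
    if len(payload) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    fc = payload[7]
    if fc in (1, 2, 3, 4, 15, 16):
        address, quantity = struct.unpack(">HH", payload[8:12])
    elif fc in (5, 6):                      # single write: address, value
        address = struct.unpack(">H", payload[8:10])[0]
        quantity = 1
    else:
        raise ValueError(f"unsupported function code {fc}")
    return ModbusRequest(tid, unit, fc, address, quantity)


def inspect(src_ip: str, plc_ip: str, payload: bytes, policies: dict) -> list:
    """Return a list of alert strings for one captured request (empty = benign)."""
    policy = policies.get(plc_ip)
    if policy is None:
        return [f"{src_ip}->{plc_ip}: Modbus to a PLC that is not in the asset baseline"]
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"{src_ip}->{plc_ip}: malformed Modbus frame ({exc})"]

    alerts = []
    if src_ip not in policy.allowed_sources:
        alerts.append(f"{src_ip}->{plc_ip}: new Modbus talker not in baseline")
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        if src_ip not in policy.write_sources:
            alerts.append(f"{src_ip}->{plc_ip}: {name} from a host not permitted to write")
        allowed = policy.writable_coils if req.function in COIL_FUNCTIONS else policy.writable_registers
        touched = range(req.address, req.address + req.quantity)
        bad = [a for a in touched if a not in allowed]
        if bad:
            alerts.append(f"{src_ip}->{plc_ip}: {name} to read-only address {bad[0]}")
    return alerts


def build_request(tid, unit, fc, address, quantity=1, value=0) -> bytes:
    """Construct a Modbus/TCP request frame (used only to make sample traffic)."""
    if fc in (1, 2, 3, 4):
        pdu = struct.pack(">BHH", fc, address, quantity)
    elif fc in (5, 6):
        pdu = struct.pack(">BHH", fc, address, value)
    elif fc == 16:
        pdu = struct.pack(">BHHB", fc, address, quantity, 2 * quantity)
        pdu += struct.pack(">%dH" % quantity, *([value] * quantity))
    else:
        raise ValueError(f"unsupported function code {fc}")
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed baseline: one PLC, one HMI that may read and write registers 100-119.
POLICIES = {
    "10.20.0.5": PlcPolicy(allowed_sources=frozenset({"10.20.0.10"}),
                           write_sources=frozenset({"10.20.0.10"}),
                           writable_registers=range(100, 120),
                           writable_coils=range(0, 8)),
}

if __name__ == "__main__":
    samples = [
        ("10.20.0.10", build_request(1, 1, 3, 0, quantity=10)),     # HMI polls: benign
        ("10.20.0.10", build_request(2, 1, 6, 100, value=1)),       # HMI writes setpoint: benign
        ("10.20.0.10", build_request(3, 1, 6, 0, value=1)),         # write to read-only address
        ("10.30.0.77", build_request(4, 1, 16, 100, quantity=2)),   # unknown host writing
    ]
    for src, frame in samples:
        print(src, inspect(src, "10.20.0.5", frame, POLICIES) or "ok")
```

The point of the example is that the third and fourth frames are well-formed, use permitted ports and, in the fourth case, write to a permitted address; an IP-and-port firewall rule passes all four. Only a decoder that understands the function code and address, combined with a baseline of which hosts normally write, separates the expected HMI poll from the anomalous commands. Alerts of this kind should be routed to the engineer who owns that PLC, since whether address 0 should ever be written is an operational question, not a network one.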
The Dragos 2026 OT Cybersecurity Year in Review (Dragos, OT Cybersecurity Year in Review, 2026) describes a consistent pattern in incident response findings: most OT incidents do not begin in OT networks. Adversaries consistently gain access through infrastructure that sits between enterprise and operational environments — engineering workstations, remote access infrastructure, identity systems — and operate undetected because defenders cannot see activity inside the industrial network. The report identified 119 ransomware groups affecting more than 3,300 industrial organisations in 2025, a 49% increase, with a significant proportion of incidents systematically misclassified as “IT incidents” because the compromised systems, SCADA infrastructure and engineering workstations, were treated as IT assets despite their direct connection to operational processes.
Detection requires OT-specific monitoring capability. Alerting must be calibrated to OT operational context, so that security events are presented to the people who can act on them, in terms they understand, with response options that are appropriate to both the security context and the operational environment. A security alert that triggers the same response playbook as an IT endpoint incident in an environment where the endpoint in question is an HMI connected to a live production line is not a security control. It is a liability.
This is where the OT SOC sits in the governance architecture: not as an extension of the corporate security operations function into OT territory, but as the continuous monitoring layer that enforces the governance framework in operational time, connecting security operations with the engineering and operations teams whose context and decisions are required to respond appropriately.
Pragmatic OT Governance as an Integrated Operating Model
Mature OT governance is not the theoretical separation model. It is the operating discipline required to manage the environment as it actually exists: connected, heterogeneous, with long asset lifecycles and operational continuity requirements that make conventional IT security approaches impractical in isolation.
The model has three components. The first is visibility: a complete, continuously updated picture of what OT assets exist, what they connect to, and what their current operational state is. This is not an aspirational condition — it is the foundation. Governance of an environment the security team cannot fully see is not governance. The Bridge Audit is the starting point for this visibility; Orro’s Digital Asset Discovery capability is the operational layer that maintains it continuously.
The second component is control: defined and documented policies for what crosses the IT/OT bridge, enforced technically through OT-aware controls rather than standard IT security tooling applied without modification. This means network segmentation that reflects the actual architecture of the OT environment, remote access controls appropriate to operational contexts rather than corporate IT defaults, and change management processes that capture the operational decisions that create connectivity, not just the security decisions that review it after the fact.
The third component is response: the capability to detect deviations from defined operational baselines and respond in a way that is appropriate to both the security context and the operational environment. In OT environments, response is not simply a matter of isolating an affected system. An isolation action that takes down a process control system without coordinating with the engineering team managing that process is a security action that may create a safety incident. Response in OT requires OT-aware playbooks, prepared in advance, that account for the operational consequences of each possible response action.
The practical entry point for organisations that do not yet have this model in place is consistent: start with the Bridge Audit. It surfaces the current state of the IT/OT boundary, provides the information needed to prioritise governance controls, and builds the foundation on which a continuous monitoring programme can be constructed. Organisations operating under the Security of Critical Infrastructure Act should note that asset classification obligations are specific to each entity; confirming those obligations with legal advisers is the appropriate starting point for any compliance conversation.
Key Takeaways: OT Governance in 2026
- Air-gapping did not fail because organisations made poor security decisions. It failed because legitimate operational decisions — remote access for maintenance, cloud-connected analytics, supply chain integration, regulatory reporting — created permanent IT/OT connectivity that was never mapped or governed as a security boundary.
- The most common point of OT security governance failure is the “IT of OT” layer: conventional IT assets (engineering workstations, historians, HMI servers, remote access gateways) that operate within OT environments, accessible from the corporate network and directly connected to process control systems.
- IT governance frameworks do not translate directly to OT environments because they assume asset lifecycles of three to five years, treat patching as a baseline control, and separate operational continuity from security — assumptions that are structurally incompatible with how most OT environments operate.
- Effective OT governance requires three integrated components: visibility into the full IT/OT boundary (including connections established outside formal change management processes), controls appropriate to OT operational contexts, and a monitoring capability that can detect anomalous activity within OT protocol traffic — not just unusual network connections.
- For an Engineering Manager or Operations Director: if your organisation has ever connected a contractor’s remote access tool, integrated a maintenance platform with a corporate data environment, or enabled a regulatory reporting feed from an OT system, the IT/OT bridge exists. The practical question is whether it is documented, governed, and monitored.
If this article has raised questions about whether your organisation has a complete and accurate picture of every point where your corporate network communicates with your OT environment, whether your current monitoring capabilities can detect anomalous commands within OT protocol traffic — not just unusual network connections at the IP layer — or where to start with a Bridge Audit that produces a prioritised and actionable governance plan, Orro’s team is available for a confidential conversation. There are no obligations — just a discussion with practitioners who work in these environments every day.
Secure Your IT/OT Bridge
Orro’s Critical Infrastructure and OT Security practice — including our OT SOC and Digital Asset Discovery capability — helps Australian organisations govern the IT/OT bridge with the visibility, controls, and continuous monitoring that operational environments require. Download the 2026 Australian Governance & Privacy Risk Checklist or speak with Orro’s team to start with a Bridge Audit of your OT environment.