A plant operator plugged a personal phone into an HMI to charge it and accidentally tethered the device, giving an air-gapped control system a live internet connection. At another site, the cybersecurity lead walked through the front gate wearing a USB drive on a lanyard at a facility with a strict no-USB policy. These are not hypothetical scenarios. They were shared by practitioners with decades of OT cybersecurity experience during IIoT World’s Energy Day, and they reflect a pattern that keeps repeating across critical infrastructure.
Key Takeaways
- Air-gapped environments still require active security measures; isolation alone does not prevent breaches.
- Removable media threats go beyond USB storage to include keyboards capable of autonomous attacks, webcams, and network adapters connected via USB ports.
- Many critical infrastructure organizations still lack a formal removable media policy, even in regulated industries.
- When polled during the session, energy sector professionals ranked removable media and portable device security among their top cybersecurity concerns.
Every Air Gap Has a Door
“You need to think about the gap as another layer of protection, not the only layer,” said Itay Glick, GM of OT Security at OPSWAT, a veteran OT cybersecurity practitioner. His point challenges a belief that persists in control rooms worldwide: if the network has no internet connection, it must be safe.
The logic breaks down the moment anyone needs to update software, transfer a file, or connect a diagnostic laptop. Every air-gapped system requires some form of data transfer. Patches need to get in. Configuration files move between environments. Vendor technicians bring their own devices. Each of those touchpoints creates exactly the kind of entry that isolation was supposed to prevent.
Nick Janouskovec, who has supported cybersecurity across Emerson’s 800 or more power and water installations globally, said: “There really isn’t truly any air-gapped environment if you have to touch it and update it.”
It Is More Than USB Flash Drives
Most security conversations focus on USB storage. The actual threat surface is wider. During the session, Glick outlined several device categories that introduce risk through USB ports in OT environments:
- USB storage devices are the obvious vector, but not the only one.
- Keyboards can be programmed to execute autonomous attack sequences the moment they are plugged in.
- Webcams connected via USB can carry embedded payloads.
- Network adapters plugged into a USB port can create unauthorized network connections.
- Transient devices, such as a vendor’s laptop plugged directly into the control network, bypass the air gap entirely.
The phone-charging incident Nick Janouskovec described falls into this last category. The operator had no malicious intent. The phone needed power, there was an open USB port on an HMI, and the device’s default tethering setting did the rest. The air gap disappeared without anyone realizing it.
Three Ways Policy Fails in Practice
Technology is one part of the equation. Culture and policy are the other, and according to the panelists, they are often missing.
No policy at all. Nick shared that he has visited customer sites and asked about their removable media policy only to learn they do not have one. “Even in this day and age, that’s quite appalling,” he said.
Policy exists but is not enforced. Benjamin White, Director of Industrial Control Partnerships at OPSWAT, described the opposite problem. His example of the security professional wearing a USB on a lanyard through the no-USB gate illustrates a culture that turns written policy into dead paper.
Policy is overridden by privileged users. Nick Janouskovec described cases where administrators disabled device control applications on endpoints because they believed their admin credentials made it acceptable. “You get a little bit of hubris around that and you open yourself to making mistakes,” he said.
These are not edge cases. They represent three distinct organizational failures, and each one leaves the air gap exposed regardless of what technology sits on the network.
What Operators Can Do Now
Air-gapped environments remain mandated across critical infrastructure regulations in the Middle East, Asia, and North America. They are not going away. But treating isolation as the primary defense creates blind spots that attackers exploit and that human error exposes.
Three practical steps emerged from the session. First, establish a formal removable media policy if one does not exist. Define what devices are allowed, where, and under what conditions. Second, enforce the policy with technology rather than relying on administrative compliance. Port control, scanning kiosks, and device whitelisting convert a written rule into an operational control that auditors can verify. Third, extend the definition of “removable media” beyond USB flash drives. Any device that connects to a USB port, including keyboards, diagnostic tools, and personal phones, should fall under the same scrutiny.
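The second and third steps above, enforcing the policy with device control and treating every USB device class as removable media, can be made concrete. The following Python is an added example, not code from the article, OPSWAT, or Emerson: it evaluates constructed USB plug-in records against an allowlist keyed on device identity and on the interface classes each approved device was expected to expose, so a tethering phone, an unapproved keyboard, or an approved keyboard that suddenly presents a storage interface is denied with a reason suitable for a log line. The vendor and product ids, serials and approval labels are constructed; the interface class codes are the USB-IF base class values a real agent would read from udev or the Windows device stack.

```python
"""Default-deny USB device control keyed on identity and expected interface classes.

Added example; not from the article or any vendor product. Device records are
constructed. On a real HMI they would come from udev (Linux) or PnP/WMI (Windows).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# USB interface base class codes published by the USB-IF.
HID = 0x03                  # keyboards and mice, including keystroke-injection devices
CDC_CONTROL = 0x02          # CDC control interface (ECM/NCM phone tethering)
MASS_STORAGE = 0x08         # flash drives, card readers
CDC_DATA = 0x0A             # CDC data interface paired with CDC_CONTROL
VIDEO = 0x0E                # webcams
WIRELESS_CONTROLLER = 0xE0  # RNDIS tethering presents as E0/01/03
MISCELLANEOUS = 0xEF        # RNDIS over Ethernet also presents as EF/04/01
VENDOR_SPECIFIC = 0xFF      # many Android phones present MTP as FF/FF/00


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interfaces: Tuple[Interface, ...]

    @property
    def identity(self) -> Tuple[int, int, str]:
        return (self.vid, self.pid, self.serial)


@dataclass(frozen=True)
class Approval:
    label: str
    expected_classes: FrozenSet[int]  # classes this exact device was approved to expose


def is_network_interface(i: Interface) -> bool:
    """True for interfaces that would give the host a new network path."""
    if i.cls in (CDC_CONTROL, CDC_DATA):
        return True
    # E0 and EF are broad classes; only the RNDIS triplets count as network.
    if i.cls == WIRELESS_CONTROLLER and (i.subclass, i.protocol) == (0x01, 0x03):
        return True
    if i.cls == MISCELLANEOUS and (i.subclass, i.protocol) == (0x04, 0x01):
        return True
    return False


def describe(i: Interface) -> str:
    """Human-readable label for the log line."""
    if is_network_interface(i):
        return "network adapter (tethering)"
    names = {HID: "HID keyboard/mouse", MASS_STORAGE: "mass storage",
             VIDEO: "video (webcam)", VENDOR_SPECIFIC: "vendor-specific"}
    return names.get(i.cls, f"class 0x{i.cls:02X}")


def evaluate(device: UsbDevice, approvals: Dict[Tuple[int, int, str], Approval]) -> Tuple[bool, str]:
    """Default deny. Approval is per device identity AND per expected interface class,
    so a device is not allowed merely because it looks like a keyboard."""
    approval = approvals.get(device.identity)
    if approval is None:
        exposed = sorted({describe(i) for i in device.interfaces})
        return False, "unapproved device exposes: " + ", ".join(exposed)
    unexpected = sorted({describe(i) for i in device.interfaces
                         if i.cls not in approval.expected_classes})
    if unexpected:
        return False, f"approved '{approval.label}' exposes unexpected interfaces: " + ", ".join(unexpected)
    return True, f"approved '{approval.label}'"


# Constructed allowlist: ids, serials and labels are made up for this example.
APPROVALS = {
    (0x1234, 0x0001, "KB-OPS-01"): Approval("control room keyboard", frozenset({HID})),
    (0x1234, 0x0002, "TX-0007"): Approval("scanned transfer drive", frozenset({MASS_STORAGE})),
}

# Constructed plug-in events, including the phone that tethers while "just charging".
SAMPLE_EVENTS = {
    "approved_keyboard": UsbDevice(0x1234, 0x0001, "KB-OPS-01", (Interface(HID, 0x01, 0x01),)),
    "approved_drive": UsbDevice(0x1234, 0x0002, "TX-0007", (Interface(MASS_STORAGE, 0x06, 0x50),)),
    "unknown_keyboard": UsbDevice(0x4444, 0x0010, "", (Interface(HID, 0x01, 0x01),)),
    "tethering_phone": UsbDevice(0x5555, 0x0100, "PHONE-ABC",
                                 (Interface(VENDOR_SPECIFIC, 0xFF, 0x00),
                                  Interface(WIRELESS_CONTROLLER, 0x01, 0x03))),
    # Same identity as the approved keyboard, but now also a storage interface.
    "keyboard_with_storage": UsbDevice(0x1234, 0x0001, "KB-OPS-01",
                                       (Interface(HID, 0x01, 0x01),
                                        Interface(MASS_STORAGE, 0x06, 0x50))),
}


def evaluate_all(approvals=APPROVALS, events=SAMPLE_EVENTS) -> Dict[str, Tuple[bool, str]]:
    return {name: evaluate(dev, approvals) for name, dev in events.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_all().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name:22} {reason}")
```

The design point is that approval is tied to a specific device and to the interfaces it was approved for, not to a device class. That is what catches the two cases the panelists described: a charger that turns out to be a network adapter, and a trusted-looking peripheral that presents more than it should.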
The air gap was never designed to be the only layer of protection. Treating it as one layer among many, backed by policy that is actually enforced, is the practice that keeps critical infrastructure running.
This article was written using AI tools to summarize and structure the content and edited by the IIoT World editorial team. Editorially independent.
Sponsored by OPSWAT
Special thanks to Itay Glick (GM, OT Security and Hardware Engineering, OPSWAT), Nick Janouskovec (Global Business Development Manager, Emerson), and Benjamin White (Director of Industrial Control Partnerships, OPSWAT) for their insights during the “Mind the Air Gap: How Emerson and OPSWAT Solve Critical Infrastructure Patching” session sponsored by OPSWAT, at the IIoT World Energy Day.
Frequently Asked Questions
1. Are air-gapped OT networks secure by default?
No. Air-gapped networks still require patching, file transfers, and vendor access, all of which introduce potential entry points. Practitioners at IIoT World’s Energy Day described multiple real-world cases where human error broke the air gap, including a phone tethered to an HMI and administrators disabling device controls.
2. What types of removable media pose risks in OT environments?
Risks extend beyond USB storage to include programmable keyboards that execute autonomous attacks, webcams with embedded payloads, USB network adapters that create unauthorized connections, and vendor laptops plugged directly into control networks.
3. Why do many organizations still lack removable media policies?
According to practitioners with combined decades of experience in critical infrastructure cybersecurity, some organizations have never formalized a policy. Others have policies on paper but do not enforce them. A third group has policies that privileged users override using administrative credentials.