In industries where OT security and industrial cybersecurity are of utmost importance, air-gapping is considered the last word in risk mitigation. But this does not equal resilience.
In fact, some of the most sensitive “crown jewel” sectors, such as weapon systems, energy infrastructure, manufacturing control networks, and transportation infrastructure, require continuous exposure management more than cloud-native companies ever will.
What is exposure management?
Let’s begin with the most obvious question:
Exposure management (and the related term exposure assessment) is the process of constantly discovering assets, evaluating vulnerabilities and misconfigurations, and prioritizing remediation based on real-world risk, not static severity scores.
At its most basic level, exposure management is a cycle:
- Discover: Identify all assets, identities, connections, and dependencies.
- Assess: Evaluate vulnerabilities, weaknesses, and misconfigurations in context.
- Prioritize: Remediate what is truly reachable and impactful.
Whereas traditional vulnerability management tends to create long, flat lists of CVEs, exposure assessment links technical vulnerabilities to business risk.
It asks: Can this actually be exploited? And if so, what does it lead to?
This approach is just as important (if not more so) in air-gapped and operational technology (OT) environments.
Isn’t Exposure Management Only For Cloud-native Organizations?
This is the most enduring myth in industrial cybersecurity.
The story goes like this: exposure management is for dynamic, internet-facing, cloud-rich environments. OT environments are different. They are isolated. They are stable. They don’t change much.
But here’s the truth:
- Air-gapped environments still have software.
- Software still has vulnerabilities.
- Removable media, maintenance laptops, and contractors still provide paths.
- Insider and supply chain threats don’t magically go away because an environment doesn’t have a public IP address.
In many industrial environments, patch cycles are measured in months or years. Legacy systems are still in use well past end-of-life. Visibility is siloed across IT, engineering, and operations groups.
The effect is concentrated, hidden risk.
Busting the myth that OT environments don’t need exposure management begins with this understanding: isolation reduces external noise, but it magnifies the effect of what is hidden.
Why ‘Crown Jewel’ Environments Need Exposure Management Most
In regulated or classified sectors, protecting the most valuable and sensitive assets is not negotiable. These are the systems that:
- Control physical processes
- Handle sensitive national or industry data
- Facilitate mission-critical operations
- Embody systemic operational technology risk
The irony is that these sectors are also the ones that often struggle with OT visibility issues:
- Inadequate asset discovery
- Poor centralized logging
- Manual, paper-based risk management
- Tool fragmentation across enclaves
Exposure management mitigates these blind spots via structured, repeatable processes, even in disconnected networks.
The objective is not to modernize everything overnight. It is to bring disciplined, risk-driven decision-making to sectors where fixing everything is neither possible nor advisable.
How Do You Implement Exposure Management In Air-gapped Environments?
Let’s walk through this step by step.
1. Secure asset discovery without violating sovereignty
The first problem in air-gapped security is asset discovery.
Asset discovery in IT and cloud infrastructures is typically done through APIs and remote scanning. In OT and classified environments, asset discovery must comply with:
- Data residency rules
- Uptime requirements
- Tight change management processes
Typical approaches to secure asset discovery in these environments include:
- Passive network scanning
- Authenticated local scanning
- Config and firmware inventory scanning
- SBOM consumption for embedded and industrial software
The guiding tenet: visibility that is local, controlled, and auditable.
Tools that support on-premises deployment and offline operation (including platforms that support on-prem and government-centric deployment models) prove that exposure management is not dependent on cloud-based transmission of sensitive data.
High security should not mean blind spots.
2. Assess exposure in operational context
Not all vulnerabilities are created equal in industrial cybersecurity.
The presence of a high-severity CVE on an isolated engineering workstation is not equivalent to the same vulnerability on a human-machine interface (HMI) system that is reachable from a production line.
To manage vulnerability exposure in industrial systems on a continuous basis, it is necessary to:
- Map vulnerabilities to the specific OT assets they affect
- Understand boundaries of network segmentation
- Establish identity and privilege relationships
- Integrate threat intelligence for known exploited vulnerabilities
Contemporary vulnerability exposure platforms focus on contextual risk analysis, not simply severity. In air-gapped networks, the context may be obtained from:
- Network topology maps
- Firewall and zone rules
- Identity and access control policies
- Local logging and event data
The question becomes: Can this vulnerability be exploited along a plausible attacker path within this enclave?
3. Prioritize using risk-based OT prioritization
Patching in OT is more than a technical exercise. It is a business choice.
Downtime could mean production shutdowns. Firmware upgrades could necessitate vendor acceptance. In a defense sector context, system re-certification might be required.
Risk-driven OT prioritization helps ensure that constrained maintenance windows are allocated where they are most valuable.
The shift is from addressing 1,000 CVEs in score order to fixing the 20 vulnerabilities that provide plausible paths to critical infrastructure systems.
This is where vulnerability management and vulnerability assessment meet: risk has real-world implications. It is tied to reachability, impact, and mission consequence.
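Steps 2 and 3 above describe the same idea from two angles: a finding only matters if an attacker path to the asset exists, and limited maintenance windows should go to the reachable, high-impact findings first. The script below is an added example, not code from the original article. It models the zone rules as directed "allowed flow" edges, treats the zones where contractor laptops and removable media are introduced as entry points, and scores each finding by CVSS, asset impact and known-exploited status only when the asset's zone is reachable. All asset names, zone names, scores and the `CVE-SAMPLE-*` identifiers are constructed placeholders, and the scoring weights are assumptions for illustration rather than any standard.

```python
"""Reachability-aware prioritization of OT vulnerability findings.

Added example, not from the original article. Every asset, zone, score and
CVE identifier below is constructed sample data; the scoring formula is an
illustrative assumption, not a standard.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    impact: int  # 1 (low) .. 5 (controls a physical process)


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str  # placeholder identifiers, not real CVEs
    cvss: float
    known_exploited: bool = False


# Constructed zone model: each key may initiate connections to the zones in
# its set. In practice this is derived from firewall and zone policy exports.
ZONE_FLOWS = {
    "maintenance": {"engineering"},
    "engineering": {"control"},
    "control": set(),
    "isolated_lab": set(),
}
# Zones where removable media or maintenance laptops are introduced (assumed).
ENTRY_ZONES = {"maintenance"}

ASSETS = [
    Asset("hmi-01", "control", 5),
    Asset("plc-gw", "control", 5),
    Asset("eng-ws-02", "engineering", 2),
    Asset("lab-pc", "isolated_lab", 1),
]
FINDINGS = [
    Finding("lab-pc", "CVE-SAMPLE-0001", 9.8, known_exploited=True),
    Finding("eng-ws-02", "CVE-SAMPLE-0002", 7.5, known_exploited=True),
    Finding("hmi-01", "CVE-SAMPLE-0003", 6.5),
    Finding("plc-gw", "CVE-SAMPLE-0004", 9.1),
]


def reachable_zones(flows, entry):
    """Breadth-first walk over allowed flows from the entry zones."""
    seen = set(entry)
    queue = deque(entry)
    while queue:
        zone = queue.popleft()
        for nxt in flows.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure_score(finding, asset, reachable):
    """Contextual score; zero when no path from an entry zone exists."""
    if asset.zone not in reachable:
        return 0.0
    score = finding.cvss * asset.impact
    if finding.known_exploited:
        score *= 2  # assumed weighting for known exploited vulnerabilities
    return score


def prioritize(assets, findings, flows, entry):
    """Return (cve, asset, score) for reachable findings, highest score first."""
    by_name = {a.name: a for a in assets}
    reach = reachable_zones(flows, entry)
    scored = [(exposure_score(f, by_name[f.asset], reach), f) for f in findings]
    scored = [(s, f) for s, f in scored if s > 0]
    scored.sort(key=lambda t: (-t[0], t[1].cve))
    return [(f.cve, f.asset, s) for s, f in scored]


def by_cvss_only(findings):
    """The flat list a score-only approach would produce, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    print("score-only order :", by_cvss_only(FINDINGS))
    print("contextual order :", prioritize(ASSETS, FINDINGS, ZONE_FLOWS, ENTRY_ZONES))
```

Run stand-alone, the score-only list puts the isolated lab machine first because it carries the highest CVSS, while the contextual list drops it entirely (no flow reaches `isolated_lab`) and ranks the two control-zone assets ahead of the engineering workstation. The ordering depends on the zone rules and impact ratings being accurate, which is why the article's point about asset discovery and topology maps comes before prioritization.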
Does Zero Trust Apply To Air-gapped OT?
Yes, and perhaps in a cleaner fashion than in internet-facing environments.
Air-gapped security can already enforce strict access control and role separation. This discipline can be extended to:
- Application allow-listing
- USB device management
- Privilege minimization
- Segmentation validation
This is consistent with Zero Trust.
Operational technology security does not mean abandoning modern security frameworks. It means adapting them to environments where uptime and sovereignty are of highest importance.
How To Secure OT Without Breaking Data Sovereignty
The issue of data sovereignty is valid, especially in the public and critical infrastructure sectors. Exposure management can be achieved while upholding sovereignty by:
- Using analytics engines at local sites
- Exporting only aggregated, non-sensitive data
- Keeping offline vulnerability feeds through controlled updates
- Integrating remediation processes with internal ticketing systems
The basic model (discover, assess, prioritize) does not require a cloud dependency. It needs structured data and sound analysis.
This is why exposure management for air-gapped systems is not a contradiction. It is an evolution.
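The second bullet above, exporting only aggregated and non-sensitive data, is the point most likely to be contested by a sovereignty or classification reviewer, so it helps to see what such an export looks like and how it is checked before it leaves the site. The script below is an added example, not code from the original article. It collapses per-asset findings into per-zone counts by severity band, suppresses any cell small enough to single out one asset, and then verifies that no asset name, IP address or CVE identifier from the raw rows appears in the export. The rows, the severity bands and the suppression threshold are constructed assumptions.

```python
"""Sovereignty-preserving aggregation of exposure data for off-site export.

Added example, not from the original article. Rows, zone names, IPs and the
CVE-SAMPLE identifiers are constructed sample data; the severity bands and
the small-cell threshold are assumed policy values.
"""
import json
from collections import defaultdict

# Assumed CVSS bands, checked from highest floor downward.
SEVERITY_BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low"))
# Cells with fewer findings than this could identify a single asset; suppress them.
MIN_CELL = 2
SENSITIVE_KEYS = ("asset", "ip", "cve")

# Constructed per-asset findings as they would exist inside the enclave.
SAMPLE_ROWS = [
    {"asset": "hmi-01", "ip": "10.20.1.11", "zone": "control",
     "cve": "CVE-SAMPLE-0003", "cvss": 9.1, "known_exploited": False},
    {"asset": "plc-gw", "ip": "10.20.1.12", "zone": "control",
     "cve": "CVE-SAMPLE-0004", "cvss": 9.8, "known_exploited": True},
    {"asset": "eng-ws-02", "ip": "10.20.2.31", "zone": "engineering",
     "cve": "CVE-SAMPLE-0002", "cvss": 7.5, "known_exploited": True},
    {"asset": "lab-pc", "ip": "10.99.0.5", "zone": "isolated_lab",
     "cve": "CVE-SAMPLE-0001", "cvss": 9.8, "known_exploited": True},
]


def severity_band(cvss):
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "low"


def aggregate_for_export(rows, min_cell=MIN_CELL):
    """Per-zone, per-severity counts; identifiers never reach the output."""
    counts = defaultdict(int)
    kev_counts = defaultdict(int)
    for row in rows:
        key = (row["zone"], severity_band(row["cvss"]))
        counts[key] += 1
        if row["known_exploited"]:
            kev_counts[key] += 1

    report = []
    for (zone, sev), n in sorted(counts.items()):
        if n < min_cell:
            # Small-cell suppression: report only that the count is below threshold.
            report.append({"zone": zone, "severity": sev,
                           "count": f"<{min_cell}", "known_exploited": "suppressed"})
        else:
            report.append({"zone": zone, "severity": sev,
                           "count": n, "known_exploited": kev_counts[(zone, sev)]})
    return report


def leaked_identifiers(report, rows):
    """Pre-export gate: every sensitive value from the raw rows must be absent."""
    blob = json.dumps(report)
    return sorted({row[k] for row in rows for k in SENSITIVE_KEYS if row[k] in blob})


if __name__ == "__main__":
    export = aggregate_for_export(SAMPLE_ROWS)
    leaks = leaked_identifiers(export, SAMPLE_ROWS)
    print(json.dumps(export, indent=2))
    print("identifiers leaked:", leaks or "none")
```

The control zone, with two critical findings, is reported as a count with its known-exploited tally; the engineering and lab zones each hold a single finding and are reported as suppressed cells, so the receiving side learns the shape of the risk without learning which machine carries it. The leak gate is deliberately a separate function so that it can be run as the last step of the controlled export process the article describes.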
The Future Of OT Attack Surface Management
Industrial systems are no longer static.
- The convergence of IT and OT is accelerating.
- Remote monitoring and predictive maintenance are expanding.
- Software-defined supply chains are emerging.
The attack surface for OT is expanding, even within facilities that are formally not connected to the public internet.
Exposure management and exposure assessment offer a way to navigate this shift without compromising operational integrity.
High-security environments should be leaders in risk reduction, not laggards based on misconceptions about tooling.
Visibility Is Not Optional
Air-gapping is a strong control. However, it is not a security strategy by itself.
The highest-risk environments (defense, industrial control systems, energy, and manufacturing) should receive the same level of risk prioritization as cloud platforms.
Exposure management is far from a cloud trend; it is a risk discipline.
Done correctly:
- It maintains data sovereignty.
- It honors operational constraints.
- It enhances protection for critical assets.
It turns OT visibility issues into actionable intelligence.
Ultimately, the objective is straightforward: we need to move from patching everything, to fixing what matters.
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications. She is also a regular writer at Bora.
