OT/SCADA Security Architecture: Why Air Gaps Fail

OT/SCADA Security Architecture: Why Air Gaps Fail, What Actually Works, and the Defence-in-Depth Architecture for Operational Technology Environments

Executive Summary

'Just air gap it' is the instinctive answer to OT security. It is partially correct and dangerously incomplete. A true air gap — no network connection whatsoever between the OT environment and any IT system or external network — eliminates the Living-off-the-Land remote access pathway that Volt Typhoon uses. But true air gaps are operationally impossible to maintain in modern CNI, and the attack surface that remains when you try is larger than most operators realise.

Stuxnet entered Iran's air-gapped uranium enrichment facility via an infected USB drive carried by a contractor with no idea what was on it. The air gap was intact. The centrifuges were destroyed. The attack succeeded because the air gap created a false sense of security without addressing the physical media pathway that remained. Every OT environment that requires vendor maintenance, firmware updates, or data transfer has the same pathway — and state actors have already demonstrated they will use it.

This paper presents the defence-in-depth architecture that actually addresses the Volt Typhoon and Sandworm threat models: genuine OT network segmentation with a hardware-enforced boundary; behavioural baselining that catches Living-off-the-Land where signature detection fails; unidirectional security gateways that make network-layer intrusion physically impossible; and zero-trust vendor access that eliminates the pre-positioned credential. None of these controls is air-gapping. All of them are more effective than air-gapping against the confirmed attack methodologies.

All technical parameters are sourced from IEC 62443, NIST SP 800-82 Rev 3, NERC CIP series, CISA advisories, and documented incident records. The architecture is specified at the level required to translate into procurement requirements and implementation plans.

1. Why Air Gaps Fail — The Four Breach Pathways

Air-gapping is the correct instinct because it addresses the correct threat: an attacker who needs network connectivity to reach the OT environment. Volt Typhoon's Living-off-the-Land technique requires network access — without a path from the compromised IT workstation to the OT SCADA server, the technique cannot deliver effects. An air gap closes that specific vector completely.

The problem is that air gaps in operational CNI environments are not air gaps — they are network-reduced environments with residual connectivity that is operationally necessary but rarely secured. Four pathways breach every 'air-gapped' OT environment in practice:

1.1 Pathway 1 — Physical Media: The Stuxnet Model

The documented case: Stuxnet entered Iran's Natanz uranium enrichment facility in 2009-2010. The facility was air-gapped — no network connection to any external system. The malware was delivered on a USB drive carried by a contractor — almost certainly a Siemens engineer performing routine maintenance on the Siemens S7 PLCs controlling the centrifuges. The engineer had no knowledge of the malware. The USB drive was legitimately used. The air gap was never violated in the conventional sense — no cable was connected, no wireless link was established. The USB drive was the pathway.

Stuxnet then spread through the facility's internal network — which existed for legitimate operational reasons — to reach the specific PLCs controlling centrifuge rotor speed. It manipulated rotor speed outside normal parameters while reporting normal values to the SCADA monitoring screens, destroying centrifuges over months before detection. The attack was operational for an estimated 12-18 months before it was identified.

Why this pathway persists: Every OT system requires periodic maintenance. Every maintenance visit creates a physical media pathway. A vendor engineer arriving with a laptop for a firmware update, a calibration tool on a USB drive, or a configuration backup on a portable hard drive represents a physical media pathway regardless of the network architecture. The pathway cannot be eliminated without eliminating vendor maintenance — which is operationally impossible for complex OT systems with specialist manufacturer support requirements.

The scale of the risk in Ireland: CISA AA24-038A confirms that Volt Typhoon has exfiltrated SCADA relay documentation from Western utility infrastructure. The IEC 62443-2-4 vendor access framework requires that all vendor access to OT systems be conducted via approved, controlled pathways with session recording. In Irish CNI, vendor maintenance access is typically managed through the vendor's own processes rather than the operator's security framework. The gap between the standard and the practice is the Stuxnet pathway.

Source: Langner, R. (2011) 'Stuxnet: Dissecting a Cyberweapon.' IEEE Security and Privacy, 9(3): 49-51. Falliere, N., Murchu, L.O. and Chien, E. (2011) W32.Stuxnet Dossier. Version 1.4. Symantec Security Response. February 2011.

1.2 Pathway 2 — Wireless and Side-Channel: The Air-Gap Bridging Techniques

Dedicated research programmes — primarily at Ben-Gurion University of the Negev under Professor Yuval Elovici — have developed and documented a series of air-gap bridging techniques that exploit physical phenomena to exfiltrate data from or deliver malicious content to air-gapped systems without any network connection. These are not theoretical attacks — they are published, peer-reviewed techniques with demonstrated proof-of-concept implementations.

AirHopper (2014): Exploits the FM radio emissions generated by GPU video processing. Malware on the target system modulates the GPU workload to encode data in FM frequencies, which are received by a mobile phone with FM radio capability within physical proximity. Data exfiltration rate: approximately 13-60 bytes per second — sufficient for keyboard input, passwords, and cryptographic keys over extended collection periods. Range: approximately 1-7 metres. Source: Guri, M. et al. (2014) 'AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies.' IEEE MALWARE conference.

BitWhisper (2015): Exploits thermal emissions from CPU activity. Two co-located air-gapped computers — one attacker-controlled, one target — communicate by modulating CPU load to create detectable heat signatures measured by the target's thermal sensor. Data rate: approximately 8 bits per hour — extremely slow, but sufficient for command-and-control signalling. Range: 40 cm. Source: Guri, M. et al. (2015) 'BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations.' IEEE 28th Computer Security Foundations Symposium.

Fansmitter (2016): Exploits acoustic emissions from CPU cooling fans. Malware modulates fan RPM to encode data in acoustic frequencies detectable by a nearby microphone. Data rate: approximately 15-20 bits per minute. Range: up to 8 metres. Source: Guri, M. et al. (2016) 'Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers.' arXiv:1606.05915.

MAGNETO / ODINI (2018): Exploits magnetic field emissions from CPU activity. Data encoded in magnetic field variations induced by CPU workload, received by a smartphone magnetometer. Range: 150 cm. Source: Guri, M. et al. (2018) 'MAGNETO: Covert Channel between Air-Gapped Systems and Nearby Smartphones via CPU-Generated Magnetic Fields.' arXiv:1802.02317.

The operational significance of these techniques is not that they will be routinely deployed against Irish CNI — they require physical proximity to the target system, which implies prior physical access. Their significance is that they demonstrate a fundamental principle: any system that processes data and has a physical presence emits information through multiple physical channels. An air gap eliminates the network channel. It does not eliminate the physical channel. For a threat actor with physical proximity — a shadow fleet vessel near a cable landing station, a GRU-recruited insider with access to a substation control room, a vendor contractor with legitimate site access — these techniques are in the confirmed toolkit.

Source: Ben-Gurion University Cyber Security Research Center. Air-Gap Research Project. Publications available at: cyber.bgu.ac.il/air-gap. All papers cited above are peer-reviewed and publicly available.

1.3 Pathway 3 — Wireless RF Leakage: TEMPEST and Unintended Emissions

Every electronic device emits electromagnetic radiation as a side effect of its normal operation. In OT environments, SCADA workstations, HMI panels, and engineering workstations emit RF signals that encode the data being processed — keystrokes, screen content, network traffic — in the frequency domain. TEMPEST (Transient Electromagnetic Pulse Emanation Surveillance Technology) is the classified US government programme for both exploiting these emissions from adversary systems and protecting US systems from such exploitation. The NATO equivalent is AMSG 720B.

For a CNI operator relying on an air gap as a primary security control: an unshielded SCADA workstation in a substation control room emits RF signals encoding its screen content that are detectable at distances of tens to hundreds of metres by a receiver positioned outside the building — in a vehicle, a nearby structure, or a drone with an RF collection payload. No network connection is required. The air gap is irrelevant to this collection pathway.

NSA/CSS TEMPEST shielding requirements (NSA/CSS EPL — Evaluated Products List) specify room-level and equipment-level shielding standards that prevent this emission pathway. For highest-criticality OT environments — nuclear control rooms, military command systems — TEMPEST shielding is mandated. For commercial CNI in Ireland, it is not currently required by any regulatory framework, but the physical phenomenon is present regardless of regulatory status.

1.4 Pathway 4 — Legacy Equipment and Retrofitted Connectivity

The most common 'air gap breach' in operational CNI is not a sophisticated attack — it is connectivity that was added for operational convenience and never secured. A substation installed in 2006 may have been genuinely air-gapped at commissioning. By 2012, someone added a cellular modem for remote meter reading. By 2015, the vendor was accessing the SCADA server via a VPN for remote diagnostics. By 2020, an engineer had installed a Wi-Fi router in the control room for tablet access. The air gap no longer exists, but the security architecture was never updated to reflect its absence.

The County Mayo attack (December 2023) was enabled by exactly this pathway: a Unitronics PLC that was connected to the public internet via a cellular modem for remote monitoring, with no security controls on that connection beyond a factory default password that had never been changed. The utility believed it had operational remote access capability. It also had an unprotected attack pathway that an IRGC-affiliated threat actor found via Shodan in under an hour.

THE AIR GAP PARADOX: The operational pressure that drives air-gap violations is real and legitimate: modern OT systems require remote monitoring, vendor support, data transfer to IT systems for reporting, and firmware updates. An operator who physically enforces a complete air gap accepts: no remote monitoring capability; no vendor remote support (engineer on-site for every fault); no automated data transfer for billing, reporting, or regulatory compliance; no remote firmware updates. For a major utility with hundreds of substations and pump stations, this operational model is not viable. The air gap gets violated for operational reasons. The violation is not secured because the security architecture assumes the air gap still exists. This is the condition that the defence-in-depth architecture in this paper replaces.

2. The Confirmed Threat Models — What the Architecture Must Defend Against

Before specifying the defensive architecture, the threat models must be precisely defined. Two nation-state threat actors have confirmed OT-specific capabilities that define the upper bound of the threat environment for Irish and European CNI:

2.1 Volt Typhoon — Living-off-the-Land Pre-Positioning

Attribution and mandate: People's Republic of China, assessed connected to the People's Liberation Army. Confirmed by CISA, NSA, FBI, and Five Eyes co-signing of Advisory AA24-038A (February 2024). Operational mandate: pre-positioning within Western CNI for activation in a Taiwan conflict scenario. Not espionage. Not ransomware. Pre-positioning.

Technique — Living-off-the-Land: Volt Typhoon uses only tools already present on the target systems: PowerShell, WMI (Windows Management Instrumentation), PsExec, Netsh, certutil, and other standard Windows administrative utilities. No custom malware is deployed. No binary is dropped to disk that an antivirus scanner would flag. The activity is indistinguishable from legitimate system administration by signature-based detection. The only detection mechanism is behavioural — knowing what normal looks like and identifying deviations.

Confirmed dwell time: CISA AA24-038A confirms dwell times of at least 5 years in some victim environments before detection. The initial compromise used exposed internet-facing services — VPN appliances, Fortinet FortiOS, Cisco IOS — to establish initial access. Lateral movement from the IT boundary toward the OT environment used standard Windows administrative tools over months. The SCADA topology maps, relay documentation, and switchgear diagrams confirmed exfiltrated are the intelligence product of this sustained, patient, undetected campaign.

What Volt Typhoon needs to reach OT: A network path from the compromised IT workstation or VPN concentrator to the OT network. If that path is blocked by a hardware-enforced boundary, Volt Typhoon's technique cannot deliver OT effects. This is why OT network segmentation with a hardware-enforced boundary is the primary countermeasure against Volt Typhoon — not antivirus, not patching, not password policy. Architecture.

Source: CISA/NSA/FBI/Five Eyes. Advisory AA24-038A: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. February 2024. Microsoft Threat Intelligence. 'Volt Typhoon targets US critical infrastructure with living-off-the-land techniques.' May 2023.

2.2 Sandworm — ICS-Native Tool Deployment

Attribution and capabilities: GRU Unit 74455. Confirmed ICS-specific tool development capability: BlackEnergy (2015), Industroyer (2016), Industroyer2 (2022). Native implementations of IEC 60870-5-104, IEC 61850 GOOSE, DNP3, and OPC DA in Industroyer — the malware issues circuit breaker commands directly in the target system's own protocols without requiring any intermediate software layer.

October 2022 — the OT architecture lesson: The October 2022 synchronised cyber-kinetic attack used ABB MicroSCADA's own native binary — no custom malware in the OT environment. The attack worked through the SCADA system's own administrative interface. This means: the OT system accepted commands from a source that looked like a legitimate SCADA administrator. Behavioural baselining of SCADA command patterns is the detection mechanism — the attack was issuing commands at a rate and from an account pattern inconsistent with normal operational behaviour. An OT environment with a 30-day behavioural baseline would have detected this anomaly.

Industroyer2 — target-specific intelligence requirement: Industroyer2 had victim-specific relay addresses and circuit breaker identifiers hardcoded in its binary — the SCADA topology and relay documentation that Volt Typhoon has confirmed collecting from Western infrastructure. The intelligence-to-effects chain is confirmed: SCADA topology collection (Volt Typhoon) plus ICS-specific tool development (Sandworm) plus pre-positioned network access equals the October 2022 operational model applied to Western infrastructure.

Source: ESET Research. 'Industroyer2: Industroyer reloaded.' April 2022. Microsoft MSTIC. 'IRIDIUM actor expands targets.' November 2022.

3. The Defence-in-Depth Architecture — Five Layers

The architecture presented here addresses both threat models simultaneously. It does not require choosing between security and operational functionality — each layer is designed to be implemented within operational constraints rather than by imposing them.

3.1 Layer 1 — OT Network Segmentation with Hardware-Enforced Boundary

The requirement

IEC 62443-3-3 Security Level 2 is the minimum requirement for water, energy, and transport OT environments under NIS2 Article 21. SL2 requires that all communications crossing the IT-OT boundary are authenticated and that no unauthenticated protocol traffic traverses the boundary. In practice this means the OT network must be on a dedicated VLAN with no direct IP routing to the corporate IT network or to the internet.

What a firewall does and does not provide

A firewall between the IT and OT networks is a software control. It enforces rules. It can be misconfigured — a rule permitting all traffic from the IT network's subnet to the OT network's subnet is a common misconfiguration that persists for years without triggering any alert. It can be exploited — Volt Typhoon's confirmed initial access vector includes firewall appliances running Fortinet FortiOS (CISA AA24-038A). A misconfigured or compromised firewall provides no boundary protection. 

A hardware-enforced boundary — a data diode or unidirectional security gateway — provides protection that cannot be misconfigured or exploited. It enforces communication direction at the hardware layer, not the software layer. The physics of the device — a one-way optical fibre link, for example — make bidirectional communication impossible regardless of any software command or configuration change. Volt Typhoon cannot issue a command to a relay through a data diode any more than water can flow backwards through a one-way valve.

Data Diode Specification

Waterfall Security Solutions Unidirectional Security Gateway: Industrial-grade unidirectional gateway. Data flow from OT to IT (historian data, operational reporting, metering data): permitted. Data flow from IT to OT (commands, configurations, malware): physically impossible. Architecture: send-side hardware plus receive-side hardware connected by one-way fibre. No return path exists. Certified to IEC 62443-3-3 SL3. Deployed in nuclear and military environments globally. Application: OT historian data export, operational reporting to corporate systems, SCADA data for billing and regulatory compliance. Cost: EUR 30,000-80,000 per gateway depending on data throughput requirement.

Owl Cyber Defense Data Diode: FIPS 140-2 certified. Cross-domain solution approved for US government classified network transfers. Application: highest-assurance OT environments where IEC 62443 SL3 is required. Cost: EUR 40,000-100,000.

Where bidirectional communication is operationally required: Some OT integration scenarios require bidirectional data flow — vendor remote access for diagnostics, firmware update delivery, or SCADA command acknowledgement. Where bidirectional communication is genuinely required and cannot be implemented via a data diode, the alternative is a hardware security gateway (Claroty, Nozomi Networks, or equivalent) with deep packet inspection of all OT protocol traffic crossing the boundary, full session logging, anomaly detection, and a deny-by-default rule set that explicitly whitelists only the specific command types required for each approved use case.

THE FIREWALL IS NOT THE BOUNDARY: The most common OT security architecture failure in European CNI is relying on a perimeter firewall as the IT-OT boundary control while treating everything inside the firewall as trusted. The Target 2013 model — HVAC vendor credentials pivot through the firewall to the POS network — is the direct consequence. The boundary control must be hardware-enforced. The firewall provides perimeter defence. It does not provide an OT boundary. These are different functions requiring different technologies.

3.2 Layer 2 — Zero-Trust Vendor Access

Vendor remote access is the highest-impact, most frequently exploited OT security vulnerability in the confirmed attack record: Target 2013 (HVAC vendor credentials), County Mayo 2023 (Unitronics default credentials on internet-accessible PLC), and the Volt Typhoon pre-positioned access via VPN appliances. Every case is a vendor access failure. None required a novel exploit.

Zero-Standing-Access Architecture

Zero-standing-access means no vendor holds persistent credentials to any OT system at any time outside an active, authorised, monitored session. The architecture has five components:

Privileged Access Workstation (PAW): A dedicated hardware workstation provided by the operator (not the vendor's own laptop) through which all vendor OT access sessions are conducted. The PAW has no corporate IT network access, no internet connectivity, and no USB ports enabled. It connects to the OT environment via a dedicated, logged network pathway. The vendor's session is conducted through the PAW — the vendor never has direct network access to the OT system. Requirement basis: IEC 62443-2-4, Section 4.4 (Remote Access Security).

Per-session credential issuance: Vendor credentials for OT access are generated per-session by the operator's privileged access management (PAM) system — CyberArk, BeyondTrust, or equivalent. The credentials are valid for the duration of the session only. They are automatically voided when the session is closed. No vendor holds standing credentials. This eliminates the Volt Typhoon and Target attack model: there are no pre-positioned credentials to exfiltrate and use later.

Session recording: All vendor OT sessions are recorded — full keystroke logging, screen recording, and command capture — from session open to session close. Recordings are stored on an isolated logging server with no access from the OT or IT networks. Session recordings are retained for minimum 12 months. This provides a complete forensic record of every command issued during every vendor session.

Time limitation and scope restriction: Each vendor session is authorised for a defined time window (e.g., 09:00-12:00 on a specific date) and a defined scope (e.g., firmware update of the Relay 1A controller at Substation X only). Any commands outside the defined scope trigger an alert. Any session extending beyond the defined time window is automatically terminated. This prevents vendor credentials from being used for reconnaissance activities beyond the specific maintenance task.

Access review and revocation: At contract end, all vendor accounts are explicitly voided — not just deactivated, voided — from the PAM system. A quarterly access review confirms that no standing credentials exist for vendors whose contracts have expired. This is the specific control that would have prevented the Target 2013 breach.

Source: IEC 62443-2-4:2015 — Security Program Requirements for IACS Service Providers. IEC. Geneva. 2015. CyberArk. Privileged Access Management for OT Environments. Technical White Paper. 2024. BeyondTrust. Remote Access for OT/ICS Environments. Technical Documentation. 2024.
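The five components above, modelled as one session-gating routine. This is an added example in Python, not code from the paper or from any PAM product: vendor names, the target:action scope format and the alert strings are assumptions.

```python
"""Zero-standing-access model for vendor OT sessions.

Added example, not code from the original paper or from any PAM product: it
models the per-session credential, time window, scope restriction, session
recording, automatic termination and account voiding described in Section
3.2. Vendor names, the target:action scope format and the alert strings are
assumptions.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass
class Session:
    vendor: str
    start: datetime
    end: datetime
    scope: Set[str]                       # allowed "target:action" strings
    log: List[Tuple[datetime, str, str]] = field(default_factory=list)


class PAM:
    def __init__(self, contracts: Dict[str, datetime]):
        self.contracts = contracts                 # vendor -> contract end date
        self.sessions: Dict[str, Session] = {}     # live credential -> session
        self.recordings: List[Session] = []        # closed sessions (isolated log store)
        self.alerts: List[str] = []

    def open_session(self, vendor: str, start: datetime, end: datetime, scope: Set[str]) -> str:
        """Issue a credential that exists only for this session."""
        cred = secrets.token_urlsafe(24)
        self.sessions[cred] = Session(vendor, start, end, set(scope))
        return cred

    def authorise(self, cred: str, now: datetime, target: str, action: str) -> str:
        """Gate one command: live credential, inside the window, inside the scope."""
        s = self.sessions.get(cred)
        if s is None:
            return "denied: no active session for credential"
        if not (s.start <= now <= s.end):
            self.alerts.append(f"{s.vendor} session exceeded authorised window; terminated")
            self.close_session(cred)               # automatic termination
            return "denied: outside authorised window; session terminated"
        s.log.append((now, target, action))        # command capture for every attempt
        if f"{target}:{action}" not in s.scope:
            self.alerts.append(f"{s.vendor} attempted {action} on {target} outside scope")
            return "denied: outside authorised scope"
        return "permitted"

    def close_session(self, cred: str) -> None:
        """Void the credential; keep only the recording."""
        self.recordings.append(self.sessions.pop(cred))

    def void_vendor(self, vendor: str) -> int:
        """Contract end: remove every credential the vendor still holds."""
        stale = [c for c, s in self.sessions.items() if s.vendor == vendor]
        for c in stale:
            self.close_session(c)
        return len(stale)

    def quarterly_review(self, today: datetime) -> List[str]:
        """Vendors with expired contracts that still hold a live credential."""
        return sorted({s.vendor for s in self.sessions.values()
                       if self.contracts.get(s.vendor, today) < today})


def run_sample():
    pam = PAM({"relay_vendor": datetime(2025, 12, 31), "hvac_vendor": datetime(2024, 1, 31)})
    relay = "relay-1A@substation-x"
    cred = pam.open_session("relay_vendor", datetime(2024, 3, 6, 9, 0),
                            datetime(2024, 3, 6, 12, 0), {f"{relay}:firmware_update"})
    r1 = pam.authorise(cred, datetime(2024, 3, 6, 9, 30), relay, "firmware_update")
    r2 = pam.authorise(cred, datetime(2024, 3, 6, 9, 45), "scada-srv", "list_accounts")
    r3 = pam.authorise(cred, datetime(2024, 3, 6, 12, 15), relay, "firmware_update")
    r4 = pam.authorise(cred, datetime(2024, 3, 6, 12, 16), relay, "firmware_update")
    # A session left open by a vendor whose contract ended in January (constructed).
    pam.open_session("hvac_vendor", datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 17, 0), set())
    review_before = pam.quarterly_review(datetime(2024, 4, 1))
    pam.void_vendor("hvac_vendor")
    review_after = pam.quarterly_review(datetime(2024, 4, 1))
    return r1, r2, r3, r4, review_before, review_after, pam.alerts


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```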

3.3 Layer 3 — OT Behavioural Baselining and Anomaly Detection

Volt Typhoon is invisible to signature-based detection. There is no malware hash to detect, no known-bad binary to flag, no signature in any commercial antivirus database that identifies the attack. The only detection mechanism is behavioural: establishing what normal activity looks like in the OT environment — precisely, with statistical rigour — and alerting when deviations occur.

The Baselining Programme

OT behavioural baselining requires a minimum 30-day learning period during which the OT monitoring system observes and records all activity without generating alerts. The 30-day period establishes normal patterns across all dimensions that will subsequently be monitored: 

  • SCADA operator command frequency: how many circuit breaker commands, setpoint changes, and configuration modifications does each operator account issue per hour, per shift, per day — and at what times of day?

  • Engineering workstation network behaviour: which IP addresses does each engineering workstation communicate with, on which ports, and at what times?

  • OT device communication patterns: which devices communicate with which other devices, using which protocols and command types, at what frequencies?

  • Vendor access patterns: which vendor accounts access the system, from which PAW sessions, at what frequency, and for what duration?

  • Data volume: what is the normal volume of data transferred from OT devices to the historian server, and from the historian to the corporate network?

After 30 days, the baseline is reviewed by an OT security engineer to confirm it reflects genuine operational normal — not an anomalous period that happens to have been observed. Alert thresholds are then set at defined multiples of the baseline standard deviation for each monitored parameter. The 30-day learning period must be repeated after any significant operational change: a new SCADA system version, a major relay replacement programme, a change in operating procedures.

Alert Rules — The Volt Typhoon and Sandworm Signatures

SCADA command rate anomaly: Alert trigger: any SCADA operator account issuing circuit breaker commands at a rate more than 3 standard deviations above its 30-day baseline. Basis: the October 2022 Sandworm operation used a native MicroSCADA binary to open circuit breakers. The command rate was operationally inconsistent with normal grid operations. An operator account issuing 50 circuit breaker opens in 10 minutes during a period when no grid event would require that activity is a confirmed anomaly. Detection latency with a properly configured SIEM rule: less than 60 seconds.

Engineering workstation DNS anomaly: Alert trigger: any engineering workstation making DNS queries to domains not in its 30-day baseline whitelist. Basis: Volt Typhoon uses standard Windows DNS resolution for command-and-control communication. A SCADA engineering workstation has a narrow, stable set of DNS queries in normal operation — it communicates with the SCADA server, the historian, and the vendor update server. Any query to a new domain is a significant anomaly. This rule generated the detection events that eventually led to Volt Typhoon's identification in several victim environments.

Lateral movement from IT boundary: Alert trigger: any authentication event on an OT network device from a source IP address that is not in the OT network's approved address list. Basis: Volt Typhoon's lateral movement from IT to OT requires crossing the segmentation boundary, which generates an authentication event on the OT side. If the boundary is hardware-enforced by a data diode, this cannot occur. If it is software-enforced by a firewall, this alert is the detection mechanism.

After-hours OT access without pre-authorisation: Alert trigger: any authenticated session on any OT device outside defined operational hours (typically 06:00-22:00 on weekdays) without a pre-authorised maintenance window registered in the PAM system. Basis: state actor operations frequently occur during off-hours to avoid detection by on-shift operators. The Sandworm December 2015 operation against Ukrainian utilities included off-hours SCADA activity. An OT environment where all after-hours access requires pre-authorisation makes off-hours operation significantly harder to conduct undetected.

USB insertion on OT workstations: Alert trigger: any USB mass storage device insertion event on any OT workstation. Basis: Stuxnet delivery model. USB ports on OT workstations should be disabled by Group Policy (NERC CIP-007-6 requires disabling all unused logical ports). Where a USB port must remain enabled for legitimate operational reasons (e.g., firmware update delivery), the insertion of any USB device should generate an immediate alert to the security operations centre.

Source: CISA AA24-038A — Volt Typhoon detection indicators. ESET Research. Industroyer2 technical analysis. April 2022. Dragos Inc. Year in Review: OT Cybersecurity 2023. Dragos Inc. Hanover MD. 2024. Claroty. Global State of Industrial Cybersecurity 2023. Claroty Ltd. 2023.
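The baselining programme and the five alert rules above, as one detection routine run over constructed data. This is an added example in Python, not code from the paper or from any monitoring platform; event formats, account names, hostnames and addresses are assumptions.

```python
"""30-day behavioural baseline and the Section 3.3 alert rules.

Added example, not code from the original paper or from any monitoring
product: it learns per-account command rates, DNS whitelists and approved
source addresses from constructed sample data, then evaluates the five alert
rules against constructed events. Event formats, account names, hostnames
and addresses are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

OPS_START, OPS_END = time(6, 0), time(22, 0)   # weekday operational hours


@dataclass
class Baseline:
    command_rate: Dict[str, Tuple[float, float]] = field(default_factory=dict)  # account -> (mean, std)
    dns_whitelist: Dict[str, Set[str]] = field(default_factory=dict)  # workstation -> domains seen
    approved_sources: Set[str] = field(default_factory=set)  # addresses allowed to auth to OT


def learn_baseline(cmd_samples, dns_seen, approved) -> Baseline:
    """Learning period: record only, raise no alerts.
    cmd_samples: per account, breaker commands counted per 10-minute slot."""
    b = Baseline(approved_sources=set(approved))
    for account, counts in cmd_samples.items():
        b.command_rate[account] = (mean(counts), pstdev(counts))
    for host, domains in dns_seen.items():
        b.dns_whitelist[host] = set(domains)
    return b


def command_rate_alert(b, account, count, k=3.0) -> bool:
    """Breaker commands in one slot more than k standard deviations above baseline."""
    mu, sigma = b.command_rate[account]
    return count > mu + k * sigma


def dns_alert(b, host, domain) -> bool:
    """Engineering workstation resolving a domain outside its learned set."""
    return domain not in b.dns_whitelist.get(host, set())


def lateral_movement_alert(b, source_ip) -> bool:
    """Authentication to an OT device from an address not in the approved list."""
    return source_ip not in b.approved_sources


def after_hours_alert(when, account, windows) -> bool:
    """Session outside operational hours with no PAM-registered maintenance window.
    windows: (account, start, end) entries pre-authorised in the PAM system."""
    if when.weekday() < 5 and OPS_START <= when.time() < OPS_END:
        return False
    return not any(a == account and s <= when <= e for a, s, e in windows)


def evaluate(b, events, windows) -> List[str]:
    """Run every event through the matching rule; return the alerts raised."""
    alerts = []
    for ev in events:
        kind = ev["kind"]
        if kind == "breaker_cmd_rate" and command_rate_alert(b, ev["account"], ev["count"]):
            alerts.append(f"command_rate:{ev['account']}")
        elif kind == "dns" and dns_alert(b, ev["host"], ev["domain"]):
            alerts.append(f"dns:{ev['host']}:{ev['domain']}")
        elif kind == "ot_auth" and lateral_movement_alert(b, ev["src"]):
            alerts.append(f"lateral:{ev['src']}")
        elif kind == "session" and after_hours_alert(ev["when"], ev["account"], windows):
            alerts.append(f"after_hours:{ev['account']}")
        elif kind == "usb_mass_storage_insert":      # any insertion on an OT workstation
            alerts.append(f"usb:{ev['host']}")
    return alerts


# Constructed learning data: 30 days of 10-minute slots (12 slots repeated 360 times).
LEARNING_CMDS = {"op_day_shift": [0, 1, 0, 2, 1, 0, 0, 1, 3, 0, 1, 0] * 360}
LEARNING_DNS = {"eng-ws-01": ["scada-srv.ot.local", "historian.ot.local",
                              "updates.vendor.example"]}
BASELINE = learn_baseline(LEARNING_CMDS, LEARNING_DNS, ["10.20.0.10", "10.20.0.11"])

# Constructed PAM window and monitored events (2024-03-06 is a Wednesday).
WINDOWS = [("vendor_relay", datetime(2024, 3, 6, 22, 0), datetime(2024, 3, 7, 2, 0))]
EVENTS = [
    {"kind": "breaker_cmd_rate", "account": "op_day_shift", "count": 2},    # normal
    {"kind": "breaker_cmd_rate", "account": "op_day_shift", "count": 50},   # 50 in 10 min
    {"kind": "dns", "host": "eng-ws-01", "domain": "historian.ot.local"},   # whitelisted
    {"kind": "dns", "host": "eng-ws-01", "domain": "cdn-update.example"},   # new domain
    {"kind": "ot_auth", "src": "10.20.0.10"},                               # approved
    {"kind": "ot_auth", "src": "10.10.5.23"},                               # IT-side address
    {"kind": "session", "account": "vendor_relay", "when": datetime(2024, 3, 6, 23, 30)},
    {"kind": "session", "account": "op_day_shift", "when": datetime(2024, 3, 6, 23, 30)},
    {"kind": "usb_mass_storage_insert", "host": "hmi-01"},
]


def run_sample() -> List[str]:
    return evaluate(BASELINE, EVENTS, WINDOWS)


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

The vendor session at 23:30 raises nothing because a matching PAM window exists; the operator session at the same time does, which is the pre-authorisation distinction the after-hours rule turns on.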

3.4 Layer 4 — OT-Specific Monitoring Platforms

Standard IT security tools — antivirus, endpoint detection and response, SIEM platforms designed for IT environments — are largely ineffective in OT environments. OT networks carry protocols (Modbus, DNP3, IEC 60870-5-104, IEC 61850 GOOSE) that IT security tools do not understand. An IT SIEM platform that cannot parse IEC 60870-5-104 circuit breaker command structures cannot detect an anomalous circuit breaker open command within a normal-looking IEC 60870-5-104 session. OT-specific monitoring platforms are required.

Claroty Continuous Threat Detection: Passive network monitoring for OT environments. Learns the OT network topology, device inventory, and normal communication patterns through passive traffic observation — no active scanning that would disrupt OT device operation. Provides protocol-aware anomaly detection for Modbus, DNP3, IEC 60870-5-104, IEC 61850, BACnet, and 150+ additional OT protocols. Detects: new devices on the OT network; new communication paths between devices; changes in device firmware versions; anomalous command values (e.g., a setpoint command outside normal operating range). Certified to IEC 62443-4-2 (Component Security Requirements).

Nozomi Networks Guardian: Equivalent capability to Claroty. Also provides asset inventory management — generating and maintaining a real-time OT device inventory automatically from passive traffic observation. The device inventory addresses the County Mayo institutional finding: NCSC-IE did not have a complete picture of internet-exposed OT equipment before December 2023 because no systematic inventory existed. A Nozomi Guardian deployment generates and maintains that inventory automatically.

Dragos Platform: Specifically designed for electric utility and energy sector OT environments. Includes threat intelligence specific to the OT threat actor groups — Sandworm (ELECTRUM), Volt Typhoon (VOLTZITE), and others — with specific detection rules for their confirmed TTPs. The Dragos Platform was used in the detection and analysis of the Industroyer and Industroyer2 malware. Its deployment in Irish grid OT environments would provide threat-intelligence-driven detection specific to the actors confirmed to be targeting European grid infrastructure.

PASSIVE MONITORING — THE CRITICAL OT REQUIREMENT: Active scanning — the standard IT security technique of sending network packets to discover devices and check their status — is contraindicated in OT environments. Active scanning can cause OT devices to malfunction, restart, or drop communications. A Modbus PLC that receives an unexpected network scan packet may interpret it as a command and behave unexpectedly. OT monitoring must be passive: listening to existing network traffic, not generating new traffic. All three platforms above use passive monitoring exclusively. This is a non-negotiable requirement that differentiates OT security tooling from IT security tooling.

3.5 Layer 5 — Authentication Extension for Legacy Protocols

Modbus has no authentication. DNP3 in its base specification has no authentication. IEC 60870-5-104 in its base specification has no authentication. These protocols are the Aurora vulnerability, the County Mayo vulnerability, and the Sandworm circuit breaker command pathway — all enabled by the absence of authentication in the design of 1970s-1990s industrial protocols.

Two authentication extension standards address the two most critical protocols without requiring hardware replacement:

DNP3 Secure Authentication Version 5 (SA5) — IEEE 1815-2012 Annex A. Challenge-response authentication for DNP3 communications. The DNP3 master (SCADA server) and the DNP3 outstation (relay or RTU) exchange a cryptographic challenge before accepting commands. A Volt Typhoon operator who has compromised the SCADA server can still issue DNP3 commands — but an Aurora-class attack using DNP3 from a separate compromised device requires the cryptographic key held by the authorised master. SA5 can be implemented as a firmware update on many modern DNP3-capable relays and SCADA concentrators — hardware replacement is not required for compatible equipment. Deployment requires coordination between relay manufacturer, SCADA vendor, and protection engineering team. Basis: IEEE 1815-2012. Deployment status in European grid infrastructure: partial — some new installations include SA5 as a commissioning requirement; most legacy installations do not.

IEC 62351-5 — Authentication for IEC 60870-5 (including IEC 60870-5-104). Equivalent to DNP3 SA5 for IEC 60870-5-104 — the dominant telecontrol protocol in European grid SCADA. Provides authentication for IEC 60870-5-104 session establishment. Can be implemented as a firmware and software configuration update on compatible hardware. ABB MicroSCADA — the platform used in October 2022 Sandworm operation, deployed in Irish grid infrastructure — supports IEC 62351-5 in recent firmware versions. Deployment: partial in European grid infrastructure. Not currently mandated under CER or NIS2 but directly addressable under Article 21 risk management measures. Basis: IEC 62351-5:2013.
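To make the challenge-response mechanism shared by DNP3 SA5 and IEC 62351-5 concrete, here is an added model written for this paper. It is not the IEEE 1815-2012 Annex A or IEC 62351-5 wire format and not any vendor's implementation: message layout, the 4-byte sequence number, the 16-byte MAC truncation and the key values are simplifications chosen for the example. What it does show is the property the text relies on: a critical command is parked until the sender proves possession of the session key over a fresh challenge, so a device that lacks the key fails, and a captured valid reply cannot be replayed.

```python
"""Challenge-response authentication of critical commands, modelled on the
DNP3 SA5 / IEC 62351-5 pattern. Added illustration, not the standards' wire
format; lengths and keys below are constructed for the example."""
import hashlib
import hmac
import os

MAC_LEN = 16  # truncated HMAC-SHA256; 16 bytes is an assumed choice for the model


def compute_mac(key, csq, nonce, asdu):
    """MAC over challenge sequence number, challenge nonce and the parked ASDU."""
    msg = csq.to_bytes(4, "big") + nonce + asdu
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Outstation:
    """Relay/RTU side: never executes a critical ASDU without a valid reply."""

    def __init__(self, session_key):
        self._key = session_key
        self._csq = 0           # challenge sequence number, never reused
        self._pending = None    # (csq, nonce, asdu) awaiting authentication

    def receive_critical(self, asdu):
        """Park the critical ASDU and return a challenge (csq || nonce)."""
        self._csq += 1
        nonce = os.urandom(4)
        self._pending = (self._csq, nonce, asdu)
        return self._csq.to_bytes(4, "big") + nonce

    def receive_reply(self, reply_mac):
        """Execute the parked ASDU only if the MAC verifies; returns True/False."""
        if self._pending is None:
            return False
        csq, nonce, asdu = self._pending
        self._pending = None    # one attempt per challenge
        expected = compute_mac(self._key, csq, nonce, asdu)
        return hmac.compare_digest(expected, reply_mac)


class Master:
    """SCADA master side: answers a challenge with the shared session key."""

    def __init__(self, session_key):
        self._key = session_key

    def answer_challenge(self, challenge, asdu):
        csq = int.from_bytes(challenge[:4], "big")
        nonce = challenge[4:]
        return compute_mac(self._key, csq, nonce, asdu)


def attempt_command(master, outstation, asdu):
    """Full exchange: critical ASDU -> challenge -> reply -> accept/reject."""
    challenge = outstation.receive_critical(asdu)
    return outstation.receive_reply(master.answer_challenge(challenge, asdu))


def demo():
    """Authorised master passes; a device without the key fails; replay fails."""
    key = b"constructed-session-key-for-example-only"
    outstation = Outstation(key)
    authorised = Master(key)
    rogue = Master(b"constructed-wrong-key")          # separate device, no key
    asdu = bytes.fromhex("0c01030001")                 # constructed control request
    results = {
        "authorised": attempt_command(authorised, outstation, asdu),
        "rogue": attempt_command(rogue, outstation, asdu),
    }
    # Replay: a genuine reply captured earlier is presented to a fresh challenge.
    challenge = outstation.receive_critical(asdu)
    genuine_reply = authorised.answer_challenge(challenge, asdu)
    results["genuine_once"] = outstation.receive_reply(genuine_reply)
    outstation.receive_critical(asdu)                  # new csq and nonce
    results["replay"] = outstation.receive_reply(genuine_reply)
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the model does not protect against, exactly as the text states: an operator who has taken over the SCADA server holds the session key and passes the challenge. The control closes the separate-device pathway, not the compromised-master pathway, which is why it sits alongside segmentation and vendor access controls rather than replacing them.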

MODBUS — NO AUTHENTICATION STANDARD EXISTS: Modbus has no authentication extension standard. There is no IEC 62351 equivalent for Modbus because Modbus's design does not support it architecturally. The only mitigation for Modbus authentication exposure is network segmentation — preventing any unauthorised device from reaching the Modbus-enabled equipment. This is a design characteristic of the protocol, not a deployment gap. Every Modbus-enabled device in an OT environment must be protected by network architecture controls because the protocol itself cannot provide authentication. This applies to every water utility PLC, every building management controller, and every legacy energy sector RTU using Modbus in operational Irish infrastructure today.

4. The Purdue Model — Where Each Layer Sits

The Purdue Enterprise Reference Architecture (originally published in 1992 by Theodore J. Williams, Purdue University — PERA) provides the hierarchical model that organises OT network segmentation into defined levels with defined communication rules between levels. Despite its age, the Purdue model remains the governing architectural framework in IEC 62443-3-3 and NIST SP 800-82 Rev 3. Understanding it is prerequisite to implementing the defence-in-depth architecture.

4.1 Purdue Level Definitions

Level 0 — Field devices: Physical process: sensors, actuators, motors, valves, circuit breakers. Direct interface with the physical world. No network connectivity in most legacy deployments — communication via analogue 4-20 mA signals or direct wiring to Level 1 controllers.

Level 1 — Basic control: PLCs, RTUs, protection relays, DCS controllers. Executes the control logic — reads Level 0 sensors, executes programmed control algorithms, issues commands to Level 0 actuators. Communicates using Modbus, DNP3, IEC 60870-5-101 (serial), Profibus, DeviceNet, or similar field protocols.

Level 2 — Supervisory control: SCADA servers, HMI workstations, engineering workstations. Provides operator visibility of the process and allows operator intervention. Communicates with Level 1 devices using IEC 60870-5-104 (TCP/IP), DNP3 over TCP/IP, OPC DA/UA, or Modbus TCP. This is the level at which Sandworm's Industroyer and the October 2022 native MicroSCADA attack operated.

Level 3 — Site operations: Historian servers, batch management systems, site-level reporting, maintenance management. Aggregates Level 2 data for site-level operations. First level at which IT-type functionality begins to appear. The boundary between Level 3 and Level 4 is the IT-OT boundary — the most critical segmentation point in the architecture.

Level 4 — Business logistics network: Corporate IT network: ERP systems, email, office productivity tools, internet access. No operational technology functions. Connection to Level 3 must be strictly controlled and preferably hardware-enforced.

Level 5 — Enterprise network / internet: External connectivity. No direct connection to Level 3 or below is ever architecturally acceptable. All Level 5 to Level 3 data flows must traverse the IT-OT boundary with hardware enforcement.

The IEC 62443-3-3 Security Levels are applied per zone and conduit — a zone being a logical grouping of OT assets with common security requirements, and a conduit being the controlled communication pathway between zones. Each zone is assigned a Security Level (SL0-SL4) based on its criticality and the consequence of compromise. The conduits between zones carry the security requirements — a conduit between an SL2 zone (Level 2 SCADA) and an SL1 zone (Level 1 PLCs) must enforce the SL2 requirements at the boundary.

Source: Williams, T.J. (1992) A Reference Model for Computer Integrated Manufacturing from the Viewpoint of Industrial Automation. Purdue University. IEC 62443-3-3:2013 — System Security Requirements and Security Levels. NIST SP 800-82 Rev 3: Guide to Operational Technology Security. September 2023.
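The zone-and-conduit rules in 4.1, together with the source whitelisting of Modbus (port 502) and IEC 60870-5-104 (port 2404) called for under NERC CIP-007-6 in 5.2, can be written down as a checkable policy. The following is an added example for this paper, not part of any product or standard: zone names, IP addresses, the conduit table and the port for historian collection are constructed. It validates a conduit table against the architectural rules stated above (no Level 5 conduit to Level 3 or below, Level 4 to Level 3 only through a hardware-enforced boundary, conduits joining adjacent levels only, the conduit carrying the higher zone's SL) and then classifies observed flows against it.

```python
"""Zone/conduit policy check for a Purdue-structured OT network.

Added example for this paper; zones, hosts, ports and conduits are constructed.
"""
from dataclasses import dataclass

OT_CONTROL_PORTS = {502: "Modbus/TCP", 2404: "IEC 60870-5-104"}
HARDWARE_ENFORCED = {"data_diode", "hardware_gateway"}


@dataclass(frozen=True)
class Zone:
    name: str
    level: int   # Purdue level
    sl: int      # IEC 62443-3-3 target security level


@dataclass(frozen=True)
class Conduit:
    src: str                      # zone that initiates the flow
    dst: str                      # zone that receives it
    ports: frozenset              # permitted destination TCP ports
    enforcement: str = "firewall"
    allowed_sources: frozenset = frozenset()   # whitelisted source IPs for OT control ports


def conduit_sl(zones, c):
    """A conduit must enforce the higher of the two zones' security levels."""
    return max(zones[c.src].sl, zones[c.dst].sl)


def validate_conduits(zones, conduits):
    """Return a list of rule violations in the conduit table (empty if clean)."""
    errors = []
    for c in conduits:
        hi = max(zones[c.src].level, zones[c.dst].level)
        lo = min(zones[c.src].level, zones[c.dst].level)
        if hi == 5 and lo <= 3:
            errors.append(f"{c.src}->{c.dst}: Level 5 may never connect to Level 3 or below")
        elif hi - lo > 1:
            errors.append(f"{c.src}->{c.dst}: conduit skips a Purdue level")
        elif {hi, lo} == {3, 4} and c.enforcement not in HARDWARE_ENFORCED:
            errors.append(f"{c.src}->{c.dst}: IT-OT boundary must be hardware-enforced")
    return errors


def check_flow(zones, hosts, conduits, src_ip, dst_ip, dst_port):
    """Classify one observed flow as ok or as a violation, with the reason."""
    src_zone, dst_zone = hosts.get(src_ip), hosts.get(dst_ip)
    if src_zone is None or dst_zone is None:
        return "violation: unknown asset (not in inventory)"
    if src_zone == dst_zone:
        return "ok: intra-zone"
    for c in conduits:
        if c.src == src_zone and c.dst == dst_zone and dst_port in c.ports:
            if dst_port in OT_CONTROL_PORTS and src_ip not in c.allowed_sources:
                return f"violation: {OT_CONTROL_PORTS[dst_port]} from non-whitelisted source"
            return f"ok: conduit {c.src}->{c.dst} (SL{conduit_sl(zones, c)})"
    return "violation: no declared conduit"


# Constructed sample policy
ZONES = {z.name: z for z in [
    Zone("level1_control", 1, 1),
    Zone("level2_scada", 2, 2),
    Zone("level3_site", 3, 2),
    Zone("level4_corporate", 4, 1),
]}
HOSTS = {
    "10.1.1.20": "level1_control",    # PLC
    "10.1.1.21": "level1_control",    # RTU
    "10.1.2.10": "level2_scada",      # SCADA server
    "10.1.2.11": "level2_scada",      # engineering workstation
    "10.1.3.5": "level3_site",        # historian
    "10.10.0.50": "level4_corporate", # corporate workstation
}
CONDUITS = [
    Conduit("level2_scada", "level1_control", frozenset({502, 2404}),
            allowed_sources=frozenset({"10.1.2.10"})),
    Conduit("level2_scada", "level3_site", frozenset({443})),   # historian collection (assumed port)
    Conduit("level3_site", "level4_corporate", frozenset({443}), enforcement="data_diode"),
]

if __name__ == "__main__":
    print("conduit errors:", validate_conduits(ZONES, CONDUITS))
    for flow in [("10.1.2.10", "10.1.1.20", 502), ("10.1.2.11", "10.1.1.20", 502),
                 ("10.10.0.50", "10.1.1.20", 502), ("192.0.2.9", "10.1.2.10", 2404)]:
        print(flow, "->", check_flow(ZONES, HOSTS, CONDUITS, *flow))
```

Feeding the flow records from the passive monitoring platform through `check_flow` turns the conduit table into a continuous check rather than a one-off design document; an "unknown asset" verdict is also the practical signal that the asset inventory is incomplete.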

4.2 Where the Five Defence Layers Map to the Purdue Model

Layer 1 — OT Network Segmentation: Enforced at the Level 3 to Level 4 boundary: data diode or hardware security gateway between the site historian (Level 3) and the corporate IT network (Level 4). Also enforced at the Level 2 to Level 3 boundary where the SCADA network connects to site operations systems.

Layer 2 — Zero-Trust Vendor Access: Applied at the Level 2 boundary: all vendor access to SCADA servers and engineering workstations conducted via PAW connected to a dedicated vendor access zone, not directly to the Level 2 SCADA network.

Layer 3 — Behavioural Baselining: Applied at Level 2: monitoring of all SCADA operator commands, engineering workstation network behaviour, and data flows between Level 2 and Level 1. Alert rules specific to the SCADA platform and OT protocol suite deployed.

Layer 4 — OT Monitoring Platform: Passive monitoring deployed at Level 1 and Level 2: network taps on the Level 1 field device network (Modbus/DNP3 traffic) and the Level 2 SCADA network (IEC 60870-5-104/OPC traffic). Platform receives copies of all traffic without generating any traffic of its own.

Layer 5 — Authentication Extensions: Applied at Level 1 to Level 2 communications: DNP3 SA5 on all DNP3-capable relays and RTUs; IEC 62351-5 on all IEC 60870-5-104 capable SCADA concentrators and Level 1 controllers. Firmware update programme coordinated with relay and SCADA vendors.

5. Implementation — Sequencing, Cost, and Regulatory Alignment

5.1 Implementation Sequence — Risk Priority Order

Immediate — zero capital required: Vendor access audit: identify all standing vendor credentials to OT systems. Revoke all standing credentials immediately. Establish the zero-standing-access PAM process before reinstating any vendor access. This action costs nothing and directly closes the Target/County Mayo attack pathway. For every vendor with current standing credentials: generate a time-limited session credential on demand, conduct the session via a monitored pathway, void the credential at session end.

Phase 1 — 0-3 months: Deploy OT monitoring platform (Claroty, Nozomi, or Dragos) in passive monitoring mode on the Level 2 SCADA network. Begin 30-day baselining period — no alerts generated, logging only. Audit all USB ports on OT workstations — disable all that are not required for a specific documented operational purpose (NERC CIP-007-6). Audit all internet-facing services associated with the OT boundary — VPN appliances, remote access gateways, historian data export pathways. Indicative cost: EUR 40,000-120,000 for platform deployment and initial baseline configuration. 

Phase 2 — 3-9 months: Activate alert rules on OT monitoring platform using baselines established in Phase 1. Implement hardware-enforced IT-OT boundary: data diode for one-way historian data export, hardware security gateway for any required bidirectional integration. Deploy PAM system for vendor access management with session recording. Indicative cost: EUR 80,000-200,000 for hardware boundary controls and PAM deployment.

Phase 3 — 9-24 months: DNP3 SA5 and IEC 62351-5 authentication extension deployment: firmware update programme coordinated with relay and SCADA vendors. Aurora protection relay installation programme on transmission-critical rotating assets (see companion paper: Aurora and OT Cyber-Physical Destruction). OT asset inventory completion — all Level 1 and Level 2 devices documented with firmware version, protocol configuration, authentication status, and remote access configuration. Indicative cost: EUR 100,000-300,000 depending on number of sites and relay/SCADA platform diversity.

5.2 Regulatory Alignment — What Each Control Satisfies

IEC 62443-3-3 SL2 (NIS2 Article 21 requirement): Satisfied by: Layer 1 (network segmentation with hardware-enforced boundary); Layer 2 (zero-standing-access vendor management); Layer 5 (protocol authentication extensions where deployed). IEC 62443-3-3 SL2 is the minimum level required for water, energy, and transport OT environments under NIS2 Article 21 risk management measures.

NERC CIP-007-6 (port and service management): Satisfied by: USB port disablement audit; disablement of all unused logical ports on OT devices; network access controls restricting Modbus (port 502) and IEC 60870-5-104 (port 2404) to whitelisted source IP addresses only.

CER Directive Article 12/13: Satisfied by: the complete five-layer architecture constituting an all-hazards risk assessment with proportionate resilience measures. An operator who can demonstrate Phase 1-3 implementation has a defensible CER Article 13 position. An operator who has not implemented Layer 1 (hardware-enforced boundary) and Layer 2 (zero-standing-access) has no defensible position against a NIS2 Article 21 enforcement action following an OT breach via vendor access or IT-OT pivot.

CRA (from December 2027): Satisfied by procurement standard: all OT equipment procured from 2025 onwards must include CRA compliance as a contractual requirement — no default passwords, manufacturer-provided security updates for the device lifetime, vulnerability disclosure to ENISA within 24 hours. This procurement standard is implementable now, before CRA's full application date, and prevents the default credential condition that enabled the County Mayo attack.

5.3 Cost Summary

Full Phase 1-3 implementation for a medium-scale OT environment (one to three substations or equivalent, 20-50 Level 1 devices, single SCADA platform):

  • Phase 1 (monitoring deployment and vendor audit): EUR 40,000-120,000 capital; EUR 15,000-30,000 annual platform subscription.

  • Phase 2 (hardware boundary and PAM): EUR 80,000-200,000 capital; EUR 10,000-20,000 annual maintenance.

  • Phase 3 (authentication extensions and inventory): EUR 100,000-300,000 capital including vendor coordination costs; EUR 5,000-15,000 annual.

  • Total capital over 24 months: EUR 220,000-620,000. Annual opex: EUR 30,000-65,000.

Against the HSE 2021 documented recovery cost of EUR 100 million-plus — a Tier 3 ransomware group with no OT-specific capability — and against the October 2022 Sandworm operation consequence for Ukrainian infrastructure (estimated USD 800 million in total infrastructure reconstruction costs, World Bank assessment 2023), the full Phase 1-3 implementation cost represents less than 0.1% of the consequence it is designed to prevent.

THE CRITICAL INSIGHT: The defence-in-depth architecture in this paper does not require choosing between security and operational functionality. The data diode allows historian data export — it just prevents reverse traffic. Zero-standing-access allows vendor maintenance — it just requires the session to be authorised, monitored, and time-limited. Passive OT monitoring observes all traffic without disrupting it. DNP3 SA5 and IEC 62351-5 add authentication to existing protocol sessions without replacing the protocol. None of these controls is an air gap. None of them imposes the operational constraints that make genuine air gaps unworkable. All of them are more effective against the confirmed Volt Typhoon and Sandworm attack models than an air gap that gets violated for operational reasons and never secured.

6. Conclusion

Air-gapping is the right instinct aimed at the right threat — network-delivered attacks. It fails as an implementation strategy because it cannot be maintained operationally, because it creates a false sense of security that prevents the implementation of controls that would actually work, and because nation-state actors have already demonstrated they solve the air-gap problem when sufficiently motivated. Stuxnet solved it in 2010. Ben-Gurion University has published a catalogue of solutions since 2014. The Volt Typhoon initial access technique — compromising VPN appliances and internet-facing services — exploits the connectivity that was always there beneath the claimed air gap.

The five-layer architecture addresses the confirmed attack methodologies rather than the conceptual model of connectivity as vulnerability. Layer 1 closes the network pivot pathway that Volt Typhoon uses — but with a hardware-enforced mechanism that cannot be misconfigured or compromised, not a software firewall that can be. Layer 2 eliminates the pre-positioned credential that the Target/County Mayo model exploits. Layer 3 detects Living-off-the-Land behaviour that signature detection cannot see. Layer 4 provides protocol-aware OT monitoring that IT security tools cannot provide. Layer 5 adds authentication to the protocols that Aurora, County Mayo, and Sandworm exploit precisely because authentication was never designed in.

The implementation sequence is deliberately designed to front-load the zero-capital controls — vendor credential audit and revocation — because they address the highest-impact, most immediately exploitable vulnerability in most Irish OT environments. The capital programme follows in a sequence that delivers the highest risk reduction per euro spent, starting with detection (passive, non-disruptive, immediately actionable) and progressing through hardware boundary enforcement to protocol authentication. 

The regulatory framework is now aligned with the technical requirement. NIS2 Article 21 mandates IEC 62443-3-3 SL2 — which this architecture satisfies. CER Article 12/13 mandates the risk assessment and proportionate measures — which this architecture provides. The CRA from December 2027 prohibits the default credential configuration that enabled County Mayo — which the procurement standard in Phase 3 addresses now. The question for Irish CNI operators is whether the implementation programme will precede or follow the first Sandworm or Volt Typhoon effect against Irish OT infrastructure. The intelligence picture — Volt Typhoon's confirmed collection of SCADA relay documentation from Western infrastructure, Sandworm's confirmed January 2026 attack on a NATO member's grid — suggests the timeline is shorter than most risk assessments have assumed.

References and Primary Sources

  1. CISA, NSA, FBI, Five Eyes. Advisory AA24-038A: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. February 2024.

  2. Microsoft Threat Intelligence. Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. May 2023.

  3. ESET Research. Industroyer2: Industroyer reloaded. ESET. April 2022.

  4. Microsoft MSTIC. IRIDIUM actor expands targets to include Ukraine energy sector. November 2022.

  5. Falliere, N., Murchu, L.O. and Chien, E. (2011) W32.Stuxnet Dossier. Version 1.4. Symantec Security Response. February 2011.

  6. Langner, R. (2011) Stuxnet: Dissecting a Cyberweapon. IEEE Security and Privacy, 9(3): 49-51.

  7. Guri, M. et al. (2014) AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies. IEEE MALWARE 2014.

  8. Guri, M. et al. (2015) BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations. IEEE CSF 2015.

  9. Guri, M. et al. (2016) Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers. arXiv:1606.05915.

  10. Guri, M. et al. (2018) MAGNETO: Covert Channel between Air-Gapped Systems and Nearby Smartphones. arXiv:1802.02317.

  11. IEC 62443-3-3:2013 — Industrial Communication Networks — IT Security for Networks and Systems — System Security Requirements and Security Levels. IEC. Geneva. 2013.

  12. IEC 62443-2-1:2010 — Establishing an IACS Security Program. IEC. Geneva. 2010.

  13. IEC 62443-2-4:2015 — Security Program Requirements for IACS Service Providers. IEC. Geneva. 2015.

  14. IEC 62443-4-2:2019 — Technical Security Requirements for IACS Components. IEC. Geneva. 2019.

  15. IEC 62351-5:2013 — Power Systems Management — Data and Communications Security — Part 5: Security for IEC 60870-5 and derivatives. IEC. Geneva. 2013.

  16. IEEE 1815-2012 — Distributed Network Protocol (DNP3). IEEE. 2012. Including Annex A: Secure Authentication Version 5.

  17. NIST SP 800-82 Rev 3: Guide to Operational Technology (OT) Security. NIST. September 2023.

  18. NERC CIP-007-6: Cyber Security — Systems Security Management. NERC. Effective July 2016.

  19. Williams, T.J. (1992) A Reference Model for Computer Integrated Manufacturing — the Purdue Enterprise Reference Architecture. Purdue University. West Lafayette IN.

  20. CISA. Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs. December 2023.

  21. Dragos Inc. Year in Review: OT Cybersecurity 2023. Dragos Inc. Hanover MD. 2024.

  22. Claroty. Global State of Industrial Cybersecurity 2023. Claroty Ltd. New York. 2023.

  23. Waterfall Security Solutions. Unidirectional Security Gateway Technical Overview. 2024.

  24. World Bank. Ukraine — Rapid Damage and Needs Assessment. March 2023. [Infrastructure reconstruction cost estimates.]

  25. European Union. NIS2 Directive: Directive (EU) 2022/2555. December 2022.

  26. European Union. CER Directive: Directive (EU) 2022/2557. December 2022. Transposed as S.I. 559/2024.

  27. European Union. CRA: Regulation (EU) 2024/2847 on Horizontal Cybersecurity Requirements for Products with Digital Elements. October 2024.
