USE CASES

Protect Legacy OT Devices

TLDR: Virtual Air Gaps for OT Devices

A Zero Trust gateway creates a "virtual air gap" to protect unpatchable legacy OT devices. It acts as a strict gatekeeper, verifying every connection and only allowing authorized traffic. This isolates your old gear from cyber threats, like a physical air gap, but without disrupting operations. It's a secure, software-defined barrier, keeping hackers out and your critical systems running.

Challenge Met: Virtual Patching for Unpatchable OT Devices

Zero-day vulnerabilities in unpatchable OT devices pose a critical threat. While traditional patching is impossible, virtual air gaps and network cloaking offer a powerful, proactive defense, effectively acting as a "virtual patch." By making these devices invisible to unauthorized users and external threats, network cloaking eliminates the attack surface, preventing exploitation even if a zero-day vulnerability exists. The devices are hidden in plain sight, accessible only to verified, authorized users.

Simultaneously, the virtual air gap, created by a Zero Trust gateway, enforces strict access control, verifying every connection before allowing traffic to reach the protected devices.

This prevents unauthorized access and limits the potential impact of a successful exploit, even if an attacker discovers a zero-day. Essentially, these technologies create a protective barrier, isolating the vulnerable devices from the outside world and minimizing their exposure to potential attacks. They provide a layer of security that operates independently of the device’s inherent vulnerabilities, buying critical time until a permanent patch or replacement can be implemented.

The Ideal World: Cloaked and Segmented Virtual Air Gaps

Imagine creating a virtual air gap, a secure isolation zone, for your vulnerable legacy OT devices, without physically disconnecting them. Network cloaking achieves just that. By rendering these unpatchable systems invisible to unauthorized users and external threats, cloaking effectively simulates the security benefits of an air gap, but without the operational limitations.

These legacy devices, often critical to operations but lacking modern security features, become hidden in the digital shadows. They remain accessible to authorized personnel with verified BlastShield clients, but are completely undetectable to external attackers. This means that even if a breach occurs elsewhere in the network, the cloaked devices remain protected, isolated from the threat.

This virtual air gap provides a powerful defense against known and unknown vulnerabilities. It prevents lateral movement within the network, limiting the impact of a successful attack.

It also protects against zero-day exploits and other emerging threats to which legacy devices are particularly susceptible. Network cloaking allows you to maintain the functionality of your critical legacy systems while significantly reducing their risk exposure, effectively bridging the gap between operational necessity and security imperative.

How We Do It:

Virtual Air Gap for Unpatchable OT Devices using Network Cloaking and Zero Trust Access

This outlines a technical configuration combining network cloaking and zero trust access to create a "virtual air gap" for unpatchable OT devices, minimizing their exposure and potential attack surface.

Rationale:

Unpatchable OT devices pose significant security risks due to known vulnerabilities. An actual air gap is often impractical, but a virtual air gap aims to replicate its security benefits by minimizing network exposure and enforcing strict access controls.

Technical Configuration:

Network Cloaking

  • Deploy Network Cloaking as a secure overlay to the OT network:
    • Deploy BlastShield in front of the unpatchable OT segment.
    • Implement the cloaking overlay to hide the internal IP address space.
    • Deny all external connections except Zero Trust Access.
  • Protocol Filtering and Obfuscation:
    • Allow only the OT protocols each device or device group requires for operation.
  • Dynamic DNS for the Overlay Cloak:
    • Use dynamic DNS to map device hostnames to cloaked IP addresses.

Zero Trust Access

  • Deploy BlastShield:
    • Deploy a BlastShield gateway between the cloaked OT segment and the rest of the network.
    • Configure the gateway to act as a micro-segmentation controller.
  • Identity-Based Access Control:
    • Activate Secure Remote Access and Authentication on BlastShield.
    • Optionally, integrate BlastShield with an IdP (e.g., Active Directory, Azure AD).
    • Define granular access policies based on user/device identities.
  • Least Privilege Principle:
    • Grant access only to authorized users or devices based on the principle of least privilege.
    • Require explicit authorization for all access requests.
  • Contextual Access Control:
    • Consider factors like time, location, and device posture when granting access.
    • Implement multi-factor authentication (MFA) for all access attempts.
  • Microsegmentation:
    • Create microsegments within the cloaked OT network based on device function or criticality.
    • Enforce strict access control policies between microsegments.
  • Secure Remote Access (If Required):
    • Force all remote access through the BlastShield gateway.
    • Implement strong authentication and encryption for remote sessions.
    • Segment remote access based on roles and responsibilities.
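
The two lists above describe policy rather than code. To make the evaluation order concrete, the following is an added example (my own Python, not BlastShield's software or its configuration format) of a default-deny policy evaluator that applies the steps in the order the lists imply: per-segment protocol allowlisting from the cloaking section, then enrolled-device, passwordless-MFA and device-posture checks, then an explicit least-privilege policy match with a time window as the contextual check, and a structured audit record for the monitoring step. Segment names, roles, users and policies are constructed sample data; the field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Segment:
    name: str
    allowed_protocols: frozenset   # essential OT protocols for this device group

@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified: bool             # passwordless MFA completed for this session
    device_authorized: bool        # request arrives from an enrolled client
    device_posture_ok: bool        # posture check passed (patch level, encryption, ...)

@dataclass(frozen=True)
class Request:
    principal: Principal
    source_segment: str
    target_segment: str
    protocol: str
    at: time                       # local time at which the request is evaluated

@dataclass(frozen=True)
class Policy:
    # Explicit allow: role may use these protocols from source to target in the window.
    role: str
    source_segment: str
    target_segment: str
    protocols: frozenset
    window: tuple                  # (start, end) inclusive; may wrap past midnight

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def in_window(t: time, window: tuple) -> bool:
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # window crosses midnight

def evaluate(req: Request, segments: dict, policies: list) -> Decision:
    """Default-deny evaluation, in the order the configuration steps imply."""
    # 1. Only cloaked segments the gateway knows about are reachable at all.
    target = segments.get(req.target_segment)
    if target is None:
        return Decision(False, "unknown target segment")
    # 2. Protocol filtering: only the essential protocols for this device group.
    if req.protocol not in target.allowed_protocols:
        return Decision(False, f"protocol {req.protocol!r} not essential for {target.name}")
    # 3. Identity and context: enrolled device, passwordless MFA, healthy posture.
    p = req.principal
    if not p.device_authorized:
        return Decision(False, "device not enrolled")
    if not p.mfa_verified:
        return Decision(False, "MFA not verified")
    if not p.device_posture_ok:
        return Decision(False, "device posture check failed")
    # 4. Least privilege: an explicit policy must match role, path and protocol;
    #    the time window is the contextual check applied on top of the match.
    window_miss = False
    for pol in policies:
        if (pol.role in p.roles and pol.source_segment == req.source_segment
                and pol.target_segment == req.target_segment
                and req.protocol in pol.protocols):
            if in_window(req.at, pol.window):
                return Decision(True, f"matched policy for role {pol.role!r}")
            window_miss = True
    if window_miss:
        return Decision(False, "outside permitted time window")
    return Decision(False, "no explicit policy grants this access")

def audit_record(req: Request, d: Decision) -> dict:
    """Structured log entry for the monitoring step; every denial carries its reason."""
    return {"user": req.principal.user, "src": req.source_segment,
            "dst": req.target_segment, "proto": req.protocol,
            "time": req.at.isoformat(timespec="minutes"),
            "result": "ALLOW" if d.allowed else "DENY", "reason": d.reason}

# Constructed sample topology, policies and identities (not from any real site).
SEGMENTS = {
    "plc-cell-a": Segment("plc-cell-a", frozenset({"modbus"})),
    "hmi-zone": Segment("hmi-zone", frozenset({"opcua"})),
}
POLICIES = [
    Policy("ot-engineer", "engineering-ws", "plc-cell-a", frozenset({"modbus"}),
           (time(6, 0), time(18, 0))),
    Policy("operator", "hmi-zone", "plc-cell-a", frozenset({"modbus"}),
           (time(22, 0), time(6, 0))),  # night-shift window wraps midnight
]
ENGINEER = Principal("alice", frozenset({"ot-engineer"}), True, True, True)
OPERATOR = Principal("bob", frozenset({"operator"}), True, True, True)

def decide(principal, src, dst, proto, hour, minute=0) -> Decision:
    """Evaluate one request against the sample topology and policies."""
    req = Request(principal, src, dst, proto, time(hour, minute))
    return evaluate(req, SEGMENTS, POLICIES)
```

Note the ordering: the protocol allowlist is checked before identity, so a request for a protocol the device group does not need is refused without ever consulting the policy table, and a fully verified engineer coming from the wrong segment (or from outside the cloak) still gets no access because no explicit policy grants it. Every denial returns a specific reason so the audit record tells the monitoring team which control fired.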

Implementation Considerations:

  • OT Protocol Awareness: Ensure security measures do not interfere with legitimate OT protocol traffic.
  • Performance Impact: Evaluate the performance impact of network cloaking and ZTA on OT network operations.
  • Redundancy: Implement redundancy for critical components to minimize downtime.
  • Security Hardening: The BlastShield gateway itself can only be accessed with passwordless MFA and from authorized devices.
  • Documentation: Maintain detailed documentation of the configuration.
  • Regular Audits: Conduct regular security audits to ensure ongoing compliance and effectiveness.
  • Change Management: Implement strict change management procedures for OT devices and security configurations.
  • Monitoring: Implement robust logging and monitoring for the BlastShield systems.

Benefits:

  • Reduced Attack Surface: Network cloaking minimizes the visibility of unpatchable OT devices.
  • Granular Access Control: BlastShield enforces strict access controls, limiting the potential impact of a breach.
  • Enhanced Compliance: Helps meet regulatory requirements and industry standards.

By combining network cloaking with zero trust access, organizations can create a strong "virtual air gap" for unpatchable OT devices, significantly reducing their risk of compromise.