Recently, we published a piece arguing that the air gap, the long-standing belief that physically isolated OT systems are inherently safe, no longer matches how industrial environments actually operate. If you have not read The Dangerous Myth of the Air Gap, it is worth a look because the foundation of this post sits on top of it.
What has changed since then is not the argument. It is the evidence.
Volt Typhoon, the Chinese state-aligned threat group also tracked as VOLTZITE, has spent the last several years operating quietly inside U.S. critical infrastructure. CISA, the NSA, and the FBI have published advisories. Industry threat intel has confirmed multi-year dwell times inside utilities. Public reporting has documented operators pulling SCADA data, historian content, and OT device configurations, not just IT-side reconnaissance.
The point of this post is not to recap Volt Typhoon. We covered that in detail in How to Hunt for Volt Typhoon Activity in an OT Network, and we will reference that work throughout. The point is to look at what this adversary has demonstrated through the lens of the air gap question, because the original myth was a conceptual problem. Volt Typhoon has turned it into an empirical one.
The air gap myth in OT security is no longer just inaccurate. It is the exact assumption a patient adversary is counting on.
Key takeaways
- CISA has confirmed Volt Typhoon maintained footholds in some victim IT environments for at least five years, not days or weeks.
- The publicly stated assessment from CISA and ODNI is that this group is pre-positioning for disruption during a future crisis, not causing damage today.
- Volt Typhoon relies almost entirely on living-off-the-land techniques by leveraging valid accounts and native Windows tools, so there is very little malware to signature.
- A confirmed intrusion at a Massachusetts electric and water utility showed the IT to OT pivot happening through shared identity infrastructure, not a dramatic exploit.
- Segmentation and air gaps still matter, but they only raise the cost of intrusion. They do not replace the need for OT-side visibility.
A Quick Refresh on Where We Left the Air Gap Conversation
For readers coming in fresh, the original post made a fairly direct case. Modern OT environments do not operate in isolation, regardless of what the network diagram suggests. The connectivity vectors that break the gap are well documented: removable media moving between sites, engineering workstations that touch both IT and OT, vendor remote access for support and updates, temporary connections that nobody logged, and the broader pressure of IT/OT convergence pulling data and identity infrastructure across what used to be hard boundaries.
We argued that the most dangerous part of the air gap was not its absence in practice. It was the false confidence that the belief created. Teams that assumed isolation often skipped monitoring, skipped inventory hygiene, skipped detection engineering on the OT side, and ended up with environments that were neither truly isolated nor actively defended.
That was the conceptual problem. The reason we are returning to it now is that, in the time since we published, a specific adversary’s tradecraft has made the abstract argument concrete in a way the industry can no longer talk around.
What Volt Typhoon Revealed About the Blind Spot
This section stays focused on what intersects with the air gap argument. For the full detection breakdown, our Volt Typhoon hunt post walks through the five hunt threads our team runs at customer sites.
Four characteristics of this group’s tradecraft matter for the air gap question.
- Dwell time is measured in years, not days. CISA has documented cases where Volt Typhoon maintained footholds inside some victim IT environments for at least five years before discovery. That is not a smash-and-grab operation. It is patient, deliberate access designed to survive personnel changes, patching cycles, and configuration drift.
- Pre-positioning, not immediate impact. The publicly stated assessment from CISA and ODNI is that this group is positioning for disruption during a future geopolitical crisis, not destruction today. Quiet is the strategy. The absence of incidents is not the absence of access.
- Living-off-the-land. Volt Typhoon operates almost entirely through valid accounts and native binaries. There is very little custom malware to find. The detection problem is not “did something malicious run”; it is “did something normal run in a way that does not fit this environment.”
- IT to OT pivot through trusted infrastructure. Public reporting and case studies, including the intrusion at the Littleton Electric Light and Water Departments (LELWD) in Massachusetts, show a consistent pattern. Entry through internet-exposed edge devices, credential harvesting from Active Directory, lateral movement using legitimate admin tools, and only then a quiet expansion into OT-adjacent systems. Dragos, which tracks the related cluster as VOLTZITE, has reported that operators went well beyond IT reconnaissance, collecting OT device configurations, historian data, GIS information, and operational sensor readings once inside.
Put those four together, and a picture emerges. This is an adversary whose strategy works best in environments built on the assumption that nothing needs watching. The longer defenders believe their OT is isolated and safe, the more room a patient operator has to map, stage, and wait.
How the Air Gap Assumption Becomes the Vulnerability
Building on the conclusions of the original post, belief in the air gap myth results in three conditions that enable a Volt Typhoon-type threat actor. The belief itself creates the conditions a Volt Typhoon-style actor needs. Three patterns in particular.
Visibility Deferral
Monitoring budgets gets prioritized where the perceived risk lies. When OT is believed to be air-gapped, the case for OT-specific visibility is hard to make at the executive level. The result is OT networks running on partial logs, no behavioral baselines, and detection coverage built for IT threats rather than ICS-aware behavior.
Volt Typhoon thrives in exactly that gap. Living-off-the-land activity on a jump host or engineering workstation looks like normal admin work to a generic SIEM rule. It only becomes visible when you have ICS context and host-level data working together.
Asset Inventory Bias
If you believe a network is air-gapped, you stop looking for the things that prove it isn’t. The undocumented cellular modem on the RTU stays undocumented. The historian’s outbound connection to a cloud analytics vendor gets approved once and forgotten. The vendor laptop with cellular tethering enabled gets plugged into the engineering bench because nobody questions whether it should be.
We see this on assessment engagements regularly. The actual IT/OT boundary rarely matches the diagram. Volt Typhoon’s entry pattern depends on those undocumented bridges existing and on defenders not having mapped them.
Detection Scope Creep
The third pattern is the most subtle. Organizations that believe their OT is isolated often treat IT-side detection as the perimeter. If IT security is solid, the thinking goes, OT is downstream of that and therefore covered.
That works only if the adversary respects the boundary. Volt Typhoon does not. Their entire approach is built around using legitimate identity infrastructure, which is shared across IT and OT in most environments, as the bridge. NTDS.dit, the database on a Windows domain controller that stores credentials for every account on the domain, including the ones that authenticate OT engineering workstations, becomes the connective tissue. Once an actor can copy that file, the entire domain should be treated as compromised. IT-side detection that does not extend visibility into OT misses the second half of the kill chain entirely.
The thread connecting all three patterns is the same. The air gap assumption deprioritizes the work that would catch this adversary. The IT/OT convergence risk we wrote about a year ago is no longer hypothetical. It is the documented operational posture of an active threat group.
What Changes When the Assumption Goes
The shift we want operators to make is not to abandon segmentation. Segmentation matters. Physical and logical isolation, where they exist, still raise the cost of an intrusion. What needs to change is the assumption that those controls are sufficient on their own.
A few posture shifts follow from that.
The IT/OT boundary is a hunt surface, not a wall. Jump hosts, historians, engineering workstations, AV servers, and remote access infrastructure are where the action happens. Treat that terrain as the highest-priority detection environment in your program, not the quiet back office.
Build visibility that assumes someone is already inside. This is what assume-breach means in OT terms. The question is not whether you can prevent every intrusion, but whether you would notice one that already happened. That requires passive network visibility on the OT side, host data from the IT/OT adjacent Windows estate, and behavioral baselines that make living-off-the-land activity stand out.
Coordinate IT and OT detection. Volt Typhoon’s tradecraft crosses the boundary by design. Detection that stops at the boundary misses the cross-domain pattern. The teams responsible for IT and OT security need shared visibility into the IT/OT DMZ, the identity infrastructure that authenticates both sides, and the engineering workflows that legitimately cross between them.
Hunt on hypothesis, not just on alerts. Our hunt post lays out the five threads our team runs through, from edge device misuse to data staging. The mechanics matter, and that post covers them in detail. The strategic point is that signature-based detection alone will not find this adversary. The strategic point is that signature-based detection alone will not find this adversary. Instead, intentional investigation is key.
Where Valkyrie and Cygnet Fit
Valkyrie is the OT security monitoring platform our team builds and runs. It exists to provide the visibility that the air gap assumption was supposed to make unnecessary. Three things make it relevant to the conversation in this post.
First, Valkyrie collects device-level data from controllers, HMIs, and the engineering workstations that bridge IT and OT, not just network traffic. Living-off-the-land activity on a jump host is invisible to a passive sensor on its own. The host context is where you catch it.
Second, the platform is built to correlate activity across the IT/OT boundary, which is where the Volt Typhoon-style adversary actually operates. The IT/OT convergence risk gets harder to address when your tools see only one side of the picture.
Third, for sites that cannot accept cloud connectivity or where persistent infrastructure is not an option, Cygnet is the flyaway kit version of Valkyrie. Our team has taken Cygnet into remote substations, pump stations, and genuinely air-gapped environments to run hunts and assessments without any external network dependency. Same capability, packed into a case we can carry into a site that the cloud cannot reach.
Our professional services team uses both regularly on hunt and assessment engagements. If you would rather have help running a Volt Typhoon-aware hunt than build the program from scratch, that is part of what we do.
The Bottom Line on Air Gaps and Volt Typhoon
The air gap is not dead as a concept. Physical and logical separation still matter, and there are environments where strict isolation is genuinely maintained. What needs to die is the assumption that any of that, on its own, makes the environment safe.
Volt Typhoon has shown the industry what a patient, well-resourced adversary does inside critical infrastructure when defenders believe they do not need to look. The multi-year dwell times, the IT to OT pivots through legitimate identity infrastructure, and the staging of operational data for use during a future crisis. None of that requires the air gap to be technically broken. It only requires defenders to act as if it isn’t.
The air gap myth that OT security teams have inherited needs an honest update. Assume connectivity, assume the adversary may already be present, and build the visibility that proves otherwise. That is the work in front of us.
If you want to see what that visibility looks like in your environment or talk through an assessment with our team, reach out. This is the work we do.
Frequently Asked Questions
Is a physically air-gapped OT network still at risk from Volt Typhoon?
Yes, if the isolation leads defenders to skip monitoring. Most environments assumed to be air-gapped have undocumented connectivity somewhere, and Volt Typhoon’s tradecraft is built to exploit exactly that assumption.
How long has Volt Typhoon gone undetected inside U.S. critical infrastructure?
CISA has confirmed the group maintained access and footholds within some victim IT environments for at least five years before discovery.
What does Volt Typhoon target once it reaches OT-adjacent systems?
Public reporting and Dragos intelligence on the related VOLTZITE cluster describe the collection of SCADA data, OT device configurations, historian data, GIS information, and operational sensor readings.
How can OT security teams detect Volt Typhoon-style activity?
Because the group relies on living-off-the-land techniques and valid accounts, detection depends on host-level data from IT/OT adjacent Windows systems, behavioral baselines, and shared visibility into the identity infrastructure that authenticates both IT and OT.

