To airgap or not to airgap: the question for highly secure control rooms
October is cybersecurity month. With Barco CTRL, we are a forerunner for security in control rooms, so we consider ourselves a thought leader on this topic. Many questions we receive are related to the markets that have the highest security settings. How much chance is there to fully withstand a cyber-attack? Should we airgap or not? That is why we now present this article on how to activate Barco CTRL in the most secure environments, such as the government and military markets.
"Airgapping" is a security measure where systems or networks are physically isolated from unsecured networks like the internet. In highly secure control rooms, where data confidentiality and integrity are paramount, airgapping is often employed to safeguard critical operations. However, while very effective, it also comes with several trade-offs.
Advantages:
- Perceived enhanced security: Full airgapping – meaning no physical connectivity to other networks – gives people the confidence of being invulnerable to external cyberattacks. Without connectivity to other networks, malicious actors cannot easily breach the system remotely, protecting highly sensitive data and communications from espionage or sabotage. However, according to a recent Microsoft article, this is more of a perception than a fact.
- Data integrity: By isolating systems, airgapping ensures that only authorized personnel can introduce data via controlled means, such as USB drives or other physical media. This minimizes the risk of malware and helps maintain the integrity of operational data.
- Mitigation of insider threats: Even in cases of insider threats, the lack of external connections adds an additional barrier to data exfiltration. Employees or contractors cannot simply upload data to external servers or communicate with malicious third parties over the internet.
Disadvantages:
- Operational inefficiencies: Airgapping can slow down communication and data transfer. You can only use AV-based sources to carry information as visuals into your control room. In other words, you’re moving pixels, not data. This means you cannot make use of modern network-based technologies to transport CCTV camera streams, Remote Desktop sessions, and web-based content (e.g., dashboards). In fast-paced military environments, where real-time intelligence and swift decision-making are crucial, the delays caused can be a significant drawback.
- High maintenance: Isolated systems require constant manual updating, patching, and oversight. This can be resource-intensive, especially in a large command center with multiple airgapped systems, increasing the workload for IT teams.
Airgapping effectively removes many advantages of connected systems and requires organizations to keep and maintain a separate environment. For example, your organization’s users will need separate user accounts and cannot make use of their existing user accounts that are governed by your existing identity provider (e.g., Active Directory). This means features like single sign-on (SSO) that the identity provider offers are not applicable. Effectively, you will need to set up and maintain every required network service twice.
- Limited scalability: As military operations evolve and become more integrated, airgapped systems can become harder to scale and adapt. The growing need for interoperable systems across various command centers may render full airgapping less feasible in the long run.
- A false sense of security: Because airgapped systems are considered completely isolated islands, staff may be led to think them fully secure. As a result, cybersecurity is not treated as a main concern, and the system is only slightly protected from threats from within. For example, it may be considered acceptable to use shared system accounts, which are a significant issue from a security point of view. When intruders have a way to (physically) access the system, they encounter no defense mechanisms, allowing them to do as much damage as they can. A notorious example of this is the ‘Stuxnet’ attack on Iran’s nuclear program.
In some cases, when airgapping isn’t done properly, the security promised by employing this strategy becomes a fallacy. If an airgapped network is not fully physically isolated (for example, it uses a separate VLAN but still retains a physical connection to a firewall that shields it from other networks and blocks all traffic in between), the firewall becomes a single point of failure for the security of the entire airgapped system. If an attacker manages to take over the firewall, they have successfully gained access to the airgapped network.
- Missing out on security controls: Modern security controls often require further connectivity to be as efficient as possible. Think about daily updated scanning signatures for anti-virus, anti-malware, and network intrusion detection systems. Centralized Security Information and Event Management (SIEM) systems help detect attacks by correlating anomalous log events from different systems in the environment. They are only effective and meaningful when they can analyze logs from connected systems and identify patterns in log messages that point to malicious activity.
- Not following state-of-the-art security: Ongoing initiatives to strengthen cybersecurity, such as the NIS2 law that is coming into effect in Europe, or the U.S. Presidential Executive Order 14028, mandate that organizations move from perimeter-based security (isolating networks) to zero-trust security. This allows connectivity to external networks but requires that all connections are authenticated and authorized. Perimeter-based security is seen as less secure, as it creates a false sense of security inside the perimeter.
Some countries even mandate network connectivity by law. In Germany, the IT-SiG 2.0 law mandates that operators of critical infrastructure detect and mitigate cyber-attacks. To be able to do so, the use of a SIEM is mandatory. For the SIEM to detect cyber-attacks, it needs to be fed with logs from as many systems as possible, including the systems driving your control room.
While airgapping is a robust defense strategy for protecting critical systems, its operational limitations and maintenance demands require careful consideration, especially in environments that demand agility and rapid response.
Linking connectivity and efficiency
When looking at cybersecurity, airgapping should not be viewed as the most secure solution. It is a possible path to secure a system – one that is indeed strong, but that imposes limitations on the flexibility of the control room and the possible use cases. In an increasingly connected world, it’s not easy to remain completely isolated from the cloud.
In Barco’s Global Control Room Research 2024 (a large poll involving over 2,000 control room professionals), there is a clear correlation between control room efficiency and connectivity. Of the professionals describing their control rooms as ‘efficient’, 80% are connected to the outside world. This is only 48% in ‘less efficient’ control centers. The research was conducted in all sectors, so not only the most critical ones, but it gives a good indication of what people experience as effective.
Where to go next?
Many organizations solve the connectivity problem by maintaining two completely separate networks: one connected and one airgapped. This is an infrastructural nightmare and not really efficient for operators that constantly need to switch computers, depending on the task they currently perform.
When updating or completely redesigning a system, it is worth asking the question: “Where do we go next?” Will we sustain the airgapped way of working for the next ten years or so? Or are we planning to move to connected operations, but not right now (for example, because there are several legacy programs still operational)? This is a very important decision, as it will highly determine your return on investment.
Barco’s view on airgapping
So, where does Barco stand in this debate? When building Barco CTRL, cybersecurity was the most important factor in the design process. Using the Security by Design principles, we built a secure foundation, ready for zero-trust connected environments. The goal is to seamlessly couple security with usability. In other words, maximize security while providing connectivity at any time. And we did succeed in this.
Does this mean that Barco CTRL is not able to work in an airgapped system? Not at all. It is perfectly possible to have a completely offline installation of Barco CTRL. The manual clearly explains this use case.
A more efficient way of working is to use the so-called ‘integration at the glass’. This means that there are two separate systems that are only integrated at the presentation layer, while being completely isolated on the physical layers. They thus come together on the operator’s virtual workspace but are still completely independent. The user has the convenience of having all applications in one environment, while upholding network separation. Although this is not a 100% airgapped system, it does offer a good compromise and might be a good step up to a connected solution.
Conclusion
The question to airgap or not will remain in place for some time – but we believe it will fade out eventually due to the ever-rising importance of connectivity. So, instead of hiding on an island where you are stuck yourself, it’s better to create an impenetrable fortress on the mainland. Investing in cybersecurity, even though it might be more expensive to start with, is probably wiser than creating an airgapped network that will be obsolete in five years. We designed Barco CTRL to answer the needs of connected control rooms, both in terms of security and usability.