Written by Threatmatic, Mon Apr 20 2026

Air Gap Assurance: Security Without Isolation

How Threatmatic delivers the security of an air-gapped network without sacrificing the connectivity modern operations depend on.


For decades, the gold standard of security for critical infrastructure was simple in concept and brutal in practice: the air gap. Physically disconnect your most sensitive systems from everything else. No network connection means no network attack.

It worked. Until it didn't.

Modern operations — in hospitals, manufacturing plants, energy facilities, water treatment systems, and beyond — depend on connectivity. Medical devices stream patient data to clinical dashboards. Industrial sensors feed real-time telemetry to control systems. Building management platforms monitor hundreds of subsystems simultaneously. The air gap, once a reliable fortress, became an operational obstacle.

So organizations did what they had to do. They connected their critical systems. And in doing so, they inherited every threat that connectivity brings.

Air Gap Assurance is Threatmatic's answer to this dilemma: the security posture and isolation guarantees of an air-gapped environment, delivered on a fully connected network.


The Industrial Reality: Devices Vastly Outnumber People

In a typical office environment, the ratio of devices to users is close to one-to-one. A laptop, a phone, maybe a tablet.

In an industrial or clinical environment, that ratio is inverted — dramatically.

A mid-sized hospital might have 2,000 employees and 15,000 connected devices. The devices include infusion pumps, ventilators, patient monitoring systems, imaging equipment, nurse call systems, pharmacy dispensing machines, smart beds, access control panels, security cameras, HVAC controllers, elevator systems, and dozens of other categories — each with its own firmware, its own communication protocols, and its own security posture (or lack thereof).

This is the environment that traditional security tools were not designed for. Endpoint agents can't run on an infusion pump. Firewalls can't track the behavioral baseline of 15,000 heterogeneous devices. And a breach that starts on a connected medical device can cascade — silently, rapidly — toward patient records, billing systems, and clinical operations.


Case Study: Regional Medical Center

[Figure: Air Gap Assurance hospital network diagram]

The following composite case study reflects real-world challenges faced by hospital networks.


A regional medical center with three campuses and approximately 8,400 connected devices came to Threatmatic with a problem that will sound familiar to any healthcare IT leader.

Their network had grown organically over 15 years. Medical devices from a dozen different manufacturers sat alongside administrative workstations, clinical workstations, building systems, and staff personal devices — all on a flat network architecture that had been patched and segmented manually over time.

The IT team, eight people managing three campuses, had neither the time nor the tooling to maintain an accurate inventory of what was on the network, let alone enforce consistent policy across it. A recent third-party security audit had flagged 340 devices with unknown or unclassified status. Seventeen devices were found to be making outbound connections to destinations that could not be explained.

They needed Air Gap Assurance: the ability to say, with confidence, that a compromised infusion pump could not reach a patient record. That a breached HVAC controller could not pivot to a clinical workstation. That every device on their network — regardless of manufacturer, age, or operating system — was operating within a known and enforced boundary.


What Threatmatic Found

Within 48 hours of deployment, Threatmatic's agent-less discovery had mapped every device across all three campuses — identifying manufacturer, device type, firmware version where available, and communication patterns.

The results were sobering and not uncommon:

  • 214 medical devices were communicating with vendor management systems on the public internet with no authentication enforcement
  • 89 building automation devices — HVAC controllers, lighting systems, access panels — were on the same network segment as clinical workstations
  • 31 devices had never been seen before and could not be attributed to any known procurement record
  • 4 devices were actively communicating with external IP addresses associated with known threat infrastructure

None of these issues had triggered alerts in the existing environment. They had simply been invisible.


How Air Gap Assurance Was Applied

Threatmatic's approach was not to disconnect these devices — the hospital couldn't afford the operational disruption. Instead, it applied the logical equivalent of an air gap: policy-enforced microsegmentation that ensured each device could only communicate with what it was supposed to communicate with, and nothing else.

Medical devices were grouped by type and manufacturer. An infusion pump from Vendor A was permitted to communicate with Vendor A's management platform, and with nothing else. It could not reach the EMR system. It could not reach administrative networks. It could not reach other medical devices outside its own clinical segment. Any deviation from this baseline triggers automatic isolation of the device and an alert.

Building systems were moved into their own isolated segment, fully separated from clinical and administrative networks. A compromised HVAC controller became a facilities problem — not a patient data problem.

Unknown devices were placed into a quarantine segment with internet-only access and no lateral reach. IT was notified. Each device was reviewed, attributed, and either enrolled properly or removed.

The four devices communicating with threat infrastructure were isolated within milliseconds of Threatmatic detecting the anomaly, cutting off any potential exfiltration in progress. Forensic investigation later identified one as a legacy nurse call system that had been compromised through an unpatched vulnerability — a device that had been on the network for six years without anyone knowing it was at risk.


The Outcome

Six weeks after deployment:

  • 100% device visibility across all three campuses for the first time in the organization's history
  • No uncontained lateral movement path from any single device to any sensitive system
  • Policy enforcement in under 50ms across the entire estate, without a single agent installed on a clinical device
  • An estimated 14 IT team hours per week freed from manual segmentation maintenance, firewall rule updates, and incident investigation

The CISO's summary to the board was direct: "We now have the security equivalent of an air-gapped network — without actually air-gapping anything."


Why Air Gap Assurance Matters Beyond Healthcare

The hospital case is illustrative, but the challenge is universal wherever devices outnumber people.

Manufacturing — CNC machines, robotic assembly systems, quality sensors, and PLCs need to communicate with production management systems — and nothing else. A compromised machine on the factory floor should never be able to reach financial or HR systems.

Energy and utilities — SCADA systems, substation controllers, and grid monitoring equipment operate in environments where a single breach can have physical consequences. Logical air gapping ensures that even a connected grid remains operationally isolated.

Transportation and logistics — Fleet tracking systems, warehouse automation, loading dock controls, and environmental monitoring create device estates that dwarf user populations. Air Gap Assurance contains the blast radius of any single compromise.


The Architecture Behind Air Gap Assurance

Threatmatic delivers Air Gap Assurance through three integrated capabilities:

1. Universal Discovery — Agent-less device fingerprinting identifies every device on the network regardless of operating system, manufacturer, or age. No device is invisible.

2. Behavioral Baselining — Every device's normal communication pattern is mapped and continuously monitored. Deviations — even subtle ones — are detected in real time.

3. Instant Microsegmentation — Policy-enforced boundaries are applied automatically, ensuring that compromise of any single device cannot propagate laterally. Isolation happens in milliseconds, not minutes.

Together, these capabilities replicate the isolation guarantee of a physical air gap — while preserving the connectivity that modern operations demand.
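To make the segmentation model concrete, the following is an added example written for this page; it is not Threatmatic's code, whose internals the page does not describe. It ties the case study's rules (vendor-only allow-lists per device group, an internet-only quarantine segment for unknown devices, immediate isolation on contact with threat infrastructure) to the Behavioral Baselining and Instant Microsegmentation steps above: a reviewed window of flows is learned into per-group allow-lists, then live flows are evaluated against them. Device names, groups, addresses, the flow records and the threat-intelligence indicator are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# RFC 1918 ranges: a destination outside these counts as "internet" for the quarantine rule.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in PRIVATE_NETS)


@dataclass(frozen=True)
class Flow:
    src: str    # source device IP
    dst: str    # destination IP
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


# Constructed inventory (device IP -> (name, group)); the group is the segmentation unit.
# Unknown devices are deliberately absent, like the 31 unattributed devices in the case study.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.1.10.21": ("infusion-pump-0021", "vendorA-infusion"),
    "10.1.10.22": ("infusion-pump-0022", "vendorA-infusion"),
    "10.1.20.5": ("hvac-ctrl-05", "building-hvac"),
    "10.1.30.40": ("clin-ws-40", "clinical-workstation"),
    "10.1.40.8": ("nurse-call-08", "nurse-call"),
}

# Placeholder threat-intelligence indicator (constructed, not a real feed).
THREAT_IPS: Set[str] = {"203.0.113.77"}


@dataclass
class Policy:
    # group -> set of (dst, dport, proto) peers learned during the baseline window
    allow: Dict[str, Set[Tuple[str, int, str]]] = field(default_factory=dict)


def learn_baseline(flows: List[Flow]) -> Policy:
    """Compile per-group allow-lists from flows observed in a reviewed learning window.

    Two guards keep a compromise-in-progress from being baked into the baseline:
    unknown devices never contribute, and flows to threat infrastructure are skipped.
    """
    policy = Policy()
    for f in flows:
        if f.src not in INVENTORY or f.dst in THREAT_IPS:
            continue
        _, group = INVENTORY[f.src]
        policy.allow.setdefault(group, set()).add((f.dst, f.dport, f.proto))
    return policy


def evaluate(flow: Flow, policy: Policy) -> Tuple[str, str]:
    """Return (verdict, reason). ALLOW passes, DROP blocks the flow, ISOLATE cuts the device off."""
    # Threat infrastructure is checked first so the rule also covers quarantined devices.
    if flow.dst in THREAT_IPS:
        return "ISOLATE", f"{flow.src} contacted known threat infrastructure {flow.dst}"
    if flow.src not in INVENTORY:
        # Quarantine segment: internet-only, no lateral reach into any internal range.
        if is_internal(flow.dst):
            return "DROP", f"unknown device {flow.src} attempted lateral access to {flow.dst}"
        return "ALLOW", f"unknown device {flow.src} limited to internet-only access"
    name, group = INVENTORY[flow.src]
    if (flow.dst, flow.dport, flow.proto) in policy.allow.get(group, set()):
        return "ALLOW", f"{name} within {group} baseline"
    # Any deviation from the group's baseline isolates the device and raises an alert.
    return "ISOLATE", f"{name} ({group}) deviated from baseline: {flow.dst}:{flow.dport}/{flow.proto}"


# Constructed learning-window flows: pumps talk to Vendor A's platform, HVAC to its BMS head-end.
BASELINE_FLOWS = [
    Flow("10.1.10.21", "198.51.100.10", 443, "tcp"),
    Flow("10.1.10.22", "198.51.100.10", 443, "tcp"),
    Flow("10.1.20.5", "10.1.20.1", 47808, "udp"),
    Flow("10.1.30.40", "10.1.50.10", 443, "tcp"),
    Flow("10.1.40.8", "10.1.40.1", 5060, "udp"),
]

# Constructed live flows, one per rule.
LIVE_FLOWS = [
    Flow("10.1.10.21", "198.51.100.10", 443, "tcp"),  # pump -> its vendor platform
    Flow("10.1.10.21", "10.1.50.10", 443, "tcp"),     # pump -> EMR server
    Flow("10.1.20.5", "10.1.30.40", 445, "tcp"),      # HVAC -> clinical workstation
    Flow("10.1.99.7", "10.1.30.40", 22, "tcp"),       # unknown device -> internal host
    Flow("10.1.99.7", "192.0.2.50", 443, "tcp"),      # unknown device -> internet
    Flow("10.1.40.8", "203.0.113.77", 8080, "tcp"),   # nurse call -> threat infrastructure
]


def run_demo() -> List[str]:
    policy = learn_baseline(BASELINE_FLOWS)
    return [evaluate(f, policy)[0] for f in LIVE_FLOWS]


if __name__ == "__main__":
    p = learn_baseline(BASELINE_FLOWS)
    for f in LIVE_FLOWS:
        verdict, reason = evaluate(f, p)
        print(f"{verdict:8} {reason}")
```

Two ordering choices in the example matter in practice. The threat-infrastructure check runs before the quarantine rule, so an internet-only quarantine segment does not become a channel to known bad destinations; and flows to those destinations are excluded when the baseline is learned, otherwise a device already compromised during the learning window would have its own beaconing written into its allow-list. A real deployment keys the baseline on more than destination and port (protocol behaviour, volume, timing), which this example omits.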


Security That Scales With Your Device Estate

When devices outnumber people by ten-to-one, twenty-to-one, or more, the old models of security don't scale. You cannot hire enough people to manually manage the segmentation of 15,000 devices. You cannot install agents on equipment that was never designed to support them. You cannot rely on static firewall rules in an environment that changes every day.

Air Gap Assurance is security that scales with the reality of your environment — not the environment you wish you had.

The air gap was a good idea. Threatmatic makes it practical.


To learn how Threatmatic can deliver Air Gap Assurance for your facility, visit Threatmatic.com or contact us to discuss your environment.