The coverage of Sygnia’s Operation Highland disclosure has leaned heavily on the duration — ten years inside an air-gapped network — as the remarkable element of the story. But dwell time is not the finding. The finding is that the air gap didn’t work, and that it failed in exactly the way air gaps always fail: someone had to authenticate.
Velvet Ant didn’t cross the network boundary. They subverted the authentication infrastructure that bridged it. A modified Nginx binary, planted on a system that served both the connected corporate network and the isolated environment, established a reverse shell that tunnelled through the authentication node. The air gap remained intact as a network topology fact. It was meaningless as a security control.
Why We Keep Building Air Gaps
The air gap concept has intuitive appeal: no network connection means no network attack. It is simple enough to explain to a board, regulatory auditor, or procurement committee. It appears in guidance from CISA, NIST, and IEC 62443 as a recommended measure for operational technology environments. It satisfies the compliance requirement for network segmentation in NERC CIP, NIS2, and several sector-specific frameworks.
The problem is that intuitive appeal and compliance satisfaction are not the same thing as security. Air-gapped networks need to receive software updates. They need operators to authenticate. In almost every operational scenario, they need to exchange data — historian exports, patch packages, configuration files — with connected systems. Every one of those flows is a potential bridge, and each bridge requires infrastructure that sits on the boundary.
That boundary infrastructure is the attack surface. In Operation Highland, it was an authentication proxy. In previous cases, it has been a USB update terminal, a data diode that was configured incorrectly, a jump server that was managed from both sides, or a SCADA historian that wrote to a shared database. The bridge is always there. The question is whether it is defended.
The Monitoring Gap That Let Velvet Ant Stay
Sygnia’s report makes clear that the victim organisation deployed endpoint detection on systems within the isolated network. They monitored the air-gapped segment for threats. What they did not monitor — or did not monitor with the same rigour — was the authentication node that served it.
This is a common pattern. Security teams conceptually classify the connected network and the isolated network as two distinct protection problems. The connected network gets the full security stack: EDR, SIEM integration, network monitoring, anomaly detection. The isolated network gets physical access controls, limited connectivity, and a policy that says nothing goes in or out without approval. What gets neither treatment is the infrastructure in between, because it belongs to both environments conceptually and therefore sometimes to neither in practice.
File integrity monitoring on the authentication proxy’s binaries would have detected the modified Nginx. Outbound connection monitoring from that host would have detected the reverse shell. Neither was in place in the way it needed to be to catch a low-noise, patient attacker who made no operational mistakes for a decade.
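One way to implement the integrity check this paragraph (and the later "integrity monitoring belongs on boundary infrastructure first" recommendation) calls for, as an added example that is not Sygnia's code or the affected organisation's tooling: a baseline of every binary on the boundary host, kept under an HMAC so the baseline itself cannot be silently edited, and a diff that flags a replaced file such as the modified Nginx. Directory layout, sample files and the key are constructed for illustration.

```python
# Added example (not Sygnia's or the affected organisation's tooling): a minimal
# file-integrity baseline for a boundary host. Records SHA-256, mode and size per
# regular file, HMACs the stored baseline, and diffs fresh scans against it.
import hashlib
import hmac
import json
import os
import stat

CHUNK = 1 << 20  # stream large binaries in 1 MiB chunks


def file_digest(path):
    """SHA-256 of file contents, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def scan(root):
    """Map relative path -> (sha256, mode bits, size) for regular files under root."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope here
            entries[os.path.relpath(full, root)] = (
                file_digest(full), stat.S_IMODE(st.st_mode), st.st_size)
    return entries


def sign_baseline(entries, key):
    """Serialise the baseline and HMAC it; keep the key off the monitored host."""
    body = json.dumps(entries, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def load_baseline(body, tag, key):
    """Return the baseline only if its HMAC verifies, else None."""
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag):
        return None
    return {p: tuple(v) for p, v in json.loads(body).items()}


def compare(baseline, current):
    """Deviations from baseline: replaced/chmod'd, added and removed files."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}
```

Run `scan` on a schedule, compare against the signed baseline, and treat any non-empty result on a boundary host as an alert rather than a log line.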
What Good Isolation Actually Looks Like
Air gaps can be made substantially more robust, but the changes require abandoning the assumption that physical separation is the primary control and treating it as one layer among several:
Authentication infrastructure must be single-purpose and single-direction. Authentication systems that serve air-gapped environments should not have any outbound connectivity to the general internet or to administrative networks that do. A domain controller or authentication proxy with both a path into the isolated network and a path to the corporate network is not an authentication boundary — it is a pivot point.
Integrity monitoring belongs on boundary infrastructure first. The systems most likely to be targeted by an adversary are those with the most access. Cryptographic verification of system binaries, running processes, and loaded kernel modules should be implemented on every host that touches a boundary, with alerts on any deviation from baseline.
Continuous monitoring is not optional for isolated networks. A security team that deploys comprehensive monitoring on the connected network and reduced monitoring on the isolated network because “less can happen there” has the logic exactly backwards. Less visibility means longer dwell time, not lower risk. Operation Highland’s ten-year duration is evidence of what happens when this trade-off is made.
Data transfer processes need the same scrutiny as network connections. Air-gapped networks that receive patch packages, historian exports, or configuration updates via removable media or one-way data transfer devices have a data path that is as real as a network cable. Every step in that transfer process — the system that prepares the transfer, the media that carries it, the system that receives it — needs integrity verification and audit logging.
The Regulatory Problem
The audit-driven adoption of air gaps has created a structural problem: organisations achieve compliance by deploying air gaps without deploying the monitoring and controls that make air gaps meaningful. The frameworks that mandate network segmentation rarely specify what detection and integrity controls must protect the boundary infrastructure. Auditors check that the air gap exists; they do not check whether the authentication proxy serving it has file integrity monitoring.
Operation Highland will probably not change that dynamic quickly enough. The organisation affected spent ten years with an attacker inside a supposedly secure environment, and the failure mode was entirely predictable and documented in prior incidents involving USBs, jump hosts, and data diodes. The lesson that physical isolation requires active defence has been available for as long as air gaps have existed.
What will eventually change it is enforcement: when regulators in critical infrastructure sectors begin attributing breaches to inadequate security of boundary infrastructure rather than accepting air gap deployment as a complete answer, organisations will be forced to reckon with what they have actually built.
Until then, the gap between air-gapping as a compliance artefact and air-gapping as an actual security control will continue to be filled by patient threat actors with ten years to spend.