Master this essential documentation concept
A highly secure computer network that is physically isolated from unsecured networks, including the public internet, ensuring no data can enter or leave without physical access.
Teams responsible for maintaining an air-gapped network often rely heavily on recorded walkthroughs, training sessions, and incident debriefs to capture institutional knowledge. Because these environments are intentionally isolated, onboarding a new engineer or troubleshooting an unfamiliar configuration means tracking down the right recording and scrubbing through hours of footage to find a two-minute explanation.
That friction is a real operational risk. When your security team records a detailed walkthrough of how data is physically transferred into an air-gapped network using removable media, that knowledge lives inside a video file that no one can search, reference mid-task, or update when procedures change. The person who recorded it may be the only one who knows it exists.
Converting those recordings into structured, searchable documentation changes how your team works with that knowledge. A technician configuring a workstation inside an air-gapped network can pull up the relevant procedure directly, without interrupting a colleague or replaying a 45-minute session to find the specific step covering USB validation protocols. Documentation also makes it easier to version-control procedures as your security posture evolves — something a video library simply cannot support.
If your team is sitting on a backlog of recorded sessions covering sensitive infrastructure like this, there is a more practical way to make that knowledge accessible.
Engineers at nuclear facilities must update control system software but have no standardized procedure for safely transferring validated binaries into the air-gapped operational technology (OT) network, leading to ad-hoc USB transfers that bypass integrity checks and create audit gaps.
Air-gapped network architecture enforces a documented, repeatable transfer protocol using write-once optical media and cryptographic hash verification at the data diode boundary, ensuring every software update has a traceable, tamper-evident chain of custody before entering the control network.
1. Define and document the 'Secure Software Ingestion Procedure': all binaries must be signed with an offline HSM key and SHA-256 hashes recorded in the change management system before physical media is prepared.
2. Document the physical transfer checkpoint: a designated 'transfer station' workstation in the DMZ writes files to write-once DVD-R, and a second engineer verifies the hash against the change ticket before the disc enters the air-gapped zone.
3. Create a step-by-step runbook for the receiving workstation inside the air-gapped network: mount the disc in read-only mode, re-verify the hash, scan with offline antivirus definitions, then copy to the encrypted file server.
4. Establish an audit log template that captures engineer ID, timestamp, media serial number, file hashes, and SCADA controller target, stored on the air-gapped file server and exported monthly via supervised printout.
100% of software updates have a documented, auditable chain of custody, satisfying NRC 10 CFR 73.54 cybersecurity requirements and eliminating untracked USB transfers from the facility's risk register.
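An added illustration of steps 3 and 4 above, written for this page rather than taken from any facility's actual runbook: a receiving-workstation script that re-verifies every file on a mounted disc against the change-ticket manifest, refuses unlisted or missing files, and emits the audit-log record. The manifest layout, ticket and serial values, and the engineer ID are placeholders; the disc contents are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large firmware images are hashed without loading them whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_disc(mount_point: Path, manifest: dict) -> dict:
    """Re-verify each file named on the change ticket; anything else on the disc is flagged, not copied."""
    results = {}
    for name, expected in manifest["files"].items():
        candidate = mount_point / name
        if not candidate.is_file():
            results[name] = "MISSING"          # ticket lists a file the disc does not carry
            continue
        actual = sha256_file(candidate)
        results[name] = "OK" if actual == expected.lower() else "MISMATCH"
    for extra in mount_point.iterdir():
        if extra.is_file() and extra.name not in manifest["files"]:
            results[extra.name] = "UNLISTED"   # present on media but absent from the ticket
    return results

def audit_entry(engineer_id: str, manifest: dict, results: dict) -> dict:
    """Audit-log record (engineer, time, media serial, hashes, target); the copy proceeds only if accepted."""
    return {"timestamp": datetime.now(timezone.utc).isoformat(), "engineer_id": engineer_id,
            "ticket": manifest["ticket"], "media_serial": manifest["media_serial"],
            "target": manifest["target"], "files": results,
            "accepted": bool(results) and all(v == "OK" for v in results.values())}

def demo() -> dict:
    """Constructed disc and ticket: one good file, one file missing from the disc, one stray file."""
    disc = Path(tempfile.mkdtemp()) / "disc"
    disc.mkdir()
    image = b"constructed firmware image, not a real binary"
    (disc / "firmware.bin").write_bytes(image)
    (disc / "notes.txt").write_bytes(b"stray file that is not on the ticket")
    manifest = {  # placeholder identifiers, shaped like a change-ticket export (hypothetical format)
        "ticket": "CHG-EXAMPLE-0001", "media_serial": "DVDR-SN-PLACEHOLDER", "target": "PLC-LINE-3",
        "files": {"firmware.bin": hashlib.sha256(image).hexdigest(), "loader.bin": "00" * 32},
    }
    return audit_entry("engineer-placeholder", manifest, verify_disc(disc, manifest))

if __name__ == "__main__":
    print(demo())
```

In the constructed run the ticket is rejected because loader.bin is missing and notes.txt is unlisted, which is the outcome the runbook wants: a disc that does not match its ticket never reaches the file server.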
Security analysts in a classified Security Operations Center (SOC) cannot access external threat intelligence platforms, vendor documentation, or Stack Overflow during an active incident, forcing them to rely on memory or outdated printed runbooks, slowing mean-time-to-respond (MTTR).
An air-gapped internal wiki (e.g., a locally hosted Wiki.js or Confluence instance) stores pre-approved, periodically synchronized threat intelligence, SIEM query libraries, and incident response playbooks, giving analysts a searchable, version-controlled knowledge base without any external network dependency.
1. Stand up a Wiki.js instance on a server within the air-gapped network; document the server's hardening baseline (CIS Benchmark Level 2) and backup schedule in the system's own 'Infrastructure' namespace.
2. Establish a quarterly content update cycle: a designated 'Content Curator' downloads approved MITRE ATT&CK framework updates, vendor advisories, and YARA rule sets on an internet-connected workstation, reviews them for classification, and transfers them via supervised optical media.
3. Structure the wiki with namespaces mirroring incident categories (e.g., /Ransomware, /InsiderThreat, /ICS-Attack), each containing detection queries for the local SIEM, containment steps, and escalation contacts, all with version history enabled.
4. Document a 'Dead Reckoning' protocol: if the wiki server itself is compromised, analysts follow a laminated quick-reference card stored in a physical safe, which contains the 5 most critical SIEM queries and escalation phone numbers.
SOC analysts report a 40% reduction in time spent searching for runbook information during tabletop exercises, and the quarterly update cycle ensures threat content is never more than 90 days stale.
Industrial control system operators need to stream operational logs to an external SIEM for compliance monitoring, but any bidirectional network connection to the air-gapped ICS network violates their security policy, and no clear documentation exists for configuring hardware data diodes to perform this one-way export.
Precise technical documentation of a hardware data diode (e.g., Owl Cyber Defense or Waterfall Security Unidirectional Gateway) configuration enables a verified, physics-enforced one-way log stream from the air-gapped ICS historian to the enterprise SIEM without creating a return path that could be exploited.
1. Document the physical installation: diagram the fiber-optic transmitter-only connection from the ICS historian's syslog output to the data diode's ingress port, explicitly noting that the diode hardware has no receive capability on the ICS-facing side.
2. Write a configuration guide for the proxy software on both sides: the 'send proxy' on the ICS historian formats logs as UDP syslog RFC 5424 packets; the 'receive proxy' on the enterprise side reconstructs and forwards to Splunk. Include exact port numbers, buffer sizes, and heartbeat settings.
3. Create a validation procedure: use a network tap and Wireshark on the enterprise side to confirm log receipt, then attempt a ping from the enterprise proxy back to the ICS historian and document the expected 100% packet loss as proof of diode integrity.
4. Write an ongoing monitoring runbook: alert on log volume drops exceeding 20% from baseline (indicating a diode or proxy failure) and document the physical inspection checklist for the fiber connection and proxy service health.
The ICS environment achieves NERC CIP-007 compliance for security event monitoring without introducing any bidirectional network path, verified by a third-party penetration test that confirms zero return-path connectivity.
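An added example for steps 2 and 4 above, written for this page and not taken from any diode vendor's proxy software: the send-proxy side formats historian events as RFC 5424 lines and pushes them as UDP datagrams (UDP fits because TCP's handshake and acknowledgements need a return path the diode cannot carry), and the enterprise side runs the runbook's volume-drop check against per-interval message counts. Hostnames, app names, port, and the hourly counts are constructed placeholders.

```python
import socket
from collections import deque
from datetime import datetime, timezone

def rfc5424(msg: str, hostname: str, appname: str, timestamp: str = "",
            facility: int = 1, severity: int = 6, msgid: str = "-") -> str:
    """One event as an RFC 5424 line: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG.
    PRI is facility*8 + severity (1 = user, 6 = informational); '-' is the nil value for a field."""
    pri = facility * 8 + severity
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return f"<{pri}>1 {ts} {hostname} {appname} - {msgid} - {msg}"

def send_one_way(lines: list, diode_host: str, port: int = 514) -> int:
    """Emit each line as a UDP datagram toward the diode ingress; nothing is ever read back.
    Returns the number of datagrams handed to the socket (delivery is confirmed only on the far side)."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (diode_host, port))
            sent += 1
    return sent

def volume_alerts(counts: list, baseline_window: int = 24, drop_threshold: float = 0.20) -> list:
    """Enterprise-side runbook check: flag an interval whose received count is more than
    drop_threshold below the mean of the preceding baseline_window healthy intervals.
    Alerting intervals stay out of the baseline, so a sustained outage keeps alerting instead
    of quietly becoming the new normal; an operator resets the baseline after a verified change."""
    alerts, window = [], deque(maxlen=baseline_window)
    for i, count in enumerate(counts):
        if len(window) == baseline_window:
            baseline = sum(window) / baseline_window
            if count < baseline * (1 - drop_threshold):
                alerts.append((i, count, baseline))   # (interval index, observed, baseline)
                continue
        window.append(count)
    return alerts

def demo() -> dict:
    """Constructed hourly counts: a stable baseline, a small dip, a 21% drop, then total loss."""
    hourly = [100, 100, 100, 100, 95, 78, 0, 85]
    sample = rfc5424("historian export batch 42 complete", "ics-historian", "send-proxy",
                     timestamp="2024-01-01T00:00:00Z")
    return {"syslog_line": sample, "alerts": volume_alerts(hourly, baseline_window=4)}

if __name__ == "__main__":
    print(demo())
```

The constructed series raises two alerts, at the 21% drop and at the zero-count hour, while the 5% dip at index 4 passes and is absorbed into the baseline.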
A defense contractor's engineering team developing classified firmware has no consistent policy for which removable media types are permitted in the air-gapped lab, resulting in personal USB drives being used for convenience, creating an uncontrolled data exfiltration and malware introduction risk that violates DFARS 252.204-7012 requirements.
A formally documented Removable Media Control Policy, enforced by both technical controls (USB port blocklisting via endpoint management) and procedural controls (media librarian role, serialized media inventory), creates an auditable, compliant transfer process that satisfies CMMC Level 3 practice MP.3.122.
1. Document the approved media list: only government-furnished, serialized, hardware-encrypted USB drives (e.g., IronKey D300S) are permitted; document the procurement, serialization, and enrollment process, including who assigns serial numbers and maintains the physical inventory log.
2. Write the 'Media Ingestion Procedure': before any drive enters the air-gapped lab, it must be scanned on a dedicated 'sheep dip' workstation running an offline, up-to-date antivirus suite; document the sheep dip workstation's own hardening and AV update procedure.
3. Create the 'Media Egress Procedure': data leaving the lab on approved media requires a two-person integrity rule, where the engineer and a security officer both sign the media log entry, and the drive is encrypted and sealed in a tamper-evident bag before leaving the physical perimeter.
4. Document the violation response procedure: if an unauthorized device is detected by the endpoint management system, the workstation auto-locks, an alert fires to the ISSO, and the engineer must complete an incident report; include the exact incident report template in the appendix.
Zero unauthorized removable media incidents are recorded in the 12 months following policy implementation, and the contractor passes a DCSA facility inspection with no findings related to media control, removing a prior CAR (Corrective Action Required) from their record.
Every piece of data crossing the air-gap boundary — whether inbound software updates, outbound audit logs, or lateral threat intelligence — must go through a documented, multi-step authorization workflow. This prevents the gradual normalization of informal transfers (e.g., personal USB drives) that historically account for the majority of air-gap breaches, including the Stuxnet attack vector. Authorization records must be retained and tied to a specific change ticket or security approval.
Air-gapped systems still require OS patches, antivirus definition updates, and application upgrades, but they cannot pull these from internet-facing update servers. Without a documented internal repository, systems go unpatched for months or years, creating significant vulnerability accumulation. A locally mirrored, periodically refreshed software repository with a documented ingestion procedure ensures systems remain current without compromising isolation.
Compliance frameworks like NERC CIP and ICS-CERT guidelines require security event monitoring even for air-gapped operational technology environments, but software-only solutions create bidirectional channels that can be exploited. Hardware data diodes enforce one-way data flow at the physics layer — there is literally no return optical path — making them the only technically sound method for exporting logs, telemetry, or historian data from an air-gapped network to an external SIEM without creating a reachable attack surface.
A 'sheep dip' workstation is a dedicated, hardened system used exclusively to scan and validate removable media before it enters the air-gapped network — it is never connected to either the internet or the air-gapped network simultaneously. Without a formally documented and physically enforced sheep-dip process, malware can enter the secure environment via trusted-looking media (as demonstrated by the Stuxnet attack on Iranian centrifuge controllers via infected Siemens USB drives). The sheep-dip station must have its own documented hardening baseline, offline AV update procedure, and usage log.
An air-gapped network's security is fundamentally limited by the physical access controls surrounding it — if an adversary can walk up to a workstation or plug into a switch port, the network isolation is irrelevant. Documentation must explicitly map the network boundary to a corresponding physical boundary (e.g., a SCIF, locked server room, or badge-access lab) and define the personnel, escort, and inspection procedures that govern physical entry. Misalignment between network and physical security is a common audit finding and a real attack vector.