✦ SecureAuth AirGap | Critical Infrastructure

Your Security Tools Stop Working.

Exactly When You Need Them Most.

Ransomware response, planned maintenance, regulatory requirements: any of these can isolate your network. When that happens, MFA fails, the IdP goes unreachable, and operators fall back to shared passwords. This is not a configuration problem. It is a structural gap in every organization running isolated OT networks.

Energy & Utilities · Oil & Gas · Healthcare · Industrial Manufacturing

1 in 4 industrial security tests finds shared or default credentials in OT networks

87% increase in ransomware attacks on industrial operators in 2024

5 years: nation-state actors maintained undetected access using only valid credentials

Sources: Claroty State of CPS Security 2024 · CISA Advisory AA24-038A, February 2024

Part 1: The Problem

The Gap Shows Up Three Ways

Each one is serious on its own. Together, they compound into an identity posture no security leader would choose. Most have inherited it anyway.

Authentication Fails When the Network Closes

Ransomware containment, planned maintenance windows, and NERC CIP Electronic Security Perimeters all cut the internet connection your identity platform needs to function. MFA stops working. RADIUS times out. Engineers fall back to shared passwords to keep systems running.

Nobody Knows Who Actually Logged In

Shared admin credentials are the default in most OT environments. Not because anyone chose them, but because individual identity management was never deployed there. One password, used by a dozen people, on systems that control physical infrastructure. If something goes wrong, there is no audit trail.

Compliance Evidence Doesn’t Exist

NERC CIP, ISA/IEC 62443, and HIPAA assessors require per-user access records, authentication logs, and proof of MFA controls, all generated from inside the network boundary. That evidence cannot exist if the identity system that produces it was never deployed there. Before every audit, someone rebuilds the log manually in a spreadsheet. That is not a compliance program.

Why It’s Unsolved

The Entire Identity Industry Moved to the Cloud. Your Most Sensitive Networks Didn’t.

The Assumption

Modern IAM was built on one assumption: the device authenticating and the service validating can both reach the internet. Every architectural decision that followed was built on that assumption. Cloud-hosted FIDO2 servers, SaaS policy engines, mobile push notifications, centralized audit logs.

When the assumption breaks, the stack breaks with it.

RADIUS is the clearest example. The protocol runs locally over UDP; it was built for on-premises communication. But the identity store it validates against has moved to the cloud. When the network isolates, RADIUS times out. Operators either cannot authenticate or fall back to a shared local account.

The Consequence

There is a compounding problem. Federal and DoD networks are transitioning to IPv6 per OMB M-21-07. New switches, routers, and firewalls are being deployed on IPv6 transport. But most IAM vendors’ RADIUS implementations only support IPv4. If your RADIUS server cannot operate over IPv6, it cannot authenticate users to any network device on IPv6 infrastructure.

The environments controlling power grids, pipelines, and clinical networks run on the weakest identity controls in the organization. Not by choice. The tools were built for a connected world, and these environments deliberately are not.

Fixing This Doesn’t Require Replacing Your Infrastructure

It requires extending identity controls into the environments your current tools cannot reach. Here is what that looks like.

Network devices authenticate individually, over IPv4 and IPv6.

Switches, routers, and firewalls validate credentials via RADIUS against a local identity store with MFA enforced. Full IPv6 transport support for networks completing OMB M-21-07 transition. No shared account. No timeout. No fallback.

Every person has an individual account.

Shared credentials are eliminated. Every access event is attributed to a named person, not a shared account that a dozen people know the password to.

MFA works when the network is closed.

Authentication runs on local infrastructure inside the boundary: FIDO2, TOTP, YubiKey, CAC. No outbound call. No timeout. No fallback to a static password during an isolation event.

Contractor access expires automatically.

Accounts created for a maintenance window or turnaround cycle are time-bounded by design. When the work ends, the access ends.

Audit evidence is generated automatically.

Per-user access logs are produced continuously inside the boundary. No manual reconstruction before every audit.

Part 2: The Solution

The Complete Identity Stack. Inside the Boundary.

SecureAuth AirGap deploys every identity control your isolated network needs as a single package. No cloud dependencies. No components that call home.

01 · The Problem: RADIUS times out when the network isolates

What AirGap Delivers: RADIUS validates against an on-premises IdP via local LDAP. Full IPv4 and IPv6 transport. MFA enforced at the network layer. OMB M-21-07 compliant.

02 · The Problem: Cloud IAM stops working when the network closes

What AirGap Delivers: Workforce IdP runs on Windows Server virtual appliances inside the boundary. No outbound call at any point in the authentication chain.

03 · The Problem: FIDO2 requires a cloud server to register and authenticate hardware tokens

What AirGap Delivers: FIDO Service deploys on-premises. YubiKeys and passkeys register and authenticate entirely inside the boundary.

04 · The Problem: Mobile push MFA routes through a cloud service that becomes unreachable when the network closes

What AirGap Delivers: Mobile Service deploys on-premises. Push notifications route through local infrastructure. Familiar MFA experience with no SaaS dependency.

05 · The Problem: Audit logs don’t exist inside the OT perimeter

What AirGap Delivers: Every authentication event logged locally inside the boundary. Continuous retention. SIEM export. No manual reconstruction.

Nothing Calls Home.

The complete stack ships as a single deployable package.

Workforce IdP

Windows Server virtual appliances. Runs the full identity and policy engine locally.

FIDO Service

On-premises FIDO2 WebAuthn server. Hardware token registration and authentication inside the boundary.

Mobile Service

On-premises authentication app support. Push notifications route through local infrastructure.

RADIUS (IPv4 + IPv6)

Local RADIUS server with full IPv4 and IPv6 transport. Validates against the on-premises IdP via LDAP. MFA enforced at the network layer for switches, routers, and firewalls. OMB M-21-07 compliant.

MFA & Config Data

Local database stores all FIDO, Mobile Service, and RADIUS configuration and enrollment data inside the boundary.

All services run locally. No cloud dependency.
FIDO2 + MFA fully on-premises.
RADIUS over IPv4 and IPv6. OMB M-21-07 compliant.
Single ISO deployment. No multi-phase provisioning.
Modular, upgradeable components.

If Your Most Sensitive Network Cannot Reach the Internet, Your Identity Controls Need to Work Without It

Energy & Utilities

NERC CIP Electronic Security Perimeters. SCADA and EMS networks. Grid operators and water/wastewater systems.

Oil, Gas & Chemical

Petrochemical, refining, LNG, and midstream pipeline operations. ISA/IEC 62443 compliance zones.

Healthcare

Hospitals and health systems with segmented clinical networks. Post-ransomware isolation environments. HIPAA access logging requirements.

Industrial Manufacturing

Automotive OEM, aerospace, and discrete manufacturing with isolated OT environments.

Trusted by CISOs, OT Security Leads, Infrastructure Architects, and Compliance Teams responsible for identity in isolated networks.

Full Identity Control. Inside the Boundary.

How security and operations leaders in critical infrastructure are closing the identity gap in their most sensitive networks, without replacing existing infrastructure.

The SecureAuth AirGap Playbook is a practical guide for security and operations leaders. It covers the structural gap in air-gapped identity, why it has gone unsolved, and what a complete on-premises identity stack looks like in practice, including RADIUS over IPv6, offline MFA, and automated audit logging inside the OT perimeter.
