SecureAuth AirGap | Critical Infrastructure & Government Contractors

Your Security Tools Stop Working Exactly When You Need Them Most.

Every organization running a power grid, pipeline, classified facility, or hospital network faces the same structural problem. The tools they use to control who accesses what were built for the internet. The networks that matter most are deliberately cut off from it. When they isolate, the identity platform becomes unreachable, MFA stops working, and operators fall back to shared passwords. This is not a configuration problem. It is a structural gap in every organization running isolated or segmented networks.

A practical guide for security and operations leaders in critical infrastructure, defense, and healthcare.


46%

Surge in ransomware attacks on industrial operators in a single quarter

1 in 4

Industrial security tests find shared or default credentials in OT networks

5 Years

Nation-state actors maintained undetected access using only valid credentials

Sources: Honeywell 2025 Cybersecurity Threat Report, June 2025 · Claroty State of CPS Security 2024 · CISA Advisory AA24-038A, February 2024

Part 1: The Problem

The Gap Shows Up Three Ways

Each one is serious on its own. Together, they compound into an identity posture no security leader would choose. Most have inherited it anyway. And it applies whether your most sensitive network is an OT environment, a CMMC-scoped enclave, or a classified facility.

Authentication Fails When the Network Closes

Ransomware response, planned maintenance, and regulatory isolation all cut the internet connection your identity platform needs to function. MFA stops working. RADIUS times out. Engineers and operators fall back to shared passwords to keep systems running. On networks completing IPv6 transition per OMB M-21-07, the gap compounds: most RADIUS servers only support IPv4, leaving network devices on IPv6 segments with no authentication path at all.

Nobody Knows Who Actually Logged In

Shared admin credentials are the default in most OT and enclave environments. Not because anyone chose them, but because individual identity management was never deployed there. One password, used by a dozen people, on systems that control physical infrastructure or classified data. If something goes wrong, there is no audit trail. No individual accountability. No forensic record.

Compliance Evidence Doesn’t Exist

NERC CIP, CMMC, ISA/IEC 62443, and HIPAA assessors require per-user access records, authentication logs, and proof of access controls, all produced from inside the network boundary. That evidence cannot exist if the identity system that generates it was never deployed there. Before every audit, someone rebuilds the log manually in a spreadsheet. That is not a compliance program.

Why It’s Unsolved

The Entire Identity Industry Moved to the Cloud. Your Most Sensitive Networks Didn’t.

The Assumption

Modern IAM was built on one assumption: the device authenticating and the service validating that authentication can both reach the internet. Every architectural decision that followed was built on that assumption. Cloud-hosted FIDO2 servers, SaaS policy engines, mobile push notifications, centralized audit logs.

When the assumption breaks, the stack breaks with it.

RADIUS is the clearest example. The protocol runs locally over UDP; it was built for on-premises communication. But the identity store it validates against has moved to the cloud. When the network isolates, RADIUS times out. Operators either cannot authenticate or fall back to a shared local account.

The Consequence

IPv6 compounds the problem. Federal and DoD networks are mandating transition per OMB M-21-07. New switches, routers, and firewalls are being deployed on IPv6 transport. Most IAM vendors’ RADIUS implementations only support IPv4. If your RADIUS server cannot operate over IPv6, it cannot authenticate users to any network device on IPv6 infrastructure. Your identity controls have a transport-layer blind spot on the newest infrastructure being deployed.

The environments controlling power grids, pipelines, classified systems, and clinical networks run on the weakest identity controls in the organization. Not by choice. The tools were built for a connected, IPv4 world, and these environments are neither.

The Standard

Fixing This Doesn’t Require Replacing Your Infrastructure

It requires extending identity controls into the environments your current tools cannot reach. Here is what that looks like, whether your boundary is a NERC CIP Electronic Security Perimeter, a CMMC-scoped enclave, or a classified facility.

Network devices authenticate individually, over IPv4 and IPv6.

Switches, routers, and firewalls validate credentials via RADIUS against a local identity store with MFA enforced. Full IPv6 transport support for networks completing OMB M-21-07 transition. No shared account. No timeout. No fallback.

Every person has an individual account.

Shared credentials are eliminated. Every access event is attributed to a named person, not a shared account that a dozen people know the password to.

MFA works when the network is closed.

Authentication runs on local infrastructure inside the boundary: FIDO2, TOTP, YubiKey, CAC, PIV. No outbound call. No timeout. No fallback to a static password during an isolation event.

Contractor access expires automatically.

Accounts created for a maintenance window, turnaround cycle, or program phase are time-bounded by design. When the work ends, the access ends.

Audit evidence is generated automatically.

Per-user access logs are produced continuously inside the boundary. No manual reconstruction before every audit. Evidence that exists continuously is evidence that holds up.

Nothing calls home.

License validation, telemetry, and threat intelligence updates: none of these require an outbound connection. Products marketed as on-premises that carry hidden cloud dependencies fail silently after a grace period expires. AirGap was built without them.

Part 2: The Solution

The Complete Identity Stack. Inside the Boundary.

SecureAuth AirGap deploys every identity control your isolated network needs as a single package. No cloud dependencies. No components that call home. Deploy it inside the boundary, and it works. For OT environments and NERC CIP perimeters. For CMMC-scoped enclaves and classified facilities. For any network that cannot reach the internet.

01

The Problem

RADIUS times out when the network isolates. Cloud IdP is unreachable.

What AirGap Delivers

RADIUS validates against an on-premises IdP via local LDAP. Full IPv4 and IPv6 transport. MFA enforced at the network layer. OMB M-21-07 compliant.

02

The Problem

Cloud IAM stops working when the network closes

What AirGap Delivers

Workforce IdP runs on Windows Server virtual appliances inside the boundary. No outbound call at any point in the authentication chain.

03

The Problem

FIDO2 requires a cloud server to register and authenticate hardware tokens

What AirGap Delivers

FIDO Service deploys on-premises. YubiKeys and passkeys register and authenticate entirely inside the boundary.

04

The Problem

Mobile push MFA routes through a cloud service that becomes unreachable when the network closes

What AirGap Delivers

Mobile Service deploys on-premises. Push notifications route through local infrastructure. Familiar MFA experience with no SaaS dependency.

05

The Problem

Audit logs don’t exist inside the OT or enclave boundary

What AirGap Delivers

Every authentication event logged locally inside the boundary. Continuous retention. SIEM export. No manual reconstruction.

Nothing Calls Home.

The complete stack ships as a single deployable package.

Workforce IdP

Windows Server virtual appliances. Runs the full identity and policy engine locally.

FIDO Service

On-premises FIDO2 WebAuthn server. Hardware token registration and authentication inside the boundary. Compatible with YubiKeys, passkeys, and PIV credentials.

Mobile Service

On-premises authentication app support. Push notifications route through local infrastructure. No SaaS relay required.

RADIUS (IPv4 + IPv6)

Local RADIUS server with full IPv4 and IPv6 transport. Validates against the on-premises IdP via LDAP. MFA enforced at the network layer for switches, routers, and firewalls. OMB M-21-07 compliant.

MFA & Config Data

Local database stores all FIDO, Mobile Service, and RADIUS configuration and enrollment data inside the boundary.

All services run locally. No cloud dependency.

FIDO2 + MFA fully on-premises.

RADIUS over IPv4 and IPv6. OMB M-21-07 compliant.

Single ISO deployment. No multi-phase provisioning.

Modular, upgradeable components.

Full Identity Control. Inside the Boundary.

See how security and operations leaders in critical infrastructure, defense, and healthcare are closing the identity gap in their most sensitive networks, without replacing existing infrastructure.


SecureAuth. Identity that works where it has to.