Introduction 

Modern networks are full of devices that simply cannot run security software. In 2023 alone, over 1.5 billion attacks targeted these vulnerable IoT and OT endpoints. As OT and IoT devices flood enterprise and industrial networks, the attack surface has expanded far beyond what traditional security tools were built to handle. Many of these devices lack an operating system capable of supporting an agent, the ability to be patched, and tolerance for downtime. Zscaler built Airgap specifically for this problem. 

The need for agentless segmentation in OT/IoT 

Traditional anti-malware or antivirus software relies on an operating system it can be installed on. Zscaler's Airgap is an agentless solution, which means that Zscaler can protect a device regardless of its operating system or software. Many OT/IoT devices, such as industrial sensors, headless machines, or legacy hardware systems, cannot support any security software due to potential disruptions to functional reliability or operational uptime. For years, the answer has been isolated VLANs, internal or midrange firewalls, or a network access control (NAC) solution, but these solutions are complex and are not ideal for dynamic environments.

What is Zscaler's Airgap segmentation? 

Zscaler's Airgap solution addresses all these concerns by taking a modern and novel approach. Airgap is agentless, identity-based segmentation that enforces Zero Trust principles on east-west traffic within LANs, OT, and IoT networks. It doesn't require any agents, downtime, or upgrades. It works by utilizing real-time device discovery, classification, and automated policy enforcement. Each device is assigned a /32 subnet mask, essentially making it a "network of one" and requiring all traffic to traverse a gateway to reach anything else. Airgap acts as this gateway. 

How agentless segmentation works 

Airgap works by automatically discovering and classifying everything on a network. It relies on AI-driven identification and classification of all devices on a particular network (IT, OT, or IoT), all without manual intervention. Policies are created and applied based on a device's identity, context, or observed behavior, not just its IP address. Because every device has a /32 subnet mask and cannot reach anything else on the network without assistance, all traffic must traverse the Airgap appliances, giving the network administrator complete control. This architecture uniquely positions Zscaler to provide inline enforcement on every packet, enabling deep inspection, real-time threat detection, and granular policy control across the entire network without requiring a single agent on any device.
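The "network of one" effect of the /32 mask and the identity-based policy described above can be seen in a small model. This is an added example, not Zscaler's code: the addresses, device classes, and allow-list are constructed, and the gateway policy is a simplified stand-in for whatever Airgap actually evaluates.

```python
import ipaddress

# Constructed inventory: IP -> device class (stand-in for discovery/classification).
INVENTORY = {"10.0.5.20": "hmi", "10.0.5.21": "plc", "10.0.5.30": "camera"}

# Hypothetical default-deny policy: only listed (src class, dst class, port) flows pass.
ALLOW = {("hmi", "plc", 502)}  # 502/tcp is Modbus


def next_hop(host_if: str, dst: str) -> str:
    """Host-side forwarding choice for an interface written as 'ip/prefixlen'."""
    iface = ipaddress.ip_interface(host_if)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"   # on-link: the host reaches the peer itself
    return "gateway"      # off-link: traffic is handed to the default gateway


def gateway_verdict(src: str, dst: str, port: int) -> str:
    """Policy keyed on device identity; unknown devices map to None and are denied."""
    flow = (INVENTORY.get(src), INVENTORY.get(dst), port)
    return "allow" if flow in ALLOW else "deny"


def flow_outcome(prefixlen: int, src: str, dst: str, port: int) -> str:
    """Where an east-west flow ends up for a given mask on the source device."""
    if next_hop(f"{src}/{prefixlen}", dst) == "direct":
        return "peer-to-peer, never inspected"
    return f"inspected: {gateway_verdict(src, dst, port)}"


if __name__ == "__main__":
    # Same three sources (camera, HMI, unknown device) under a /24 and a /32 mask.
    for plen in (24, 32):
        for src in ("10.0.5.30", "10.0.5.20", "10.0.5.99"):
            print(f"/{plen} {src} -> 10.0.5.21:502 :",
                  flow_outcome(plen, src, "10.0.5.21", 502))
```

With a /24 mask every source reaches the PLC directly and no enforcement point sees the flow; with a /32 mask the same flows all land on the gateway, where only the HMI-to-PLC flow matches the allow-list.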

Benefits for OT/IoT environments 

The most important feature of Airgap is its ability to enforce policy without an agent. Due to its clientless nature, Airgap can work with unmanaged and headless devices without the need to retrofit or install a client on every device. This effectively reduces the attack surface by eliminating lateral movement within an environment and enforcing least-privilege access. It simplifies management by eliminating the need for internal/midrange firewalls that rely on Access Control Lists (ACLs) or VLANs to enforce policy.

Use cases & industry applications 

A few of the best and most notable use cases for Airgap are: 

  • Manufacturing Environments: Industrial Control Systems (ICS), secure production lines, and robotic systems that cannot tolerate agent installation or downtime.
  • Energy/Utilities: Critical infrastructure, including power plants and substations, protected from ransomware without disrupting operational systems.
  • Healthcare: Internet of Medical Things (IoMT) devices, such as infusion pumps, monitors, and imaging equipment, secured without FDA-regulated software modifications.
  • Smart Devices: Cameras, HVAC systems, and sensors are protected from becoming lateral entry points into the corporate network.

Comparison with traditional segmentation 

Airgap's most significant advantage over legacy segmentation is its fully agentless architecture. This allows it to be used with any type of device, with no performance impact. This is critical, as many IoT devices do not allow or support any client software on their operating systems. Airgap leverages a Zero Trust approach rather than the legacy approach of limiting access on an individual basis. As networks continue to grow and scale, the legacy approach becomes increasingly infeasible and far more likely to result in a security breach. Adopting a Zero Trust approach means explicitly allowing access using a 'never trust, always verify' principle. Permitting only explicitly authorized actions reduces risk to the network as a whole.

Future of OT/IoT security with Zscaler Airgap 

Airgap integrates directly with Zscaler's Zero Trust SASE/SSE platform, enabling agentless segmentation and privileged remote access for end-to-end security. With the continued evolution of Artificial Intelligence (AI), Zscaler is able to leverage this technology to automatically discover devices and create policies to ensure that a network remains secure. By utilizing an agentless solution, Zscaler places a focus on environments that may traditionally be left vulnerable due to an inability to place a client on a device.  

Conclusion 

Zscaler's Airgap solution truly is a game-changer for OT/IoT security. It takes a completely different approach than other solutions in the space by providing a segmentation solution that doesn't require an agent to function. Because of this, it's able to secure devices or environments where a client is simply not possible. This enables devices that were previously isolated by VLAN confinement or complete air-gapping to communicate securely across the network, unlocking integrations and data flows that security constraints had previously made impossible. This uniquely positions Zscaler to address a segment of the market that is out of reach for solutions that require a client in order to function. 

Next steps

Want to see Zscaler Airgap in action? WWT's Advanced Technology Center provides hands-on validation environments where you can explore Airgap alongside Zscaler's full SSE platform. Reach out to our team to schedule a briefing or demo today. 
