by tptacek 2535 days ago
Well, I guess I'm going to say something challenging here: give up on air-gapping, since it's not going to happen. Revise your premises to assume technology that can be connected will be connected, and proceed accordingly.

I am not, by the way, happy about this, but I've also spent essentially a lifetime (minus maybe 13-14 years at the beginning) having all the surprise on this particular issue knocked out of me.

Sure, companies won't air gap willingly. But legislation can fix that. I see no reason why this world (or this country) is one where such legislation necessarily cannot happen.
It's really a shame that a (relatively easy to implement) solution that exists to a problem, one that could potentially save lives in this case, should be left by the wayside while a new solution needs to be invented. And that solution may also not be implemented.

I guess I have a little bit of surprise left in me on this issue.

It's not a solution, it's a layer. Vulnerabilities still matter behind an airgap. A hospital is a large, semi-public facility. Patients are left alone in their rooms with network drops. There are legitimate business needs to transfer records in from and out to other institutions; who's to say they can't contain exploit payloads? There are contractors, vendors, and high-turnover low-skilled staff circulating every day. And even if there weren't, if you've been thinking of the airgap as a "solution" and not keeping up with patches, the first person to cross will have a ridiculously easy time with whatever's inside.

It's good to raise the bar from drive-by internet strangers to people and organizations willing to take mild physical risks, but it's not a panacea.

I suppose I could have been more precise in my wording, and clarified that I see it as a solution to a piece of the puzzle. Indeed, you do word it better in saying it is a layer. I agree. It is a solution to a facet of a problem which exists at a certain layer.

I don't quite know how my comment led you to believe that I think airgapping is a panacea which solves all the existing computer woes in the world.

I certainly don't think, and didn't intend to imply, that airgapping removes the risk from contractors or a reason to not keep up on patches. Again, I'm confused how you reached that conclusion based on my comment.

Unless the person you're replying to thinks you are personally currently maintaining such equipment, that's a general 'you'.

"And even if there weren't, if you've been thinking of the airgap as a "solution" and not keeping up with patches, ..."

Nobody here is going to say airgap and done, but out in the wild they will certainly deprioritize updates on airgapped equipment.

Well, I mean, I said it's a solution. They said it is not a solution, a direct response to what I specifically had said, and followed by directly responding to the rest of my statement. The entire comment seems to be directed at what I said, hinging off my use of "solution".

Perhaps the 'you' was intended to be generalized. I interpreted it as directed at me, since the entirety of the comment is directed at me. Maybe I'm mistaken.

The joys of trying to have meaningful conversations over text.

If it’s a solution, legislation should just require it. If it’s one of many possible security controls that will each help a bit, we might need more nuanced and local decision making.