Oil Distribution
  • Critical OT & Industry 4.0
  • Microsoft WSUS

Case Study: Secure Offline Patching for Air-Gapped OT Networks

Gas Distribution Operator in Europe

Talk to an expert

Ensuring WSUS synchronization across a strictly unidirectional security boundary

Preventing file corruption during large patch package transfers

Limited bandwidth preventing full system backup transfers

Meeting strict regulatory requirements including NIS2 and French LPM frameworks

Need / Problem / Context

Automating Secure Patching for Air-Gapped OT Infrastructure

A regional gas distribution operator in Europe needed to ensure regular operating system and application updates across a critical OT network controlling gas distribution infrastructure.

For cybersecurity reasons, the OT environment was fully air-gapped and disconnected from the Internet. While this architecture protected operational systems from remote cyber threats, it also made patch management — including WSUS (Windows Server Update Services) synchronization — extremely complex. Updates had to be transferred manually between IT and OT environments, creating operational overhead and increasing the risk of human error or data corruption.

The organization therefore needed a secure and automated mechanism to transfer validated update packages — including WSUS update flows — from the IT environment to the isolated OT network, while preserving strict one-way security separation and maintaining compliance with European critical infrastructure cybersecurity regulations (under NIS2).

Explore OT Solution
Solution Deployed

A Cyberium unidirectional gateway architecture was deployed to securely transfer validated update packages from the IT patch management infrastructure to the isolated OT network while preserving strict air-gap protection. The architecture enables automated patch distribution to OT systems without introducing any inbound connectivity risk to operational infrastructure.

Explore OWA
Hardware appliance

4x OWA 3U pack @ 1 Gbps

Four unidirectional security gateways were deployed to securely transfer update packages from the IT environment to the air-gapped OT network while enforcing strict one-way communication.

Protocol Connector

SFTP Connector

Update packages and patch repositories are transferred through secure file transfer mechanisms, ensuring reliable delivery of validated update content

Software Replicator Agent

Windows WSUS

A dedicated synchronization component enables automated replication of Microsoft update repositories between IT and OT environments while preserving the integrity of patch metadata and packages

WSUS logo (new)

Outcomes & Benefits

The deployment enabled the operator to automate patch management for its air-gapped OT infrastructure while maintaining strict cybersecurity protections and regulatory compliance

Achieved full compliance with EU NIS2 and French LPM cybersecurity regulation

Replaced a manual and resource-intensive update process and an unreliable third-party solution

Fully automated the OT patching workflow with no operational overhead

More use cases
Browse all OT Cases
  • Critical OT & Industry 4.0
  • OWA 2U/3U
  • Custom SCADA, Siemens WinCC
  • SQL Databases Agent

Siemens WinCC SCADA / SQL Replication for Water Treatment Plant

  • Critical OT & Industry 4.0
  • OWA 2U/3U
  • Custom SCADA
  • OPC UA Agent

OPC UA replication for Electricity Grid SCADA data centralization

  • Critical OT & Industry 4.0
  • OWA 2U/3U
  • Cisco Splunk
  • HTTP/S API, Syslog

Secure OT-to-SOC Convergence for Airport Operations

  • Critical OT & Industry 4.0
  • OWA 2U/3U
  • Custom SCADA
  • SQL Databases Agent

Secure SCADA Data Replication to IT Analytics Platforms

  • Critical OT & Industry 4.0
  • OWA 2U/3U
  • Hexagon PAS
  • File Transfer Agent, SMTP

Secure OT Alarm Dispatch to Remote Engineers

  • Critical OT & Industry 4.0
  • OWA 2U/3U
  • GE OSM (On-Site Manager)
  • File Transfer Agent, SFTP, FTP/S/ES

Secure Turbine Health Monitoring for Remote OEM Analytics

We secure the Critical

— connecting what should stay isolated.
Talk to an expert
Explore OWA
Latest blog entries
Browse Posts
Claude AI Cybersecurity Image

When AI Becomes the Attacker: Why the OT Security Arms Race Ends at the Hardware Layer

  • AI & Cybersecurity, Threat Landscape

In 2025, the baseline assumption of industrial cybersecurity broke. For twenty years, defenders had one reliable edge over attackers: time. (…)

Read more
Threat Landscape Report

The OT Threat Landscape in 2025–2026: Why the Firewall Was Never the Last Line of Defense

  • OT Cybersecurity Best Practices, Threat Landscape

Every documented OT breach in the past five years started at the same place: an internet-facing asset that operators believed (…)

Read more
Firewall VS Hardware

The Real Cost of Trusting a Firewall with Your OT Network — and the Case for Unidirectional Hardware Segmentation

  • OT Cybersecurity Best Practices, Regulations & Compliance, Threat Landscape

In every major OT cyberattack of the past decade, firewalls were present. In each case, they failed. Not because they (…)

Read more

How to Monitor OT Logs Through Data Diodes Without Losing SOC Visibility?

  • Architecture Design Patterns, Engineering Insights

Industrial cybersecurity starts with a simple reality: you cannot detect threats if you cannot see what happens inside your OT (…)

Read more