Hummm
There are multiple ways that attackers can deploy reconnaissance malware to an air-gapped network,
The ways listed in that paragraph all depend on the security IT section not doing its job.
Updates - no matter where they come from - should be tested and scanned before deployment.
Infected USB drives and/or contractor laptops - these should automatically be suspect and scanned well before they get near the air-gapped system.
Malicious ladder logic code - anyone that can't spot anomalies in that code shouldn't be coding for air-gapped systems.
All of the above are standard security requirements that my company insists on at the two industrial complexes we maintain. If management doesn't like it, we walk away, as we did in one case.