James Dice

Cyber attack: An “air-gapped” BAS still got wrecked—one thumb drive pushed malware down to device firmware and triggered a $200K+ rebuild choice

January 20, 2026

A building owner thought its Building Automation System (BAS) was safe because it wasn’t connected to the internet ("air gapped"). Then an engineer plugged in a thumb drive—and malware tore through the system down to device firmware.

The story came from Joe Gaspardone of Montgomery Technologies, speaking at NexusCon about real OT cyber incidents his firm has seen across client portfolios. In this case, the BAS was fully air gapped. No external connectivity. No remote access. “We have the most secure BAS system,” the team believed—until removable media became the ingress path.

“Malware completely corrupted the BAS all the way down to the device firmware,” Gaspardone said. Recovery wasn’t a simple restore. The owner faced a decision that looked a lot like ransomware economics: pay Bitcoin, or pay more than $200,000 to rebuild from the device layer up through the entire system stack.

They chose the rebuild. But the real cost showed up elsewhere. This was a life sciences building, where control rooms support sensitive experiments and production. When systems went offline, conditions drifted out of tolerance. Rent credits to tenants exceeded the cost of the rebuild itself.

Gaspardone’s point wasn’t that air gaps are useless—but that they’re often misunderstood. “That system actually would have been more secure had it been connected to a monitored and maintained network,” he said. Alerts would have fired. The spread could have been blocked at the network boundary.

Prevention, he argued, isn’t abstract cyber hygiene. It’s operational ownership: know what devices exist, how they’re connected, and where they live—then enforce change control when someone adds a camera, Wi-Fi, or a new BAS component.

Offline doesn’t mean secure. Unmanaged change does damage fast.

If you’d like to learn more, here are some ways to stay updated on stories like this:

  • Watch the full presentation from NexusCon 2025
  • Sign up for the Nexus Labs newsletter to get five similar stories for owners each Wednesday
