Electronic AirGap USB is a hardware device patented by Seclab that creates a complete physical break between a USB device and the protected system. The device is never connected directly to the critical system port—security relies on electronics, not software.

Key takeaway — Seclab Xport ensures electronic isolation of the USB port: the device never has access to the protected system. Only files authorized by the security policy are presented to the system via a virtual USB drive.

Seclab Xport neutralizes BadUSB attacks by design. Since the malicious device has no direct access to the protected system’s port, the attack is physically ineffective—regardless of how sophisticated the compromised firmware is.

What is a BadUSB attack?

A BadUSB attack exploits the firmware of a USB device to turn it into a malicious tool: simulating a keyboard to inject commands, emulating a network interface to intercept traffic, or executing arbitrary code. These attacks operate at the USB protocol level, below the file layer. They are undetectable by antivirus software and file-scanning stations, as no malicious file is involved.

Why electronic isolation is the only reliable protection

Software-based solutions (device whitelisting, USB class filtering) rely on information declared by the device itself—information that compromised firmware can falsify. Seclab Xport takes a fundamentally different approach: the device is connected to the Seclab system, never to the target system. The system only sees a virtual USB drive presented by Xport. No keyboard emulation, network interface, or other USB class can reach the protected system, because the physical break prevents any direct communication.

Key takeaway — BadUSB attacks are undetectable by antivirus tools because they exploit firmware, not files. Electronic isolation with Seclab Xport is the only approach that neutralizes them by design, by removing any direct access between the device and the system.

No, no installation is required. The protected system sees Seclab Xport as a standard USB drive. No software, no driver, and no modification of the host system are needed.

Plug & Play across all OS, including legacy systems

Seclab Xport works natively on Windows, Linux, and macOS, with no host-side configuration. It is also compatible with locked-down legacy systems—Windows XP and proprietary industrial OSs—where installing an agent or driver is impossible or prohibited. This is a decisive advantage in OT environments, where critical systems often run on outdated but non-replaceable operating systems.

Security that does not degrade over time

Since protection is hardware-based (physical break + electronic access control), it does not rely on signature updates, software patches, or host system maintenance. A Seclab Xport deployed today will provide the same level of protection in five or ten years, without intervention.

Key takeaway — Zero installation, zero drivers, zero host system modification. Seclab Xport operates as Plug & Play on Windows, Linux, macOS, and locked-down legacy systems. Hardware-based protection does not degrade over time.

Interoperability is based on a cryptographic signature mechanism: the TYREX station analyzes and signs clean files, while Seclab Xport verifies this signature and only allows validated files to pass through. Any unsigned file or file modified after analysis is systematically rejected.

Signature mechanism in detail

When a file passes through a TYREX station (or another Seclab Xport in file transfer mode), it is analyzed and then cryptographically signed. This signature file certifies that the original file was checked and deemed safe at a given point in time. Seclab Xport recognizes this signature and authorizes the transfer to the protected system. Any file without a signature—whether added after analysis or never processed by the station—is rejected.

Transparency for the host system

The device removes the signature file before presenting the original file to the host system, ensuring native compatibility with industrial applications.

Key takeaway — TYREX analyzes and signs, Xport verifies and allows. Unsigned files are rejected. The signature is removed before presentation to the host system, ensuring seamless compatibility with industrial applications.

Seclab Xport meets the removable media control requirements of IEC 62443 and NERC CIP through electronic USB port isolation, non-bypassable hardware access control, and built-in audit evidence.

IEC 62443 compliance: removable media control

The IEC 62443 standard identifies removable media as a potential attack vector in industrial environments. It requires strict control over their use, including restriction of authorized file types, port access control, and enforcement of the principle of least privilege. Seclab Xport addresses these requirements through:

• Physical isolation of the USB port: the device has no direct access to the system.
• Access control via cryptographic signature: only pre-validated files are allowed through.
• Blocking of protocol-level attacks (BadUSB): neutralized by the physical break.
• Least privilege enforcement: only explicitly authorized file types and transfer directions are permitted.

NERC CIP compliance: hardware isolation and auditability

For operators of electrical infrastructure subject to NERC CIP, Seclab Xport provides a hardware-based isolation and access control mechanism that cannot be bypassed—even by users with administrative privileges. The device generates auditable logs for each transfer (authorized file, rejected file, timestamp, device identity), which can be used to demonstrate compliance during regulatory audits.

Key takeaway — Seclab Xport covers IEC 62443 and NERC CIP requirements for removable media: physical isolation, hardware-based access control, BadUSB protection, least privilege enforcement, and full audit traceability.

Securing USB ports in OT environments relies on three steps: mapping assets and identifying USB ports, physically isolating critical ports, and continuously monitoring deviations and anomalies. This progressive approach enables increased maturity without compromising availability.

Step 1 — Map assets and ports (visibility)
You can only protect what you know. Seclab Xplore maps connected assets and identifies available USB ports. This visibility helps identify critical systems with exposed USB ports and prioritize protection efforts.

Step 2 — Isolate critical USB ports (protection)
Once sensitive assets are identified, Seclab Xport is deployed on the most critical systems. Physical isolation of the USB port completes the trust chain with upstream sanitization solutions such as TYREX stations: only analyzed and cryptographically signed files reach the protected system. BadUSB attacks are neutralized by design.

Step 3 — Continuously detect deviations (monitoring)
Seclab Xplore provides continuous monitoring of the environment: detection of new assets, new ports, and unusual behavior. In OT, network and system changes are infrequent—anomaly-based detection is more effective and generates fewer false positives than exhaustive threat hunting. Xplore can also detect whether machines have been connected to USB devices other than Seclab Xport.

This step-by-step approach, enabled by the Seclab Xcore Platform (Xplore for discovery and detection, Xchange for network isolation, Xport for USB protection), allows organizations to progressively increase their cybersecurity maturity while respecting the operational constraints of industrial environments.

Key takeaway — Secure OT USB ports by: detecting ports (Xplore), physically isolating them (Xport + TYREX), and monitoring deviations (Xplore). This progressive approach, powered by the Seclab Xcore Platform, aligns with industrial availability constraints.