Stuxnet Case Study Report

If I were designing security for Natanz, I would recommend several layers in order to have defense in depth. I would want a network firewall with both prevention and detection capabilities, configured to default-deny and to allow only the specific hosts and ports the plant actually needs, rather than relying on blacklisting known-bad IP addresses. I would also recommend Endpoint Detection and Response (EDR) software on every device that connects to the internal network, including engineering workstations, so that unauthorized or malicious files being executed can be observed; since Stuxnet spread on USB drives, the EDR should also record removable-media activity. Finally, I would recommend a Security Information and Event Management (SIEM) tool to collect the firewall and EDR logs in one place, so a team can observe the environment and respond quickly when anything unusual is detected.

I believe that an air-gapped system can still be beneficial in some situations. When data must be kept completely offline from everything else, it is the best solution, though in my opinion that is a rare case. One example is writing or testing malware: a team would most likely want to work in an air-gapped network to avoid infecting other devices.

If a system is not air-gapped and is connected to the internet, then at least one device can reach out through the internet, and in turn someone can reach in. I would argue that a system that is not air-gapped is more likely to suffer a breach or attack.

I think the best way to detect a compromise of an air-gapped environment would be to have software similar to an EDR installed on each device, with its alerts collected on a console inside the isolated network. Because nothing can leave the enclave, a person would still need to physically go to each network and check that console for any sign of unusual activity, so this would not allow for a real-time response unless someone were sitting and watching the software constantly. Stuxnet is also a reminder that the air gap itself can be crossed: it was carried in on USB drives, so removable-media events deserve particular attention in whatever is collected.
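As an added example (not part of the original post), here is what the EDR plus SIEM idea from the first paragraph and the air-gapped detection idea above look like as concrete detection logic: a small Python correlation run over constructed EDR and firewall events. The event schema, field names, allowlists and host names are assumptions made for this example. It applies three single-event rules (execution from removable media, a kernel driver whose signer is not on the allowlist, and allowed traffic to a destination outside the internal network) plus one correlation: removable-media execution followed within a few minutes by a driver load on the same host.

```python
"""Added example: SIEM-style detection over EDR and firewall logs.

Illustrative code, not from the original post. The event schema, allowlists
and host names are assumptions; the log lines below are constructed.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Assumed allowlist of driver publishers. Anything else loading into the
# kernel is worth a look, whether or not its certificate chain validates.
ALLOWED_DRIVER_SIGNERS = {"Microsoft Windows", "Trusted PLC Vendor Ltd"}
# Assumed internal engineering subnet. In an air-gapped plant, an *allowed*
# connection to anything outside it means the perimeter is not default-deny.
ALLOWED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed telemetry, one JSON object per line (assumed schema).
SAMPLE_LOG = r"""
{"ts": "2010-06-01T08:00:01", "source": "edr", "host": "ENG-01", "type": "process_create", "image": "C:\\Windows\\explorer.exe", "drive_type": "fixed"}
{"ts": "2010-06-01T08:00:05", "source": "edr", "host": "ENG-01", "type": "process_create", "image": "E:\\tools\\update.exe", "drive_type": "removable"}
{"ts": "2010-06-01T08:00:09", "source": "edr", "host": "ENG-01", "type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\helper.sys", "signer": "Example Device Co"}
{"ts": "2010-06-01T08:01:00", "source": "edr", "host": "ENG-02", "type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\plcsim.sys", "signer": "Trusted PLC Vendor Ltd"}
{"ts": "2010-06-01T08:02:30", "source": "fw", "host": "ENG-01", "type": "connection", "action": "allow", "dst_ip": "203.0.113.10", "dst_port": 80}
{"ts": "2010-06-01T08:02:31", "source": "fw", "host": "HMI-01", "type": "connection", "action": "allow", "dst_ip": "10.10.0.5", "dst_port": 102}
"""


def parse_events(text):
    """Parse newline-delimited JSON into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _alert(ev, rule, severity, detail):
    return {"ts": ev["ts"].isoformat(), "host": ev["host"],
            "rule": rule, "severity": severity, "detail": detail}


def detect(events, allowed_signers=ALLOWED_DRIVER_SIGNERS,
           allowed_nets=ALLOWED_NETS, window=timedelta(minutes=5)):
    """Apply three single-event rules and one per-host correlation."""
    alerts = []
    last_removable_exec = {}  # host -> time of latest removable-media execution
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process_create" and ev.get("drive_type") == "removable":
            alerts.append(_alert(ev, "removable_media_exec", "medium",
                                 f"{ev['image']} launched from removable media"))
            last_removable_exec[host] = ev["ts"]
        elif kind == "driver_load":
            if ev.get("signer") not in allowed_signers:
                alerts.append(_alert(ev, "unknown_driver_signer", "high",
                                     f"{ev['image']} signed by {ev.get('signer')!r}"))
            prior = last_removable_exec.get(host)
            if prior is not None and ev["ts"] - prior <= window:
                gap = int((ev["ts"] - prior).total_seconds())
                alerts.append(_alert(ev, "removable_exec_then_driver_load", "critical",
                                     f"driver {ev['image']} loaded {gap}s after "
                                     "execution from removable media"))
        elif kind == "connection" and ev.get("action") == "allow":
            dst = ipaddress.ip_address(ev["dst_ip"])
            if not any(dst in net for net in allowed_nets):
                alerts.append(_alert(ev, "egress_outside_allowlist", "high",
                                     f"allowed connection to {dst}:{ev['dst_port']}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']} {a['host']} [{a['severity']}] {a['rule']}: {a['detail']}")
```

On the constructed sample, only ENG-01 produces alerts: the removable-media launch, the unknown driver signer, the correlation of the two, and the allowed connection to an outside address. In an air-gapped plant this would run on a console inside the enclave and its output would be reviewed in person, as described above; with a properly default-deny perimeter the egress rule should never fire, so seeing it fire is itself a finding about the firewall configuration.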

Usually there is not much a vendor can do to prepare for zero-day attacks. However, at least one of the vulnerabilities Stuxnet exploited, the Windows print-spooler flaw, had been described publicly (in the magazine Hakin9 in 2009) before Stuxnet used it, so I would argue that Microsoft should have been aware of it. I believe that companies should have a threat-hunting team or person. Part of that role, whether kept in-house or given to a third party, should be to search publications for disclosed vulnerabilities and compromises that may affect their systems.

References

https://en.wikipedia.org/wiki/Air_gap_%28networking%29

https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/

https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

Courtney Root's Blog