The single-session CD is supposed to come from an unsecure network. What good will putting it back there do an attacker?
I am not thinking small, I am thinking rational. You are assuming an "insan[e]" attacker, which is rather silly. I'm not claiming that single-session CDs will make a system unbreachable, or that you should try to. My claim is simply that using single-session CDs (in a controlled, hygenic way) makes the cost to breach a system much higher than the alternatives that were suggested (network and USB) -- not even that single-session CDs are always the right solution.
Do you have any idea what the error rate for manual data entry is? Typically about 0.5% of the entries will be wrong. Retyping information is a very error prone process.
Do you have any idea that there are known good practices for checking entered data before committing to it? And that most people would want to apply this kind of check before kicking off a production run, of just about anything, regardless of how the order was sent to the system?
What is it about this topic that makes people forget basic engineering practices?
If you have a air-gapped system, you don't let people plug either random USB devices or random Ethernet devices into it. You help enforce this by disabling USB ports, MAC-locking switch or router ports, making it clear that only specific authorized people can import data, and making sure those authorized few use hygienic practices. It's IT security, not brain surgery.
1) If you can define the protocol to be simple enough, and
2) if you can be sure that only the intended application will process the data stream on the secure side, and
3) if you actually test that application enough to be confident it is secure, and
4) if you can ensure that sensitive information will not (improperly) leak back down the other direction, and
5) if you use it often enough to pay for that development cost, and
6) if you can resist the pressure to add features or "generality" to the protocol that makes it more costly to ensure secure processing...
then maybe such a protocol makes sense. Maybe somebody somewhere has satisfied all those ifs, but I would suspect not. For your simplified example, it is probably cheaper -- and just as secure -- to have an operator enter the dozen or so keystrokes to order "produce x amount of class y steel" than to design, build, install and support a more automated method. Human involvement has the added bonus of (nominally) intelligent oversight of the intended behavior for the day.
The point of an air gap is to make data transfers much more controlled. Some can be crossed regularly (with appropriate control), and some should not. One should only adopt any security measure after a cost-benefit analysis. The depth and rigor of that analysis should be determined by the expected costs (ongoing/operational) and potential costs (from a successful exploit).
Thus, I said "If I really wanted to reduce exposure", not "Everybody should do this to reduce exposure". If the productivity costs are very high, you had better impose enough oversight to deter or catch any policy violations... or choose a security policy besides "air gap". My basic points stand: much more software regularly talks to a network than regularly reads from CDs, and the protocols involved are much more complex for network communications; and USB sits in between those two.
FWIW, industrial control instructions can be made much more regular than arbitrary data, making it easier to detect a compromise before it reaches its ultimate target. For example, if the usual file size is 1 MB, you had better have a good reason for it to suddenly be 3 MB. If you are really paranoid, you might have a format checker or sanitizer to act like a very application-specific antivirus.
What compels the management to hook the control network up to the Internet? If a vendor told me that their safety-impinging product needed Internet access to run -- for a license check or for any other reason -- I would tell them to go pound sand, and I'd be happy to take my business to a competitor. If Internet access is not mandatory, you are describing "sometimes an air gap is inconvenient", not "sometimes an air gap is impossible".
There are techniques like "Hello my name is Solicitor Darren White, my client has just deceased and left you a sum of $1,000,000,000 (ONE BEEELLION DOLLARS)...". There are also techniques like "Registration is now open for [industry-relevant convention], please visit [malware-infected site] to sign up so you can keep up with new developments." Beyond that are very individualized attempts to gain the target's confidence, perhaps involving apparently independent contacts -- persona A contacts the target over a job board, persona B uses some of that information to ask for a supplier reference, eventually culminating in executable code delivered directly to the target in hopes that it will bypass virus checks and be executed on a sufficiently privileged computer. More sophisticated social engineering techniques will usually be more narrowly tailored and more costly for the attacker to use.
On the one hand, you have to worry about security holes in the USB driver and file system.
On the other hand, you have to worry about security holes in every piece of software that talks to the network.
If I really wanted to reduce exposure for a network, I would probably use single-session CDs to cross the air gap, and make sure to pack any extra space with random data.
They also noted that the city chose to install many cameras at intersections where crashes were rare to begin with. Chicago has raised roughly $500 million from red light camera tickets since 2002. "[O]fficials recently admitted to the city inspector general that they had quietly dropped the threshold for what constitutes a red light camera ticket, allowing the tickets even when cameras showed a yellow light time just under the three-second federal minimum standard. That shift earlier this year snared 77,000 more drivers and $7.7 million in ticket revenue before the city agreed to change the threshold back.
Which people do you think I am describing? There certainly are a lot of weirdo extremists in the environmental-activist camp, but I wasn't really thinking about them. If you want me to ignore the weirdo extremists on that side, will you ignore the weirdo extremists on the other side? More significantly, will media and activists stop focusing on the (conveniently distracting) anti-AGW weirdo extremists so that we can pay more attention to what actually can and should be done?
What specific steps do the reasoned thinkers recommend as "what actually needs to be done"? Last I heard, European countries were revising or just rolling back climate agreements because (a) they realized they couldn't achieve their goals without reducing their quality of life, (b) they realized the system was being gamed, and/or (c) they wanted to keep up with the countries who didn't sign up to those agreements.
Lots of people believe in ghosts. Lots of people also believe in people who "think that human activities have no impact on climate change". There's about as much hard evidence in one of these beliefs as in the other.
When climate alarmists stop pretending that the dispute is over the degree of human influence on climate, and how much different countries should spend to mitigate anthropogenic climate change (or other kinds!), they might start to get traction with skeptics. Also when they start acting like the situation is as bad as they claim it is.
I know that when I used an electric sous vide cooker to make pork chops for dinner last night, it was worse for the climate than if I ate raw vegetables, and better than if I grilled a slab of steak over a bonfire. I know that living in the suburbs emits more greenhouse gases than living in a tiny apartment in a big city. I am thoroughly unconvinced that forcing most people to live like the alarmists claim we should (but usually don't live themselves) will yield the claimed benefits, or be worth the costs even if the benefits would be as claimed.