Remote vulnerabilities don't really matter for air-gapped machines.

"Attacks like Stuxnet, the computer worm deployed against an Iranian nuclear facility a decade ago, shattered the myth that air-gapped systems are impenetrable fortresses."

source: https://www.cyberscoop.com/duo-labs-air-gap-radio-mikhail-da...

Links to: https://duo.com/labs/research/finding-radio-sidechannels

It wasn't really air-gapped if someone plugged an USB in it, was it ;)

I'm aware of the "over the air" methods to _read_ data from air-gapped systems (The blinking hard-drive light!), however I was referring to doing damage to industrial systems running legacy software, where you usually find this (think a big machine with a "terminal" attached to it that just controls the hardware and has no inputs).

That's exfiltration, not infiltration.

At that time using XP was a very viable thing to do. You would pretty much never do it now. Think about it from a business perspective. Something goes wrong in the OS. At that time you would have had to have linux guru on staff to take care of it. OR you could pay 30 bucks for a OEM embedded copy. If something went kinda bonkers you could call microsoft and they would fix it. Their support on things like that is pretty good. At that time getting that sort of support for linux would have been basically nonexistant. Today you could get that kind of support for linux. Back in 2000-2004 it would have been tough. At this point no company is going to re-write the firmware on a machine they sold 20+ years ago unless they happen to be still selling that exact same model and you are paying for some awesome support contract.

Not if Linux won't run the programs you want to run or you don't have IT staff to get it to run with wine or something. Average users will just "take their chances" if they're behind a firewall and not surfing the web then chances are very low for getting a virus if you glue up the usb ports.

In the XP days Linux was not seen as a serious things.