
A reachable management path is the real attack surface


KVM-over-IP Security Vulnerability: A Critical Risk

KVM-over-IP switches offer undeniable convenience for remote console access in data centre and OT environments, but they introduce a significant security blind spot. When these devices become network-reachable, they create an unexpected attack surface that bridges isolated engineering workstations and HMI systems to broader corporate IT networks.

Understanding the exposure is the first step toward securing it. A compromised KVM-over-IP switch grants attackers direct console access to every connected machine—bypassing firewalls and standard network protections. When the switch itself is accessible from corporate IT networks, it becomes a critical pivot point for lateral movement and unauthorised system access.



A KVM-over-IP switch does one job. It puts a keyboard, screen, and mouse on a remote machine across the network. In an OT environment, that machine is often an engineering workstation or an HMI. The convenience is real. So is the exposure.

The switch sits on a network. Reach the switch, and you reach every console behind it. If that switch is also reachable from corporate IT, it becomes a bridge between two networks that were meant to stay apart.

This is how most OT incidents now start. Around three-quarters of attacks on OT systems begin in IT, then move across through a remote-access or management path. The field devices are rarely the first target. The path used to manage them is.

Isolated Management Infrastructure (IMI): an architecture that keeps the access and management plane off the production network. Devices are reached over a dedicated out-of-band channel, separate from both the OT network and corporate IT, so a compromise of the production network does not compromise the path used to manage and recover it.

A reachable management path is the real attack surface

Oldsmar, Florida, February 2021. A remote-access session reached the HMI at a municipal water treatment plant. The sodium hydroxide setpoint was changed from 100 ppm to 11,100 ppm. An operator watching the screen caught it and reversed it within minutes. The chemical is not the point. The reachable, un-isolated management path is.

A KVM-over-IP switch is the same class of path. It is a management interface with reach into OT. Treat it as one.

KVM-over-IP as an IT/OT bridge vs. an isolated management plane

[Diagram, two panels. Left panel, "KVM/IP bridging IT and OT": corporate IT, the IT WAN, an admin VPN and an attacker foothold all reach a KVM-over-IP switch that is reachable from both sides; from the switch, a lateral move lands on the OT control layer (the engineering workstation, HMI and PLC consoles behind the switch). Panel caption: one switch reachable from IT is a path into OT; the management interface is the attack surface, not the field device. Right panel, "With Nodegrid IMI": the production network (IT + OT) is marked compromised or down, while the Nodegrid OOB console plus KVM/IP reaches the OT consoles (HMI, PLC, engineering workstation) out-of-band over a 4G/LTE channel. Panel caption: the access plane sits off the production network; no IT-to-OT bridge; Zero Trust at the access point.]

The fix is architectural, not another firewall rule

Keep the access plane off the production network. ZPE Systems calls this Isolated Management Infrastructure (IMI). The Nodegrid platform reaches consoles over a dedicated out-of-band channel on cellular, separate from both the OT network and corporate IT. Access runs through Zero Trust controls and FIPS 140-3 validated cryptography. If the production network is compromised or down, the management path stays isolated and intact.

CISA Binding Operational Directive 23-02 makes the same case for federal networks. Remove management interfaces from internet exposure, or place a policy enforcement point between the user and the interface. KVM-over-IP falls squarely inside that scope.
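The two topologies in the diagram and the BOD 23-02 test can be checked mechanically against a network model. The following Python is an added example, not code from this article, from ZPE Systems or from Enova; it models zones and devices as a directed graph of "a session here can reach there" edges (every node name and both topologies are constructed assumptions), asks which OT consoles a foothold in corporate IT reaches in each, and applies the directive's rule to a management interface: acceptable if no path from the internet reaches it, or if every path crosses a policy enforcement point. The same model covers the IMI definition given earlier: isolation is the absence of any IT-to-OT edge, not a rule on one of them.

```python
"""Management-path exposure audit.

Added example for this article; it is not ZPE, Nodegrid or Enova code and it
queries no real network. Zones and devices are nodes in a directed graph; an
edge a -> b means "a session open in a can reach b". Both topologies below are
constructed to mirror the article's two diagram panels.
"""
from collections import defaultdict

# Constructed topology 1: the KVM-over-IP switch is reachable from corporate IT.
# "internet -> corporate_it" stands for any assumed IT foothold. The admin VPN
# is modelled too, to show that one guarded path does not remove the unguarded one.
BRIDGED = [
    ("internet", "admin_vpn"),
    ("admin_vpn", "corporate_it"),
    ("internet", "corporate_it"),       # assumed IT foothold
    ("corporate_it", "kvm_switch"),     # switch web UI reachable from the IT LAN
    ("admin_vpn", "kvm_switch"),
    ("kvm_switch", "eng_ws"),
    ("kvm_switch", "hmi"),
    ("kvm_switch", "plc"),
]

# Constructed topology 2: isolated management infrastructure. The OT consoles
# hang off an out-of-band console server reached over cellular, behind a Zero
# Trust access point that acts as the policy enforcement point. Names assumed.
IMI = [
    ("internet", "admin_vpn"),
    ("admin_vpn", "corporate_it"),
    ("internet", "corporate_it"),       # same assumed IT foothold
    ("internet", "cellular_oob"),
    ("cellular_oob", "zt_access_point"),
    ("zt_access_point", "oob_console_server"),
    ("oob_console_server", "eng_ws"),
    ("oob_console_server", "hmi"),
    ("oob_console_server", "plc"),
]

OT_CONSOLES = ("eng_ws", "hmi", "plc")


def build_graph(edges):
    """Adjacency sets; defaultdict so unknown nodes simply have no successors."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def reachable(graph, start):
    """Every node a session starting at `start` can eventually reach."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph[node])
    seen.discard(start)
    return seen


def simple_paths(graph, src, dst, path=None):
    """All loop-free paths from src to dst (cheap on a zone-level graph)."""
    path = (path or []) + [src]
    if src == dst:
        yield path
        return
    for nxt in sorted(graph[src]):
        if nxt not in path:
            yield from simple_paths(graph, nxt, dst, path)


def exposed_consoles(edges, foothold, consoles=OT_CONSOLES):
    """Which OT consoles does a foothold in `foothold` reach? Sorted list."""
    hit = reachable(build_graph(edges), foothold)
    return sorted(c for c in consoles if c in hit)


def bod_23_02_findings(edges, mgmt_interfaces, peps, entry="internet"):
    """Per management interface: not exposed, exposed only through a policy
    enforcement point, or reachable on at least one path that crosses no PEP."""
    graph = build_graph(edges)
    findings = {}
    for iface in mgmt_interfaces:
        paths = list(simple_paths(graph, entry, iface))
        if not paths:
            findings[iface] = "not exposed"
        elif all(any(hop in peps for hop in p[1:-1]) for p in paths):
            findings[iface] = "exposed, every path crosses a PEP"
        else:
            bad = next(p for p in paths if not any(h in peps for h in p[1:-1]))
            findings[iface] = "NON-COMPLIANT: " + " -> ".join(bad)
    return findings


if __name__ == "__main__":
    print("IT foothold reaches (bridged):", exposed_consoles(BRIDGED, "corporate_it"))
    print("IT foothold reaches (IMI):    ", exposed_consoles(IMI, "corporate_it"))
    print(bod_23_02_findings(BRIDGED, ["kvm_switch"], peps={"admin_vpn"}))
    print(bod_23_02_findings(IMI, ["oob_console_server"], peps={"zt_access_point"}))
```

In the bridged topology the audit names the offending path (internet, corporate IT, then the switch) even though the VPN path is guarded, which is the article's point that a policy enforcement point on one path does not fix a switch that is also reachable from the flat IT network. In the IMI topology the IT foothold reaches no console at all, and the only path to the console server crosses the Zero Trust access point. Replacing the constructed edge lists with ones derived from real firewall policy or segment inventory turns this into a reusable check.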

Nodegrid for isolated OT access

1. Out-of-band console and KVM/IP access: reaches engineering workstations, HMIs, PLCs, and switches over a dedicated channel, separate from the production network.
2. Cellular OOB path (dual-SIM 4G/LTE): management access that does not depend on the OT network or corporate IT.
3. Zero Trust access control: MFA, identity-based access, and FIPS 140-3 validated cryptography.
4. Vendor-neutral platform: Linux-based Nodegrid OS integrates existing OT security and management tools, with no rip-and-replace.
5. Ruggedised hardware options: extended temperature range and power redundancy for plant-floor and utility sites.

“A management interface with a path into OT is an OT asset. Secure it like one.”
(Isolated Management Infrastructure principle, aligned with CISA BOD 23-02)

Frequently asked questions

Why is a KVM-over-IP switch an OT security risk?

A KVM-over-IP switch reaches every console connected behind it. If the switch is reachable from corporate IT, anyone who reaches the switch can reach the OT consoles behind it. That turns the switch into a bridge between IT and OT, which is the path most OT incidents now travel.

What is Isolated Management Infrastructure (IMI)?

Isolated Management Infrastructure keeps the access and management plane off the production network. Devices are reached over a dedicated out-of-band channel, typically cellular, that does not depend on the OT network or corporate IT. If the production network is compromised or down, the management path stays isolated and intact.

What happened at the Oldsmar water treatment plant?

In February 2021, a remote-access session reached the HMI at a municipal water treatment plant in Oldsmar, Florida. The sodium hydroxide setpoint was changed from 100 ppm to 11,100 ppm. An operator watching the screen caught it and reversed it within minutes. The exposure was a management path into the control layer that had not been isolated.

How does CISA BOD 23-02 apply to KVM and console access?

CISA Binding Operational Directive 23-02 requires federal agencies to remove networked management interfaces from internet exposure, or place a policy enforcement point between the user and the interface. KVM-over-IP and out-of-band server management interfaces fall inside that scope as management interfaces.

Does isolating the management plane mean ripping out existing tools?

No. The ZPE Nodegrid platform is vendor-neutral. The Linux-based Nodegrid OS integrates existing OT security and management tools, so the access plane can be isolated without replacing the equipment behind it.

Is out-of-band access secure on its own?

Out-of-band access removes the network bridge, but access still needs control. Nodegrid runs Zero Trust controls, multi-factor authentication, identity-based access, and FIPS 140-3 validated cryptography on the out-of-band channel, so an isolated path is not an open one.

Enova is a ZPE Systems partner in Singapore. If you want to map where your KVM and console paths cross between IT and OT, we can walk through it with you.


Published by

eNOVA Technologies

eNOVA Technologies is Singapore's specialist distributor for data centre IT management solutions, representing Adder, Guntermann & Drunck, Raritan, Sunbird, ZPE Systems, and VuWall across Singapore and Southeast Asia. Our technical content is produced with AI assistance and reviewed by our in-house team before publication.

This article was produced with AI assistance and reviewed by the eNOVA Technologies team. All technical claims are verified against manufacturer documentation.
