
The Air-Gap Myth: Why Your SCADA Management Plane Is More Exposed Than You Think


SCADA Air Gap Security: Exposing a Critical Misconception

Most organizations operate under the false assumption that air-gapped SCADA systems are inherently secure from external threats. However, the management plane connecting to these critical infrastructure assets introduces vulnerabilities that traditional isolation strategies fail to address. This exposure puts industrial control systems at significant risk despite physical network separation.

Modern OT security requires a layered approach that secures not just the control plane, but also the management pathways used for system administration and monitoring. Solutions like Nodegrid provide out-of-band management, encryption, and access controls that protect SCADA environments without compromising operational efficiency. By implementing proper segmentation and authentication protocols, organizations can eliminate the blind spots that leave even air-gapped systems vulnerable to lateral movement and unauthorized access.


Enova Technologies  |  ZPE Systems Nodegrid  |  OT Security

Most OT environments are built on the assumption that physical isolation protects their control systems. The air gap is real in theory. In practice, the management path to OT devices creates IP-reachable connections that undermine it. This article explains where those connections form and what proper OT out-of-band management looks like.

The Purdue model assigns OT networks to lower levels, with clear boundaries between field devices, control systems, SCADA operations, and business IT. The expectation is that the further down the model, the more isolated the system. A PLC running a production line should not be reachable from a laptop on the corporate network. For the PLC itself, that is often true.

The problem is not the field device. It is the management path to it.

The serial console server that provides console access to your PLCs and RTUs is a networked device. It sits on a management LAN. Anything that can reach that management LAN can, in principle, interact with the console interface of every device the server connects to. The management LAN has more connections to IT and business systems than the field devices it serves.


Several standard OT architecture elements bridge the boundary the air-gap model assumes is closed.

SCADA historians. Historian servers collect process data from the control layer and replicate it to business systems for reporting and analytics. A historian by definition has connectivity to both the OT network and the IT network. It is a bridge, by design.

Engineering workstations. OT engineers typically need access to both the corporate network (for email, documentation, software downloads) and the OT network (for configuration and diagnostics). Dual-homed workstations are common. Each one is a potential lateral movement path between the two environments.

Remote access for vendor support. During 2020 and 2021, most OT environments added remote access to allow vendors and integrators to support systems without site visits. Many of those VPN tunnels and remote desktop sessions remain active. Some were set up quickly and have never been formally reviewed against the organisation’s current security posture.

The serial console server itself. The device that provides console access to PLCs and RTUs has an IP address. It is managed over the network. If the management LAN is compromised, the serial console server is reachable, which means every device console it connects to is reachable.

Over 90% of manufacturing organisations experienced cyber attacks on their production or energy supply in 2021, according to Barracuda Networks research. In the majority of those cases, initial access came through IT-adjacent and management systems rather than the field devices themselves.

The field devices (PLCs, RTUs, DCS controllers) are often not directly IP-accessible. The management interfaces that provide access to them are. This is the distinction the air-gap model frequently fails to account for.

An attacker does not need to access the PLC directly. They need to access the system that provides console access to the PLC. In most OT architectures, that system is reachable from the management LAN, and the management LAN has upstream connections to IT infrastructure.

Figure: Management plane exposure, air-gap assumption vs. OOB isolation.

Left panel (the air-gap assumption): L4–5 business IT (ERP, email, IT WAN) sits above an assumed air gap; the L3 SCADA / management LAN holds the historian, engineering workstation, VPN/jump host, serial console server and HMI; the L0–2 field devices (PLC, RTU, DCS) hang off the serial console server over RS-232. The historian (data replication) and the VPN/jump host (remote access) bridge the claimed air gap, and the serial console server sits on the management LAN, so the management plane is an IP-reachability problem.

Right panel (with Nodegrid OOB): the management LAN is shown compromised; the Nodegrid OT serial console is reached over an encrypted 4G/LTE OOB channel and connects to the PLC, RTU and DCS over RS-232 console cables. Serial access is maintained via cellular, and the management plane is fully isolated from both IP networks.

The correct approach is to isolate the management plane itself, not just the field devices. CISA Binding Operational Directive 23-02 specifically recommends isolated management infrastructure as a resilience requirement for critical infrastructure management interfaces.

An OOB serial console server connects to OT device console ports (PLCs, RTUs, HMIs) via RS-232 at the hardware layer, below the OS, below IP. The console server’s own access path runs on a cellular channel (4G/LTE) that is physically separate from both the OT production network and the management LAN. An attacker who compromises either IP network has no path to the OOB management channel.

This is what ZPE Systems calls Isolated Management Infrastructure (IMI). Their Nodegrid Serial Console provides RS-232 access to OT devices with built-in dual-SIM 4G/LTE. The Nodegrid OS is FIPS 140-2 validated and supports Zero Trust access controls including MFA and identity-based access management. The platform is vendor-neutral and runs on open Linux, supporting VM and container hosting for third-party OT management and security applications.

“The tool you use to reach your OT devices during an incident should not be on the same network segment as the systems being recovered.”

Isolated Management Infrastructure (IMI) principle, referenced in CISA BOD 23-02

1. RS-232 serial console access to PLCs, RTUs, DCS controllers, and HMIs — direct hardware-layer connection, no IP required on the target device
2. Dual-SIM 4G/LTE cellular OOB path — independent of both the OT production network and the management LAN; management access remains active when either or both IP networks are down or compromised
3. Zero Trust access control — MFA, identity-based policies, FIPS 140-2 validated cryptography; prevents unauthorised access to the OOB channel itself
4. Vendor-neutral open platform — open Linux-based Nodegrid OS supports VM and container hosting; integrates third-party OT management, OT security monitoring, and automation tools from a single device
5. Ruggedised hardware options — extended temperature range, power redundancy, and shock resistance; Nodegrid Gate SR and Mini SR are suited to industrial and utilities environments

Before a security review, it is worth tracing the actual IP reachability of your management plane. The key questions:

  • Which devices provide console access to your PLCs and RTUs? What network are they on?
  • Does your SCADA historian have connectivity to both the OT network and the business network?
  • How many engineering workstations have network adapters on both the OT and corporate networks?
  • What remote access sessions (VPN, RDP, vendor tools) are currently active on management LANs?
  • If the management LAN were compromised, which OT devices would be reachable via their console access paths?
  • Does your current OT management access path remain available if the IP network is down?
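The reachability argument made earlier (an attacker needs only the system that provides console access, and that system sits on an IP-reachable management LAN) and the checklist above can be worked through on a concrete topology. The following Python model is an added example written for this page; it is not code from the article, from ZPE Systems or from Enova. It encodes the two panels of the diagram as a small graph, with every host, segment and device name constructed for illustration, and it assumes the worst case that a host with an interface on a compromised segment can be used to pivot onto its other segments.

```python
"""Management-plane reachability model.

Added example, not code from the article or from ZPE Systems / Enova. It encodes
the two panels of the diagram (air-gap assumption vs. OOB isolation) as a small
graph and answers the review checklist: which segments a console server sits on,
which hosts are dual-homed, which device consoles become reachable once a given
segment is compromised, and whether management access survives an IP outage.
Every host, segment and device name here is constructed for illustration.
"""
from collections import deque

# A topology is (hosts, serial): hosts maps an IP host to the set of network
# segments it has an interface on; serial maps a console server to the field
# devices wired to it over RS-232. Field devices have no IP interface at all.

def air_gap_assumption():
    """Left panel of the diagram: the console server lives on the management LAN."""
    hosts = {
        "erp":         {"IT_WAN"},
        "historian":   {"IT_WAN", "MGMT_LAN"},  # replicates process data to business IT
        "eng_ws":      {"IT_WAN", "MGMT_LAN"},  # dual-homed engineering workstation
        "vpn_jump":    {"IT_WAN", "MGMT_LAN"},  # vendor remote access
        "console_srv": {"MGMT_LAN"},            # serial console server, managed in-band
    }
    serial = {"console_srv": {"plc1", "rtu1", "dcs1"}}
    return hosts, serial

def oob_isolation():
    """Right panel: the console server is reachable only over a separate cellular channel."""
    hosts, serial = air_gap_assumption()
    hosts["console_srv"] = {"OOB_CELLULAR"}     # no interface on either IP network
    return hosts, serial

def dual_homed(hosts):
    """Hosts with interfaces on more than one segment: the bridges across the air gap."""
    return {h for h, segs in hosts.items() if len(segs) > 1}

def compromised_closure(hosts, compromised):
    """Worst-case assumption (constructed for this model): an attacker on a segment can
    reach every host with an interface on it, and a reached host can be used to pivot
    onto its other segments. Returns (reachable_segments, reachable_hosts)."""
    segs = set(compromised)
    reached = set()
    queue = deque(segs)
    while queue:
        seg = queue.popleft()
        for host, ifaces in hosts.items():
            if seg in ifaces and host not in reached:
                reached.add(host)
                for other in ifaces - segs:   # new segments opened up by this host
                    segs.add(other)
                    queue.append(other)
    return segs, reached

def reachable_consoles(hosts, serial, compromised):
    """Field devices whose console server is IP-reachable from the compromised segments."""
    _, reached = compromised_closure(hosts, compromised)
    devices = set()
    for srv, wired in serial.items():
        if srv in reached:
            devices |= wired
    return devices

def management_access_available(hosts, serial, down_segments):
    """Can an operator still reach every console server when these IP segments are down?"""
    return all(hosts[srv] - set(down_segments) for srv in serial)

if __name__ == "__main__":
    for name, (hosts, serial) in [("air-gap assumption", air_gap_assumption()),
                                  ("OOB isolation", oob_isolation())]:
        print(f"== {name} ==")
        print("dual-homed bridges:", sorted(dual_homed(hosts)))
        print("consoles reachable from IT WAN:",
              sorted(reachable_consoles(hosts, serial, {"IT_WAN"})))
        print("management access with both IP networks down:",
              management_access_available(hosts, serial, {"IT_WAN", "MGMT_LAN"}))
```

Running it prints, for each scenario, the dual-homed bridges, the field-device consoles reachable from the IT WAN, and whether management access survives with both IP networks down. In the air-gap scenario all three consoles are reachable, because the historian, workstation or jump host carries the attacker onto the management LAN where the console server sits; in the OOB scenario none are. The model also makes the caveat visible: give the OOB console server an in-band interface on the management LAN for convenience and the path reopens, which is the check worth repeating after any change to the console server's network configuration.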

ZPE Systems Nodegrid: OT Out-of-Band Management

  • RS-232 serial console access to PLCs, RTUs, HMIs, DCS controllers
  • Dual-SIM 4G/LTE cellular OOB — independent of both IP networks
  • FIPS 140-2 validated cryptography
  • Zero Trust: MFA, identity-based access, ZTNA support
  • Open Linux OS with VM and container hosting
  • IT/OT convergence without sacrificing network separation
  • Available in standard 1U rack and ruggedised industrial form factors
  • ZPE Cloud management for centralised OOB oversight across sites

Frequently Asked Questions

What is the air-gap myth in OT security?

The air-gap myth is the assumption that physical or logical separation between the OT network and the IT network is sufficient to protect industrial control systems. In practice, management interfaces including serial console servers, SCADA historians, and engineering workstations create IP-reachable paths across that boundary, undermining the isolation the design intended.

Why is the SCADA management plane a security risk?

The serial console server connecting to PLCs and RTUs is a networked device on a management LAN. SCADA historians replicate data to business networks. Engineering workstations are often dual-homed. Remote access VPNs added for vendor support remain active. Each creates a path an attacker can follow from IT systems into OT management, even when the field devices themselves have no direct IP connectivity.

What is out-of-band management for OT environments?

Out-of-band management for OT uses a dedicated channel, separate from both the production OT network and the management LAN, to access device console ports. An OOB serial console server connects to PLCs, RTUs, and HMIs via RS-232 at the hardware layer. The server’s own access path runs on cellular (4G/LTE), independent of any IP network, so management access is maintained even when those networks are compromised or offline.

What is Isolated Management Infrastructure (IMI) for ICS/SCADA?

Isolated Management Infrastructure (IMI) separates the management plane from both the production OT network and the corporate IT network. Access to OT device consoles runs over a dedicated cellular channel that is not reachable from either IP network. CISA Binding Operational Directive 23-02 recommends IMI as a resilience requirement for critical infrastructure management interfaces. ZPE Systems implements IMI through the Nodegrid platform.

How does ZPE Nodegrid provide out-of-band access for OT devices?

ZPE Nodegrid Serial Console connects to OT device console ports via RS-232 serial, below the IP layer. The Nodegrid itself uses cellular (dual-SIM 4G/LTE) as its management access path, isolating it from both the OT production network and the management LAN. It supports Zero Trust access control with MFA and identity-based policies, runs on open Linux supporting VM and container hosting, and is available in ruggedised hardware variants for industrial environments.

What does CISA say about OT management plane security?

CISA Binding Operational Directive 23-02 specifically recommends isolated management infrastructure for management interfaces on critical infrastructure. The directive addresses the risk that management interfaces, including those in OT environments, are exposed when reachable via production or IT networks. The recommended control is separating those interfaces onto a dedicated, isolated management path.