
The Air-Gap Myth


Enova Technologies  |  ZPE Systems Nodegrid  |  OT Security

Most OT environments are designed around isolation. The field devices are serial, proprietary, and unreachable from the corporate network. The air gap holds. The problem is not the field devices. It is the management path to them.

The serial console server connecting to your PLCs is a networked device. It sits on a management LAN. The SCADA historian replicates data to the business network. The engineering workstation has a corporate network adapter alongside its OT network adapter. The remote access VPN set up for vendor support three years ago is still active.

Each one is a path across the boundary, a path the air-gap model assumes does not exist.

94% of organisations surveyed had experienced a security incident on their IIoT or OT systems in the previous 12 months, according to Barracuda Networks’ State of Industrial Security 2022 report. In most cases, initial access came through IT-adjacent and management systems, not through field devices. The production network was not the entry point. The management plane was.

What is the OT management plane?

An OT (operational technology) environment has two distinct layers. The production network carries control traffic between PLCs, RTUs, DCS systems, and SCADA servers. The management plane sits above it: the serial console servers, engineering workstations, historians, and remote access gateways used to configure and monitor those field devices.

The production network is often air-gapped or isolated by design. The management plane is typically IP-reachable. This distinction is where most OT security assessments find their largest gaps.

An air gap between field devices and business IT does not protect against an attacker who has already reached the management LAN. From there, every console port connected to a serial console server is reachable.

The correct architectural response is to isolate the management plane itself. CISA Binding Operational Directive 23-02 (June 2023) addresses this directly. It requires that management interfaces be removed from internet exposure or placed behind an isolated management network. While the directive applies to federal agencies, the principle is sound for any critical OT environment: the tool you use to reach your devices during an incident should not be on the same network as the systems being recovered.

This is the problem that out-of-band (OOB) management solves at the architecture level.

An OOB serial console server connects to PLCs, RTUs, and HMIs via RS-232 hardware console ports. This access path sits below IP, below the OS. Its own management traffic runs on a dedicated cellular link (4G/LTE), independent of both the OT production network and the management LAN. If either IP network is offline or compromised, the cellular OOB channel remains up. Every device console remains reachable.
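The argument above is a reachability argument: whether a field-device console can be reached depends on which network segments the console server shares with hosts an attacker can already reach. The script below is an added illustration, not code from the article, from Enova or from ZPE Systems. It models the two topologies the article contrasts as a small graph (hosts attached to named zones; two hosts are adjacent if they share a zone), then asks which serial-only field devices can be reached from a business-IT host and which hosts bridge the IT WAN and the management LAN. Host names, zone names and both inventories are constructed for the example and are not a real site.

```python
"""Zone-reachability check for an OT management plane (added example).

Each host lists the network segments ("zones") it is attached to. Two hosts
are adjacent when they share a zone. A path from a business-IT host to a
serial-only field device shows where the assumed air gap is bridged.
Both inventories below are constructed to mirror the article's two diagrams.
"""
from collections import deque

# Constructed inventory: the "air-gap assumption" topology.
AIRGAP_ASSUMED = {
    "erp":            {"zones": {"it_wan"}},
    "historian":      {"zones": {"it_wan", "mgmt_lan"}},   # data replication bridge
    "vendor_vpn":     {"zones": {"it_wan", "mgmt_lan"}},   # legacy remote access
    "eng_ws":         {"zones": {"mgmt_lan"}},
    "serial_console": {"zones": {"mgmt_lan", "serial"}},   # IP-reachable console server
    "plc":            {"zones": {"serial"}},
    "rtu":            {"zones": {"serial"}},
}

# Constructed inventory: same site, console server moved to an OOB cellular
# path. The serial zone now hangs off a host that no IP LAN host can reach.
OOB_ISOLATED = {
    "erp":            {"zones": {"it_wan"}},
    "historian":      {"zones": {"it_wan", "mgmt_lan"}},
    "vendor_vpn":     {"zones": {"it_wan", "mgmt_lan"}},
    "eng_ws":         {"zones": {"mgmt_lan"}},
    "oob_console":    {"zones": {"oob_cellular", "serial"}},
    "plc":            {"zones": {"serial"}},
    "rtu":            {"zones": {"serial"}},
}


def neighbours(inv, host):
    """Hosts that share at least one zone with `host`."""
    zones = inv[host]["zones"]
    return [h for h in inv if h != host and inv[h]["zones"] & zones]


def reach_path(inv, src, dst):
    """Breadth-first search; returns the host path src..dst, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in neighbours(inv, cur):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def bridging_hosts(inv, zone_a, zone_b):
    """Dual-homed hosts attached to both zones, i.e. the bridges across a boundary."""
    return sorted(h for h, d in inv.items() if {zone_a, zone_b} <= d["zones"])


def exposed_field_devices(inv, entry="erp"):
    """Serial-only field devices whose console is reachable from `entry`."""
    return sorted(
        h for h, d in inv.items()
        if d["zones"] == {"serial"} and reach_path(inv, entry, h) is not None
    )


if __name__ == "__main__":
    for name, inv in (("air-gap assumption", AIRGAP_ASSUMED), ("OOB isolated", OOB_ISOLATED)):
        print(f"{name}: IT WAN <-> mgmt LAN bridges = {bridging_hosts(inv, 'it_wan', 'mgmt_lan')}")
        print(f"{name}: field consoles reachable from ERP = {exposed_field_devices(inv)}")
        print(f"{name}: path ERP -> PLC = {reach_path(inv, 'erp', 'plc')}")
```

Run as-is, the first inventory reports the PLC and RTU consoles as reachable from the ERP host through the historian and the serial console server, while the second reports none, because the only host on the serial zone is attached to the cellular channel rather than the management LAN. Fed a real asset inventory (one entry per host with its interfaces' segments), the same two functions give a defender a quick list of dual-homed bridges and of field consoles that are one compromised LAN away from business IT.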

ZPE Systems calls this Isolated Management Infrastructure (IMI). Their Nodegrid Serial Console implements the architecture with dual-SIM 4G/LTE, FIPS 140-3 validated cryptography, Zero Trust access controls with MFA, and ruggedised hardware options for energy, utilities, and manufacturing environments. The Nodegrid OS is vendor-neutral and open Linux-based, meaning existing OT security tools and management agents can run as VMs or containers directly on the device.

“The tool you use to reach your OT devices during an incident should not be on the same network segment as the systems being recovered.”

Isolated Management Infrastructure (IMI) principle — CISA BOD 23-02

Management plane exposure: air-gap assumption vs. OOB reality

[Figure: Management plane exposure, air-gap assumption vs. OOB reality]

Panel 1, the air-gap assumption: L4-5 business IT (ERP / email, IT WAN); assumed air gap; L3 SCADA / management LAN (historian, engineering workstation, VPN/jump host, serial console, HMI), with data replication and remote access crossing the gap; L0-2 field devices on RS-232 serial (PLC, RTU, DCS). Caption: the serial console is on the management LAN; the historian and remote access bridge the claimed air gap; the management plane is an IP-reachability problem.

Panel 2, with Nodegrid OOB: management LAN compromised (attack / encryption); Nodegrid OT serial console (OOB) on a 4G/LTE OOB channel; PLC, RTU, DCS over RS-232 console cables. Caption: serial access maintained via cellular; management plane fully isolated from both IP networks.

Nodegrid Serial Console for OT environments

1. Serial console access to PLCs, RTUs, HMIs (RS-232) — direct connection at the hardware layer, below IP and below the OS

2. Cellular OOB path (dual-SIM 4G/LTE) — management access independent of both OT production network and management LAN

3. Zero Trust access control — MFA, identity-based access management, FIPS 140-3 validated cryptography

4. Vendor-neutral platform — integrates existing OT management and security tools; open Linux-based Nodegrid OS supports VM and container hosting

5. Ruggedised hardware options — extended temperature range and power redundancy for energy, utilities, and manufacturing environments

Frequently asked questions

What is an OT management plane and why is it separate from the OT network?

The OT network carries production data between PLCs, RTUs, DCS systems, and SCADA servers. The management plane is the layer above it — the serial console servers, engineering workstations, SCADA historians, and remote access gateways used to configure and monitor those field devices. These management systems typically sit on an IP-reachable LAN, even when the field devices themselves run on isolated serial or proprietary buses.

How does a serial console server create an air-gap exposure risk?

A serial console server provides IP-based access to PLC and RTU console ports over RS-232. Although the field devices have no IP stack, the console server itself is a networked device on the management LAN. Any attacker who reaches that LAN can access the console ports of every connected field device, bypassing the assumed air gap entirely.

What is Isolated Management Infrastructure (IMI) and how does it close this gap?

Isolated Management Infrastructure (IMI) places the management access path on a completely separate network from both the OT production network and the management LAN. A serial console server connects to field devices via RS-232 and routes its own management traffic over a dedicated cellular (4G/LTE) link. If both IP networks are compromised or offline, the cellular OOB path remains available and every device console remains reachable.

What is CISA Binding Operational Directive 23-02 and what does it require?

CISA Binding Operational Directive 23-02, issued June 2023, requires federal agencies to remove management interfaces from internet exposure or implement Zero Trust controls. CISA specifically recommends an isolated management network as the preferred remediation. The architectural principle applies beyond federal agencies: the tool used to manage infrastructure during an incident should not share a network segment with the systems being recovered.

How does ZPE Nodegrid provide out-of-band management for SCADA and ICS environments?

ZPE Systems Nodegrid Serial Console connects directly to PLCs, RTUs, and HMIs via RS-232 hardware console ports, below IP and below the OS. It carries FIPS 140-3 validated cryptography, dual-SIM 4G/LTE for the OOB access path, Zero Trust access controls with MFA, and is available in ruggedised form factors for extended-temperature and harsh-power environments. The management plane is entirely independent of both the OT production network and the management LAN.

Does ZPE Nodegrid require replacing existing OT infrastructure or SCADA systems?

No. Nodegrid is vendor-neutral and connects via standard RS-232 console cables to existing PLCs, RTUs, DCS systems, and HMIs. The open Linux-based Nodegrid OS supports VM and container hosting, so existing OT management tools and security agents can run directly on the device. Deployment adds an isolated access path without changing the production network or requiring modifications to field devices.

Enova is a ZPE Systems authorised partner in Singapore. We can map your current SCADA management plane against the IMI model and identify exposure points.


Published by

eNOVA Technologies

eNOVA Technologies is Singapore's specialist distributor for data centre IT management solutions, representing Adder, Guntermann & Drunck, Raritan, Sunbird, ZPE Systems, and VuWall across Singapore and Southeast Asia. Our technical content is produced with AI assistance and reviewed by our in-house team before publication.

This article was produced with AI assistance and reviewed by the eNOVA Technologies team. All technical claims are verified against manufacturer documentation.
