Control rooms have always been places where the stakes are high, reports Barco.
Control rooms are the nerve centres of power grids, transportation networks, emergency services and industrial operations.
One wrong move, or one successful cyber-attack, can have consequences that ripple far beyond the walls of the facility itself.
So, when it comes to the technology running those rooms, security needs to be the foundation, not an afterthought.
For years, KVM over IP has been the standard answer to a specific operational challenge: how do you give operators access to multiple computers and systems through a single keyboard, mouse and screen, across a network? It solved a real problem, and it did so well.
However, as control rooms become more connected, more source-diverse and more targeted by sophisticated threat actors, the question is no longer just “can operators access the systems they need?”
The question is “how securely, and how seamlessly, does that access integrate with everything else the organisation is doing to protect itself?”
That shift in thinking is what gives rise to KVM over IT – and it changes quite a lot.
In this article we explore what Barco CTRL, the platform that evolves control room workflows and visualisation natively in the IT ecosystem, means for critical infrastructure security.
From connecting to integrating
KVM over IP connects operators to systems. KVM over IT integrates the control room into the broader IT ecosystem of the organisation. The distinction sounds subtle, but the security implications are profound.
With a traditional KVM over IP setup, the control room tends to sit alongside the IT infrastructure – a separate island with its own security policies, its own user management and its own monitoring tools.
That separation creates gaps, and gaps are exactly what attackers look for. Every interface between two systems that were not designed to work together is a potential entry point.
KVM over IT, as embodied by Barco CTRL, takes a different approach. Rather than bridging the gap between the control room and the IT infrastructure, it eliminates the gap.
Identity management, access controls, audit logging and network monitoring – all of it is shared with the rest of the organisation’s IT environment.
On top of that, the platform natively supports the full range of source types an organisation relies on, from web applications and virtual desktops (RDP, VNC) to traditional AV signals, all accessible through the same interface.
The control room does not get a special exemption from the security policies governing everything else but rather benefits from them.
Even better: security does not end at the boundaries of the main control room.
Thanks to the Connected Control Room concept, Barco CTRL can securely share critical information across sites regardless of geographic distance.
Whether you are connecting offshore operations with onshore facilities, linking distributed airport control rooms or enabling experts to work from remote locations with full operational capability, the platform handles it without compromising security or simplicity.
The federation feature takes this one step further. Multiple autonomous Barco CTRL installations at different locations can be linked together, allowing them to share sources and information as if they were one coherent system.
For organisations managing distributed operations, this transforms what used to be a collection of isolated control rooms into a unified operational network – one that is still fully secure, fully manageable and very much part of the broader IT ecosystem.
The security architecture: five pillars
Understanding why this matters requires a look at how Barco CTRL’s security is actually structured.
The platform is built on five clearly defined security pillars, collectively forming a “secure by design” approach – meaning security was not added to the platform after the fact, but woven into its architecture from the very first design decision.
Identity management sits at the top. Built on a zero-trust architecture, the platform enforces strict authentication and authorisation at every level.
This is not just user login but includes device authentication as well, meaning unauthorised hardware cannot simply be plugged into the network and gain access.
Critically, because Barco CTRL integrates with corporate identity providers, operators can use MFA and the same credentials they use across the rest of the organisation.
When someone changes roles or leaves the company, their access is revoked through the same central process as any other system. No separate user database to maintain, no risk of orphaned accounts.
Communication protection ensures that everything traveling across the network is encrypted and verified. Barco CTRL uses certificate-based communication with mTLS for confidentiality and integrity.
This is the same standard used across modern enterprise IT environments, which means it fits naturally into existing network security frameworks rather than requiring special handling.
System protection covers the lifecycle of the platform, from booting through storage, communication and software updates.
Devices are prevented from running unauthorised software, with boot integrity enforced by Barco’s signing mechanisms.
This appliance-based model eliminates entire categories of attack that rely on introducing malicious software at the endpoint level.
Audit logging is where the IT integration pays particularly visible dividends. Integrated audit logging means that control room events – logins, configuration changes, source access, system alerts – are recorded on the same central log platform as the rest of the organisation’s events, for example a SIEM server.
For security teams responding to an incident, this is the difference between having a complete picture and having an inconvenient gap.
For compliance officers, it means the control room produces exactly the kind of traceable records that frameworks like NIS2, ISO 27001 and NERC-CIP require, without any additional tooling or manual effort.
Media protection completes the picture, with encryption applied to the media streams that travel on the network, to protect content from unauthorised access.
Why IT integration strengthens every pillar
Each of these pillars is stronger because of the IT integration, not despite it.
Consider MFA: in a traditional KVM over IP environment, enforcing MFA consistently across the control room often requires separate configuration, separate exceptions and separate maintenance.
In a KVM over IT environment, MFA is simply part of how users log in – the same way it works everywhere else in the organisation.
Attribute-based access control (ABAC) adds further granularity: access rights can be tied to roles, locations and operational context, ensuring operators only see the sources relevant to their function.
Network monitoring works the same way. Because Barco CTRL’s components – encoders, decoders, the server node – are monitored via standard SNMP, they appear in the same IT dashboard the operations team already uses.
There is no separate management console, no proprietary tooling and no siloed view of the control room’s health. When something looks wrong, the IT team sees it in the same place they see everything else.
This consistency is an important security feature. Fragmented monitoring creates blind spots, while unified monitoring eliminates them.
Security that does not slow operations down
There is a tension at the heart of control room security that every IT manager and C-level executive in critical infrastructure knows well. Operational technology (OT) environments are inherently conservative.
The systems managing power distribution or rail networks cannot simply be updated on a rolling schedule the way a corporate laptop fleet can. Downtime is not just inconvenient but can be truly catastrophic.
This conservatism has historically made OT environments slower to adopt modern security practices, and that lag has not gone unnoticed by threat actors.
The convergence of IT and OT is accelerating, and with it, the attack surface is expanding.
Barco CTRL is designed to navigate this tension.
Security measures are implemented in ways that do not create operational friction.
Updates can be rolled out centrally, across the entire system, in the time it takes to drink a cup of coffee – not during extended maintenance windows that disrupt operations.
On the software side, services run in isolated containers on the server, meaning one malfunctioning component cannot bring down the whole system.
Redundancy options for critical components ensure that even hardware failure does not mean downtime. The result is a platform that takes security seriously without making operators feel like they are working inside a vault.
Not a checkbox, but a starting point
For C-level executives, the regulatory dimension of control room security is increasingly personal.
The NIS2 directive, which applies to organisations operating in critical and important sectors across the EU, requires management to actively approve and oversee cybersecurity risk management measures – and holds executives personally liable for failures.
Administrative fines for essential entities can reach €10m or 2% of global turnover.
The EU Cyber Resilience Act, coming into effect in December 2027, will impose new obligations on manufacturers of software-enabled products, including requirements around vulnerability handling and security update provision throughout the product lifecycle.
NERC-CIP adds further layers of compliance obligation for organisations operating in specific sectors or geographies. Barco CTRL is built with this regulatory landscape in mind.
The platform undergoes regular penetration testing, holds ISO 27001 certification and follows a clear security roadmap maintained by a dedicated in-house product security team.
Security as an enabler
Perhaps the most important shift that KVM over IT represents is philosophical.
Security in control rooms has sometimes been framed as something that gets in the way – more passwords, more restrictions, more friction.
The reality – when security is designed in from the start and integrated properly into the IT ecosystem – is the opposite.
A control room that shares identity management, monitoring and audit logging with the rest of the organisation is easier to manage, easier to audit and easier to defend than one that operates as a separate island.
For IT managers, it means the control room finally speaks the same language as the rest of the infrastructure they oversee.
For C-level executives, it means reduced liability exposure, cleaner compliance reporting and a security posture that can evolve in step with the threat landscape rather than always catching up to it.
KVM over IP solved the problem of access. KVM over IT solves the problem of security.
Not by locking things down, but by connecting them intelligently to the systems and processes that already protect the organisation. But KVM over IT is not only about security.
It turns KVM into an IT-native platform, integrating with enterprise networks, identity systems, monitoring tools and security processes, while providing scalability, manageability and resilience far beyond traditional KVM over IP.
To find out more information, please visit: www.barco.com
