No Network Connection, No Attack Surface: The Case for On-Premises C2

Magal Solutions
June 8, 2026 - 4 min read

The debate over cloud versus on-premises hosting for critical infrastructure has been largely settled. The more important question, and the one actively shaping procurement at ports, airports, energy installations, and border facilities, is about separation: specifically, what kind of separation a site's command-and-control (C2) architecture needs to provide, and what the consequences are of getting that wrong.

For a growing number of operators, the answer points clearly toward on-premises hosting, as a deliberate security posture.

The threats that reshaped the calculus

The case for physical separation has grown stronger with each documented instance of a cyber intrusion producing physical consequences. Stuxnet established the principle. The Baltic sabotage campaign reinforced it, showing that coordinated infrastructure targeting could combine physical and cyber vectors in ways that made deploying network-connected C2 systems a considerable risk rather than a convenience.

The conclusion many operators have drawn is straightforward: a system connected to external third-party networks has a considerable external attack surface. Removing that connection removes a category of risk that no amount of cybersecurity investment can fully close.

The security logic of physical separation

An on-premises C2 system hosted on a private, air-gapped server is not accessible from outside the site. There is no remote login, no cloud-based management interface, no IP address that an external actor can probe. Compromising it requires physical presence on the site, which is exactly the kind of threat a well-designed perimeter security architecture prevents.

This creates a closed loop that is inherently more defensible than any network-connected alternative. The cybersecurity budget required to protect an air-gapped system is a fraction of what network-connected infrastructure demands. There are no VPN configurations to maintain or credentials to rotate. The threat surface is physically bounded, and therefore manageable.

To compromise it, an attacker has to be there, which is precisely what the perimeter is designed to prevent.

Consider a regional power generation facility operating in an environment with unreliable or contested connectivity. A web-based C2 system in that context introduces a dependency on external infrastructure that the site cannot control. An on-premises system has no such dependency. It operates independently of network conditions, and its security posture does not degrade when connectivity does.

Private operators are only learning now what government operators have always known.

Government operators (defence installations, nuclear facilities, server farms, high-security government buildings) have required on-premises hosting as standard for decades. The reasoning was never primarily about cost. It was about control: the recognition that the most sensitive systems should not have any surface exposed to the outside world.

That recognition is now spreading. Privatized operators of critical infrastructure that previously treated on-premises hosting as an unnecessary constraint are reassessing. What was once the preference of a narrow tier of government customers is increasingly the considered choice of any operator who has thought carefully about what a compromised C2 system means for their site and its ability to deliver output.

The hybrid option

On-premises does not have to mean isolated. A private cloud gives operators the operational flexibility of a cloud architecture without the exposure of a web-based service. In this environment, the server infrastructure resides on-site but supports wireless access from defined locations within the site. Certain personnel can access the system remotely within defined parameters, and the server itself remains on-site, air-gapped from external networks.

This requires its own communications and IT infrastructure to implement correctly. It is not a simple configuration. But for operators who need both security rigour and operational flexibility, it is a viable middle path with minimal compromise. As a result, it is increasingly being specified in procurement requirements for complex sites.
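As an added illustration (not Magal's code or product), the following models the access rules of the hybrid architecture described above: the server must bind only to on-site addresses, and a request is accepted only from a defined on-site wireless segment, from an authorised operator, inside that operator's permitted hours. The site segments, operator names and hours are constructed sample values, and the time-window rule stands in for the "defined parameters" the text leaves open.

```python
import ipaddress
from dataclasses import dataclass, field

# Default-deny policy for remote access to an on-site, air-gapped C2 server.
# All values below are constructed for illustration; they are not a real site's.

@dataclass
class HybridC2Policy:
    # Wireless segments inside the site fence that may reach the C2 server
    site_segments: list[str] = field(default_factory=list)
    # operator -> ("HH:MM", "HH:MM") permitted window; assumed parameter,
    # zero-padded strings compare correctly as text
    personnel: dict[str, tuple[str, str]] = field(default_factory=dict)

    def bind_addresses_are_private(self, bind_addrs: list[str]) -> bool:
        """True only if no listening address is globally routable (nothing to probe)."""
        return all(not ipaddress.ip_address(a).is_global for a in bind_addrs)

    def on_site(self, src_ip: str) -> bool:
        """True if the source address lies inside a defined on-site segment."""
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(seg) for seg in self.site_segments)

    def authorise(self, src_ip: str, operator: str, at: str) -> tuple[bool, str]:
        """Return (allowed, reason). Any check that does not pass denies the request."""
        if not self.on_site(src_ip):
            return False, "source not on a defined on-site segment"
        window = self.personnel.get(operator)
        if window is None:
            return False, "operator not authorised for remote access"
        start, end = window
        if not (start <= at <= end):
            return False, "outside operator's permitted hours"
        return True, "allowed"

# Constructed sample policy for a fictional site
POLICY = HybridC2Policy(
    site_segments=["10.40.1.0/24", "10.40.2.0/24"],   # control-room and patrol Wi-Fi
    personnel={"shift_lead": ("06:00", "22:00")},
)

if __name__ == "__main__":
    print(POLICY.bind_addresses_are_private(["10.40.0.2", "127.0.0.1"]))
    print(POLICY.authorise("10.40.2.17", "shift_lead", "09:30"))
    print(POLICY.authorise("198.51.100.9", "shift_lead", "09:30"))
```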

This architecture is most relevant for:

  • Government facilities and high-security installations
  • Privatized operators of critical infrastructure including airports, seaports, and energy assets
  • Sites operating in regions with unreliable or contested connectivity
  • Any operator for whom a compromised C2 system would have detrimental consequences beyond the site itself

Magal has been designing and deploying on-premises C2 architecture for critical infrastructure operators across every major sector.


Speak to a specialist to assess the right architecture for your site.