
How Ski Resorts and Distributed Infrastructure Operators Deploy Zero Trust

Trout Team · 7 min read

55 Lifts, 1,500 Meters of Vertical, Zero Security Team

A large ski resort operates 55 ski lifts spread across an altitude range of 850m to 2,353m. Each lift is a safety-critical system — motors, braking systems, tension monitoring, passenger detection sensors, and emergency stops — all controlled by industrial automation equipment.

Between the lifts, add snowmaking systems (hundreds of snow guns with automated pressure and temperature controls), avalanche control infrastructure, weather stations, access gates at entry points, and the communication backbone connecting everything.

This is distributed operational infrastructure. It has the same security challenges as a pipeline network or a distributed power grid — challenges we explore in depth in our guide to scaling zero trust across 50+ locations — but with a few additional complications:

  • Extreme physical environment — equipment operates at high altitude in sub-zero temperatures, wind, ice, and UV exposure
  • Seasonal workforce — staff turnover is high; many operators are seasonal employees with limited technical training
  • No on-site IT team — there is no security operations center at the top of a mountain
  • Safety-critical operations — a lift failure is not a data breach; it is a physical safety incident with potential injuries or fatalities

"Deploying Zero-Trust across our site — a ski resort — was not in the cards with our resources. Now we operate a ZT architecture with a simple centralized control. Game changer."

— STBMA Operations

The OT Systems You Do Not Think About

Ski resorts — and distributed infrastructure operators in general — run a range of OT systems that rarely appear in cybersecurity discussions:

  • Lift controllers — PLCs managing motor speed, braking, passenger loading/unloading, and emergency procedures. These communicate with a central dispatch system over the resort's network.
  • Snowmaking automation — controllers for hundreds of snow guns, managing water pressure, air flow, and activation based on temperature and humidity sensors. A compromised snowmaking controller can waste enormous amounts of water and energy, or create dangerous conditions on slopes.
  • Avalanche control systems — remote-triggered explosive systems (Gazex, Wyssen towers) for controlled avalanche release. These are literally weapons systems controlled over a network.
  • Weather stations — automated sensors feeding data to operations for decisions about lift operations, snowmaking, and avalanche risk.
  • Access gates and ticketing — RFID/NFC gates at lift entry points, connected to the ticketing and access control system.
  • Communication infrastructure — fiber, radio repeaters, and WiFi access points spread across the mountain, often in exposed locations.

Every one of these systems is networked. Every one is a potential entry point. And every one is in a location that is difficult to physically secure.

Why Traditional Security Does Not Scale

The default approach to securing distributed sites is to deploy security infrastructure at each location: a firewall per site, a VPN concentrator, managed switches, and a local admin to maintain it all.

For a ski resort with 55+ lift stations, dozens of snowmaking nodes, and assorted other sites, this approach falls apart:

  • Capital cost
    Traditional site-by-site security: Firewall + managed switch per site. 55 lifts = 55 firewalls minimum.
    Centralized overlay approach: Single management plane + lightweight appliance per site.
  • Staffing
    Traditional site-by-site security: Requires network/security staff to configure and maintain each device.
    Centralized overlay approach: Requires one administrator managing centralized policies.
  • Coverage
    Traditional site-by-site security: Uneven. Well-funded sites get good security; remote sites get forgotten.
    Centralized overlay approach: Uniform. The same policy applies to the lift at 2,353m as to the base station.
  • Deployment time
    Traditional site-by-site security: Weeks to months. Each site requires on-site configuration and testing.
    Centralized overlay approach: Days. Pre-configured appliances ship to sites, plug in, and auto-register.
  • Policy changes
    Traditional site-by-site security: Touch every device. A firewall rule change at 55 sites takes days.
    Centralized overlay approach: Single policy push. Changes propagate to all sites in minutes.
  • Seasonal staff access
    Traditional site-by-site security: Create/revoke accounts on each local system.
    Centralized overlay approach: Centralized identity management. Deactivate once, effective everywhere.
  • Vendor maintenance access
    Traditional site-by-site security: VPN credentials per site, often shared or never revoked.
    Centralized overlay approach: Time-limited, recorded sessions through a central gateway.
  • Incident response
    Traditional site-by-site security: Drive to the site, connect to the local firewall, pull logs.
    Centralized overlay approach: Central dashboard with real-time visibility across all sites.

The math is straightforward. At an estimated 8 hours of setup and configuration per site for traditional security, a 55-lift resort needs 440 hours of on-site technical work just for initial deployment. With a centralized overlay approach, the on-site work per location drops to under 30 minutes — plug in the appliance, verify connectivity, move to the next site.

What "Zero Trust Without a Security Team" Looks Like

The STBMA example demonstrates a deployment model that applies to any distributed infrastructure operator: ski resorts, but also wind farm operators, distributed solar installations, water utilities with dozens of pump stations, or logistics companies with hundreds of warehouses.

The operating model has four characteristics:

1. Centralized Policy, Distributed Enforcement

Security policies are defined once in a central management console. Rules like "lift controllers can only communicate with the central dispatch system" or "snowmaking PLCs cannot initiate outbound connections" are written as policies and pushed to every site.

The policies enforce themselves at each location without any local administration. There is no local firewall to misconfigure.

2. Identity-Based Access, Not Network-Based Trust

Being on the resort's WiFi network does not grant access to OT systems. Every connection requires authentication. A seasonal lift operator authenticates with their individual credentials to access the lift monitoring interface. When the season ends, their access is revoked centrally — effective immediately at every lift station.

3. Automated Onboarding and Offboarding

New sites (a new lift, a new snowmaking zone) are added by shipping a pre-configured appliance. It connects to the overlay network, downloads its policies, and begins enforcing. Decommissioning a site is equally simple — remove it from the management console and the overlay tunnel shuts down.

This is critical for seasonal operations. Resorts commission and decommission infrastructure sections based on snow conditions. Security must follow operations, not the other way around.

4. Full Audit Trail Without Local Log Management

Every access event, policy enforcement action, and configuration change across all 55+ sites is logged centrally. When an auditor or insurer asks "who accessed the avalanche control system on February 14th," the answer is a query, not a request to drive up the mountain and pull logs from a local appliance.
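As an added illustration of the four characteristics above (this is example code, not Trout's or STBMA's software), the Python below models a default-deny policy defined once centrally, seasonal identities that expire in one place and are then denied at every site, and a central audit log that answers "who accessed the avalanche control system on February 14th" as a query. All asset ids, user names and dates are constructed.

```python
from datetime import date

# Constructed asset inventory (hypothetical ids): asset id -> asset class.
ASSETS = {
    "lift-07-plc": "lift_controller",
    "dispatch-core": "dispatch",
    "snowgun-zone3-plc": "snowmaking_plc",
    "avalanche-tower-12": "avalanche_control",
}

# Central policy, written once as (source class, destination class) pairs.
# Anything not listed is denied. Lift controllers may only talk to dispatch,
# and snowmaking PLCs have no outbound entry at all, which encodes
# "snowmaking PLCs cannot initiate outbound connections".
ALLOWED_FLOWS = {
    ("lift_controller", "dispatch"),
    ("dispatch", "lift_controller"),
    ("operator", "lift_controller"),
    ("operator", "avalanche_control"),
}

# Seasonal identities (constructed): access ends centrally on active_until.
IDENTITIES = {
    "jdoe": {"role": "operator", "active_until": date(2025, 4, 15)},
    "asmith": {"role": "operator", "active_until": date(2025, 2, 10)},  # season over
}

AUDIT_LOG = []  # central log: every decision, from every site, in one place

def authorize(principal, dst_asset, when):
    """Evaluate one connection attempt against the central policy and log it."""
    if principal in IDENTITIES:
        ident = IDENTITIES[principal]
        # A revoked or expired person has no role, so no flow can match.
        src_class = ident["role"] if when <= ident["active_until"] else None
    else:
        src_class = ASSETS.get(principal)  # a device is identified by inventory
    dst_class = ASSETS.get(dst_asset)
    allowed = (src_class, dst_class) in ALLOWED_FLOWS
    AUDIT_LOG.append({"when": when, "who": principal, "target": dst_asset, "allowed": allowed})
    return allowed

def who_accessed(asset_id, on_day):
    """Auditor's question answered from the central log: list of (who, allowed)."""
    return [(e["who"], e["allowed"]) for e in AUDIT_LOG
            if e["target"] == asset_id and e["when"] == on_day]
```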

Beyond Ski Resorts

The deployment pattern — centralized management, lightweight edge appliances, overlay networking, zero on-site security expertise required — applies to any organization operating distributed physical infrastructure:

  • Wind farms — 50+ turbines spread across remote terrain, each with a SCADA-connected controller
  • Power grid substations — hundreds of unmanned substations across thousands of square miles
  • Water utilities — hundreds of pump stations and treatment facilities across a service territory
  • Logistics operators — warehouse automation systems across dozens of distribution centers
  • Telecommunications — cell tower equipment and remote switching stations

The common constraint is the same: too many sites, too few qualified security staff, too much at stake to leave unprotected. The organizations that solve this problem are the ones that stop trying to replicate a data-center security model at every remote site and instead push security to a centralized plane that operates at the scale their infrastructure demands.


For more Zero Trust OT resources, architecture guides, and comparisons, visit the Zero Trust for OT Networks hub.