Operational Technology Security. For the equipment you cannot replace.
PLCs, HMIs, CNCs, SCADA, RTUs — every industrial environment runs on equipment older than modern cybersecurity. IT tools do not work on it. Active scans crash it. Agents do not install on it. Access Gate enforces zero-trust at the network layer instead — asset discovery, microsegmentation, MFA, audit — without touching a single production device.
Industrial environments are not IT environments with industrial labels. The equipment is 15-30 years old. The protocols predate authentication. The priority is uptime, not data. The tools that work for IT — agents, active scans, modern firewalls speaking modern protocols — either do not work at all, or actively break the systems they are meant to protect. An OT security platform has to start from the constraint and build outward, not the other way around.
Industrial equipment lifecycle
A PLC deployed in 2003 is still running in 2026. Patch cycles, firmware updates, and replacement schedules look nothing like IT.
Agents installable on PLCs
Industrial controllers run dedicated firmware with no agent runtime. Whatever security you deploy has to operate at the network layer, not on the endpoint.
Cost of two-week production outage
Typical mid-sized industrial ransomware incident. The driver behind "no production downtime" being a hard constraint, not a preference.
Six capabilities, mapped to OT operational reality
Asset discovery on legacy protocols
OT runs Modbus, S7, DNP3, EtherNet/IP, OPC-UA — protocols IT scanners do not understand or risk crashing. Passive observation is the only safe method.
Passive packet inspection identifies device make, model, firmware, and protocol behavior. No active probes. PLCs that have been up for 10 years stay up.
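Where a device implements Modbus Read Device Identification (function 0x2B, MEI type 0x0E) and an engineering workstation already queries it, the reply on the wire carries vendor, product code and revision, so a passive sensor can read them without sending a packet. The parser below is an added example, not Access Gate code; the sample frame and its vendor and product strings are constructed.

```python
import struct

# Object ids defined for Modbus Read Device Identification (function 0x2B, MEI 0x0E).
OBJECT_NAMES = {0x00: "vendor", 0x01: "product_code", 0x02: "revision"}

def parse_device_id(frame):
    """Return identity fields from a captured Read Device Identification
    response, or None if the frame is anything else or is malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:6 + length]             # MBAP length counts unit id + PDU
    if proto != 0 or len(pdu) != length - 1 or len(pdu) < 7:
        return None
    if pdu[0] != 0x2B or pdu[1] != 0x0E:  # also skips exception replies (0xAB)
        return None
    out, pos = {"unit": unit}, 7
    for _ in range(pdu[6]):               # pdu[6] = number of objects
        if pos + 2 > len(pdu):
            return None
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:         # declared length runs past the frame
            return None
        name = OBJECT_NAMES.get(obj_id, "object_%02x" % obj_id)
        out[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return out

def _obj(obj_id, text):
    return bytes([obj_id, len(text)]) + text.encode()

# Constructed sample response (vendor and product strings are made up).
_PDU = (bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
        + _obj(0, "AcmeControls") + _obj(1, "AC-500") + _obj(2, "V2.1"))
SAMPLE = struct.pack(">HHHB", 1, 0, len(_PDU) + 1, 1) + _PDU
EXCEPTION = struct.pack(">HHHB", 2, 0, 3, 1) + bytes([0xAB, 0x01])

if __name__ == "__main__":
    print(parse_device_id(SAMPLE))
```

Frames that are truncated, carry a different function code, or are exception replies return None rather than a partial identity, so a malformed capture cannot pollute the asset inventory.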
Microsegmentation without rewiring
OT networks are usually flat — one big VLAN serving the whole shop floor. Re-VLAN-ing requires switch changes, planned downtime, and cable rework that production teams will not approve.
Overlay segmentation runs above the existing L2/L3 topology. Zones are defined logically, conduits are enforced by policy. No physical change required.
Network-layer MFA for devices that do not support it
PLCs, HMIs running Windows XP, embedded controllers — none of them support MFA natively. Compliance frameworks require it anyway.
MFA enforced at the Access Gate proxy in front of the device. User authenticates; gate opens the session. The device sees a normal connection. The auditor sees MFA evidence.
Vendor remote access control
OEMs, integrators, and contractors need access for maintenance. Persistent VPN is the wrong answer — too much standing access, too little accountability.
Session-scoped vendor access: specific asset, specific protocol, specific time window. MFA required. Session recorded. Auto-revoked when the window ends.
Tamper-evident audit
CMMC, NIS2, NERC CIP, IEC 62443 — every framework requires evidence that controls actually ran. Self-generated narrative logs are not enough; the logs have to be tamper-evident.
Hash-chained session logs, cryptographically signed time stamps, append-only storage. Every session attributable to an identity. Export-ready for C3PAO, NIS2 audit, or NERC CIP assessment.
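An added sketch of the hash-chain idea, not Access Gate's implementation: each record stores the hash of its predecessor, and an HMAC under a constructed demo key stands in for a real signature. The record fields, identities and asset names are assumptions made for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
KEY = b"constructed-demo-key"  # assumption: stands in for a real signing key

def _digest(body):
    # Canonical JSON so the same record always produces the same hash.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def _tag(record_hash):
    return hmac.new(KEY, record_hash.encode(), hashlib.sha256).hexdigest()

def append(log, ts, identity, asset, event):
    """Append a record linked to its predecessor and return the new head hash."""
    body = {"seq": len(log), "ts": ts, "identity": identity, "asset": asset,
            "event": event, "prev": log[-1]["hash"] if log else GENESIS}
    h = _digest(body)
    log.append({**body, "hash": h, "tag": _tag(h)})
    return h

def verify(log, anchored_head):
    """Return None if intact, else (index, reason) for the first fault found."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("hash", "tag")}
        if rec["seq"] != i or rec["prev"] != prev:
            return (i, "broken link")
        if _digest(body) != rec["hash"]:
            return (i, "record altered")
        if not hmac.compare_digest(_tag(rec["hash"]), rec["tag"]):
            return (i, "bad tag")
        prev = rec["hash"]
    # Dropping records from the end leaves a valid chain; only a head hash
    # stored elsewhere (SIEM, WORM storage) exposes it.
    return None if prev == anchored_head else (len(log), "head mismatch")

def demo():
    log = []  # constructed sample session, not real data
    append(log, "2026-01-12T08:00:00Z", "vendor.alice", "plc-07", "session-open")
    append(log, "2026-01-12T08:04:10Z", "vendor.alice", "plc-07", "modbus-write")
    head = append(log, "2026-01-12T08:30:00Z", "vendor.alice", "plc-07", "session-close")
    edited = [dict(r) for r in log]
    edited[1]["event"] = "modbus-read"            # rewrite history in place
    rehashed = [dict(r) for r in edited]
    rehashed[1]["hash"] = _digest({k: v for k, v in rehashed[1].items()
                                   if k not in ("hash", "tag")})  # no key, stale tag
    return [verify(x, head) for x in (log, edited, rehashed, log[:2], log[:1] + log[2:])]
```

`demo()` checks the intact log, an in-place edit, an edit with the hash recomputed by someone without the key, a truncated tail, and a deleted middle record; the truncation case is caught only because the head hash was kept outside the log.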
Compatibility with existing IT security stack
OT teams cannot operate parallel security tooling. Logs need to land in the SIEM the SOC already uses. Identity needs to come from the IT IdP.
Forwards to Splunk, Sentinel, QRadar, Elastic, or any syslog/CEF target. Federates to Entra ID, Okta, Active Directory, or local accounts. Coexists, does not duplicate.
Four verticals, four regulatory hooks
Manufacturing
Job shops, contract manufacturers, automotive tier suppliers, aerospace fabricators. Mix of modern HMIs and decade-old PLCs on the same shop floor.
Regulatory hook
CMMC Level 2 (defense), NIS2 (EU), CIS 18 (general). Audit deadlines drive timeline.
Business outcome
Pass the certification, keep production running, avoid the GCC High migration that does not cover the shop floor anyway.
Utilities — power, water, gas
Substations, treatment plants, pipelines. SCADA systems, RTUs, legacy serial-to-IP converters. Geographically dispersed sites.
Regulatory hook
NERC CIP-003-9, CIP-015 INSM (US power). EPA CISA expectations (water). NIS2 (EU).
Business outcome
Avoid the $1M/day per-violation NERC fine exposure. Demonstrate INSM for the East-West traffic that CIP-015 just made mandatory.
Defense industrial base
Prime contractors and subs handling CUI on engineering workstations and OT-adjacent systems. Often a mix of GCC High plans and on-premise legacy.
Regulatory hook
CMMC Level 2 (October 2026). DoD Zero Trust Reference Architecture (DTM 25-003). NIST SP 800-171.
Business outcome
Cover the OT and specialized-asset CUI flows that GCC High cannot. Pass the C3PAO assessment for the contracts the business runs on.
Critical infrastructure transport
Airports, ports, rail operators. Mix of physical access systems, OT (baggage handling, signaling, terminal control), and IT business systems.
Regulatory hook
TSA Security Directives (US transport). NIS2 (EU). State-level critical infrastructure rules.
Business outcome
Bounded enclave around the OT segments. Vendor access controlled. Audit evidence ready for TSA inspection without disrupting day-to-day operations.
From dark OT to enforced zero-trust.
Week 1: passive discovery + scope. Week 2: zones, conduits, MFA. Week 3: audit logs to your SIEM. No production downtime at any phase.
No production downtime
Access Gate is agent-free, deployed adjacent to the network, and starts in observation mode. Enforcement is enabled per-zone after baseline traffic is mapped.
Coexists with your IT security stack
Logs forward to Splunk, Sentinel, QRadar, Elastic. Identity federates to Entra, Okta, AD. Access Gate adds the OT layer your IT tools cannot reach — it does not replace them.
Specific compliance and architecture deep-dives
For specific regulatory frameworks, see CMMC for defense manufacturers, NIS2 for industrial OT, and NERC CIP for electric utilities. For architecture, see CUI enclave vs GCC High and DoD Zero Trust Reference Architecture for OT.
Operational technology security
single-site pilot, no downtime
Operational technology (OT) security is the practice of protecting industrial systems — PLCs, HMIs, SCADA servers, CNCs, RTUs, sensors, and the networks they run on — from cyber threats. It differs from IT security in three fundamental ways: (1) priority is availability over confidentiality (an automation device that stops costs more than data exposure for most operators), (2) the lifecycle is 15-30 years rather than 3-5, and (3) the protocols (Modbus, S7, DNP3, OPC-UA) were designed before modern cybersecurity standards. An OT security platform must work without taking equipment offline, without installing agents, and without breaking the protocols themselves.
Three structural reasons. (1) Agents do not install on PLCs, HMIs, or embedded firmware — there is nowhere to put them. (2) Active scanning (Nessus, Qualys) can crash legacy OT devices that were not built to handle modern probing. (3) IT firewalls do not understand industrial protocols and either block everything (production stops) or pass everything (segmentation fails). OT needs purpose-built platforms that observe passively, enforce at the network layer, and speak industrial protocols. Access Gate is built for this.
OT (Operational Technology) is the broader term — it covers any system that monitors or controls physical processes. ICS (Industrial Control System) is one major subset of OT, specifically the systems that control automated industrial processes — SCADA, DCS, PLCs, HMIs. Other OT subsets include building management systems (HVAC, lighting), facility security systems (access control, surveillance), and increasingly IoT-class devices in industrial environments. Most security platforms marketed for ICS also cover the broader OT category; the terms are often used interchangeably in vendor marketing.
Access Gate is a network-layer enforcement platform — it sits adjacent to your existing infrastructure, not in front of it. It federates to your existing identity provider (Entra ID, Okta, Active Directory). It forwards logs and alerts to your existing SIEM (Splunk, Sentinel, QRadar, Elastic). It does not replace your IT firewalls, your endpoint security on user workstations, or your patch management. It adds the OT-specific enforcement layer that those tools cannot provide: passive asset discovery, overlay microsegmentation, network-layer MFA, vendor session control, and tamper-evident audit on industrial protocols.
Depends on the vertical. Defense and defense industrial base — CMMC Level 2 (NIST 800-171), DoD Zero Trust Reference Architecture. Power utilities — NERC CIP-003-9, CIP-015 INSM. Water utilities — EPA America's Water Infrastructure Act, post-Volt Typhoon CISA guidance. Manufacturing — NIS2 Article 21 (EU), CMMC Level 2 (US defense suppliers). Transportation — TSA Security Directives. Across all of these, the common technical demands are: network segmentation, access control with MFA, audit logging, vendor remote access control, and supply chain risk management. Access Gate covers these as horizontal capabilities; the regulatory mapping is per-vertical evidence packaging.
3 weeks for a single-site pilot. Week 1: passive asset discovery, scope confirmation, identity provider integration. Week 2: zone definition, conduit policies, MFA enforcement on vendor and operator paths. Week 3: audit log forwarding to SIEM, evidence package generation for the relevant regulatory framework. After the pilot, expansion to additional sites runs in parallel and adds about 1-2 weeks per site depending on complexity. No production downtime is required at any phase.