Trout
Reference architecture for water and electric utilities

No Downtime, No Rewiring. Zero Trust for Utility OT.

A reference architecture for utility operators commissioning new sites and hardening existing ones. Authentication, control, proxying, and audit applied to SCADA, RTUs, and PLCs. Without IP renumbering, without firewall rule rewrites, without taking the site offline.

Direct answer

Every utility site has two security-critical moments: commissioning (a new site being built) and brownfield operations (infrastructure already running, often for decades). The same Zero Trust architecture applies to both. Access Gate is an on-premise security broker that sits adjacent to the site core, brokers identity-bound sessions across IT, OT, and IoT assets, and produces a tamper-evident audit trail. It deploys inside the project calendar during commissioning and inside 9 days on a live network during brownfield operations.

Two moments. One control problem.

Commissioning, or Brownfield. Same Architecture.

Every utility site goes through two security-critical moments. The first is commissioning: a new substation, a generation asset coming online, a greenfield OT environment built from scratch. The second is brownfield operations: infrastructure that has been running for years, often decades, with PLCs and RTUs that predate modern security requirements by a generation. Both moments create exposure. The same Zero Trust architecture closes it.

Commissioning moment

The integration window.

A new site is commissioned through a sequence of project gates. Civil works complete, network gear is racked, the OT integrator arrives on site, factory and site acceptance tests run, the site is powered on, and operations takes handover. This sequence is the only window in the life of the site when adding a security layer is operationally simple.

Access Gate inserts during the integration window. Asset discovery, identity provider integration, enclave policy definition, and audit configuration are completed before the handover gate. The site goes live with visibility, identity-bound access, and audit operational on day one.

Brownfield moment

Live infrastructure, narrow tolerance.

Most utility OT estates are not new-build. They are live. The firewall is trusted, the MPLS is contracted, the SCADA servers are joined to the corporate domain, and the integrators have remote support paths that nobody fully maps. Operational tolerance for downtime is near zero. Tolerance for IP renumbering or VLAN restructuring is also near zero.

The architecture that makes the brownfield moment workable is adjacency. Access Gate sits next to the site core, observes traffic, brokers identity-bound sessions, and produces a tamper-evident audit trail. The firewall ruleset does not change, no address is renumbered, and the SCADA does not stop. The trade-off of adjacency is that the broker becomes part of the maintenance-to-field path, so it has to be engineered for the same availability as the rest of the site core.

The visibility and control gap

What the Firewall and MPLS Were Never Specified to Do.

The perimeter firewall and the MPLS overlay are well-specified for what they do. They define the trust boundary at the site edge, they segment north-south traffic, and they transport data between sites with predictable performance. They are not, and were never specified to be, the answer to the questions a regulator now asks about the OT estate.

Firewall and MPLS layer

In scope
  • North-south policy at the site edge.
  • VLAN segmentation in the switching layer.
  • Encrypted transport between sites.
  • NAT and address translation.

Visibility and control gap

Out of scope
  • Asset inventory of what is actually on the OT VLAN.
  • Identity per session, tied to a person and an asset.
  • Audit trail of who touched which PLC, HMI, or RTU.
  • Lateral movement detection inside the OT VLAN.
  • Visibility into vendor remote support sessions.

Failure modes on a typical utility site.

Unknown PLCs and IEDs

Added by the integrator during commissioning, never inventoried, never reviewed.

Shared engineering credentials

On the SCADA Administrator account, used by multiple staff, with no per-session attribution.

USB-introduced firmware changes

On PLCs and HMIs, with no record of who plugged in, when, or what was written.

Vendor laptops on the maintenance VLAN

Standing reach into the supervision and control layers.

Third-party remote support tools

ConnectWise, TeamViewer, Splashtop, AnyDesk. Persistent paths to engineering workstations and historians, often outside the firewall ruleset.

Domain-joined SCADA servers

Inheriting trust from the corporate Active Directory, with no enforcement boundary between the IT domain and the OT estate.

Reference architecture

Access Gate. Adjacent to the Site Core.

The architecture is the same whether the site is being commissioned or already operating. Access Gate sits adjacent to the site core bus, observes traffic, brokers identity-bound sessions, and produces a tamper-evident audit trail. It does not require changes to the MPLS or VLAN topology. The whitepaper includes the full diagram with control room, water and energy zones, IoT subnet, and IdP federation paths.

The four pillars of security in OT.

Pillar | Anchored on
Authentication | Engineering workstations and the vendor jump host. Identity tied to a person, an identity provider, and an asset. Not a shared LAN credential.
Control | Boundaries between the maintenance, supervision, control, and field VLANs. Enclave policy: which identity can reach which asset over which protocol, in which time window.
Proxying | Path between the maintenance VLAN and the field assets. Sessions are brokered, time-bound, and recorded.
Audit | Access Gate appliance with forwarding to the SIEM. Tamper-evident logs covering identity, asset, protocol, time, and session content.

Engineer's note. The architecture does not depend on agents on the field assets and does not require IP renumbering. A security broker is introduced into the communication path to provide the security services above. Because a broker in the path can also break the path, it must be deployed with the redundancy and high availability the site's uptime requirement demands, and its failure behaviour (fail-closed for brokered sessions, no impact on SCADA polling that never traversed it) should be tested during acceptance, not discovered in an outage.

How it deploys

Commissioning in 3 Weeks. Brownfield in 9 Days.

The same workstream maps to two different operational contexts. At commissioning, it sits inside the project calendar and finishes before the handover gate. On a brownfield site, it runs against a live network and finishes inside two operational weeks. Neither pathway requires downtime to OT operations.

Commissioning timeline
Week 1: Appliance install adjacent to the site core. Passive asset discovery across the IT and OT VLANs. Identity provider integration with Active Directory. Decision to carry the existing PKI or act as an intermediate authority.
Week 2: Enclave policy definition with the OT integrator. Vendor access paths configured, identity-bound and session-recorded. Engineering workstation grants scoped to specific PLCs and HMIs.
Week 3: Cutover to enforced policy. Audit logging validated end to end. Operational handover documentation. First audit evidence pack delivered with the site.

Brownfield timeline
Days 1-2: Appliance deployed. Secure overlay extended across all sites. Passive asset visibility validated. No VLAN changes, no existing infrastructure reconfiguration.
Days 3-4: IdP integrated. Role-based policy applied to HMI servers, historian, alarm dialer, and engineering workstations. Remote integrator sessions made identity-bound and session-recorded. Implicit LAN trust eliminated for SCADA Administrator accounts.
Days 5-6: Segmentation enforced. Discrete enclaves around the SCADA cluster, treatment systems, and field polling networks. Lateral movement from the corporate domain restricted to brokered grants.
Day 7: Monitoring and alerting configured. Tamper-evident audit logs forwarded to the operator logging stack.
Days 8-9: Validation against the applicable control framework. Operator training. Compensating controls documented for assets that cannot support modern authentication.

Operational scenarios

Identity, Control, and Audit in OT Terms.

Three operational scenarios drawn from a typical utility site. Each is shown twice: how it runs without Access Gate, and how it runs with Access Gate. Written for the engineer who has been on the floor.

Scenario 1. Vendor maintenance window on an RTU

A field technician from the RTU vendor needs to push a firmware update to RTU-04 in the substation control room. The maintenance window is two hours on Tuesday morning.

Without Access Gate
  • Shared vendor VPN credential.
  • Flat reach into the supervision VLAN.
  • No record of which technician connected.
  • No record of what was touched beyond RTU-04.
  • Access does not expire automatically.
With Access Gate
  • Time-bound grant 09:00 to 11:00 Tuesday.
  • Identity tied to the named technician.
  • Reach restricted to RTU-04 over the specific protocol port.
  • Session recorded end to end.
  • Automatic revocation at 11:00.

Scenario 2. Internal engineer pushing a PLC logic update

A site engineer needs to update ladder logic on PLC-12 to fix a control loop tuning issue. The update is approved through the change management process.

Without Access Gate
  • Engineering workstation has standing reach to all PLCs on the control VLAN.
  • Change is visible only on the PLC's own audit, if anyone checks it.
  • No correlation between the user, the asset, and the change window.
  • Evidence for the next audit must be reconstructed by hand.
With Access Gate
  • Workstation requests a grant to PLC-12, scoped to the change window.
  • Session is proxied and recorded.
  • The resulting log line ties user, asset, protocol, and time window together.
  • Evidence for the next audit pull is one query, not a reconstruction.
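The grant semantics behind Scenarios 1 and 2 (a named identity, one asset, one protocol, a time window, automatic revocation when the window closes) traced through in code. This is an added example, not Access Gate code or its policy language: the Grant fields, the rule that shared accounts can never hold a grant, the sample identities, ticket numbers and the DNP3/EtherNet/IP port labels are all assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Accounts that carry no per-person attribution. A grant is never issued to
# one, so a session request on it is refused before any policy lookup.
# (Assumed set for this example.)
SHARED_ACCOUNTS = {"SCADA Administrator", "vendor-vpn"}


@dataclass(frozen=True)
class Grant:
    identity: str        # named person, as asserted by the IdP
    asset: str           # exactly one target asset, e.g. "RTU-04"
    protocol: str        # protocol/port the session may carry
    not_before: datetime
    not_after: datetime  # exclusive: the grant is dead at this instant
    ticket: str          # change or maintenance record the grant was raised against


@dataclass(frozen=True)
class Request:
    identity: str
    asset: str
    protocol: str
    at: datetime


def evaluate(req: Request, grants: list) -> tuple:
    """Default-deny decision for one session request.

    Returns ("allow", reason) only when some grant matches identity, asset and
    protocol and the request time falls inside [not_before, not_after).
    Every deny carries the reason so the broker can log it as an event.
    """
    if req.identity in SHARED_ACCOUNTS:
        return "deny", f"{req.identity!r} is a shared account; grants name a person"
    on_asset = [g for g in grants if g.identity == req.identity and g.asset == req.asset]
    if not on_asset:
        return "deny", f"no grant for {req.identity} on {req.asset}"
    on_proto = [g for g in on_asset if g.protocol == req.protocol]
    if not on_proto:
        allowed = ", ".join(sorted({g.protocol for g in on_asset}))
        return "deny", f"{req.protocol} not granted on {req.asset} (granted: {allowed})"
    for g in on_proto:
        if g.not_before <= req.at < g.not_after:
            return "allow", (f"{g.ticket}: {g.identity} -> {g.asset} over "
                             f"{g.protocol} until {g.not_after:%H:%M}Z")
    return "deny", f"{req.at:%a %H:%M}Z is outside the granted window"


def sessions_to_revoke(open_sessions: dict, now: datetime) -> list:
    """Ids of open sessions whose grant window has closed. The broker tears
    these down itself; a connect-time check alone would leave an established
    TCP session alive past 11:00."""
    return sorted(sid for sid, g in open_sessions.items() if now >= g.not_after)


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample grants for the two scenarios. Tuesday 2025-03-04 is an
# arbitrary date; "dnp3/20000" and "enip/44818" are assumed protocol labels.
GRANTS = [
    Grant("j.alvarez@rtuvendor.example", "RTU-04", "dnp3/20000",
          utc(2025, 3, 4, 9, 0), utc(2025, 3, 4, 11, 0), "MW-2417"),
    Grant("m.okafor@utility.example", "PLC-12", "enip/44818",
          utc(2025, 3, 4, 13, 0), utc(2025, 3, 4, 15, 0), "CHG-0881"),
]

if __name__ == "__main__":
    checks = [
        Request("j.alvarez@rtuvendor.example", "RTU-04", "dnp3/20000", utc(2025, 3, 4, 9, 30)),
        Request("j.alvarez@rtuvendor.example", "RTU-07", "dnp3/20000", utc(2025, 3, 4, 9, 30)),
        Request("j.alvarez@rtuvendor.example", "RTU-04", "dnp3/20000", utc(2025, 3, 4, 11, 0)),
        Request("m.okafor@utility.example", "PLC-12", "ssh/22", utc(2025, 3, 4, 13, 30)),
        Request("SCADA Administrator", "PLC-12", "enip/44818", utc(2025, 3, 4, 13, 30)),
    ]
    for r in checks:
        print(*evaluate(r, GRANTS), sep=": ")
    live = {"sess-0101": GRANTS[0], "sess-0102": GRANTS[1]}
    print("revoke at 11:00Z:", sessions_to_revoke(live, utc(2025, 3, 4, 11, 0)))
```

Two details matter for a real broker. The window is half-open, so a request at exactly 11:00 is refused, and revocation is an active step the broker performs on sessions it already holds, not a side effect of refusing new ones. Reach to RTU-07 is denied even though the technician holds a valid grant for RTU-04 during the same window, which is the property that turns "flat reach into the supervision VLAN" into "reach restricted to RTU-04".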

Scenario 3. Incident response forensic query

Something looks wrong on the historian at 02:14 on Sunday morning. Operations escalates. The security team needs to know who or what touched the historian in the prior 72 hours.

Without Access Gate
  • Pull firewall logs (no identity context).
  • Pull Active Directory logs (no asset context).
  • Reconstruct the session timeline by hand.
  • Hours to days to first answer.
  • No ability to replay what was done.
With Access Gate
  • One query returns every session that touched the historian in the prior 72 hours.
  • By identity, by source, by protocol, with timestamps.
  • Recorded sessions available for replay.
  • Minutes to first answer.
  • Evidence preserved with tamper-evident integrity.
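The forensic query in Scenario 3, together with the tamper-evident property the page attributes to the audit trail, as an added example that is not Access Gate code: a SHA-256 hash-chained session log with the 72-hour query run over constructed records. The record fields, the chain construction, the head-hash check and the sample sessions are assumptions of the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64  # anchor for the first entry

# Constructed incident time from Scenario 3: Sunday 02:14 UTC.
INCIDENT = datetime(2025, 3, 9, 2, 14, tzinfo=timezone.utc)


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class SessionAuditLog:
    def __init__(self):
        self.entries = []  # list of (record, chain hash)

    def append(self, record: dict) -> str:
        """Append one brokered-session record and return its chain hash.
        The hash is what gets forwarded to the SIEM, so the chain head is held
        somewhere the appliance itself cannot rewrite."""
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append((dict(record), h))
        return h

    def verify(self, expected_head: Optional[str] = None) -> tuple:
        """Recompute the chain. Returns (ok, first_bad_index).
        Editing or deleting an entry invalidates every hash after it. A full
        rewrite of the chain is only caught by comparing against a head hash
        held off-box, which is why expected_head exists."""
        prev = GENESIS
        for i, (rec, h) in enumerate(self.entries):
            if entry_hash(prev, rec) != h:
                return False, i
            prev = h
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

    def sessions_touching(self, asset: str, before: datetime, hours: int = 72) -> list:
        """Scenario 3's query: every session on `asset` that started in the
        `hours` before the incident time, oldest first."""
        start = before - timedelta(hours=hours)
        hits = [rec for rec, _ in self.entries
                if rec["asset"] == asset
                and start <= datetime.fromisoformat(rec["start"]) <= before]
        return sorted(hits, key=lambda r: r["start"])


def build_sample_log() -> tuple:
    """Constructed records. Returns the log and the head hash as it would have
    been forwarded to the SIEM at the time of the last session."""
    log = SessionAuditLog()
    head = GENESIS
    for rec in [
        {"session": "s-0412", "identity": "m.okafor@utility.example", "source": "EWS-02",
         "asset": "HIST-01", "protocol": "rdp/3389", "start": "2025-03-03T10:20:00+00:00",
         "grant": "CHG-0870"},
        {"session": "s-0431", "identity": "m.okafor@utility.example", "source": "EWS-02",
         "asset": "PLC-12", "protocol": "enip/44818", "start": "2025-03-07T14:05:00+00:00",
         "grant": "CHG-0881"},
        {"session": "s-0432", "identity": "p.singh@utility.example", "source": "EWS-01",
         "asset": "HIST-01", "protocol": "rdp/3389", "start": "2025-03-07T16:40:00+00:00",
         "grant": "CHG-0884"},
        {"session": "s-0440", "identity": "r.chen@histvendor.example", "source": "vendor-jump",
         "asset": "HIST-01", "protocol": "ssh/22", "start": "2025-03-08T23:40:00+00:00",
         "grant": "MW-2430"},
    ]:
        head = log.append(rec)
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    for rec in log.sessions_touching("HIST-01", INCIDENT):
        print(rec["start"], rec["identity"], rec["source"], rec["protocol"], rec["session"])
    print("chain intact:", log.verify(expected_head=head))
```

Of the four constructed sessions, the query returns two: the Monday session on the historian is outside the 72-hour window and the Friday session was on PLC-12, not the historian. The caveat a responder should keep in mind is that a hash chain stored on the same appliance as the log proves nothing on its own; whoever can edit the records can recompute the hashes. The integrity claim rests on the head hash having left the box, which is exactly what the SIEM forwarding in the Audit pillar provides.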
Compliance coverage matrix

NIS2, NERC CIP, and CCCS at the Level an Auditor Examines.

The four Access Gate pillars map to the access, monitoring, and audit control families in the three frameworks utility operators in this architecture's target markets answer to: NIS2 in the EU, NERC CIP for the North American bulk electric system (United States and Canada), and the CCCS baseline in Canada. See the dedicated NERC CIP compliance page for the per-standard breakdown including CIP-003-9 and CIP-015 INSM.

Control family | Authentication | Control | Proxying | Audit
NIS2: Access control and authentication | Identity per session, MFA at the network layer. | Enclave policy per identity and asset. | Brokered sessions for remote and vendor access. | Per-session log with identity binding.
NIS2: Incident handling and logging | - | - | Recorded sessions for replay. | Tamper-evident audit log forwarded to SIEM.
NIS2: Supply chain security | Vendor identities bound to grants. | Vendor reach restricted by enclave policy. | Vendor sessions brokered and recorded. | Vendor access fully evidenced.
NERC CIP-005: Electronic security perimeters and remote access | Identity per remote session. | Enclave defines the electronic security perimeter at the asset level. | Intermediate system pattern: brokered, recorded. | Remote access log per CIP-005-7 requirements.
NERC CIP-007: System security management | Account management at the access broker. | Port and service restrictions enforced at the boundary. | - | Security event monitoring at the access layer.
NERC CIP-010: Configuration change management | Identity binding for change-window access. | Time-bound grants align to change windows. | Recorded sessions document the change. | Evidence pack ready for assessment.
CCCS baseline: Identity and access management | Identity per session, IdP-backed. | Enclave policy per identity. | Brokered sessions for privileged access. | Per-session log retained.
CCCS baseline: Logging and monitoring | - | - | Recorded sessions for monitoring. | Tamper-evident logs aligned to the baseline.

Where it fits

Water, Electric, Gas. The Same Pattern.

Water and electric utilities run the same underlying pattern: SCADA, RTUs, PLCs, geographically dispersed sites, vendor remote access, audit pressure. The reference architecture applies identically. The regulatory hook and the assessment workflow differ by vertical.

For US electric utilities specifically, the NERC CIP compliance landing covers CIP-003-9 vendor remote access and CIP-015 INSM in depth. For New York water utilities, the NY EFC SECURE grant page maps Access Gate to the 12-step DEC/DOH compliance checklist.

Download the whitepaper

The Full Reference Architecture, in 10 Pages.

The PDF includes the full reference architecture diagram, the week-by-week commissioning and brownfield deployment timelines, the three operational scenarios, the four-pillar coverage map, and the NIS2 + NERC CIP + CCCS compliance matrix at the control-family level.

FAQ

Questions utility security teams ask.

Does a brownfield deployment need a maintenance window?

No. The brownfield deployment runs in 9 days against a live network with no maintenance window required. The appliance sits adjacent to the site core, observes traffic passively for asset discovery, and overlays identity-bound policy on top of the existing VLAN structure. No IP renumbering, no firewall reconfiguration, no SCADA restart. The whitepaper details the day-by-day timeline.

How does Access Gate map to NERC CIP?

Access Gate operates as the Intermediate System that CIP-005-7 requires for Interactive Remote Access: every session is identity-bound, brokered, and recorded. CIP-007 system security management is covered by account management at the access broker plus port and service restrictions at the enclave boundary. CIP-010 configuration change management is covered by time-bound grants that align to change windows and produce recorded sessions as evidence. The compliance coverage matrix on this page shows the full mapping.

Does the same architecture apply to both water and electric utilities?

Yes. Water and electric utilities run the same underlying pattern: SCADA, RTUs, PLCs, geographically dispersed sites, vendor remote access for maintenance, audit pressure from a regulator. The four pillars (authentication, control, proxying, audit) apply identically. Water utilities additionally benefit from the EPA America's Water Infrastructure Act assessment workflow and, in New York, the EFC SECURE grant 12-step checklist, which Access Gate covers directly.

What is the difference between the commissioning and brownfield pathways?

The architecture is the same; the operational context differs. Commissioning means the site is being built: the integrator is on site, the IP plan is being committed, and the security workstream fits inside the project calendar (3 weeks). Brownfield means the site is already running: the appliance is deployed against a live network and finishes inside two operational weeks (9 days), with no maintenance window required. The whitepaper has the full week-by-week breakdown for both pathways.

Does Access Gate replace the firewall or the MPLS?

No. The firewall and MPLS are well-specified for what they do: north-south policy at the site edge, VLAN segmentation in the switching layer, encrypted transport between sites. Access Gate fills the visibility and control gap they were never specified to cover: asset inventory of what is actually on the OT VLAN, identity per session tied to a person and an asset, audit trail of who touched which PLC or RTU, lateral movement detection inside the OT VLAN, and visibility into vendor remote support sessions.

How does Access Gate handle third-party remote support tools?

Third-party remote support tools (TeamViewer, ConnectWise, Splashtop, AnyDesk) typically establish persistent paths to engineering workstations and historians outside the firewall ruleset. Access Gate brokers those sessions: the vendor identity is bound to a time-window grant, reach is restricted to specific assets and protocols, the session is recorded end to end, and access is auto-revoked when the window closes. You retain the operational benefit of vendor tooling without the standing-access exposure.