No Downtime, No Rewiring. Zero Trust for Utility OT.
A reference architecture for utility operators commissioning new sites and hardening existing ones. Authentication, control, proxying, and audit applied to SCADA, RTUs, and PLCs without IP renumbering, without firewall rule rewrites, and without taking the site offline.
Every utility site has two security-critical moments: greenfield commissioning (a new site being built) and brownfield operations (infrastructure already running, often for decades). The same Zero Trust architecture applies to both. Access Gate is an on-premise security broker that sits adjacent to the site core, brokers identity-bound sessions across IT, OT, and IoT assets, and produces a tamper-evident audit trail. The architecture diagram is below.
Greenfield or Brownfield. Same Architecture.
Every utility site goes through two security-critical moments. The same Zero Trust architecture closes both.
Commissioning a new site.
Access Gate inserts during the integration window. Asset discovery, IdP integration, enclave policy, and audit are configured before handover. The site goes live with identity-bound access and audit on day one.
Hardening a live site.
Access Gate sits adjacent to the site core, observes traffic, and overlays identity-bound policy on top of the existing topology. No firewall ruleset change, no IP renumbering, no SCADA restart.
Access Gate. Adjacent to the Site Core.
The architecture is the same whether the site is being commissioned or already operating. Access Gate sits adjacent to the site core bus, observes traffic, brokers identity-bound sessions, and produces a tamper-evident audit trail. It does not require changes to the MPLS or VLAN topology, it does not require IP renumbering, and it does not require agents on the field assets.

Water, Electric, Gas. The Same Pattern.
Water and electric utilities run the same underlying pattern: SCADA, RTUs, PLCs, geographically dispersed sites, vendor remote access, audit pressure. The reference architecture applies identically. The regulatory hook and the assessment workflow differ by vertical.
Water and wastewater utilities
Context. Treatment plants, pump stations, distribution networks. SCADA systems, RTUs, legacy serial-to-IP converters across geographically dispersed sites.
Regulatory. EPA America's Water Infrastructure Act, NY EFC SECURE 12-step checklist, post-Volt Typhoon CISA guidance, NIS2 (EU).
Outcome. Pass the cybersecurity assessment your funder requires. Demonstrate identity-bound access to treatment SCADA without taking the plant offline.
Electric utilities and power generation
Context. Substations, generation assets, transmission and distribution control rooms. SCADA, RTUs, IEDs, protective relays connected by MPLS.
Regulatory. NERC CIP-005, CIP-007, CIP-010, CIP-015 INSM (US). CCCS baseline (Canada). NIS2 (EU).
Outcome. Cover the east-west (internal network) traffic monitoring that CIP-015 INSM made mandatory. Avoid the $1M/day per-violation NERC fine exposure. Evidence pack ready for the next assessment.
For US electric utilities specifically, the NERC CIP compliance landing covers CIP-003-9 vendor remote access and CIP-015 INSM in depth. For New York water utilities, the NY EFC SECURE grant page maps Access Gate to the 12-step DEC/DOH compliance checklist.
Reference architecture, greenfield and brownfield.
The PDF includes the full architecture diagram, the four-pillar coverage map, three operational scenarios, and the NIS2 + NERC CIP + CCCS matrix.
No maintenance window
Adjacent to the site core. No firewall ruleset change, no IP renumbering, no SCADA restart, whether you are commissioning a new site or hardening a live one.
Audit-ready evidence
Tamper-evident, identity-bound session logs forwarded to your SIEM. Evidence packs map directly to NIS2, NERC CIP-005/010, and the CCCS baseline.
Questions utility security teams ask.
The architecture is the same; the operational context differs. Greenfield commissioning means the site is being built: the security workstream fits inside the project calendar before handover. Brownfield means the site is already running: the appliance sits adjacent to the live network and overlays identity-bound policy without IP renumbering, firewall changes, or a maintenance window.
No, Access Gate does not replace the firewall or the MPLS network. They keep doing what they do: north-south policy at the site edge, VLAN segmentation, encrypted transport between sites. Access Gate fills the visibility and control gap they were never specified to cover: identity per session, an audit trail of who touched which PLC or RTU, and visibility into vendor remote support sessions.
Access Gate operates as the intermediate system required by NERC CIP-005-7 for remote access, with brokered identity-bound sessions and tamper-evident audit logs. CIP-010 change-window grants produce evidence packs ready for assessment. NIS2 Article 21 access-control, supply-chain, and incident-handling requirements are covered by the same four pillars. The compliance matrix on this page shows the row-by-row mapping.