Broken Barriers: Why Johnny Can’t Authenticate (NERC fines are not fine)


CISA says your OT devices can’t handle security. They’re right. Here is how to fix it before April 2026 without ripping out your infrastructure.

I read CISA’s latest thriller, Barriers to Secure OT Communication: Why Johnny Can’t Authenticate. Spoiler alert: Johnny isn’t authenticating because the industrial fortress you built is running on protocols older than your first car (not mine!). We are staring down the barrel of NERC CIP-003-9, which goes live in April 2026, and suddenly those “Low Impact” assets in your renewable farms or water plants are a high-stakes liability. The industry tells you to patch devices that can’t be patched or to air-gap systems that need remote vendor support. It is a catch-22 wrapped in a compliance violation.

The Compliance Comet Heading for Your Plant

Mark April 1, 2026, on your calendar. It isn’t an April Fools’ joke; it is the day the compliance comet slams into your “Low Impact” assets. NERC CIP-003-9 is expanding its reach, and suddenly, the regulators are very interested in the security posture of your distributed environments. I’m talking about wind farms in the middle of nowhere, solar arrays, and municipal wastewater facilities. If it generates power or moves water, you are about to have a very bad time with auditors.

Here is the reality check: you are trying to enforce modern cybersecurity on Operational Technology that was designed when the fax machine was considered high-tech. CISA put it bluntly in their recent report on secure operational technology communication: these devices are “dumb.” They were built for reliability, not for fighting off Russian state-sponsored hackers. Trying to force a legacy PLC to natively handle encryption or complex authentication is like trying to teach calculus to a toaster. The toaster doesn’t care about integrals; it just wants to make toast. If you push it too hard, it burns the house down.

This creates a massive headache for Vendor Electronic Remote Access. You have third-party integrators who need to dial in to fix things, but the devices they are connecting to have zero native defence. You cannot rip and replace all this heavy iron before the 2026 deadline — the CFO will never sign that cheque. The only way to survive this is to stop asking the device to protect itself. You need to wrap that “dumb” infrastructure in an identity-aware proxy like Agilicus AnyX. You verify the human, not the packet, retrofitting compliance onto the toaster without having to buy a whole new kitchen.

The VNC Trap and the Air Gap Myth

Let’s be honest about the “Air Gap.” It is a bedtime story we tell auditors so we can all sleep at night. In reality, your operational network is about as airtight as a screen door on a submarine. The culprit? Usually, it is the desperate need for remote maintenance on Human Machine Interfaces (HMIs).

To keep the lines running, we rely on VNC. I get it. It is universal; it works on everything from a Raspberry Pi to a million-dollar stamping press. But technically? It is a disaster. The standard VNC protocol is a relic. We are talking about a system that often authenticates with a maximum of eight characters (DES-truncated if you are lucky, often cleartext), has no concept of a “username,” and transmits your screen updates without a shred of encryption.

So, what do we do? We wrap this insecure mess in a VPN and hand out shared keys to third-party vendors. Now you have a contractor logging in from a coffee shop with full network access just to fix a single HMI. That isn’t security; that is a **dumpster fire** waiting for a match. Just ask the water sector — open remote access tools are exactly how bad actors try to mess with chemical levels.

Here is the hard truth: you cannot rip out VNC. The uptime requirements for water, wastewater, and renewables won’t allow it. You cannot teach a 15-year-old PLC to support TLS 1.3. But you can stop pretending the air gap will save you. We need to repurpose these tools, not replace them. We need to treat VNC like the toxic waste it is and put it in a proper containment vessel — what we call a Zero Trust VNC Remote Desktop. We have to stop trusting the network and start trusting the identity.

Don’t Replace Johnny, Get Him a Bodyguard

So, Johnny is incompetent. We established that. But you can’t fire him because he’s the only one who knows how to keep the turbines spinning or the water clean. The answer isn’t to rip out your infrastructure — that’s a bankruptcy strategy, not a security strategy. The answer is to get Johnny a bodyguard.

I like to visualise your PLCs and SCADA systems as the bartender at a rowdy nightclub. The bartender’s job is to pour drinks — to run the process. They shouldn’t be checking IDs. They are terrible at it, and frankly, they don’t care. That is where the **Identity-Aware Proxy** (Agilicus AnyX) steps in. It’s the bouncer at the door.

Here is how it works in the real world, not the textbook world. You, the user, perform the sophisticated song-and-dance at the door: Single Sign-On, biometric Multi-Factor Authentication, the works. You prove you are who you say you are to the proxy. If you pass, the proxy turns around and hands the “dumb” operational technology device the simple credentials it understands. We call this password stuffing. The device gets the simple password it needs; the world gets the cryptographic proof it demands.

This acts as a translation layer. You are effectively merging local identity with online identity without the PLC ever knowing the difference.

For the NERC CIP auditors breathing down your neck, this is gold. You satisfy the strict authentication requirements without touching the fragile underlying architecture. The proxy wraps that unencrypted, ugly traffic in HTTPS over WebSocket, creating an encrypted tunnel over the dirty internet.

The best part? When you need to fire a third-party vendor. In the old days, you’d be chasing down shared VPN keys like loose change. Now? You just revoke their identity in your central directory. The bouncer stops letting them in. Johnny keeps pouring drinks, blissfully unaware he was almost breached.
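To make the bouncer concrete, here is an added toy model of the broker decision described above (example code written for this post, not Agilicus AnyX or any vendor's implementation). It assumes an HMAC-signed token standing in for whatever your SSO/IdP issues, a constructed `IDP_SECRET`, and an in-memory vault and policy table; the proxy proves the human first, then stuffs the device's own short password into the session, and a single revocation closes every path for that vendor.

```python
import base64, hashlib, hmac, json

# Constructed example; IDP_SECRET stands in for the signing key shared with the identity provider.
IDP_SECRET = b"constructed-idp-signing-key"

def mint_token(user, mfa, now, ttl=300):
    # Stand-in for what the SSO/IdP issues once the user clears MFA at the door.
    payload = json.dumps({"sub": user, "mfa": mfa, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(IDP_SECRET, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()

class IdentityAwareProxy:
    def __init__(self):
        self.policy = {}      # user -> set of devices that user may reach
        self.revoked = set()  # identities pulled from the central directory
        self.vault = {}       # device -> the simple credential the device understands

    def register_device(self, device, password):
        # Classic VNC auth checks only the first 8 characters, so store exactly what it checks.
        if len(password) > 8:
            raise ValueError("VNC auth truncates to 8 chars; refusing a misleading longer secret")
        self.vault[device] = password
    def grant(self, user, device):
        self.policy.setdefault(user, set()).add(device)
    def revoke(self, user):
        self.revoked.add(user)  # one directory action closes every path for that vendor

    def verify_token(self, token, now):
        # Returns the claims if signature, expiry and MFA all check out, else None.
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = base64.b64decode(payload_b64), base64.b64decode(sig_b64)
        except ValueError:
            return None
        expected = hmac.new(IDP_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
        return claims if claims["exp"] >= now and claims["mfa"] else None

    def broker(self, token, device, now):
        # Decide whether to open the tunnel; on success return the device credential to inject.
        claims = self.verify_token(token, now)
        if claims is None:
            return (False, "identity not proven", None)
        if claims["sub"] in self.revoked:
            return (False, "identity revoked", None)
        if device not in self.policy.get(claims["sub"], set()):
            return (False, "no policy for this device", None)
        return (True, "ok", self.vault[device])
```

The device password never leaves the vault except into the brokered session, so the contractor at the coffee shop only ever holds an identity token that you can expire or revoke centrally.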

Conclusions

The reality is that your PLCs and HMIs will never be secure on their own. Waiting for vendors to bake in modern cryptography is a fool’s errand that ends in a regulator’s fine or a ransomware note. You do not need to rip out your infrastructure to fix this. You need to decouple identity from the device. By placing an Identity-Aware Proxy in front of your legacy tech, you satisfy NERC CIP-003-9, you secure your third-party vendors, and you finally kill the VPN. Johnny might not be able to authenticate, but with the right architecture, he doesn’t have to.