
How zero trust architecture secures critical energy infrastructure and satisfies NERC CIP
Aligning defence in depth with modern identity-aware access
Executive Summary
The energy sector is at a critical juncture. The convergence of legacy operational technology (OT) with modern digital connectivity has rendered traditional, perimeter-based security models inadequate. To protect critical infrastructure against increasingly capable nation-state actors and ransomware groups, organisations must adopt a strategy that assumes the network is already compromised. This is the foundation of “Energy Zero Trust”: a model that aligns a robust defence-in-depth strategy with the requirements of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards.
The Strategic Direction: NIST and NERC CIP
Zero trust is not merely a marketing buzzword; it is a rigorously defined architectural model. NIST Special Publication 800-207 defines zero trust as a set of concepts that move defences away from static, network-based perimeters and toward users, assets and resources: no trust is granted implicitly on the basis of network location or asset ownership, and every access to a resource is evaluated per request and explicitly authorised with least privilege.
Regulators in the energy sector have recognised the necessity of this shift. NERC has actively explored how zero trust principles intersect with existing mandates such as CIP-005 (Electronic Security Perimeter(s)), whose Interactive Remote Access requirements already call for an intermediate system and multi-factor authentication rather than direct connectivity into the perimeter. As outlined in the NERC CIP-005 and Zero Trust strategic webinar, moving beyond simple network isolation toward identity-centric access control is the future of grid security. With CIP-003-9 extending requirements, including vendor electronic remote access controls, to low-impact BES Cyber Systems, the need for a scalable zero trust implementation has never been more urgent.
Defence in Depth Reimagined
Historically, a defence-in-depth strategy relied on concentric rings of physical and network firewalls. Once an attacker breached the outer perimeter, often by compromising a third-party vendor's virtual private network (VPN) credential, the attacker gained unfettered lateral movement across the internal network, because a VPN places the remote machine on the network rather than granting it a single resource.
Modern defence in depth adds identity-aware, per-resource access control on top of network segmentation. An identity-aware proxy such as Agilicus AnyX terminates each session, strongly authenticates the user and authorises the request against the specific resource before it is forwarded to the protected operational technology. Every request, regardless of its origin, is evaluated on its own merits; no request is trusted because of where it came from.
The Agilicus AnyX Advantage: Simple, Compliant, Secure, Fast
Agilicus AnyX is a purpose-built implementation of zero trust designed for the realities of industrial environments. It delivers on three key differentiators that make it superior to legacy VPN alternatives:
- Unified Authentication: Fragmented identity management is a major compliance risk. Agilicus AnyX unifies authentication by tying all access, whether for internal engineers or external vendors, to a central corporate identity provider (such as Microsoft Entra ID). This enables consistent enforcement of multi-factor authentication (MFA) and means that when a contractor's engagement ends, disabling the account at the identity provider revokes their access to the grid. In practice revocation is only as fast as the proxy's re-evaluation of the identity: sessions and tokens must be short-lived or re-checked against the identity provider on each request, not cached for the life of a long session.
- Precise Authorisation: A VPN grants access to a network; Agilicus AnyX grants access to a specific resource. This fine-grained, per-resource, per-role authorisation ensures that a vendor maintaining a specific human-machine interface (HMI) can only see and interact with that exact interface. They cannot scan the subnet or pivot to other systems, because the proxy only forwards to resources the user is authorised for and denies everything else by default. Each decision is recorded, producing a per-session audit trail that supplies the access evidence NERC CIP audits require.
- Seamless Access: The platform operates without requiring users to install third-party VPN clients. Remote experts can access critical systems securely through their standard web browsers.
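To make the three properties above concrete, the following is an added example of the decision logic an identity-aware proxy applies to each request: it re-checks the principal against the identity provider (so a disabled contractor is refused even with an unexpired token), enforces MFA, authorises per resource and per role with default deny, and writes an audit record for every decision. This is illustrative code written for this page, not Agilicus AnyX code, and every name in it (users, groups, resource identifiers, the token fields) is constructed.

```python
"""
Added example, not Agilicus code: a minimal identity-aware proxy policy
decision point. All principals, groups, resources and token fields below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import time

# Constructed: the corporate identity provider's current view of each principal.
# In a real deployment this comes from the IdP (e.g. OIDC group claims / userinfo);
# "enabled" models the account being disabled when a contractor leaves.
IDP_DIRECTORY = {
    "vendor.alice": {"enabled": True,  "groups": {"vendor-hmi-substation-7"}},
    "eng.bob":      {"enabled": True,  "groups": {"ops-engineers"}},
    "vendor.eve":   {"enabled": False, "groups": {"vendor-hmi-substation-7"}},  # contract ended
}

# Constructed: protected OT resources and the roles allowed to reach each one.
# Authorisation is per resource, never per network: a subnet is not a resource here.
RESOURCE_POLICY = {
    "hmi-substation-7": {"allowed_groups": {"vendor-hmi-substation-7", "ops-engineers"},
                         "require_mfa": True},
    "plc-feeder-12":    {"allowed_groups": {"ops-engineers"}, "require_mfa": True},
}


@dataclass
class AccessRequest:
    subject: str        # principal as asserted by the IdP-issued token
    mfa_verified: bool  # MFA claim carried in the token
    token_exp: float    # token expiry (epoch seconds)
    resource: str       # the single resource the user is asking for


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG = []  # one record per decision, allowed or denied


def _evaluate(req: AccessRequest, now: float) -> Decision:
    # 1. The bearer token must be unexpired; short lifetimes bound how long a
    #    stale identity decision can live.
    if req.token_exp <= now:
        return Decision(False, "token expired")
    # 2. Re-check the identity provider on every request, so disabling an
    #    account revokes access now rather than when a cached session ends.
    principal = IDP_DIRECTORY.get(req.subject)
    if principal is None or not principal["enabled"]:
        return Decision(False, "principal unknown or disabled at identity provider")
    # 3. Unknown resources (including anything that looks like a network range)
    #    are denied by default.
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, "no policy for resource (default deny)")
    # 4. Enforce MFA where the resource requires it.
    if policy["require_mfa"] and not req.mfa_verified:
        return Decision(False, "MFA required for this resource")
    # 5. Per-resource, per-role check: the principal needs a role allowed on
    #    this specific resource; holding access to another resource is irrelevant.
    if not (principal["groups"] & policy["allowed_groups"]):
        return Decision(False, "subject holds no role allowed on this resource")
    return Decision(True, "allowed")


def authorise(req: AccessRequest, now: Optional[float] = None) -> Decision:
    """Decide one request and record it, whatever the outcome."""
    now = time.time() if now is None else now
    decision = _evaluate(req, now)
    AUDIT_LOG.append({"ts": now, "subject": req.subject, "resource": req.resource,
                      "mfa": req.mfa_verified, "allowed": decision.allowed,
                      "reason": decision.reason})
    return decision


if __name__ == "__main__":
    now = time.time()
    fresh = now + 300
    for r in (
        AccessRequest("vendor.alice", True, fresh, "hmi-substation-7"),  # her HMI: allowed
        AccessRequest("vendor.alice", True, fresh, "plc-feeder-12"),     # pivot attempt: denied
        AccessRequest("vendor.alice", True, fresh, "10.0.7.0/24"),       # subnet: denied
        AccessRequest("vendor.alice", False, fresh, "hmi-substation-7"), # no MFA: denied
        AccessRequest("vendor.eve", True, fresh, "hmi-substation-7"),    # disabled at IdP: denied
        AccessRequest("eng.bob", True, fresh, "plc-feeder-12"),          # engineer role: allowed
    ):
        d = authorise(r, now=now)
        print(f"{r.subject:13} -> {r.resource:17} {'ALLOW' if d.allowed else 'DENY ':5} ({d.reason})")
```

The essential difference from a VPN is step 3 and step 5 together: the proxy never answers the question "may this user reach this network", only "may this user, with this level of assurance, reach this one resource", and it records the answer either way.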
No Network Architecture Changes Required
Perhaps the most significant advantage of the Agilicus approach is its ease of deployment. Implementing zero trust does not require ripping out legacy PLCs or redesigning complex, fragile network architectures. The solution uses outbound-only connections from a connector inside the OT network, eliminating the need for public IP addresses or inbound firewall ports, and it works over cellular networks, Starlink and behind carrier-grade NAT. The practical caveats are that the firewall must still permit that connector's outbound path, and the connector itself becomes a privileged component that should be hardened, monitored and treated as in scope for CIP evidence like any other access point.
For energy utilities facing strict regulatory deadlines, Agilicus AnyX offers a path to be compliant, be quick, and be simple. It adds an identity-aware control layer that substantially reduces the exposed attack surface, supporting the resilience of the grid in an increasingly hostile digital landscape.