
Secure remote access for energy utilities
Meeting NERC CIP standards without a VPN
Executive Summary
As the energy sector accelerates its digital transformation, securing remote access to critical infrastructure has never been more vital. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, particularly the impending CIP-003-9 standard, demand robust identity verification and strict access controls. However, relying on traditional virtual private networks (VPNs) to meet these mandates introduces severe operational friction and security vulnerabilities. This whitepaper details how energy utilities can replace legacy VPNs with a zero trust architecture, achieving seamless compliance, precise authorisation, and unified authentication across highly complex network topologies.
The Challenges of VPNs in Complex Networks
Modern utilities do not operate in neatly defined corporate perimeters. Critical assets—like wind turbines, solar arrays, and remote substations—are often connected via carrier-grade NAT (CGNAT), cellular modems, or satellite links like Starlink. Traditional VPNs struggle in these environments. They require static IP addresses, complex firewall rules, and inbound ports that expose the network to scanners and automated attacks. Furthermore, deploying and maintaining VPN clients on third-party vendor laptops is an operational nightmare. Many vendors simply refuse to install corporate software on their machines, leading to delayed maintenance and operational friction.
From a security perspective, a VPN is fundamentally flawed because it grants broad, network-level access. As highlighted by the Cybersecurity and Infrastructure Security Agency (CISA), threat actors routinely exploit VPN vulnerabilities to gain initial access and move laterally across critical infrastructure networks.
Unified Authentication for All Users
To meet NERC CIP standards, identity verification must be absolute. The solution lies in unified authentication. Instead of managing separate VPN credentials, shared passwords, or local accounts on operational technology devices, all users—whether they are internal employees or third-party contractors—should authenticate using their existing corporate identity provider (such as Microsoft Entra ID or Google Workspace).
By enforcing a “bring your own identity” model, utilities can mandate strict multi-factor authentication policies before a connection is even established. This approach eliminates the risk of orphaned accounts and ensures that access is immediately revoked when a user leaves their organisation, a critical requirement for compliance.
Precise Authorisation and Audit
A VPN cannot perform fine-grained authorisation. Once connected, a user is on the network. In contrast, a zero trust identity-aware proxy operates at the application layer. It enforces per-resource, per-role access controls.
If a vendor needs to service a specific programmable logic controller (PLC), they are granted access exclusively to that PLC, and nothing else. They cannot see or interact with other devices on the same subnet. Furthermore, every action is logged in a central, immutable audit trail, providing the exact “who, what, and when” required to satisfy NERC CIP auditors without complex network forensics.
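The decision logic of such a proxy, as an added illustration (not Agilicus AnyX code): a request carries a decoded IdP token and is allowed only if the identity is still active, MFA was performed, and a grant names the exact resource for one of the caller's roles; every decision, allowed or denied, lands in a hash-chained audit record giving who, what and when. The policy table, directory entries, resource names and the use of the OIDC `amr` claim to signal MFA are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data (assumptions, not the page's or any vendor's):
# role -> exact resources it may reach, and the IdP directory state.
POLICY = {
    "vendor-acme": {"plc-substation-7"},
    "ops-engineer": {"plc-substation-7", "hmi-windfarm-3", "rdp-jump-1"},
}
DIRECTORY = {
    "alice@acme.example": {"active": True, "roles": ["vendor-acme"]},
    "bob@utility.example": {"active": False, "roles": ["ops-engineer"]},  # left the org
}
AUDIT_LOG = []  # append-only; each entry is chained to the previous entry's hash

def _append_audit(entry):
    entry["prev_hash"] = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append(entry)

def authorize(token, resource, action="connect", now=None):
    """Decide one request. `token` is a decoded IdP ID token; the OIDC `amr`
    claim is assumed to contain "mfa" when multi-factor auth was performed."""
    user = token.get("sub")
    record = DIRECTORY.get(user)
    if record is None or not record["active"]:
        allowed, reason = False, "identity not active in IdP"  # orphaned/deprovisioned
    elif "mfa" not in token.get("amr", []):
        allowed, reason = False, "MFA not satisfied"  # checked before any connection
    elif not any(resource in POLICY.get(r, set()) for r in record["roles"]):
        allowed, reason = False, "no grant for resource"  # other devices stay invisible
    else:
        allowed, reason = True, "granted"
    _append_audit({"who": user, "what": f"{action} {resource}",
                   "when": now or datetime.now(timezone.utc).isoformat(),
                   "allowed": allowed, "reason": reason})
    return allowed, reason

def verify_audit_chain(log=None):
    """True unless an entry has been altered or removed since it was written."""
    prev = "0" * 64
    for entry in (AUDIT_LOG if log is None else log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True
```

A real deployment would sign or ship the chain to write-once storage rather than keep it in process memory, but the same two checks (link to the previous hash, recompute the entry hash) are what make tampering detectable to an auditor.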
Seamless Access with Agilicus AnyX
Agilicus AnyX provides a modern alternative to the VPN. As a zero trust identity-aware proxy, it allows utilities to securely publish internal resources—like remote desktops, web applications, or SSH terminals—directly to the user’s browser. It requires no client software, bypasses the complexities of CGNAT and Starlink via outbound-only connections, and completely cloaks the infrastructure from the public internet.
By decoupling access from the network, utilities can ensure that their remote access strategy is both simpler for users and significantly more secure than legacy VPNs, meeting the stringent requirements of NERC CIP without compromising operational efficiency.