
The energy utility’s guide to replacing VPNs for NERC CIP secure remote access
A comprehensive zero trust framework for critical infrastructure
Executive Summary
The energy sector operates the most critical infrastructure on the planet. As utilities modernise and embrace digitisation, the line between information technology and operational technology has blurred. This convergence brings unprecedented efficiency but also exposes the grid to sophisticated cyber threats. For decades, the virtual private network has been the default tool for enabling remote access to these environments. However, under the stringent requirements of the North American Electric Reliability Corporation Critical Infrastructure Protection standards, the legacy VPN is no longer a viable security solution.
This comprehensive guide details why VPNs fail in modern, distributed energy networks, how impending regulatory shifts like NERC CIP-003-9 are forcing a re-evaluation of remote access, and how transitioning to a zero trust architecture provides a simpler, more secure, and fully compliant alternative.
The Strategic Failure of the VPN
To understand why a replacement is necessary, utilities must first acknowledge the architectural flaws inherent in virtual private networks. VPNs were designed in an era when the corporate perimeter was well-defined and static. They operate on a fundamental premise of network-level trust: once a user successfully authenticates and passes through the firewall, they are inside the perimeter and are implicitly trusted.
Broad Network Access and Lateral Movement
The most significant vulnerability of a VPN is that it grants access to an entire subnet or network segment. If a third-party vendor’s laptop is compromised, the attacker can ride the VPN connection directly into the utility’s OT network. From there, they can scan for vulnerable programmable logic controllers, human-machine interfaces, and supervisory control and data acquisition systems. This lateral movement is the primary vector for crippling ransomware attacks against critical infrastructure.
Operational Friction and Complexity
Managing VPNs across a distributed energy grid is an administrative nightmare. Remote wind farms, solar arrays, and low-impact distribution substations often rely on cellular modems, satellite links (such as Starlink), or carrier-grade NAT. VPNs require inbound firewall ports and static IP addresses, which are difficult, expensive, and insecure to maintain in these environments.
Furthermore, requiring third-party vendors to install, update, and troubleshoot proprietary VPN client software on their corporate machines leads to constant helpdesk tickets and delayed maintenance.
The NERC CIP Imperative: Moving Beyond the Perimeter
The regulatory landscape is rapidly shifting to address these vulnerabilities. The NERC CIP standards are evolving to mandate stricter identity verification and access controls, pushing utilities away from perimeter-based defences.
The Impact of NERC CIP-003-9
The upcoming enforcement of NERC CIP-003-9 (effective April 2026) is a watershed moment. It extends strict Vendor Electronic Remote Access controls to “Low Impact” Bulk Electric System (BES) cyber assets. Utilities can no longer rely on obscurity or basic network isolation for their distributed edge sites. They must implement robust multi-factor authentication and explicitly manage third-party access.
Legacy OT devices cannot natively support modern authentication protocols like SAML or OIDC. They cannot prompt a vendor for a push notification to their phone. Therefore, utilities must deploy an intermediary layer that enforces these security policies before the connection ever reaches the legacy endpoint.
The Zero Trust Blueprint for Energy Utilities
The solution to both the technical failings of the VPN and the strict requirements of NERC CIP is zero trust architecture. As defined by NIST SP 800-207, zero trust assumes the network is hostile. Trust is never granted implicitly; it must be continuously evaluated and explicitly granted based on identity and context.
For energy utilities, implementing zero trust requires transitioning from network-centric access (the VPN) to an identity-aware proxy model, such as Agilicus AnyX.
Unified Identity and Authentication
Rather than managing isolated VPN accounts or shared local passwords, zero trust relies on unified identity federation. All users—whether internal engineers or third-party contractors—authenticate against their own corporate identity provider (e.g., Microsoft Entra ID). This allows the utility to mandate multi-factor authentication universally. If a contractor leaves their firm, their access to the grid is instantly revoked when their corporate account is disabled. This completely eliminates the risk of orphaned credentials, a common finding in NERC CIP audits.
Precise, Application-Layer Authorisation
An identity-aware proxy does not connect a user to a network; it connects a verified identity to a specific, authorised resource. If a vendor needs to update the firmware on a specific Siemens PLC at a remote substation, they are granted access exclusively to that PLC. They cannot see the HMI next to it, nor can they scan the subnet. This micro-segmentation contains potential breaches and satisfies the core principle of least privilege.
Seamless, Clientless Access
By shifting to an identity-aware proxy, utilities can eliminate the VPN client. Vendors access authorised resources securely through their standard web browser using modern web protocols. This removes the friction of software deployment and significantly accelerates mean-time-to-repair (MTTR) during critical outages.
Outbound-Only Connectivity: Cloaking the Infrastructure
Unlike VPNs, which require inbound firewall ports that can be discovered by scanners like Shodan, a modern zero trust platform utilises outbound-only connections. A lightweight connector sits inside the OT network and establishes an outbound tunnel to the identity proxy. From the outside, the facility has no open ports. It is completely invisible to the public internet, solving the challenges of CGNAT and satellite connectivity natively.
Automating Compliance and Audit
Proving compliance during a NERC CIP audit requires meticulous documentation. A zero trust platform automates this burden. Because every request passes through the identity proxy, the system generates a central, immutable audit log. Utilities have instant visibility into exactly who accessed which resource, at what time, and from where, alongside cryptographic proof of multi-factor authentication.
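The three mechanisms described above (federated identity with universal MFA, authorisation of a verified identity to one named resource rather than a subnet, and a central tamper-evident audit trail) can be shown in a small policy engine. The following Python is an added illustration written for this guide; it is not Agilicus AnyX code and does not describe that product's internals. The identity claims, the resource names such as substation-7/plc-01, the group names, and the IP addresses are all constructed for the example. The identity provider is represented only by the claims it would assert (subject, issuer, MFA performed, account enabled); the hash chain over audit records stands in for the immutable log a real platform would keep.

```python
"""Identity-aware proxy policy check with a hash-chained audit log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class Identity:
    """Claims the corporate identity provider asserts about the caller (constructed)."""
    subject: str                     # user principal, e.g. alice@vendor.example
    issuer: str                      # which identity provider asserted this
    mfa: bool                        # the IdP reports an MFA-backed sign-in
    enabled: bool                    # account is still enabled at the IdP
    groups: frozenset = frozenset()  # group claims carried in the token


@dataclass(frozen=True)
class Rule:
    """One resource and who may reach it; anything not listed is denied."""
    allowed_groups: frozenset
    require_mfa: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed policy: a vendor group may reach one PLC only; the HMI beside it
# is reserved for the utility's own OT engineers.
POLICY = {
    "substation-7/plc-01": Rule(frozenset({"vendor-siemens-plc", "ot-engineers"})),
    "substation-7/hmi-01": Rule(frozenset({"ot-engineers"})),
}

# Constructed identities covering the cases the guide raises.
VENDOR = Identity("alice@vendor.example", "https://login.vendor.example", True, True,
                  frozenset({"vendor-siemens-plc"}))
VENDOR_NO_MFA = Identity("bob@vendor.example", "https://login.vendor.example", False, True,
                         frozenset({"vendor-siemens-plc"}))
DEPARTED = Identity("carol@vendor.example", "https://login.vendor.example", True, False,
                    frozenset({"vendor-siemens-plc"}))

AUDIT_LOG: list = []
GENESIS = "0" * 64


def _record_hash(record: dict, prev_hash: str) -> str:
    """Hash of this record's content chained to the previous record's hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def authorize(identity: Identity, resource: str, source_ip: str,
              policy=POLICY, log=None, now=None) -> Decision:
    """Decide whether this identity may reach this one resource, and log the decision."""
    log = AUDIT_LOG if log is None else log
    now = now or datetime.now(timezone.utc)
    rule = policy.get(resource)
    if rule is None:
        decision = Decision(False, "no rule for resource: default deny")
    elif not identity.enabled:
        decision = Decision(False, "account disabled at identity provider")
    elif rule.require_mfa and not identity.mfa:
        decision = Decision(False, "mfa required but not asserted by identity provider")
    elif rule.allowed_groups.isdisjoint(identity.groups):
        decision = Decision(False, "identity not in an allowed group for this resource")
    else:
        decision = Decision(True, "allowed")

    # Every request, allowed or not, becomes an audit record: who, what, when, from where.
    record = {
        "time": now.isoformat(),
        "subject": identity.subject,
        "issuer": identity.issuer,
        "mfa": identity.mfa,
        "source_ip": source_ip,
        "resource": resource,
        "allowed": decision.allowed,
        "reason": decision.reason,
    }
    prev = log[-1]["hash"] if log else GENESIS
    record["hash"] = _record_hash(record, prev)
    log.append(record)
    return decision


def verify_log(log) -> bool:
    """Recompute the chain; any edited or removed record breaks it."""
    prev = GENESIS
    for record in log:
        if _record_hash(record, prev) != record["hash"]:
            return False
        prev = record["hash"]
    return True


if __name__ == "__main__":
    for who, what in [(VENDOR, "substation-7/plc-01"), (VENDOR, "substation-7/hmi-01"),
                      (VENDOR_NO_MFA, "substation-7/plc-01"), (DEPARTED, "substation-7/plc-01")]:
        d = authorize(who, what, "203.0.113.5")
        print(f"{who.subject:22} -> {what:22} {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    print("audit chain intact:", verify_log(AUDIT_LOG))
```

Two design points matter here. The decision is made per resource, so the vendor who may reach plc-01 is denied hmi-01 without any network-level segmentation being involved, and an unlisted resource is denied by default. Revocation is inherited from the identity provider: the departed contractor is refused because the IdP no longer asserts an enabled account, with no local credential to clean up. Each record's hash covers its content and the previous hash, so an auditor can re-verify the whole trail and detect an altered entry.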
Conclusion: The Path Forward
The transition away from legacy VPNs is no longer optional for the energy sector; it is a regulatory and operational imperative. By embracing an identity-aware proxy and a zero trust architecture, utilities can secure their most critical assets against modern threats while dramatically simplifying access for the third-party vendors who keep the grid running. Agilicus AnyX provides a comprehensive framework to meet the stringent demands of NERC CIP-003-9, ensuring that the power stays on and the infrastructure remains impenetrable.