
Transforming Industrial Connectivity into Identity-Governed Compliance

Bridging the Accountability Gap with Layer 7 Identity-First Access

Executive Summary: The Board’s New Mandate

In the face of intensifying regulatory pressure, legacy connectivity models like virtual private networks (VPNs) and firewalls have become a source of corporate liability. Standards such as NERC CIP-003-9 in North America, the NIS2 Directive in the European Union, and the Critical Cyber Systems Protection Act (CCSPA) in Canada are shifting cyber risk from a technical nuisance to a primary source of corporate and personal liability.

The Agilicus AnyX platform provides the technical architecture necessary to shield leadership from the catastrophic penalties of non-compliance. By replacing implicit network trust with verifiable, identity-governed sessions, AnyX ensures that every remote access event is tied to a specific human identity rather than a generic network address. This whitepaper details how shifting from the network layer (Layer 3) to the application layer (Layer 7) creates the “evidence-based compliance” necessary to navigate today’s increasingly litigious regulatory environment for critical infrastructure protection.

The Industrial Mesh: Hyper-Specialisation vs. Statutory Accountability

The modern power grid and manufacturing plant depend on a hyper-specialised supply chain. To maintain operational uptime, utilities require constant remote access from dozens of vendors such as Rockwell, Schneider, and Schweitzer Engineering Laboratories (SEL). This creates an “industrial mesh” where third-party technicians are frequently connected to the most sensitive parts of the grid.

While this interdependency is essential for maintenance and optimisation, it creates a significant conflict with statutory accountability. Regulators no longer accept “best effort” security or administrative policies that are not architecturally enforced. When a breach occurs, the burden of proof is on the organisation to show that they implemented “reasonable and proportionate” measures. In the current regulatory environment, the board of directors can be held personally responsible for failures in management oversight.

(Visualising the complex web of vendor connections to a single utility or plant)

The VPN Liability: Why Layer 3 Fails the Audit

For decades, the virtual private network has been the default answer for remote connectivity. However, the VPN is predicated on an obsolete architectural model: “the network is the perimeter.” In an era of connected industrial meshes, this assumption is a source of statutory liability.

The failure points of legacy remote access include:

  1. Implicit Network Trust: A Layer 3 VPN extends a network tunnel from a remote device into the internal network. Once the tunnel is established, the remote device is effectively “inside.” If a vendor’s laptop is compromised, the malware can move laterally across the subnet to reach protection relays or controllers.
  2. Identity Blindness: VPNs typically authenticate the tunnel, not the individual user session. Audit logs might show that a vendor account connected at 10:00 a.m., but they cannot prove which individual human was using the account or what specific actions they took. This breaks the individual accountability requirements found in NERC CIP-003-9.
  3. The Visibility Gap: Traditional security tools log network events such as “IP 10.0.0.5 sent 500 bytes to IP 192.168.1.10.” To an auditor, this is nearly useless. They need to know who did it, why they were authorised, and what commands they issued.

The AnyX Paradigm: Shifting to Layer 7 Identity-First Access

Agilicus AnyX re-imagines industrial access by moving the security boundary from the network layer (Layer 3) to the application layer (Layer 7). This is “Identity-First Access.”

In the AnyX architecture, there is no network-level connection between the remote user and the industrial asset. Instead, Agilicus acts as an identity-governed broker.

The Identity Broker Flow

  1. Pre-Authentication: Before a user even sees a login prompt for an asset, they must authenticate against a centralised identity provider such as Microsoft Entra ID (Azure AD), Okta, or Google Workspace. This ensures that the organisation’s existing security policies, including multi-factor authentication and conditional access, are enforced.
  2. Authorisation: Once authenticated, the AnyX platform checks the user’s identity against a granular access policy. The system asks: “Does this specific individual have permission to access this specific relay via this specific protocol?”
  3. Protocol Proxying: If authorised, AnyX establishes a protocol-specific session. The remote user connects to the AnyX edge, and the AnyX connector, sitting safely inside the operational technology network, makes a local connection to the asset. The two never “touch” at the network layer.

(Legacy VPN Network Tunnel vs. Agilicus AnyX Identity Broker)

Technical Implementation: Modern Identity for Legacy Industrial Control Systems

The primary challenge in industrial environments is the “Legacy Gap.” Critical infrastructure relies on assets designed decades ago, long before multi-factor authentication or modern identity protocols existed. Agilicus AnyX bridges this gap by “wrapping” legacy protocols in a modern identity layer.

Protocol Support and Interception

AnyX supports a wide array of industrial protocols, delivering them to a browser or a native client without requiring VPN software.

  • VNC (Virtual Network Computing): AnyX provides a clientless VNC gateway. AnyX renders the VNC session into an HTML5 canvas, meaning the raw VNC protocol never leaves the internal network. This adds multi-factor authentication to a protocol that never supported it natively.
  • RDP (Remote Desktop Protocol): AnyX proxies RDP sessions, allowing users to access engineering stations via their browser. This eliminates the need to expose port 3389 to the network.
  • SSH (Secure Shell): AnyX provides a secure SSH gateway with centralised key management. Instead of distributing keys to vendors, AnyX uses the user’s single sign-on identity to authorise the session.

Specific Industrial Protocol Handling: The “Universal Protocol”

Beyond standard protocols, industrial environments use specialised protocols such as Modbus/TCP and EtherNet/IP. Agilicus AnyX handles these via its Universal Protocol engine. The Agilicus desktop agent intercepts specific industrial traffic on the user’s machine and encapsulates it within an identity-governed tunnel. This allows a technician to use their native programming software while AnyX ensures they cannot “see” any other devices on the same backplane. This is the practical implementation of ISA/IEC 62443 zones and conduits without the need for complex firewall rules.

(Identity Provider -> AnyX Cloud -> AnyX Connector -> Legacy PLC/HMI)

Industrial Case Mapping: Real-World Implementation

The application of Agilicus AnyX transforms theoretical compliance into industrial defence across various sectors.

  • Case Study A: The Power Grid (SEL Relays): Traditionally, protecting Schweitzer Engineering Laboratories (SEL) relays required a VPN and shared keys. With AnyX, the substation gateway hosts a connector that brokers the SSH connection. Technicians authenticate with their corporate identity, and AnyX manages the actual relay key. This provides individual accountability for every relay configuration change.
  • Case Study B: Manufacturing (Rockwell PanelView): Many manufacturing plants access human-machine interfaces (HMIs) such as Rockwell PanelView via VNC. Since VNC is often unencrypted and lacks multi-factor authentication, it is a significant risk. AnyX transcodes the VNC protocol into a web-native format, injecting multi-factor authentication at the browser before the HMI screen is rendered.
  • Case Study C: Process Control (Schneider Electric): Managing Modbus/TCP or Schneider-specific protocols often results in “identity-blind” networks. AnyX implements resource-level authorisation. Instead of authorising an entire network, AnyX authorises access to a specific PLC for a specific vendor, preventing lateral movement and scanning.

The European Mandate: NIS2 and VNC Remote Access

The European Union’s NIS2 Directive marks a significant escalation in regulatory oversight. Article 21 mandates that essential entities implement supply chain security and cryptography measures. Under NIS2, traditional VNC access is a major non-compliance risk.

Agilicus AnyX solves this by adding multi-factor authentication to every VNC session and automatically wrapping the traffic in an AES-256 encrypted tunnel. Because the AnyX connector only makes outbound connections, the HMI does not need a public IP address or an inbound port opened on the industrial firewall.

The Evidence Engine: Automated Auditing for Regulators

In the world of critical infrastructure, security that cannot be proven is security that does not exist. Compliance is the act of providing evidence.

Agilicus AnyX provides an “Evidence Engine” that translates technical telemetry into human-readable accountability. Every session is logged with the verified identity, the specific resource, the protocol used, and the duration. For enterprise-scale utilities, AnyX integrates directly with security information and event management (SIEM) platforms like Microsoft Sentinel. This allows compliance teams to create automated dashboards that show all third-party access in real time, providing the “proportionate measures” evidence required by regulators.

(User Action -> AnyX Proxy -> Audit Log -> SIEM Dashboard)

Containment and the “Blast Radius”: Why Micro-segmentation Matters

One of the most dangerous concepts in industrial networking is the “flat network.” If an attacker gains a foothold on one device, they can propagate across the entire facility. Agilicus AnyX implements micro-segmentation at the identity layer. It creates a logical segment for each user session, known as a software-defined perimeter. The connection between the user and the asset only exists for the duration of the authorised session. If a vendor’s laptop is compromised, the malware is confined to the single protocol and the single asset authorised for that vendor. This reduces the blast radius of a breach to a single, isolated asset.

Implementation Workflow: From Zero to Zero-Trust

Deploying Agilicus AnyX into an existing environment follows a non-disruptive, “overlay” model:

  1. Identity Integration: Link the AnyX platform to the existing identity provider (e.g., Microsoft Entra ID). Define user groups such as “Internal Maintenance” or “Vendor A.”
  2. Connector Deployment: Install the lightweight AnyX connector inside the operational technology network. Ensure it has outbound-only access via port 443.
  3. Resource Definition: Define the target assets (PLCs, HMIs, Workstations) and their protocols.
  4. Policy Enforcement: Map user groups to resources. Apply conditions such as time-of-day restrictions.
  5. Evidence Verification: Verify that logs are flowing correctly to the corporate SIEM or internal audit stores.
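As an added illustration (not Agilicus code, and not the AnyX policy format), the authorisation question from the Identity Broker Flow, the time-of-day condition from step 4, and the per-session audit record described under the Evidence Engine, modelled in Python with a constructed policy and hypothetical group, asset and identity names:

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample policy (hypothetical, not the AnyX policy format): each user group
# maps to the exact asset and protocol it may reach, plus an optional hour window
# given as (start_hour, end_hour), start inclusive, end exclusive.
POLICY = {
    "Vendor A": [{"asset": "sel-relay-01", "protocol": "ssh", "hours": (8, 18)}],
    "Internal Maintenance": [
        {"asset": "sel-relay-01", "protocol": "ssh", "hours": None},
        {"asset": "panelview-hmi-03", "protocol": "vnc", "hours": None},
    ],
}

@dataclass
class Identity:
    """Claims the broker receives from the identity provider after pre-authentication."""
    subject: str   # the verified human identity, e.g. an e-mail address
    groups: list   # group memberships asserted by the identity provider
    mfa: bool      # whether multi-factor authentication was satisfied upstream

def authorise(ident, asset, protocol, when_iso):
    """May this individual reach this asset via this protocol right now? -> (allowed, reason)"""
    if not ident.mfa:
        return False, "mfa-required"            # conditional access enforced before any asset login
    hour = datetime.fromisoformat(when_iso).hour
    reason = "no-matching-rule"
    for group in ident.groups:
        for rule in POLICY.get(group, []):
            if rule["asset"] != asset or rule["protocol"] != protocol:
                continue                        # resource-level match only; no subnet-wide grant
            hours = rule["hours"]
            if hours is None or hours[0] <= hour < hours[1]:
                return True, f"group:{group}"
            reason = "outside-permitted-hours"  # keep looking: another group may allow it
    return False, reason

def session_record(ident, asset, protocol, decision, start_iso, end_iso):
    """Identity-bound audit record (who, which resource, which protocol, how long) in
    place of an address-level 'IP sent N bytes' line."""
    allowed, reason = decision
    duration = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return {
        "subject": ident.subject, "resource": asset, "protocol": protocol,
        "decision": "allow" if allowed else "deny", "reason": reason,
        "start": start_iso, "duration_s": int(duration.total_seconds()) if allowed else 0,
    }

if __name__ == "__main__":  # demo run with constructed values
    tech = Identity("tech@vendor-a.example", ["Vendor A"], mfa=True)
    verdict = authorise(tech, "sel-relay-01", "ssh", "2024-05-06T10:00:00")
    print(session_record(tech, "sel-relay-01", "ssh", verdict, "2024-05-06T10:00:00", "2024-05-06T10:25:00"))
```

Each record carries the fields an auditor asks for; a SIEM rule can then alert on any `deny` with reason `outside-permitted-hours` or on sessions whose duration exceeds a maintenance window.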

Conclusion: From Connectivity to Accountability

Agilicus AnyX is not just a connectivity tool: it is a compliance engine. It shifts the burden of proof from manual administrative processes to automated, identity-first architecture. This allows industrial operators to safely embrace hyper-connectivity while satisfying the most stringent global regulatory demands. For the modern utility, the path to security is no longer through a network tunnel, but through a verifiable chain of identity.

Ready To Learn More?

Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.


info@agilicus.com, +1 519 953-4332

300-87 King St W, Kitchener, ON, Canada. N2G 1A7
