
Why traditional VPNs are the weak link in NERC CIP-003-9 compliance
The danger of legacy remote access in critical infrastructure
Executive Summary
As the April 2026 deadline for the North American Electric Reliability Corporation Critical Infrastructure Protection (CIP-003-9) standard approaches, energy utilities are rushing to secure remote access to their low-impact cyber assets. In this rush, many organisations are turning to the tool they know best: the virtual private network. This is a critical strategic error. Rather than mitigating risk, expanding legacy VPNs into distributed operational technology environments amplifies it. This whitepaper examines the fundamental flaws of the VPN model and explains why achieving true compliance requires abandoning the perimeter in favour of zero trust.
The Illusion of the Perimeter
The virtual private network was built for a world that no longer exists—a world where the corporate network was a trusted sanctuary, and the internet was the sole hostile environment. The VPN acts as a drawbridge over a moat. Once a user authenticates, they are granted broad, network-level access. In an era of sophisticated ransomware and nation-state threats targeting critical infrastructure, this implicit trust is catastrophic.
If a third-party vendor’s laptop is compromised, a VPN connection allows the attacker to pivot seamlessly from the vendor’s machine directly into the utility’s operational technology network. They can scan the subnet, discover legacy programmable logic controllers, and move laterally. The VPN, intended as a security control, becomes the very conduit for the attack.
Failing the Compliance Test
The impending CIP-003-9 standard demands strict identity verification, particularly for vendor electronic remote access. It requires organisations to know exactly who is connecting, authenticate them strongly, and limit what they can do.
Traditional remote access fails this test on multiple fronts. VPNs are notoriously difficult to integrate with modern, unified identity providers for temporary third-party contractors. This often leads to the use of shared accounts or poorly managed local credentials on the VPN gateway. Furthermore, because the VPN grants network-wide access, it cannot enforce the precise, application-layer authorisation required to prove that a vendor only accessed the specific piece of equipment they were contracted to maintain. When auditors arrive, the utility is left trying to reconstruct access logs from fragmented network traffic, rather than presenting a clean, identity-centric audit trail.
The Operational Nightmare of Inbound Ports
Beyond security and compliance, the architecture of a VPN introduces severe operational friction. VPN gateways require inbound firewall ports to be opened to the public internet. This essentially paints a target on the facility: internet-wide scanning services such as Shodan index the exposed gateway, and attackers then bombard it with credential-stuffing attacks.
For remote wind farms or solar arrays relying on cellular modems or satellite connections, securing static IP addresses and managing complex firewall configurations is an administrative burden that delays maintenance and increases infrastructure costs.
The Zero Trust Alternative
The alternative to this fragile status quo is an identity-aware proxy built on zero trust principles. Agilicus AnyX completely inverts the traditional access model.
Instead of connecting a device to a network, Agilicus connects a verified human identity to a single, authorised application. There is no broad network access. There are no inbound firewall ports; the system uses outbound-only connections to completely cloak the infrastructure from the public internet. Vendors authenticate using their own corporate identity, complete a multi-factor authentication challenge, and access their required resource (such as a remote desktop) directly through a standard web browser—no client software required.
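To make the contrast concrete, the following is an added illustration (not Agilicus code and not a description of AnyX internals) of why a network-level grant cannot express the per-equipment authorisation the standard asks for, whereas an application-level decision produces an identity-centric audit record by itself; every identity, subnet and resource name is constructed sample data.

```python
"""Constructed comparison of a network-level (VPN) grant and an
application-level (identity-aware proxy) grant for vendor remote access.
All accounts, identities, subnets and resource names are made-up samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# VPN model (constructed): once the shared vendor account authenticates,
# the gateway pushes a route for the whole OT subnet at the site.
VPN_GRANTS = {
    "vendor-acme": [ip_network("10.20.0.0/16")],
}

# Zero-trust model (constructed): a named human identity is authorised for
# named applications only, and MFA must have been completed this session.
APP_GRANTS = {
    "jane@acme.example": {"rdp-windfarm-07-hmi"},
}


@dataclass(frozen=True)
class AccessRecord:
    identity: str
    resource: str
    allowed: bool
    reason: str


def vpn_allows(account: str, dst_ip: str) -> bool:
    """Network-level check: can this VPN account reach this IP at all?
    It has no way to say 'only the HMI you were contracted to maintain'."""
    addr = ip_address(dst_ip)
    return any(addr in net for net in VPN_GRANTS.get(account, []))


def proxy_decide(identity: str, mfa_completed: bool, resource: str) -> AccessRecord:
    """Application-level check as an identity-aware proxy would make it.
    The decision object is the audit record: who, what, allowed, and why."""
    if not mfa_completed:
        return AccessRecord(identity, resource, False, "mfa-not-completed")
    if resource not in APP_GRANTS.get(identity, set()):
        return AccessRecord(identity, resource, False, "not-authorised-for-resource")
    return AccessRecord(identity, resource, True, "authorised")


if __name__ == "__main__":
    # A compromised vendor laptop holding a valid VPN session can reach a
    # PLC the vendor was never contracted to touch.
    print(vpn_allows("vendor-acme", "10.20.5.9"))  # True
    # The same person through the proxy is limited to the granted application,
    # and each attempt is recorded against the human identity.
    print(proxy_decide("jane@acme.example", True, "plc-windfarm-07-turbine-3"))
    print(proxy_decide("jane@acme.example", True, "rdp-windfarm-07-hmi"))
```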
Conclusion: The Choice for Utilities
Energy utilities face a clear choice. They can continue to patch and extend a legacy perimeter model that is fundamentally unsuited for the modern threat landscape, battling operational friction and compliance gaps at every turn. Or, they can adopt a zero trust architecture that inherently satisfies NERC CIP-003-9 by delivering precise authorisation, unified authentication, and an invisible network perimeter. The virtual private network is the weak link; it is time to remove it.