By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: AppgatePublished July 16, 2025

TL;DR: Energy organisations are using zero trust network access to replace broad VPN access with dynamic, least-privilege connections as IT and OT converge, remote work expands, and legacy systems remain exposed, according to Appgate. The security shift matters because identity, device posture, and context now determine who can reach critical systems, not network location.


At a glance

What this is: This is an analysis of how zero trust network access changes security for energy environments by tightening remote access, IT/OT segmentation, and compliance controls.

Why it matters: It matters because energy teams need access models that reduce blast radius across legacy systems, third-party access, and operational technology without relying on perimeter trust.

👉 Read Appgate's analysis of zero trust access for energy IT and OT environments


Context

Energy security is moving beyond perimeter defence because IT and OT systems now share more pathways, more remote users, and more vendor access than traditional firewall and VPN models were designed to handle. In that environment, access control becomes a governance problem as much as a network problem, especially where identity, device posture, and location determine whether a connection should exist at all.

For identity and access teams, the key issue is not just connectivity but who can reach operational assets, under what conditions, and with what audit trail. That makes zero trust network access relevant to IAM, PAM, and third-party access governance even when the primary article is framed around energy operations rather than identity management.


Key questions

Q: How should energy organisations secure remote access across IT and OT environments?

A: They should move away from broad network trust and toward resource-specific access policies that verify identity, device posture, and context before connection. In energy environments, that reduces lateral movement risk, protects legacy systems, and makes third-party access easier to govern. The goal is to expose only the resource needed for the task, not the wider network.

Q: Why does zero trust matter when IT and OT systems converge?

A: Because convergence collapses the old separation between business access and operational systems. When users, vendors, and IoT-connected assets share the same environment, a broad trust model can turn one authenticated session into much wider reach. Zero trust narrows that reach and gives teams a clearer way to control operational blast radius.

Q: What do organisations get wrong about VPN replacement in critical infrastructure?

A: They often replace the VPN while keeping the same trust model. If access is still broad, static, and network-led, the underlying exposure does not change much. The better approach is to redesign policy around least privilege, session context, and resource visibility so that remote access becomes narrower, not just newer.

Q: Which frameworks should teams use to govern zero trust access in energy operations?

A: NIST CSF, NIST 800-53, and NIST SP 800-207 are the most useful starting points because they connect access control, monitoring, and zero trust architecture. Energy teams should also align evidence collection with operational compliance requirements so that access logs, policy decisions, and exception handling are defensible in audits.


Technical breakdown

Why legacy perimeter access breaks in IT/OT environments

Traditional VPN and firewall models assume that once a user is inside the network, trust can broaden. That assumption fails in energy environments where IT, OT, IoT, vendors, and remote staff operate across shared infrastructure and different risk levels. Broad network reach increases lateral movement opportunities and makes segmentation harder to enforce consistently. Zero trust network access changes the control point from network membership to verified request, which is more compatible with distributed operations and legacy systems that cannot be rebuilt quickly.

Practical implication: replace network-wide access paths with narrowly scoped connectivity tied to role, device state, and resource need.

How microperimeters and context-aware policy reduce attack surface

Microperimeters create one-to-one or one-to-few access relationships between an approved user and a specific resource set. Context-aware policy then evaluates identity, device posture, and location before granting access, which means the policy can reject risky sessions without exposing the target service on the open network. In practice, this hides critical assets until they are explicitly needed and limits what any authenticated user can reach. For energy operations, that is especially useful where remote maintenance, plant systems, and third-party support all require different trust thresholds.

Practical implication: define access policies around resource visibility and session context, not around broad user network membership.

Why zero trust helps compliance without treating it as a separate layer

The compliance value of zero trust in this article comes from building auditability and restriction into the access path itself. Rather than relying on separate controls to prove who connected, when, and to what, the architecture can log policy decisions and enforce least privilege at the moment of access. That matters in regulated environments where access to operational systems must be defensible under standards that expect confidentiality, integrity, availability, and traceable control. Compliance becomes a property of the design, not just the paperwork around it.

Practical implication: map access policy logs and least-privilege enforcement to evidence requirements before expanding remote access further.


Threat narrative

Attacker objective: The objective is to expand from a single trusted connection into broader operational access that can disrupt energy services or expose sensitive systems.

  1. Entry occurs when remote access or vendor connectivity is granted through a broad trust boundary rather than a verified, resource-specific policy.
  2. Escalation follows when authenticated users can move laterally across IT, OT, or IoT-connected systems that were never meant to share the same access plane.
  3. Impact is reached when an attacker or over-privileged user can reach critical operational resources, disrupt services, or expose sensitive internal systems.

NHI Mgmt Group analysis

Zero trust in energy is an access governance problem before it is a network architecture problem. The article shows that the real challenge is controlling who can touch operational assets as IT and OT converge, not simply replacing one perimeter technology with another. When remote staff and vendors need access to sensitive systems, identity, device state, and resource scope become the decision points. Practitioners should treat zero trust adoption as an access-policy redesign exercise, not a connectivity refresh.

Microsegmentation becomes more valuable when the environment includes legacy systems that cannot be rebuilt. Energy operators rarely have the option to modernise every plant or control system at once, so the practical task is to reduce blast radius around what already exists. Context-aware policy and cloaked resources help contain exposure without a full rip-and-replace programme. Practitioners should prioritise controls that shrink reachable surface area around the most operationally sensitive assets.

Third-party access is the hidden governance fault line in energy modernisation. Distributed operations often require vendors, contractors, and service providers to connect into environments that were designed for far less external access. That makes lifecycle control, approval scope, and auditability critical, especially where privileged maintenance is involved. Practitioners should align zero trust policy with third-party access governance rather than treating vendor connectivity as an exception path.

Visibility into access decisions matters as much as the access decision itself. Zero trust only improves resilience if teams can prove why a connection was allowed, denied, or narrowed. That creates a stronger basis for compliance evidence, incident review, and access recertification across both operational and identity programmes. Practitioners should ensure policy logs are usable for governance, not just operations.

What this signals

Distributed access models will keep displacing perimeter assumptions in operational environments. Energy programmes that still rely on VPN reach as a proxy for trust will find it harder to separate legitimate remote work from unnecessary blast radius. The practical response is to make access decisions closer to the resource and to use MITRE ATT&CK Enterprise Matrix thinking to map lateral movement risk across shared environments.

Microperimeter design will become a governance marker, not just a network choice. The organisations that can prove which users, devices, and sessions are allowed to see which operational assets will have a clearer path through audit, incident response, and vendor oversight. That is especially true where remote maintenance and legacy control systems must coexist.

Identity-linked access controls will matter more as operational systems become more distributed. The access model described here is closely aligned with the broader zero trust discipline and will increasingly intersect with privileged access governance, third-party access review, and policy evidence capture. Teams that connect those controls early will be better positioned to reduce operational access sprawl before it becomes a resilience issue.


For practitioners

  • Map remote access to resource-specific policy Identify all energy, OT, and shared IT resources that are still reachable through broad VPN paths, then replace them with access rules that tie each connection to a specific application or system. Prioritise systems that support maintenance, remote administration, or vendor support, since those sessions create the widest exposure window.
  • Segment OT from IT with policy, not just routing Use microperimeters and conditional access to keep plant and operational systems separate from general enterprise traffic, even when both live on shared infrastructure. This is most effective when the policy explicitly blocks lateral movement between servers and prevents a valid session in one zone from extending into another.
  • Require device posture checks for privileged sessions Treat unmanaged or insecure devices as a separate trust category and prevent them from reaching operational systems that support production or maintenance. For privileged access, combine posture checks with MFA and short-lived session scope so that elevated access is both justified and observable.
  • Build audit evidence into access design Capture who requested access, which condition gates were evaluated, and which resource was exposed for every high-risk connection. That gives compliance teams a cleaner evidence trail for standards such as EGSI, NERC CIP, and ISA/IEC 62443 without relying on manual reconstruction after the fact.

Key takeaways

  • Energy security teams are being pushed away from perimeter trust and toward context-aware access controls that limit reach to specific operational resources.
  • The main risk is not remote access itself but broad sessions that allow lateral movement across IT, OT, and IoT-connected systems.
  • Zero trust works best when it is designed as an access governance layer that also produces usable audit evidence for compliance and incident review.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Least-privilege access and context-aware control are central to the article.
NIST Zero Trust (SP 800-207)The article is fundamentally about zero trust access for distributed energy systems.
NIST SP 800-53 Rev 5AC-6Least privilege is the core access control principle discussed throughout.
CIS Controls v8CIS-6 , Access Control ManagementThe post centres on controlling and segmenting access across critical environments.
ISO/IEC 27001:2022A.8.3Operational access restrictions and handling of user access are directly implicated.

Align access restriction procedures with ISO 27001 Annex A controls for secure operation.


Key terms

  • Zero Trust Network Access: Zero Trust Network Access is an access model that grants connectivity only after verifying identity, device posture, and policy conditions. It replaces broad network entry with specific, contextual access to named resources, which is especially useful when remote users and vendors must reach sensitive systems without exposing the wider environment.
  • Microperimeter: A microperimeter is a tightly scoped security boundary around a specific application, system, or resource set. Instead of assuming trust at the network edge, it limits who can see and reach the asset, reducing lateral movement and making access decisions more precise in mixed IT and OT environments.
  • Context-Aware Access: Context-aware access is a policy approach that evaluates factors such as identity, device health, location, and session risk before allowing a connection. It is more adaptable than static network rules because it can deny or narrow access when the conditions around a request do not match the required trust level.
  • IT/OT Convergence: IT/OT convergence is the operational blending of information technology and operational technology systems. It improves efficiency but also creates shared pathways, shared trust assumptions, and a larger attack surface, which means access governance must become more granular and more resilient.

What's in the full article

Appgate's full article covers the operational detail this post intentionally leaves for the source:

  • Case-study specifics on how Elecaustro implemented ZTNA to support remote access while meeting government security requirements.
  • The deployment experience at Sorocaba Refrescos, including how it segmented critical systems and replaced legacy VPN reliance.
  • The article's own comparison table linking remote access risks, IT/OT convergence, compliance, and legacy system constraints to ZTNA outcomes.
  • Practical examples of how context-aware policy and resource cloaking were applied in industrial environments.

👉 Appgate's full article shows how zero trust was applied in two operational case studies.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in practical terms. It is designed for practitioners who need to connect access control decisions to real-world identity and security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org