Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Zero trust for energy IT and OT access: what changes for teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Energy organisations are using zero trust network access to replace broad VPN access with dynamic, least-privilege connections as IT and OT converge, remote work expands, and legacy systems remain exposed, according to Appgate. The security shift matters because identity, device posture, and context now determine who can reach critical systems, not network location.

NHIMG editorial — based on content published by Appgate: The Energy Sector’s Evolving Security Imperative

Questions worth separating out

Q: How should energy organisations secure remote access across IT and OT environments?

A: They should move away from broad network trust and toward resource-specific access policies that verify identity, device posture, and context before connection.

Q: Why does zero trust matter when IT and OT systems converge?

A: Because convergence collapses the old separation between business access and operational systems.

Q: What do organisations get wrong about VPN replacement in critical infrastructure?

A: They often replace the VPN while keeping the same trust model.

Practitioner guidance

  • Map remote access to resource-specific policy Identify all energy, OT, and shared IT resources that are still reachable through broad VPN paths, then replace them with access rules that tie each connection to a specific application or system.
  • Segment OT from IT with policy, not just routing Use microperimeters and conditional access to keep plant and operational systems separate from general enterprise traffic, even when both live on shared infrastructure.
  • Require device posture checks for privileged sessions Treat unmanaged or insecure devices as a separate trust category and prevent them from reaching operational systems that support production or maintenance.

What's in the full article

Appgate's full article covers the operational detail this post intentionally leaves for the source:

  • Case-study specifics on how Elecaustro implemented ZTNA to support remote access while meeting government security requirements.
  • The deployment experience at Sorocaba Refrescos, including how it segmented critical systems and replaced legacy VPN reliance.
  • The article's own comparison table linking remote access risks, IT/OT convergence, compliance, and legacy system constraints to ZTNA outcomes.
  • Practical examples of how context-aware policy and resource cloaking were applied in industrial environments.

👉 Read Appgate's analysis of zero trust access for energy IT and OT environments →

Zero trust for energy IT and OT access: what changes for teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Zero trust in energy is an access governance problem before it is a network architecture problem. The article shows that the real challenge is controlling who can touch operational assets as IT and OT converge, not simply replacing one perimeter technology with another. When remote staff and vendors need access to sensitive systems, identity, device state, and resource scope become the decision points. Practitioners should treat zero trust adoption as an access-policy redesign exercise, not a connectivity refresh.

A question worth separating out:

Q: Which frameworks should teams use to govern zero trust access in energy operations?

A: NIST CSF, NIST 800-53, and NIST SP 800-207 are the most useful starting points because they connect access control, monitoring, and zero trust architecture. Energy teams should also align evidence collection with operational compliance requirements so that access logs, policy decisions, and exception handling are defensible in audits.

👉 Read our full editorial: Zero trust access is redefining energy security across IT and OT



   
ReplyQuote
Share: