SECURE NETWORK ACCESS

Corey O'Connor | July 2, 2025 | 10 minute read

Redefining Energy Security with Universal ZTNA: A Candid Q&A with Appgate Chief Solutions Architect Adam Rose

As the energy sector undergoes a rapid digital transformation, the stakes for cybersecurity have never been higher. In this exclusive Q&A, Appgate Chief Solutions Architect Adam Rose addresses the unique and evolving threats facing energy organizations, from IT/OT convergence and remote access risks to the limitations of legacy security models, and explains why universal Zero Trust Network Access (UZTNA) is emerging as the gold standard for protecting critical infrastructure, ensuring operational continuity, and enabling secure, high-performance access for both on-premises and remote users.

Q: Why is cybersecurity such a pressing issue for the energy sector right now?

A: Cybersecurity has always been important, but the urgency for the energy sector has never been higher. The energy industry is the backbone of modern society. Any significant disruption—whether it’s generation, transmission, or distribution—can have cascading effects on everything from healthcare to public safety to the economy. What’s really changed in recent years is the attack surface: we’re seeing a massive digital transformation with smart grids, IoT devices, and cloud computing, all of which introduce new vulnerabilities. Attackers know this, and the sector is being targeted more than ever. In fact, the energy sector now accounts for nearly 40% of all attacks on critical infrastructure—over three times more than any other sector. That’s a staggering statistic, and it really underscores the need for a proactive, modern approach to cybersecurity.

It’s also important to recognize that many of these attacks are not just the work of independent hackers or criminal groups. Nation-state actors, particularly from China and Russia, are heavily involved in targeting critical infrastructure, including the energy sector. The U.S. Office of the Director of National Intelligence’s 2025 Annual Threat Assessment specifically highlights that China remains the most active and persistent cyber threat to U.S. critical infrastructure, with campaigns like Volt Typhoon aiming to pre-position access for potential attacks. Given that these advanced attack models often rely on cloaked ingress points and pre-positioned malware, it is imperative for energy organizations to adopt security strategies that render critical access points invisible to attackers and ensure that any lateral movement from such compromised footholds is rapidly identified and contained.

Russia also has demonstrated advanced capabilities and a willingness to disrupt energy systems, both for intelligence gathering and as part of broader geopolitical strategies. These state-sponsored campaigns significantly raise the stakes for energy organizations, making robust, modern cybersecurity not just an IT concern, but a matter of national security.


Q: What are some of the unique security challenges energy organizations face?

A: The energy sector faces a perfect storm of challenges. First, there’s the convergence of IT and OT networks—so your business systems and your operational technology are more connected than ever. That’s great for efficiency, but it also means an attack on the IT side can potentially jump to the OT side, putting physical infrastructure at risk. Further complicating this, you may also have a number of adjacent networks, perhaps built or maintained as separate 'fiefdoms' by trusted vendors or partners, that now more easily connect to or influence these converged environments, each potentially introducing unique security gaps. Then you have the need for secure remote access; field teams, remote operators, and third-party vendors all need to connect from different locations, sometimes under less-than-ideal circumstances. Add to that the proliferation of smart devices and legacy systems that weren’t built with today’s threats in mind, and you’ve got a complex, constantly shifting threat landscape.  

Let me give you a concrete example. Imagine a utility company with substations spread across a wide geographic area. Each substation might have legacy control systems, modern IoT sensors, and remote maintenance crews accessing those systems from the field. Within each substation, you're likely to find a challenging mix of technologies. There could be legacy control systems, often reliant on outdated and inherently insecure industrial protocols like Modbus or BACnet, which typically lack robust, modern authentication and encryption mechanisms, making them vulnerable to eavesdropping or unauthorized commands. Alongside these, you'll find an increasing number of modern IoT sensors. While these sensors often have native IP network capabilities, they are frequently designed more for ease of deployment and operational use rather than for robust security, inadvertently creating new, often unmonitored, entry points into your network. Finally, consider the critical human element: the maintenance crews accessing these very systems. These teams might be working directly in the field, sometimes with a variety of personal or less-secure corporate devices. Or, they could be connecting remotely, and this remote access often still relies on traditional, perimeter-based tools like VPNs. These VPNs are themselves frequent targets of attack, are often successfully breached, or are commonly provisioned with far too much network-wide access instead of the precise, least-privilege connections needed to protect sensitive OT environments. Every one of those connections is a potential entry point for attackers. And if you’re still relying on traditional perimeter security, you’re essentially leaving the door open. This is why we see such a strong push toward Zero Trust models in energy because the old ways just aren’t enough anymore.


Q: Traditional security models like firewalls and VPNs have been the norm for years. Why aren’t they enough anymore?

A: Perimeter-based security was fine when everything stayed inside a well-defined network, but that world is gone. With remote work, cloud adoption, and the integration of IT and OT, those boundaries are blurred or just plain gone. VPNs and firewalls often provide broad access—too broad, frankly—and lack the ability to adapt to user context or device health. Once someone’s in, they can often move laterally, which is a huge risk for critical infrastructure. In addition, traditional models leave open listening service ports exposed on the network, increasing the attack surface. ZTNA concepts like Single Packet Authorization (SPA) enable you to limit or even eliminate this exposure by making required ports and protocols invisible to unauthorized users, so only authenticated and authorized connections can reach them. This creates a new, tightly controlled boundary around critical services, drastically reducing opportunities for attack. We need a model that assumes the network is already compromised and verifies every access request, every time. That’s why so many organizations in the energy sector are now looking to universal Zero Trust Network Access, or UZTNA, as the next step—it’s a fundamentally different approach that addresses these modern realities head-on.
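To make the SPA idea above concrete, here is an added illustration (not Appgate's code or wire protocol) of the check a gateway performs before a cloaked port becomes reachable: it silently drops everything except a single HMAC-authenticated datagram carrying a client id, timestamp and nonce, and then opens the port only for that source and only briefly. The wire format, the shared key, the client ids and the 30-second window are constructed assumptions for the demo.

```python
import hmac, hashlib, os, struct, time
from typing import Optional

# Constructed demo values (assumptions, not a real deployment's secrets).
KEY = b"demo-shared-secret-not-for-production"   # per-client shared key
WINDOW_SECONDS = 30                               # freshness / allow-entry lifetime
HEADER = struct.Struct("!16sQ16s")   # client_id (16 B) | unix time (u64) | nonce (16 B)

def build_spa(client_id: bytes, key: bytes = KEY, now: Optional[int] = None) -> bytes:
    """Client side: the one datagram sent before anything else may reach the port."""
    now = int(time.time()) if now is None else now
    body = HEADER.pack(client_id.ljust(16, b"\0"), now, os.urandom(16))
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SpaGateway:
    """Server side: nothing is answered unless the packet verifies, so an
    unauthorized scanner sees a closed port rather than a service banner."""
    def __init__(self, authorized: dict, window: int = WINDOW_SECONDS):
        self.authorized = authorized          # client_id -> shared key
        self.window = window
        self.seen_nonces = set()              # replay cache (bounded in practice)
        self.allowlist = {}                   # src_ip -> expiry (unix time)

    def verify(self, packet: bytes, src_ip: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        if len(packet) != HEADER.size + 32:            # body + SHA-256 tag
            return "drop:malformed"
        body, tag = packet[:HEADER.size], packet[HEADER.size:]
        client_id, ts, nonce = HEADER.unpack(body)
        key = self.authorized.get(client_id.rstrip(b"\0"))
        if key is None:
            return "drop:unknown-client"
        # Constant-time compare so timing does not reveal which byte mismatched.
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return "drop:bad-mac"
        if abs(now - ts) > self.window:                # stale or clock-skewed
            return "drop:stale"
        if nonce in self.seen_nonces:                  # captured packet resent
            return "drop:replay"
        self.seen_nonces.add(nonce)
        # Open the cloaked port for this source only and only briefly; the real
        # session still has to authenticate and be authorized on top of this.
        self.allowlist[src_ip] = now + self.window
        return "allow"

    def is_open(self, src_ip: str, now: int) -> bool:
        return self.allowlist.get(src_ip, 0) > now
```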


Q: You’ve mentioned universal Zero Trust Network Access (UZTNA) as a solution. Can you explain what that means for energy organizations?

A: Zero Trust, and specifically universal ZTNA, is a game-changer. The philosophy is simple: never trust, always verify. Every single access request—whether it’s coming from inside the plant, a remote worker at a coffee shop, or a third-party vendor—gets rigorously authenticated and authorized. We look at identity, device health, location, and more. Unlike traditional solutions, ZTNA continuously validates these context and posture elements while the user or device is connected—not just at initial login—and can react to changes in context in near real time. For energy, this means you can confidently allow access to critical systems without worrying about exposing your entire network.

What really sets universal ZTNA apart, especially for energy, is the ability to provide direct, secure access to only the resources a user is authorized for—no more, no less, and only when the access is expected, or planned. Our approach at Appgate is direct-routing: users connect directly and securely to only the resources they’re authorized for, with no detours or bottlenecks. That’s critical for real-time operations where latency and downtime are unacceptable. And it’s not just about security; it’s about enabling the business to keep running, no matter what. To summarize, Appgate provides secure access to the right people, to the right resources, but only under specific circumstances.


Q: What does this look like in practice? How does Appgate’s UZTNA actually work on the ground?

A: Let’s take a real-world scenario. Suppose you have a field engineer who needs to access a SCADA system to perform maintenance. With our UZTNA, that engineer’s identity and device are verified in real time, and they’re granted access only to that specific system—nothing else. If their device posture changes, or if their behavior seems off, access can automatically be revoked immediately. Our direct-routing model means there’s no unnecessary detour through a central hub, so performance stays high and downtime is minimized.

But it goes further. Because of our “segment-of-one” approach, which isolates every user’s access to only the specific resources they’re permitted, if an attacker does get in, the attack surface is hidden and not accessible or discoverable to unauthorized users, and they’re contained—they can’t move laterally across your network through the access Appgate ZTNA controls. It’s important to note that while Appgate ZTNA cloaks ingress points and enforces strict user-to-resource access, comprehensive east-west (internal) segmentation requires integration with complementary solutions like Illumio, ColorTokens, or Elisity. Our gateways must be positioned between the user and the protected resources, and each user’s access is determined dynamically based on posture, context, and identity. This is what gives organizations the confidence that their operations remain resilient, no matter where their users are. In fact, a leading energy provider’s move to universal ZTNA was driven by the need to make protected segments completely invisible to anyone who isn’t explicitly authorized. Whether users are in the office, at home, or at a public cafe, there’s simply no way for unauthorized users to even see those critical assets, much less access them.

And for the business, that means high performance, low downtime, and the ability to maintain operations in any scenario. This is especially critical in OT environments, where supporting locally installed engineering and diagnostic tools—such as Niagara Workbench, Rockwell RS Logix/Studio 5000, Siemens TIA Portal/STEP 7, Schneider EcoStruxure/Unity Pro, ModScan/ModSim, BACnet Explorer, or DNP3 Test Set—is essential due to strict licensing and operational requirements. We’ve seen this play out with other clients as well. For example, Sorocaba Refrescos in Brazil was able to quickly transition hundreds of employees to remote work during the pandemic, all while strengthening access controls, improving network segmentation, and reducing operational complexity. They saw immediate improvements in connection stability and security, and their IT team was able to manage access more efficiently with far less overhead.  

Q: Why have leading energy companies chosen Appgate’s UZTNA?

A: It comes down to three things: invisibility, performance, and resilience. A leading energy provider, for example, needed to make sure that no user—whether they’re in the office, at home, or at a public cafe—could directly access protected segments of their network without undergoing rigorous, policy-driven and automated checks. Just as importantly, with Appgate’s direct-routed approach, users can securely connect to critical resources without having to hairpin their traffic through cloud security stacks or SaaS-based products. All traffic remains contained within the operational domain of the customer, with no reliance on any third-party “break and inspect” service. Our solution makes those critical assets invisible to anyone who isn’t explicitly authorized. The direct-routing architecture ensures high performance and low downtime, which is non-negotiable in energy. And finally, the business continuity aspect: energy companies can’t afford to be down, ever. Our UZTNA helps keep them up and running, securely, at all times.

But let me expand on that a bit. In the energy sector, business continuity isn’t just a nice-to-have, it’s absolutely critical. Any downtime can mean lost revenue, regulatory penalties, risks to public safety, and even the loss of human life. What made Appgate stand out to a leading energy provider was our ability to deliver secure, high-performance access without sacrificing usability. Whether a user is in a control room, out in the field, or working remotely, they get the same seamless, secure experience. And because our architecture is designed for scalability and integration, it fits right into existing IT and OT environments, supporting both legacy and modern systems. That’s a huge advantage for organizations that can’t afford disruption or degraded performance.


Q: What advice do you have for energy sector leaders who are evaluating their cybersecurity strategies?

A: First, start with the basics: make sure your organization is consistently applying foundational cybersecurity controls. That means strong passwords, multi-factor authentication, regular patching, network segmentation, employee training, and continuous monitoring—these are non-negotiable and too often overlooked. This includes the SCADA or controller/IoT appliances themselves, as many have been found to have publicly available default admin or backdoor credentials. As highlighted at this year’s RSA Conference keynote on critical infrastructure, many organizations are still missing these essentials, and no advanced technology can compensate for gaps in the fundamentals. Resist the urge to chase the latest shiny tool until your security hygiene is rock solid. Once you have the fundamentals in place and consistently enforced, you can build on that strong foundation by embracing a Zero Trust mindset. Assume attackers are already inside and build your defenses accordingly. Don’t rely on old perimeter models. Next, look for solutions that can secure both on-premises and remote access, especially for OT environments. A segment-of-one model is essential; you want to limit any potential breach to the smallest possible area. Make sure your solution supports compliance with industry standards like NERC CIP and IEC 62443, and that it provides the audit trails you’ll need. Most importantly, prioritize business continuity; choose solutions that keep your operations running, no matter what.

I’d also urge leaders to think about the long term. Digital transformation isn’t slowing down, and neither are the threats. It’s not enough to simply react to the latest incident or regulatory requirement. You need a security strategy that’s resilient, adaptable, and capable of supporting innovation. That means investing in solutions that can grow with your business, integrate with your existing infrastructure, and provide the visibility and control you need to manage risk proactively. And don’t underestimate the value of simple solutions: tools that are easy to manage and use will drive better adoption and ultimately better security outcomes.


Q: Any final thoughts for energy organizations thinking about the future?

A: The digital transformation of energy is both an opportunity and a risk. The threats are real and growing, but so are the tools at our disposal. Universal ZTNA isn’t just a technical upgrade—it’s a strategic imperative for protecting critical infrastructure and ensuring the lights stay on for everyone. The time to act is now, before the next attack tests your resilience. Looking ahead, future-proofing your security posture means prioritizing solutions that offer robust API integration and flexible layering, so you can seamlessly incorporate next-generation controls and toolsets as they emerge. Whether it’s integrating with new automation platforms, orchestration tools, or leveraging advances in AI for threat detection and response, this adaptability will be key to navigating an uncertain future and maintaining resilience as technology evolves.

But let me leave you with this: cybersecurity is no longer just an IT issue—it’s a business issue, a safety issue, and in many ways, a societal issue. The decisions you make today will determine not only the security of your organization, but also the reliability of the services your communities depend on. By adopting a Zero Trust strategy and investing in the right solutions, energy companies can protect their critical infrastructure, safeguard the communities they serve, and maintain the reliability and security of our power grid for generations to come.
