Securing Operational Technology
Operational Technology (OT) environments — from energy grids and water treatment plants to factory floors and ports — rely on legacy protocols, constrained hardware, and often insecure network designs. These systems weren’t built with modern threats in mind, yet they now face escalating cyber risks, including ransomware, espionage, and nation-state sabotage.
Crux VPN brings post-quantum secure networking to the edge of OT — enabling authenticated, encrypted communications across devices and control systems without introducing operational friction or requiring hardware changes. It’s a lightweight, software-defined trust layer designed for the realities of OT.
Problem
Traditional security tooling doesn’t translate well to OT environments:
- Firewalls and traditional VPNs don’t scale to segmented, low-bandwidth, or air-gapped networks.
- Legacy devices can't run a PKI stack (certificate storage, chain validation, renewal) or modern authentication frameworks.
- Manual key provisioning is error-prone and risky, and manually provisioned keys are rarely rotated.
- IT-originated tools often break critical processes or violate uptime guarantees.
Worse still, many OT networks assume implicit trust — anyone who gets onto the network can talk to anything. This flat-trust model is a liability in a threat environment that’s anything but flat.
Crux VPN in action
Crux VPN creates a cryptographic perimeter around OT devices and control systems by delivering short-lived symmetric keys to authenticated nodes. Devices connect securely over serial links, Ethernet, or wireless, including devices that can't run a full OS or a conventional crypto library: for those, the agent sits in front of them on a gateway and the traffic is encrypted from the gateway onward.
Crux VPN can be deployed at the edge via gateways, or embedded directly into higher-functioning endpoints. Keys are brokered via a minimal trust backend, with no static credentials or PKI overhead. Communications are locked down by default, authenticated at the session level, and always encrypted.
Example deployment
```mermaid
flowchart LR
    subgraph OT_Network_1 [OT Network A]
        PLC1[PLC A1]
        PLC2[PLC A2]
    end
    subgraph Crux_Node_1 ["Sirius 'H1' Node A <br/> (Edge Gateway)"]
        RouterA[Crux VPN Agent]
    end
    subgraph Transit ["LAN / WAN / Internet"]
        WireTunnel["Post-Quantum Safe Encrypted Tunnel"]
    end
    subgraph Crux_Node_2 ["Sirius 'H1' Node B <br/> (Remote Site)"]
        RouterB[Crux VPN Agent]
    end
    subgraph OT_Network_2 [OT Network B]
        PLC3[PLC B1]
        PLC4[PLC B2]
    end
    RouterA <-- "Key Agreement Platform <br/> (SKA-P)" --> RouterB
    PLC1 -- unencrypted --> RouterA
    PLC2 -- unencrypted --> RouterA
    RouterA <--> WireTunnel <--> RouterB
    RouterB -- unencrypted --> PLC3
    RouterB -- unencrypted --> PLC4
```
Design highlights
- No reliance on certificates or pre-shared keys — zero-touch authentication and keying
- Session-specific symmetric keys with built-in forward secrecy
- No changes to OT hardware or protocols — deploy alongside legacy systems
- Small binary footprint, works even in resource-constrained environments
- Compatible with serial, TCP/IP, and broadcast/multicast topologies
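The gateway overlay described above, as an added illustration that is not Crux VPN's code and does not describe its SKA-P key agreement: the brokered key is modelled as random bytes, each gateway holds one short-lived epoch key, plaintext PLC frames are encapsulated with AES-256-GCM under a strictly increasing counter, and epoch rollover is a one-way HMAC ratchet that wipes the previous key. The Modbus/TCP frame is constructed for the example, and the ratchet label, packet layout and all function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Epoch is one short-lived symmetric key plus the replay state tied to it.
type Epoch struct {
	key     []byte // 32-byte AES-256-GCM key for the current epoch
	sendCtr uint64 // last counter sent
	recvCtr uint64 // highest counter accepted from the peer (0 = none yet)
}
func NewEpoch(k []byte) *Epoch { return &Epoch{key: append([]byte(nil), k...)} }

// Ratchet derives the next epoch key one-way (HMAC-SHA256, label chosen for this
// example) and wipes the old one, so a key dumped later cannot decrypt earlier traffic.
func (e *Epoch) Ratchet() {
	m := hmac.New(sha256.New, e.key)
	m.Write([]byte("example-epoch-ratchet"))
	next := m.Sum(nil)
	for i := range e.key {
		e.key[i] = 0
	}
	e.key = next
	e.sendCtr, e.recvCtr = 0, 0
}

// aead builds AES-256-GCM; neither constructor can fail for a 32-byte key.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal wraps one plaintext OT frame as: 8-byte counter || AES-GCM output. The counter
// is the nonce (unique within an epoch) and is authenticated as associated data.
func (e *Epoch) Seal(frame []byte) []byte {
	e.sendCtr++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, e.sendCtr)
	nonce := make([]byte, 12) // 4 zero bytes || counter
	copy(nonce[4:], hdr)
	return append(hdr, aead(e.key).Seal(nil, nonce, frame, hdr)...)
}

// Open reverses Seal; frames that fail authentication or reuse a counter are dropped.
func (e *Epoch) Open(pkt []byte) ([]byte, error) {
	if len(pkt) < 8 {
		return nil, errors.New("short packet")
	}
	hdr := pkt[:8]
	ctr := binary.BigEndian.Uint64(hdr)
	if ctr <= e.recvCtr {
		return nil, errors.New("replayed frame rejected")
	}
	nonce := make([]byte, 12)
	copy(nonce[4:], hdr)
	pt, err := aead(e.key).Open(nil, nonce, pkt[8:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed, frame dropped")
	}
	e.recvCtr = ctr
	return pt, nil
}

// Frame is a constructed Modbus/TCP request: read 10 holding registers from unit 1.
var Frame = []byte{0, 1, 0, 0, 0, 6, 1, 3, 0, 0, 0, 10}

// Demo carries Frame from PLC A1 through gateway A, over the tunnel and out of gateway
// B, then tries a replay, a tampered frame, and a key dumped after epoch rollover.
func Demo() (recovered []byte, replayErr, tamperErr, oldKeyErr error, postRatchetOK bool) {
	k := make([]byte, 32) // stands in for the brokered key; random here is an assumption
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	gwA, gwB := NewEpoch(k), NewEpoch(k)
	pkt := gwA.Seal(Frame)       // leaves gateway A encrypted
	recovered, _ = gwB.Open(pkt) // delivered to the B side in the clear
	_, replayErr = gwB.Open(pkt) // the same packet captured and resent
	pkt2 := gwA.Seal(Frame)
	pkt2[len(pkt2)-1] ^= 0x01 // flip one bit of the GCM tag in transit
	_, tamperErr = gwB.Open(pkt2)
	gwA.Ratchet() // epoch rollover on both gateways
	gwB.Ratchet()
	pt3, err := gwB.Open(gwA.Seal(Frame))
	postRatchetOK = err == nil && string(pt3) == string(Frame)
	stolen := NewEpoch(gwA.key)     // attacker dumps the current key...
	_, oldKeyErr = stolen.Open(pkt) // ...and tries it on recorded traffic
	return
}

func main() { fmt.Println(Demo()) }
```

The walk-through shows the properties the design highlights claim: a replayed frame, a tampered frame, and recorded traffic decrypted with a key dumped after rollover are all rejected before anything reaches the OT side, while traffic after rollover still flows. Two caveats a practitioner should keep in mind: the strictly increasing counter also drops reordered frames, so a real overlay on a lossy link would use an anti-replay window rather than a single high-water mark; and the ratchet only gives forward secrecy if the previous key is actually erased everywhere, so a key that is logged, swapped to disk, or retained elsewhere undoes the property.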
Benefits
| Area | Advantage |
|---|---|
| Security | Enforces least privilege and authenticated comms across legacy OT |
| Simplicity | Drop-in overlay, no impact on process logic or PLC configs |
| Compatibility | Runs on or alongside existing field devices and protocols |
| Resilience | Reduces lateral movement, locks down unauthorized access |
| Operational Fit | Designed for uptime-sensitive and safety-critical systems |
When to use Crux VPN
Crux VPN is ideal for operators and integrators securing:
- Critical infrastructure (water, energy, transport)
- ICS/SCADA systems in manufacturing or logistics
- OT networks requiring segmentation, monitoring, or remote access
- Edge environments with mixed-trust devices and limited compute
- Legacy systems that need modern encryption without modernization