The Number That Shouldn’t Exist
A water utility CISO sat across from us and described last year’s vendor maintenance budget. $340,000.
Not for software licenses. Not for security tooling. Not for incident response retainers.
For airline tickets.
Every time a controller needed a firmware update, a vendor flew in. Every time an HMI showed an alarm the local team couldn’t diagnose, a technician flew in. Every time a quarterly maintenance window came up, three vendors flew in. Across 6 sites, 40+ controllers, and dozens of supporting systems, the travel coordination became its own logistics function – bigger than most security operations teams.
The CISO called this “our security architecture.”
It wasn’t. It was operational paralysis with a security label.
This article breaks down the actual cost of physical-access-only OT maintenance – the costs that don’t appear on the security budget but absolutely belong there – and why the Reverse Access architecture that eliminates them isn’t a tradeoff between security and accessibility. It’s both, simultaneously, by design.
What “Physical-Access-Only” Actually Costs
The $340K travel budget is the visible number. It’s also the smallest number. The real cost of physical-access-only OT maintenance breaks down into seven categories, and most CISOs only track one or two of them.
Category 1: Direct Travel Costs
The obvious one. Vendor airfare, hotels, per diem, ground transportation, expedited shipping for replacement parts. For a mid-sized water utility with 6 sites, 40 PLCs, and standard quarterly maintenance:
- 4 quarterly visits × 6 sites × 3 vendor types = 72 vendor visits per year minimum
- Average $4,000–$5,000 per visit including travel + on-site time
- Annual baseline: $290,000–$360,000
That’s the $340K. Documented. Auditable. Painful.
Category 2: Internal Coordination Overhead
Every vendor visit requires internal coordination. Schedule confirmation, security clearance for site access, pre-visit work orders, post-visit documentation, badge issuance, escort assignment. For each visit, conservatively 4–6 hours of internal staff time across IT, OT, and security functions. At a loaded labor cost of $85/hour, that’s $340–$510 per visit. At 72 visits per year – $24K–$37K annually that nobody tracks because it’s distributed across multiple departments.
Category 3: Production Downtime During Maintenance Windows
Most OT maintenance requires the system to be in a controlled state – sometimes offline, sometimes in reduced-capacity mode. The vendor’s flight schedule defines the maintenance window. The maintenance window defines the production impact. A water utility that could perform maintenance during a 2-hour off-peak window must instead schedule for the vendor’s availability – which often means an 8-hour window or a weekend visit at premium rates.
The hidden cost: production capacity that doesn’t get delivered because maintenance runs longer than necessary. For utilities, this translates to either deferred service or capital investments to add capacity that compensates for inefficient maintenance scheduling.
Category 4: Delayed Firmware Updates and Their Consequences
This is the category most CISOs eventually confront – usually after a CVE that affects their controllers makes the news.
Physical-only maintenance means firmware updates happen on the maintenance schedule, not the threat schedule. A critical CVE published Tuesday doesn’t get patched until the next scheduled vendor visit – which might be 90 days away. Or the visit gets delayed because of weather. Or the vendor reschedules. Or the budget for emergency travel hasn’t been approved.
Meanwhile, the controller is exposed. The compensating control is “we have a data diode” or “it’s behind the firewall.” Both true. Neither sufficient. A vendor access security checklist for OT environments documents what actually constitutes adequate access governance – and what falls short of it.
Category 5: Vendor Lock-In Premium
When a vendor is the only entity that can update their equipment, pricing power follows. Service contract renewals come with annual increases that exceed inflation. Emergency response premiums apply outside normal business hours. Out-of-warranty repair quotes assume the customer has no alternative.
This isn’t malicious vendor behavior. It’s market structure. Physical-access-only models concentrate dependency on the vendor that originally installed the equipment. The utility’s BATNA – best alternative to a negotiated agreement – is “fly the technician here ourselves at our cost.” Which isn’t really an alternative.
Category 6: Talent and Retention Costs
OT specialists who spend 60% of their time coordinating physical vendor visits are doing logistics, not engineering. The good ones leave for jobs that let them do actual technical work. The replacements take 12–18 months to reach productivity. The institutional knowledge walks out the door.
This is the cost CFOs least want to acknowledge because it doesn’t fit neatly in a budget line. But the recruiting cost, the training cost, and the productivity gap during transition periods are real – and they accumulate every year that the maintenance model stays unchanged.
Category 7: The Risk Cost That Insurance Now Charges For
Cyber insurance underwriters increasingly ask specific questions about vendor access governance: Are vendor sessions authenticated with named accounts? Are they recorded? Are they time-bounded? Is content from vendors scanned before reaching OT systems?
Physical-access-only environments often have the worst answers to these questions. The vendor walks onto the site, sits at a workstation with shared local credentials, and updates equipment without session recording, without per-operation policy, and without content inspection.
Insurance premiums reflect this. Coalition’s 2024 data showed 82% of denied claims involved organizations without fully implemented MFA across all access paths – and physical-only environments often lack MFA entirely on OT access because “the vendor is on-site, that’s the security control.”
The Total Cost Breakdown
Putting all seven categories into one view for a representative mid-sized water utility:
| Cost Category | Annual Cost (Conservative) | Visibility on Budget |
|---|---|---|
| Direct travel (vendors) | $340,000 | Highly visible |
| Internal coordination overhead | $30,000 | Distributed, untracked |
| Production downtime premium | $80,000 | Operational, not security |
| Delayed firmware update risk | Variable, growing | Risk register only |
| Vendor lock-in pricing premium | $60,000 | Buried in service contracts |
| Talent retention/recruiting | $45,000 | HR, not security |
| Insurance premium increase | $50,000+ | Finance, not OT |
| Total annual exposure | $605,000+ | Spread across 5+ budgets |
The CISO’s “security budget” was $340K because that’s what showed up on the security ledger. The actual cost of the security architecture they were maintaining was nearly double that – distributed across operations, HR, finance, and the risk register where nobody adds it up.
The Reframe: It’s Not Security. It’s Operational Paralysis.
Physical-only OT maintenance was a defensible architecture in 2014. The threat landscape was different. Remote access tools were less mature. Zero Trust was an academic concept. Air-gapping made operational sense for utilities that had no remote support requirement and no cyber insurance scrutiny.
None of those conditions hold in 2026.
The vendor needs remote support to be commercially viable. The threat landscape requires firmware updates within days, not quarters. Cyber insurance asks specific questions about remote access governance and prices the answers. OT-specific compliance frameworks (NERC CIP for power, AWIA for water, IEC 62443 for industrial) require evidence of access controls that physical-only models cannot produce.
What was a security architecture in 2014 is operational paralysis in 2026. The label hasn’t changed. The reality has.
A practical examination of the three-layer approach to securing IT/OT connectivity documents how modern OT environments handle remote access without sacrificing the segmentation principles that physical-only environments were designed to enforce.
Why CISOs Have Defended This Architecture
When we present the cost breakdown to CISOs operating physical-only environments, the response is rarely “we didn’t know.” It’s usually “we know, but we can’t change it because [specific architectural fear].”
The fears are consistent across organizations:
Fear 1: “Remote access opens the network.”
Traditional remote access does. VPN concentrators expose port 443 to the internet. Remote desktop gateways accept inbound RDP connections. Every inbound port is a scannable, exploitable attack surface – which is why CISOs operating critical infrastructure correctly chose to avoid them.
But Reverse Access architecture inverts the direction. The internal Access Controller initiates outbound connections to the Access Gateway. No inbound ports are opened. The OT network is architecturally invisible from the internet – there is nothing to scan, nothing to find, nothing to exploit. The fear maps to traditional remote access. It doesn’t map to Reverse Access.
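The connection inversion described above, as an added illustration that is not truePass code and makes no claim about how the product implements it: a gateway outside the OT zone holds the only listening sockets, the OT-side controller dials out to it and then waits, and a vendor session is paired with that outbound channel and relayed. Everything runs on localhost; the host, ports and the PLC status line are constructed for the demo.

```python
import socket
import threading

TIMEOUT_S = 5  # keeps the demo from hanging if a peer misbehaves

def _read_until_eof(sock):
    """Collect everything the peer sends until it closes its write side."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)

def _pump(src, dst):
    """Copy src -> dst until src hits EOF, then pass that EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _listener(host):
    """A listening socket on a free port. Only the gateway ever calls this."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(TIMEOUT_S)
    s.bind((host, 0))  # port 0: the OS picks a free port for the demo
    s.listen(4)
    return s

class Gateway:
    """Relay point outside the OT zone and the only party that listens: one
    port for the controller's outbound registration, one for vendor sessions."""

    def __init__(self, host="127.0.0.1"):
        self.ctrl_srv, self.vend_srv = _listener(host), _listener(host)
        self.ctrl_port = self.ctrl_srv.getsockname()[1]
        self.vend_port = self.vend_srv.getsockname()[1]
        self.controller_ready = threading.Event()

    def serve_one_session(self):
        """Wait for the controller to dial in, then relay one vendor session."""
        ctrl, _ = self.ctrl_srv.accept()  # connection initiated FROM the OT side
        self.controller_ready.set()
        vend, _ = self.vend_srv.accept()
        for s in (ctrl, vend):
            s.settimeout(TIMEOUT_S)
        pumps = [threading.Thread(target=_pump, args=(vend, ctrl)),
                 threading.Thread(target=_pump, args=(ctrl, vend))]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        for s in (vend, ctrl, self.ctrl_srv, self.vend_srv):
            s.close()

def plc_status_handler(request):
    """Stand-in for the controller forwarding a request to a PLC or HMI;
    the status line is a constructed sample value."""
    if request == b"STATUS\n":
        return b"OK site-3 PLC-07 firmware 2.1.0\n"
    return b"ERR unknown request\n"

def access_controller(gateway_host, ctrl_port, handler):
    """OT-side component: connect-out only. No bind()/listen() here, so the
    OT firewall stays deny-all for inbound traffic."""
    with socket.create_connection((gateway_host, ctrl_port), timeout=TIMEOUT_S) as s:
        request = _read_until_eof(s)  # the vendor's request, relayed by the gateway
        s.sendall(handler(request))
        # leaving the block closes the socket; the relay passes that EOF to the vendor

def vendor_session(gateway_host, vend_port, request):
    """Vendor side: talks only to the gateway, never to an OT address."""
    with socket.create_connection((gateway_host, vend_port), timeout=TIMEOUT_S) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)  # end of request; now wait for the answer
        return _read_until_eof(s)

def run_relay_demo(request=b"STATUS\n"):
    """Start gateway and controller, run one vendor session, return the reply."""
    gw = Gateway()
    gw_t = threading.Thread(target=gw.serve_one_session, daemon=True)
    ctrl_t = threading.Thread(target=access_controller, daemon=True,
                              args=("127.0.0.1", gw.ctrl_port, plc_status_handler))
    gw_t.start()
    ctrl_t.start()
    if not gw.controller_ready.wait(TIMEOUT_S):
        raise RuntimeError("controller never registered with the gateway")
    reply = vendor_session("127.0.0.1", gw.vend_port, request)
    ctrl_t.join(TIMEOUT_S)
    gw_t.join(TIMEOUT_S)
    return reply
```

The point to check when evaluating any product of this shape is the one the code makes explicit: the OT-side component contains no `bind()`/`listen()` call, so a deny-all inbound rule on the OT firewall is compatible with the design, and the vendor's traffic never carries an OT address. A real deployment adds TLS, mutual authentication of the controller to the gateway, and the identity and recording layers the article covers later.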
Fear 2: “We can’t authenticate vendors with our identity infrastructure.”
True for many OT vendors. Their technicians don’t have accounts in your Active Directory. They use shared credentials or local accounts that violate every governance principle.
Zero Trust Access provides named vendor accounts with time-bounded sessions, per-session MFA, and complete session recording – without requiring vendor technicians to be in your AD. The identity layer integrates federated authentication, RADIUS, RESTful authentication, and SAML, allowing vendor identities to be managed externally while maintaining policy control internally.
Fear 3: “Files from vendors might be malicious.”
Correct concern. Firmware files, configuration backups, and engineering project files from vendors carry legitimate functional content alongside potential malicious content – sometimes deliberately, more often through supply chain compromise upstream of the vendor.
This is what Content Disarm and Reconstruction addresses. Not signature-based scanning that misses unknown threats. Structural file rebuilding that strips active content, embedded scripts, and exploit structures regardless of whether the threat is known. Every file passing into OT through Reverse Access can be CDR-scanned at the SMB Proxy layer before reaching backend storage.
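To make the "rebuild, don't scan" idea concrete, here is an added example, not truePass's CDR engine and not a complete one, for a single container format: a Word document is a zip archive, so a sanitized copy can be written from scratch keeping only allow-listed parts, which drops a VBA project or OLE embedding without needing a signature for it. The sample document, the allow-list and the part names are constructed for the example; a production engine covers many formats, repairs content types and handles far more structure than this.

```python
import io
import posixpath
import re
import zipfile

# Parts a plain Word document needs; anything else (VBA project, OLE embeddings,
# ActiveX controls) is simply not copied into the rebuilt archive.
# Illustrative allow-list: a real .docx carries more parts than these.
ALLOWED_PARTS = {"[Content_Types].xml", "_rels/.rels", "word/document.xml",
                 "word/_rels/document.xml.rels", "word/styles.xml"}

def _strip_references(xml, dropped_parts):
    """Remove <Override .../> and <Relationship .../> elements that point at a
    dropped part, so the rebuilt document does not reference missing content."""
    for part in dropped_parts:
        base = re.escape(posixpath.basename(part))
        xml = re.sub(r"<(?:Override|Relationship)\b[^>]*" + base + r"[^>]*/>", "", xml)
    return xml

def rebuild_office_container(data):
    """Return (clean_bytes, dropped_parts). Allow-listed parts are read out and
    written into a brand-new archive; nothing from the original container's
    structure (entry metadata, extra fields, ordering) is carried over."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = src.namelist()
    dropped = [n for n in names if n not in ALLOWED_PARTS]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in sorted(n for n in names if n in ALLOWED_PARTS):
            payload = src.read(name)
            if name.endswith((".xml", ".rels")):
                payload = _strip_references(payload.decode("utf-8"), dropped).encode("utf-8")
            dst.writestr(name, payload)
    return out.getvalue(), dropped

def read_part(data, name):
    """Inspection helper: return one part of a zip container as text."""
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode("utf-8")

def list_parts(data):
    """Inspection helper: sorted part names of a zip container."""
    return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())

def build_sample_docm():
    """Constructed macro-enabled document: minimal parts plus a VBA project and
    an OLE embedding, with the references a real file would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Default Extension="xml" ContentType="application/xml"/>'
                   '<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("_rels/.rels",
                   '<Relationships><Relationship Id="rId1" Target="word/document.xml"/></Relationships>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Target="styles.xml"/></Relationships>')
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p>Pump station 3 maintenance notes</w:p></w:body></w:document>")
        z.writestr("word/styles.xml", "<w:styles/>")
        z.writestr("word/vbaProject.bin",
                   b"\xd0\xcf\x11\xe0 placeholder bytes standing in for a compiled VBA project")
        z.writestr("word/embeddings/oleObject1.bin",
                   b"placeholder bytes standing in for an OLE payload")
    return buf.getvalue()
```

The design choice worth noticing is that nothing here decides whether the VBA project is malicious: it is not on the list of parts a document needs, so it never reaches the output. That is what makes the approach independent of whether the threat is known, and it is also why CDR output should be verified for functional equivalence before a firmware or project file is trusted, since an over-aggressive allow-list drops legitimate content just as silently.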
Fear 4: “Compliance won’t accept this.”
The opposite is true. NERC CIP, AWIA, IEC 62443, and CISA ZTMM all require evidence of access controls, session attribution, and content inspection that physical-only environments cannot produce. The platforms that provide Reverse Access + identity-based access + CDR + session recording produce compliance evidence that satisfies these frameworks directly.
A practical guide on replacing multiple OT security vendors with a single Zero Trust platform addresses the procurement-level reality of consolidating remote access, file transfer, session recording, and compliance evidence into one architecture rather than four separate vendor relationships.
The Architectural Alternative
Reverse Access architecture solves the financial problem not by making vendor visits cheaper, but by making most vendor visits unnecessary. The 80% of vendor visits that exist solely to push a firmware file or check an HMI status can be performed remotely with the same security posture as physical access – sometimes stronger, because every operation is logged and recorded.
Here’s what changes architecturally:
Inbound ports: Eliminated. The OT firewall is in deny-all state. The Access Controller inside the OT network initiates an encrypted outbound connection to a Gateway. Vendors connect to the Gateway. The Gateway relays to the Controller. No port is opened on the OT side.
Vendor identity: Per-vendor named accounts replace shared credentials. Per-session MFA replaces “the vendor is on-site.” Time-bounded sessions replace standing access. Federation supports vendor identities without forcing vendor IT integration.
File transfers: Every file from the vendor passes through CDR. Firmware files, configuration backups, project files. Rebuilt from scratch. Active content stripped. Per-operation policy enforces what the vendor can write where.
Session recording: Every vendor session recorded. Video. Keystrokes. File transfers. Identity-attributed audit trail exported to enterprise SIEM.
Compliance evidence: Generated automatically. Not assembled from logs after the fact. The platform produces the audit trail that NERC CIP, AWIA, IEC 62443, and CISA ZTMM evidence requirements demand.
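The identity, file-transfer and audit properties listed above can be checked as a single per-operation policy decision. The following is an added example, not truePass code and not a description of its policy engine: a named, time-bounded grant with per-session MFA, a write policy keyed on target and path, a "passed CDR" precondition on every write, and one identity-attributed JSON audit line per decision that a SIEM could ingest. The vendor account, site, hosts, paths and timestamps are constructed sample values.

```python
import json
import posixpath
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class VendorGrant:
    """A named, time-bounded approval for one technician at one site."""
    vendor_user: str                 # individual account, never a shared login
    site: str
    targets: frozenset               # OT hosts this grant may reach
    write_prefixes: tuple            # directories (with trailing "/") the vendor may write under
    not_before: datetime
    not_after: datetime
    mfa_verified_at: Optional[datetime] = None  # set when THIS session's MFA passes

@dataclass
class VendorSession:
    grant: VendorGrant
    session_id: str
    audit: list = field(default_factory=list)   # one JSON line per decision, SIEM-ready

def authorize(sess, op, now):
    """Decide one operation against the grant and append an audit record.
    op = {"type": "read"|"write", "target": host, "path": str, "cdr_passed": bool}
    Returns True on allow, False on deny; every outcome is logged with identity."""
    g = sess.grant
    path = posixpath.normpath(op.get("path", "/"))  # collapse ../ before the prefix check
    reason = None
    if not (g.not_before <= now <= g.not_after):
        reason = "outside approved window"
    elif g.mfa_verified_at is None or g.mfa_verified_at < g.not_before:
        reason = "per-session MFA not satisfied"  # MFA from an earlier session does not count
    elif op["target"] not in g.targets:
        reason = "target not in grant"
    elif op["type"] == "write":
        if not op.get("cdr_passed", False):
            reason = "file has not passed CDR"
        elif not path.startswith(g.write_prefixes):
            reason = "path outside allowed write prefixes"
    elif op["type"] != "read":
        reason = "unknown operation type"
    sess.audit.append(json.dumps({
        "ts": now.isoformat(), "session": sess.session_id, "user": g.vendor_user,
        "site": g.site, "op": op["type"], "target": op["target"], "path": path,
        "decision": "deny" if reason else "allow", "reason": reason,
    }, sort_keys=True))
    return reason is None

def run_policy_demo():
    """Walk one constructed vendor session through the checks above."""
    t0 = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)  # approved window opens
    grant = VendorGrant(
        vendor_user="j.doe@pumpvendor.example", site="site-3",
        targets=frozenset({"plc-07", "hmi-03"}), write_prefixes=("/firmware/", "/config/"),
        not_before=t0, not_after=t0 + timedelta(hours=2),
        mfa_verified_at=t0 - timedelta(days=1),  # stale MFA from yesterday's session
    )
    sess = VendorSession(grant, session_id="sess-0001")
    now = t0 + timedelta(minutes=5)
    fw = {"type": "write", "target": "plc-07", "path": "/firmware/plc07.bin", "cdr_passed": True}
    decisions = [
        authorize(sess, {"type": "read", "target": "hmi-03", "path": "/"}, now),  # deny: stale MFA
    ]
    grant.mfa_verified_at = now  # technician completes MFA for this session
    decisions += [
        authorize(sess, {"type": "read", "target": "hmi-03", "path": "/"}, now),  # allow
        authorize(sess, dict(fw, cdr_passed=False), now),                          # deny: no CDR
        authorize(sess, dict(fw, path="/firmware/../etc/passwd"), now),            # deny: traversal
        authorize(sess, fw, now),                                                  # allow
        authorize(sess, fw, t0 + timedelta(hours=3)),                              # deny: expired
    ]
    return decisions, sess.audit
```

Two details carry most of the value. The MFA check compares the verification time against the session window rather than testing a per-account flag, which is what "per-session MFA" has to mean for it to differ from "the account has MFA enabled". And the audit line is written for denials as well as allows, so the evidence trail the compliance frameworks ask for is the by-product of enforcement rather than something assembled from logs afterwards.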
For OT environments still operating with the Purdue Model as their reference architecture, the Zero Trust application of Purdue principles preserves the zone-and-conduit segmentation while replacing the perimeter-based assumptions that physical-only access was designed to enforce.
The Migration Path: A Three-Phase Plan
The financial argument is clear. The architectural argument is clear. The remaining question for CISOs is: how do we get there without disruption?
The migration follows the same phased approach validated across dozens of OT deployments – including the water utility that started this article.
Phase 1: Parallel Deployment (Weeks 1–4)
Deploy the Reverse Access infrastructure alongside the existing physical-access architecture. No disruption to current operations. The data diode (if present) keeps running. Existing vendor visit schedules continue. The new platform connects to the OT network via outbound-only connections and integrates with the agency’s identity infrastructure.
The deliverable of Phase 1 is a fully operational Reverse Access architecture running in parallel – not yet handling production vendor traffic.
Phase 2: Pilot Migration (Weeks 5–8)
Migrate a controlled vendor population to the new platform. Typical pilot: one vendor, one site, one type of maintenance activity. The vendor authenticates through the new platform with named accounts and per-session MFA. Files transfer through CDR scanning. The session is recorded.
Both paths remain operational. If anything goes wrong, the vendor can fall back to the physical visit model. After 2–3 successful pilot maintenance cycles, expand the pilot.
Phase 3: Production Migration and Decommission (Weeks 9–16)
Migrate all vendors and all maintenance activities to the new platform. Track the cost reduction in real-time as travel budget gets reallocated. After 2–3 full maintenance cycles on the new platform, decommission the legacy access infrastructure. The data diode (if present) can be retained, removed, or replaced based on the agency’s compliance posture and risk tolerance.
Total elapsed time: 16 weeks. Travel budget impact: visible from Phase 2. Compliance evidence improvements: documented from Phase 1.
How truePass Gravity Addresses This Specific Use Case
truePass Gravity was designed for exactly this OT cross-network use case. The three-layer architecture provides the complete connectivity capability that physical-access-only replacement requires:
Layer 1 – Reverse Access Infrastructure. Patented technology eliminates the inbound ports that traditional remote access requires. The OT network remains architecturally invisible from the internet. There is nothing to scan, nothing to find, nothing to exploit.
Layer 2 – Heimdall SMB Proxy with CDR. Every file from vendors passes through Content Disarm and Reconstruction. Firmware files. Configuration backups. Engineering project files. Per-operation policy enforces what each vendor can write where. The audit trail captures every file operation with identity attribution.
Layer 3 – Zero Trust Application Access with Session Recording. Per-session RDP, SSH, HTTP, and TCP access with per-vendor named accounts, MFA, device posture verification, and integrated video + keystroke recording. The vendor session that previously required a physical site visit now happens through a recorded, attributed, policy-controlled remote connection.
Compared to traditional VPN-based remote access, Reverse Access provides architectural advantages that make it viable for OT environments where VPN was historically rejected as too risky.
The complete truePass platform extends this approach across IT and OT environments, providing unified policy and audit across the connectivity types that physical-only environments traditionally required separate handling for.
The ROI Calculation for the CFO Conversation
When CISOs present this architecture to CFOs, the conversation is straightforward when the financial framing is correct.
| Metric | Year 1 – Physical Only | Year 1 – Reverse Access | 3-Year Cumulative Savings |
|---|---|---|---|
| Vendor travel | $340,000 | $40,000 (occasional physical visits remain) | $900,000 |
| Internal coordination overhead | $30,000 | $8,000 | $66,000 |
| Production downtime premium | $80,000 | $20,000 | $180,000 |
| Talent retention impact | $45,000 | $15,000 | $90,000 |
| Insurance premium reduction | n/a | -$25,000/year (premium reduction) | $75,000 |
| Total operational savings | – | – | $1,311,000 |
| Platform deployment + Year 1 ops | n/a | $250,000–$350,000 | – |
| Net 3-year financial impact | – | – | +$960,000 to +$1,060,000 |
The platform pays for itself in Year 1 from travel reduction alone. The 3-year impact captures the full operational savings plus the insurance premium reduction that insurance underwriters increasingly offer for organizations with documented Zero Trust controls – particularly the 50–60% premium reduction documented for organizations with comprehensive control implementations.
Frequently Asked Questions
Is this just a remote access solution? We’ve evaluated those before.
Reverse Access is architecturally different from traditional remote access. Traditional remote access (VPN, RDP gateway) requires inbound ports on your network. Reverse Access initiates connections from inside your network outward – no inbound ports, no listening services, nothing to scan. This is why it’s deployable in OT environments where VPN was historically rejected.
What about the data diode?
The platform deploys alongside existing data diodes. Most utilities run them in parallel during migration, then make a separate decision about whether to retain, decommission, or replace the diode based on their specific compliance posture and risk tolerance. The platform does not require diode removal.
How do vendors authenticate without our AD accounts?
The platform supports named vendor accounts in its own identity layer, with federated authentication that supports SAML, OpenID, RESTful, and RADIUS. Vendors get individual accounts with per-session MFA. Their identity is managed in your platform – not in your AD – but with the same governance properties (time-bounded access, named attribution, audit trail).
What about operational technology that can’t support modern protocols?
The platform brokers connections at the gateway layer. Legacy controllers using SMB 1.0, proprietary protocols, or any TCP-based communication are accessed through the platform’s protocol support. The legacy device is unchanged. The access path is modernized.
How does this affect our compliance posture?
It improves it in every framework that requires access controls, session attribution, or content inspection. NERC CIP, AWIA, IEC 62443, CISA ZTMM, and cyber insurance underwriting all benefit from the audit trail and control evidence the platform produces. Physical-only environments often have compliance gaps that are documented but not remediated. This architecture closes those gaps.
What’s the realistic deployment timeline?
16 weeks for a typical mid-sized utility with 6 sites and 40+ controllers. Phase 1 (parallel deployment) takes 4 weeks. Phase 2 (pilot migration) takes 4 weeks. Phase 3 (production migration) takes 8 weeks. Travel budget impact appears within Phase 2. Full operational savings are realized by week 16.
Can we phase this by site rather than all at once?
Yes – and most utilities do. Single-site deployments validate the architecture and the operational workflow before scaling. The platform supports multi-site deployments where each site operates independently but shares centralized policy and audit. Site-by-site migration takes longer but reduces deployment risk.
Conclusion
The water utility CISO who described the $340,000 travel budget didn’t have a security problem. He had an architectural problem that wore a security label.
Physical-access-only OT maintenance was defensible in 2014. In 2026, it’s an expensive logistics function distributed across travel budgets, internal coordination overhead, production downtime premiums, talent retention impact, vendor lock-in pricing, delayed patch risk, and growing insurance premiums.
The visible cost – the airline tickets – is the smallest one. The total operational cost runs nearly double the visible number. And the architectural fears that kept this model in place – opening the network, vendor authentication, malicious file content, compliance acceptance – all map to traditional remote access architectures, not to Reverse Access.
Reverse Access initiates connections from inside the protected network outward. No inbound ports. Nothing exposed. Nothing scannable. Identity-based vendor access with per-session MFA. CDR scanning on every file. Full session recording. The compliance evidence physical-only environments cannot produce.
The data diode protected the network. It also stopped the operations. The travel budget bridged the gap. Now there’s a way to maintain the protection without the bridge.
The $340K wasn’t a security budget. It was the cost of an architecture that wasn’t fixable – only patchable, by sending humans on planes. The architecture that replaces it doesn’t require a tradeoff. It requires a decision.