Latest News and Views on Zero Trust from Zentera

Why Utilities Need Both: The Hybrid Agent/Agentless Approach to Segmenting Modern Electric Grid Infrastructure

Written by Mike Ichiriu | May 22, 2025 7:53:23 PM

In the world of cybersecurity, passionate debates often emerge about the "right" approach to microsegment critical systems. For years, vendors have staked claims on either agent-based or agentless segmentation, advocating their chosen method as the superior solution. But what if the reality - especially for complex environments like electric utilities - requires a more nuanced perspective?

At Zentera, we've deliberately taken a different path. Rather than forcing customers to choose between agent-based or agentless security, we've built our platform to support both approaches. This wasn't a marketing decision - it was driven by understanding the true nature of modern utility infrastructure and the impossible choice utilities would face if limited to just one model.

The Unique Reality of Utility Infrastructure

Electric utilities operate some of the most complex and diverse technology environments in existence. In a single organization, you might find:

  • Control systems running on 30-year-old hardware that cannot be modified
  • SCADA infrastructure from multiple vendors and generations
  • Modern IT systems connected to cloud services
  • Critical infrastructure subject to strict regulatory requirements
  • Remote substations with minimal computing resources
  • Operational networks with strict latency requirements

No other industry manages such a wide technological spectrum under such high-stakes conditions. The electrical grid must maintain "five nines" reliability (99.999% uptime) while facing increasingly sophisticated threats like those from Volt Typhoon and other state-sponsored actors.

Given this complexity, why would we force utilities to choose a single security model?

Where Agent-Only Approaches Fall Short

Many security vendors advocate agent-based protection, which requires installing software on each protected system. This approach offers excellent visibility and control, but creates insurmountable challenges in utility environments:

  • Legacy OT Systems: Many PLCs, RTUs, and control systems run proprietary firmware that cannot be modified
  • Certification Concerns: Adding agents to safety-certified systems may void certifications or warranties
  • Resource Limitations: Embedded systems often lack CPU and memory resources to support agents
  • Change Management: Utility change control processes can make agent deployment a months-long endeavor

For utilities, these aren't edge cases - they represent critical infrastructure components that simply cannot accommodate agent-based security.

The Limitations of Agentless-Only Solutions

There are a variety of approaches to agentless microsegmentation, and they are not all equal. Vendors who champion agentless approaches often gloss over the inherent limitations of their chosen architecture.

The first category of agentless microsegmentation solutions consists of tools that manage the existing network on your behalf. Once installed, these tools take over the management of VLANs, ACLs, and firewalls to implement your policies in the network. The downsides of this approach include:

  • Infrastructure Incompatibilities: There’s no such thing as a “common API” for switches and routers. Compatibility issues can cause segmentation to work differently in different environments
  • Hardware Limitations: Switches and routers may not be able to support fine-grained microsegmentation in their finite TCAM/ACL storage
  • Confused Responsibilities: Many organizations already have programmed ACLs for compliance reasons, which the new tools may not know about or respect
  • Overscoped Control: With full API level access to query and program switch and router settings, any vendor bugs have the potential to impact production at scale

The second category includes agentless approaches that effectively reroute application traffic to a defined inspection point in the network. This can be done, for example, by changing the default gateway of machines to point to a microsegmentation enforcement point. The downsides of this approach include:

  • Application Rerouting: Dramatic changes in the application path can impact performance and functionality
  • Network Overloading: Funnels all network traffic to a single point, creating a chokepoint in a network that was not designed for it
  • Availability Concerns: This approach sets up the microsegmentation box as a single point of failure and may not be compatible with redundancy requirements that are often found in utility control networks

These limitations can significantly reduce security effectiveness and carry the potential to create more problems than they solve.

Why Zentera Built a Hybrid Approach

When we designed our Zero Trust platform, we recognized that forcing utilities to choose between these models would inevitably leave critical systems unprotected. Instead, we designed an architecture where:

  1. Modern systems benefit from agent-based protection with deep application awareness
  2. Legacy OT systems remain protected through agentless enforcement
  3. Security policies remain consistent across both models
  4. Management is centralized regardless of enforcement mechanism

This wasn't the easy path - building both capabilities required significant investment - but it was the right approach for the operational realities of electric utilities.

When to Use Agent-Based Protection

For systems that can support agents, this approach offers significant advantages:

  • Engineering Workstations benefit from application-level control that prevents malware from spreading even when users have administrator privileges
  • Control Center Servers gain identity-based access control tied to application functions, not just network access
  • Cloud-Connected Workloads maintain consistent protection across on-premises and cloud environments
  • IT Systems integrate with identity management, privileged access controls, and endpoint protection

The agent approach provides deeper visibility into system behavior, more granular control over applications, and stronger enforcement at the workload level - all critical capabilities for systems that form the operational backbone of modern utilities.

When Agentless Protection Is Essential

For systems that cannot be modified, agentless protection becomes the only viable option:

  • Legacy PLCs and SCADA Systems gain protection without modification through network-based enforcement
  • Vendor-Locked Equipment remains protected without voiding warranties or support agreements
  • Resource-Constrained Devices receive security benefits without performance impacts
  • Certification-Sensitive Systems maintain compliance with regulatory and safety certifications

For the reasons listed above, Zentera took a different approach to agentless protection. Our Microsegmentation Gatekeeper (MSG) acts as an inline filter for these systems, applying identity-based security policies through network enforcement rather than on-device agents. This creates a logical security boundary - essentially a virtual chamber - around critical OT assets, all without changing the path application packets take through the network.

The MSG deploys transparently as a “bump in the wire” that is compatible with redundancy protocols like HSR and PRP, and supports configurable fail-open to preserve availability in the event of software or hardware failure.

A Real-World Implementation Strategy

For utilities implementing a hybrid security approach, we recommend:

  1. Take an inventory of critical systems, classify which assets can support agents and which require agentless protection, and start with those that present the highest risk
  2. Define consistent security policies that can be enforced through either mechanism
  3. Implement "secure bubbles" around high-value assets using agentless protection
  4. Deploy agents on systems that support them for deeper protection
  5. Establish unified monitoring across both enforcement mechanisms
  6. Document the approach for regulatory compliance (NERC CIP)
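As an added illustration of steps 1 and 2 (this is example code, not Zentera's), the toy model below classifies a constructed asset inventory into agent or agentless enforcement using the constraints listed in this post, orders rollout by risk, and renders one identity-based policy for both mechanisms so that only the enforcement point differs. The memory threshold, asset names, group name and port are constructed assumptions.

```python
# Added example, not Zentera's code: a toy model of steps 1 and 2 above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    firmware_only: bool = False     # proprietary firmware, cannot be modified
    safety_certified: bool = False  # agent install could void certification
    ram_mb: int = 4096              # memory available for an agent
    risk: int = 1                   # 1 (low) .. 5 (high), assigned in inventory

MIN_AGENT_RAM_MB = 512  # assumed threshold; a real agent documents its own

def enforcement_for(asset: Asset) -> str:
    """Step 1: pick the mechanism; any hard constraint forces agentless."""
    if asset.firmware_only or asset.safety_certified or asset.ram_mb < MIN_AGENT_RAM_MB:
        return "agentless"
    return "agent"

def rollout_order(assets):
    """Step 1: highest-risk assets first; name breaks ties for a stable plan."""
    return [a.name for a in sorted(assets, key=lambda a: (-a.risk, a.name))]

@dataclass(frozen=True)
class Policy:
    """Step 2: one rule written against identities, not IPs or mechanisms."""
    source_identity: str   # e.g. a user group or a workload identity
    destination: str       # asset name from the inventory
    ports: tuple

def render(policy: Policy, inventory: dict) -> dict:
    """Render the same policy for whichever mechanism protects its target."""
    asset = inventory[policy.destination]
    point = "host" if enforcement_for(asset) == "agent" else "inline"
    return {"allow": policy.source_identity, "to": asset.name,
            "ports": sorted(policy.ports), "enforce_at": point, "default": "deny"}

# Constructed sample inventory: a legacy PLC, an engineering workstation,
# and a safety-certified substation relay; 502 is the Modbus/TCP port.
INVENTORY = {a.name: a for a in [
    Asset("gen-plc-01", firmware_only=True, ram_mb=64, risk=5),
    Asset("eng-ws-07", risk=3),
    Asset("relay-sub-12", safety_certified=True, risk=4),
]}
# The same operator-group policy rendered for an agentless and an agent asset.
RULES = [render(Policy("grp:ot-operators", d, (502,)), INVENTORY)
         for d in ("gen-plc-01", "eng-ws-07")]
```

The two rendered rules share identity, ports and default action; only `enforce_at` differs, which is the property step 2 asks for.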

This methodology allows utilities to implement Zero Trust architecture across their entire infrastructure without facing the impossible task of standardizing their technology stack.

Case Study: Protecting a Typical Utility

Consider a medium-sized electric utility with generation, transmission, and distribution operations. Their environment includes:

  • Legacy SCADA systems for generation control
  • Modern energy management systems for grid operations
  • Remote substations with minimal local computing
  • Engineering workstations for system maintenance
  • Cloud connections for data analytics and reporting

With a hybrid security approach, this utility can:

  • Protect legacy SCADA systems agentlessly without modification
  • Secure engineering workstations with agents that prevent lateral movement
  • Apply consistent access policies for contractors regardless of system type
  • Create "virtual OT DMZ" boundaries without network reconfiguration
  • Establish identity-based access controls across both IT and OT
  • Generate comprehensive audit trails for NERC CIP compliance

By implementing both models under a unified policy framework, the utility achieves comprehensive protection without sacrificing operational reliability.

The Path Forward for Utility Cybersecurity

As utility infrastructure continues to evolve, the need for flexible security approaches will only increase. Digital transformation initiatives, grid modernization, and renewable integration are creating even more technological diversity.

The future belongs not to dogmatic security models but to flexible approaches that adapt to operational realities. For utilities facing sophisticated threats while maintaining critical infrastructure, the hybrid agent/agentless model offers the best path forward - comprehensive protection without operational compromise.

At Zentera, we remain committed to this reality-based approach. We believe that security must adapt to the infrastructure it protects, not the other way around. By embracing both agent-based and agentless models, we're ensuring that no critical system remains unprotected due to technological limitations.

Ready to implement a hybrid security approach for your utility infrastructure? Learn more about securing vendor access in our detailed guide on vendor access management for utility cybersecurity, and discover how Zero Trust architecture aligns with regulatory requirements in our comprehensive NERC CIP Zero Trust white paper. For a personalized consultation on protecting your grid infrastructure with Zentera's hybrid agent/agentless platform, contact our team today.