In Part One of our conversation, we explored the principles of Zero Trust and why it matters for remote access in smart buildings. But understanding the why is only half the equation. For those designing and deploying OT networks, the real challenge is the how—how to implement Zero Trust without breaking legacy systems, interrupting operations, or getting lost in complexity.
I sat back down with Aaron Brondum, Sr. Director of Business Development at Neeve, to talk through the technical side of Zero Trust, and how Neeve is helping real-world organizations deploy it in a way that’s actually usable in the field.
Greg Fitzpatrick, CxA, Business Development Leader, Cochrane Supply
Aaron, thanks for joining me again. Last time we covered the fundamentals of Zero Trust. Today, I want to dive into the more technical side of things. For those out there trying to figure out how to actually apply Zero Trust to an OT network, where should they be thinking about placing the solution?
Aaron Brondum, Sr. Director of Business Development, Neeve
Great question, and placement is everything. In OT networks, the best place to start is at the IT/OT boundary. That’s where the biggest risk is, and it’s where Zero Trust can act as a secure gateway. Every connection trying to cross that boundary gets verified—user identity, device health, even where the traffic is coming from and going to.
From there, we look inside the OT network and apply micro-segmentation. Instead of treating the entire OT environment as one big trusted zone, we break it into smaller ones: HVAC, lighting, elevators, each with its own access rules. That way, even if something is compromised, it can’t spread.
Greg:
That makes sense, sort of like building a wall, then putting locks on every door inside it. But what about remote access? That’s where a lot of threats get in. How does Neeve handle that differently?
Aaron:
Exactly—and you’re right, remote access is the biggest attack vector in most smart buildings today. That’s why we don’t rely on VPNs. VPNs are a one-and-done deal: you authenticate once, and suddenly you’ve got a tunnel to the entire network.
We use Zero Trust Network Access (ZTNA) instead. It’s more surgical. A technician accessing HVAC controllers only gets access to those, and only for a set time. Every session is authenticated and encrypted, and we can revoke access at any point. It’s dynamic, and it’s role-based.
Greg:
That’s a huge improvement, especially when you’ve got vendors logging in from who knows where. But what about older systems—those legacy devices in OT that weren’t built with any of this in mind?
Aaron:
That’s probably the biggest misconception we hear: “Zero Trust won’t work because my gear is too old.” The truth is, we don’t need the devices themselves to support modern security protocols.
Neeve secures the network layer, not the device layer. We look at the traffic moving between devices, enforce policies at the edge, and isolate anything that shouldn’t be talking. So even if a 20-year-old controller has no encryption, it can still live inside a secure, Zero Trust architecture.
Greg:
So it’s not about upgrading all your gear, it’s about controlling what talks to what?
Aaron:
Exactly. We like to say: protect the flow, not the box. You don’t need to replace every sensor or controller. You just need to know what normal looks like, then put the guardrails in place to make sure it stays that way.
Greg:
Let’s talk monitoring. Zero Trust is all about verification—but what kind of visibility do you need to really make it work?
Aaron:
You need full telemetry. That’s part of the power of our platform. We offer real-time monitoring of every connection and session—who connected, when, from where, and what they did. That allows us to:
- Spot anomalies quickly,
- Detect lateral movement attempts,
- And adjust access policies dynamically.
It’s especially useful in OT environments where normal behavior is pretty stable. If a lighting controller suddenly starts trying to talk to an elevator PLC? That’s a red flag.
Greg:
That kind of real-time insight would be huge for incident response too. Have you seen this deployed in the real world?
Aaron:
Yeah—one great example is Kilroy Realty. They came to us with growing concerns around remote vendor access and a need to strengthen security across multiple buildings.
We started with a risk assessment, then implemented micro-segmentation and ZTNA. Vendors only got access to the exact systems they needed, with MFA and session limits. All traffic was monitored in real time. No more open VPN tunnels.
The result? Tighter control, better compliance, and no disruptions to building operations.
Greg:
That’s the sweet spot—better security, but nothing breaks. So, what are some best practices for firms trying to take this on themselves?
Aaron:
Here’s a simple roadmap we’ve seen work:
- Start with an asset and communication map. Know what’s connected and how it communicates.
- Segment your network. Start coarse, then work toward micro-segmentation.
- Use role-based access and MFA. Make sure only the right people have access to the right systems.
- Replace VPNs with ZTNA. That alone is a major leap forward.
- Continuously monitor. Know what’s normal so you can spot what’s not.
- Roll out in phases. Don’t try to do the whole network at once. Start where the risk is highest.
Greg:
Last question: what do you say to the folks who still think Zero Trust is too expensive or complex?
Aaron:
I’d say they’re not wrong to worry, but they’re probably looking at the wrong solutions. Neeve was built specifically for OT environments, so we focus on using what’s already there. We don’t force forklift upgrades. We integrate gradually, and we secure networks that were never built to be secure.
In most cases, we’re helping organizations improve security without increasing operational cost. That’s the power of doing it right.
Greg:
This has been incredibly helpful, Aaron. For anyone serious about OT cybersecurity, this kind of approach isn’t just smart, it’s necessary. Zero Trust isn’t a buzzword. It’s a technical strategy that works. And with solutions like Neeve, it’s finally accessible to the people who need it.
Aaron:
Appreciate it, Greg. It’s always a pleasure to talk real-world security with someone who gets the OT side. Looking forward to more of these conversations, there’s a lot more ground to cover as this space continues to evolve.
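The two ideas Aaron keeps returning to above, "know what normal looks like" and "protect the flow, not the box", can be made concrete in a few dozen lines. The following added example is not Neeve's code and not from the interview; it is a constructed illustration of the monitoring and roadmap steps discussed: a segment map (the HVAC, lighting and elevator zones are named in the conversation, the 10.10.x.0/24 addresses are invented here), an explicit allow list that encodes the communication baseline, a flow checker that flags cross-segment traffic not in that list (the "lighting controller talking to an elevator PLC" case), and a ZTNA-style session check that limits a remote technician to one segment, for a set time, with MFA. The BACnet/IP (47808) and Modbus/TCP (502) ports are standard values; the sample flows and session are constructed.

```python
"""Segment policy + flow anomaly check + ZTNA-style session scoping.
Constructed example; addresses, flows and sessions are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Step 1 of the roadmap: the asset/communication map. Addressing is invented
# for this example; only the segment names come from the conversation.
SEGMENTS = {
    "bms":       ip_network("10.10.0.0/24"),   # supervisory / BMS servers
    "hvac":      ip_network("10.10.1.0/24"),
    "lighting":  ip_network("10.10.2.0/24"),
    "elevators": ip_network("10.10.3.0/24"),
}

# Step 2: "what normal looks like", written as an explicit allow list of
# (source segment, destination segment, destination port). Anything not
# listed is denied by default. 47808 = BACnet/IP, 502 = Modbus/TCP.
POLICY = {
    ("bms", "hvac", 47808),
    ("bms", "lighting", 47808),
    ("bms", "elevators", 502),
}


@dataclass(frozen=True)
class Flow:
    ts: str      # timestamp of the flow record (constructed)
    src: str
    dst: str
    dport: int


def segment_of(addr: str) -> str:
    """Map an IP address to its OT segment, or 'unknown' if unmapped."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def evaluate_flow(flow: Flow) -> tuple[str, str]:
    """Return ('allow' | 'alert', reason) for one flow record."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == "unknown" or d == "unknown":
        return ("alert", f"unmapped endpoint {flow.src}->{flow.dst}")
    if s == d:
        return ("allow", f"intra-segment {s}")
    if (s, d, flow.dport) in POLICY:
        return ("allow", f"{s}->{d}:{flow.dport} in policy")
    # Cross-segment traffic that the baseline does not explain: the
    # "lighting controller talking to an elevator PLC" red flag.
    return ("alert", f"cross-segment {s}->{d}:{flow.dport} not in policy")


def find_alerts(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Run the checker over a batch of flow records and keep the alerts."""
    alerts = []
    for f in flows:
        verdict, reason = evaluate_flow(f)
        if verdict == "alert":
            alerts.append((f, reason))
    return alerts


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    segment: str          # the single segment this session was granted
    started: datetime
    ttl: timedelta        # session limit, after which access is revoked
    mfa_verified: bool


def session_permits(session: Session, dst: str, now: datetime) -> tuple[bool, str]:
    """ZTNA-style check: a remote session reaches only its granted segment,
    only inside its time window, and only after MFA. No network-wide tunnel."""
    if not session.mfa_verified:
        return (False, "MFA not completed")
    if now > session.started + session.ttl:
        return (False, "session expired")
    target = segment_of(dst)
    if target != session.segment:
        return (False, f"{session.role} scoped to {session.segment}, not {target}")
    return (True, f"{session.user} -> {target} permitted")


# Constructed flow records, not real telemetry.
SAMPLE_FLOWS = [
    Flow("2024-01-01T08:00:00", "10.10.0.5", "10.10.1.20", 47808),  # BMS -> HVAC, normal
    Flow("2024-01-01T08:00:05", "10.10.2.7", "10.10.2.9", 47808),   # lighting -> lighting, normal
    Flow("2024-01-01T08:01:10", "10.10.2.7", "10.10.3.4", 502),     # lighting -> elevator PLC: alert
    Flow("2024-01-01T08:02:00", "10.10.0.5", "10.10.3.4", 22),      # BMS -> elevators on 22: not in policy
]

# Constructed vendor session: an HVAC technician granted two hours, MFA done.
T0 = datetime(2024, 1, 1, 8, 0, 0)
T_LATER = T0 + timedelta(hours=3)
SAMPLE_SESSION = Session("vendor-hvac-01", "hvac_technician", "hvac",
                         T0, timedelta(hours=2), True)

if __name__ == "__main__":
    for flow, reason in find_alerts(SAMPLE_FLOWS):
        print(f"ALERT {flow.ts} {flow.src}->{flow.dst}:{flow.dport}  {reason}")
    for dst, now in [("10.10.1.20", T0), ("10.10.3.4", T0), ("10.10.1.20", T_LATER)]:
        print(session_permits(SAMPLE_SESSION, dst, now))
```

The allow list is deliberately positive (list what may talk) rather than negative (list what may not), which is what makes the lighting-to-elevator flow show up without anyone having anticipated it. In a real deployment the POLICY set would be learned from a baseline capture taken during the roadmap's mapping step and then reviewed by the people who know the site, and the session object would be issued by the access broker rather than built by hand.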
As OT networks become more connected and remote access becomes more common, a Zero Trust architecture, especially one that can be deployed without disrupting legacy systems, is becoming the new standard. With practical tools like Neeve and a phased deployment strategy, cybersecurity is no longer a barrier to smart building innovation. It’s the foundation.