Critical Infrastructure, Security Architecture, Technical Design, OT Security

OT Active Directory Architecture for Energy Management Systems

Designed a multi-forest Active Directory architecture for operational technology environments, establishing secure identity management across OT DMZ, SCADA, and energy management system (EMS) domains.

The Challenge

Understanding the Problem

A major utility provider was upgrading their platforms and needed to establish secure identity and access management for their operational technology environment. The project required separating OT systems from corporate IT while maintaining necessary integration points for operations staff. The environment included SCADA systems, energy management systems controlling generation and distribution, and partner connectivity zones. The architecture needed to address specific governance requirements of the Australian Energy Sector Cyber Security Framework (AESCSF) while enabling both ICT operations teams and OT system administrators to manage their respective domains effectively.

Our Approach

How We Helped

We designed a multi-forest, multi-domain Active Directory architecture with clear security boundaries between IT and OT environments. The solution established a root domain topology incorporating an OT DMZ layer that acts as an aggregation point between corporate IT and operational technology systems. A separate forest for the OT DMZ environment was established with dedicated domain controllers, integrating the OT Administrator (OTA) role to support EMS operations through a defined one-way trust relationship. The EMS environment itself comprises a single-forest, two-domain architecture with distinct DMZ and Control domains, each segmented using Organisational Units (OUs) into Production, Development, Staging, QAS, Training, and Partner zones. Explicit one-way trusts between the forests, together with the implicit two-way transitive trusts that exist between domains within the EMS forest, enforce segmentation while allowing operational teams to manage multiple environments with single sign-on.
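The trust and OU design above can be checked and laid out from a domain controller. The following PowerShell is an added example written for this page, not code from the case study or the client's build; the forest and domain names (ems.example, control.ems.example) and the child OUs beneath each zone are placeholders and assumptions. It reports every trust visible from the Control domain, treats intra-forest trusts as the expected implicit two-way trusts, and flags cross-forest trusts that are bidirectional or that lack SID filtering or selective authentication, then creates the zone OUs idempotently.

```powershell
# Added example, not part of the case study or the client's build.
# Requires the RSAT ActiveDirectory module. All names below are placeholders.
Import-Module ActiveDirectory

function Test-OtTrustPosture {
    <# Read-only: lists every trust seen from the given domain and flags settings
       that weaken the IT/OT boundary. Intra-forest trusts (DMZ <-> Control) are the
       implicit two-way transitive trusts AD creates itself and are expected. #>
    param([string]$Server = 'control.ems.example')   # assumed Control domain name

    foreach ($trust in Get-ADTrust -Filter * -Server $Server) {
        $findings = @()
        if ($trust.IntraForest) {
            $findings += 'intra-forest (implicit two-way), expected'
        } else {
            # Cross-forest trusts must stay one-way; a bidirectional trust turns the
            # DMZ forest into a path in both directions across the boundary.
            if ($trust.Direction -eq 'BiDirectional') { $findings += 'FINDING: bidirectional cross-forest trust' }
            # SID filtering (quarantine) blocks SID-history injection across the trust.
            if (-not $trust.SIDFilteringQuarantined) { $findings += 'FINDING: SID filtering (quarantine) off' }
            # Selective authentication makes access opt-in per resource instead of
            # granting Authenticated Users in the trusting domain by default.
            if (-not $trust.SelectiveAuthentication) { $findings += 'FINDING: selective authentication off' }
            if ($trust.TGTDelegation) { $findings += 'FINDING: TGT delegation enabled across the trust' }
        }
        [pscustomobject]@{
            Source           = $trust.Source
            Target           = $trust.Target
            Direction        = $trust.Direction
            ForestTransitive = $trust.ForestTransitive
            Findings         = ($findings -join '; ')
        }
    }
}

function Initialize-Ou {
    <# Returns the DN of an OU directly under $Path, creating it only if missing. #>
    param([string]$Name, [string]$Path)
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou.DistinguishedName
}

function New-EmsZoneOuLayout {
    <# Creates the zone OUs named in the design, plus an assumed set of child OUs
       under each, skipping anything that already exists so it is safe to re-run. #>
    param(
        [string]$DomainDn = 'DC=control,DC=ems,DC=example',                                # assumed
        [string[]]$Zones = @('Production','Development','Staging','QAS','Training','Partner'),
        [string[]]$Children = @('Servers','Workstations','ServiceAccounts','AdminGroups')   # assumed sub-structure
    )
    foreach ($zone in $Zones) {
        $zoneDn = Initialize-Ou -Name $zone -Path $DomainDn
        foreach ($child in $Children) { Initialize-Ou -Name $child -Path $zoneDn | Out-Null }
    }
}

# Usage: run the read-only audit first; apply the OU layout only once the design is approved.
Test-OtTrustPosture -Server 'control.ems.example' | Format-Table -AutoSize
# New-EmsZoneOuLayout -DomainDn 'DC=control,DC=ems,DC=example'
```

Run the audit from a domain controller in each forest, since trust properties such as selective authentication are set per side of the trust and a one-way trust is only visible as Inbound or Outbound from the domain being queried.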

Results

Key Outcomes

01

Multi-forest architecture with dedicated OT DMZ as secure aggregation layer

02

Root domain topology supporting EMS, SCADA, and partner SCADA connectivity

03

OTA role design and integration enabling OT administrators to support EMS operations

04

Single-forest two-domain model separating DMZ and Control environments

05

Organisational Unit (OU) structure for granular access control across environments

06

Trust relationship design meeting AESCSF governance requirements

07

Detailed technical design enabling implementation by internal teams

Facing similar challenges?

Get in touch to discuss how we can help your organisation.

This case study has been anonymised to protect client confidentiality. Industry sector and engagement details have been generalised where necessary.