
Isolation and Monitoring of Privileged Sessions: An Essential Defense Against Leaks and Unauthorized Access
21 August 2025
In today’s energy transition, a photovoltaic plant has become critical infrastructure for the stability of the power grid. This brings not only operational and technical challenges but also new regulatory pressure around cybersecurity. These plants can no longer be treated as isolated facilities that “run on their own.” They are distributed, automated and highly connected systems in which OT networks, industrial protocols, SCADA software, smart devices (inverters, PLCs, RTUs) and a range of human actors connecting remotely from many locations all coexist.
In this scenario, Endurance positions itself as a strategic solution: a shielded remote workspace, a comprehensive protection infrastructure for industrial asset control that acts as a shield between humans and critical systems.
The following use case describes a realistic Endurance deployment in a 60 MWp photovoltaic plant, explaining its integration, technical implications, and operational benefits in an environment combining industrial technology, distributed operation, and regulatory compliance requirements.
Environment and Challenges at the Photovoltaic Plant
The target photovoltaic plant has a distributed topology including:
- A SCADA system that centralizes plant operation and monitoring.
- Photovoltaic inverters reached over Modbus/TCP, or over RS-485 serial links bridged by industrial gateways.
- A set of PLCs and dataloggers for data collection and control functions.
- Industrial switches and routers managing LAN and WAN communications.
- Frequent remote access by maintenance technicians, subcontractors, inverter manufacturers, and control center operators.
Up until now, remote access to these systems relied on VPNs, remote desktops (RDP), and direct web access to configuration portals, with credentials stored in shared spreadsheets. This situation created several critical risks:
- Exposed firewall ports to allow direct access to industrial devices.
- No real traceability of who accessed which device, when, how, or why.
- Password reuse among technicians, with no control over rotation or expiration.
- High dependency on VPN connections, which are hard to audit at the session level and easy to misconfigure: a VPN user typically lands on the OT network itself, not on a single device.
Additionally, the plant’s owning company needed to begin aligning with the requirements of the NIS2 Directive, especially around access management, third-party control, and compliance evidence.
Endurance Implementation at the Photovoltaic Plant
To address these challenges, a tailored Endurance deployment was designed to cover both logical access and physical/logical shielding of assets.
Access via a Shielded Remote Desktop
A key element was the replacement of every traditional access path (VPN, RDP, VNC, direct HTTP) with Endurance’s Remote Shielded Workspace (RSW). This component acts as an intermediate capsule: the technician never establishes a direct connection to the real device, and nothing about the asset, not its IP address, its open ports, its credentials or even its operating system, is exposed to the technician’s endpoint.
Only four kinds of data cross the network: keyboard, mouse, video and audio events, all encapsulated and encrypted. Because no packet from the technician’s machine ever reaches the asset, the device cannot be attacked at the protocol level from outside, even when the technician connects from a public network or an infected computer. What a compromised endpoint can still do is watch and drive the session it has been granted, which is why the session controls and recording described below matter as much as the isolation itself. Technically, this means industrial protocols (Modbus, DNP3, HTTP, SSH, etc.) never leave the OT network: they are only viewed and operated from a secure virtual instance, with every event audited.
Credential Control via Encrypted Vault
In parallel, Endurance’s internal encrypted credential vault took over every access credential: SCADA servers, routers, inverters, manufacturer web interfaces and so on. The vault does more than protect credentials at rest; users never see them at all. Access is granted through temporary delegation, so the password is never revealed to the technician. Automatic rotation and expiration policies were also configured, so that a credential that does leak does not remain valid for long.
This approach eliminates shared documents with passwords and reduces the risk of unauthorized access or lateral movement within the network.
Connection Broker and Isolation
The connection broker allows Endurance to act as a logical firewall between the user environment and critical systems, as the connection is never direct. Every session passes through the broker, which verifies permissions, logs activity, and enables real-time control. From a technical standpoint, this reinforces a Zero Trust architecture, where no user or network is inherently trusted, and every access must be justified, audited, and authorized.
This logical isolation enabled the removal of insecure firewall configurations, closure of unnecessary ports, and the elimination of VPN tunnels, replacing them with a more secure, granular control layer.
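What the broker’s decision looks like in code, as an added example that is not Endurance’s implementation: the Python classes, the asset names such as inv-gw-01, the one-hour session cap and the 30-day rotation limit are assumptions made for the illustration. Every request is checked against a time-bound grant, the action it is allowed to perform and the freshness of the vaulted credential, and every request is logged whether it is allowed or not.

```python
"""Illustrative connection-broker authorization, modelled on the broker and vault
flow described above. Added example, not Endurance's own; all names and policy
values are assumptions for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

DEMO_NOW = datetime(2025, 8, 21, 9, 0, tzinfo=timezone.utc)  # constructed clock

@dataclass
class Credential:
    username: str
    secret: str                      # held by the broker, never shown to a user
    rotated_at: datetime
    max_age: timedelta = timedelta(days=30)   # assumed rotation policy

    def is_stale(self, now: datetime) -> bool:
        return now - self.rotated_at > self.max_age

@dataclass
class Grant:
    user: str
    asset: str
    not_before: datetime             # just-in-time window, not standing access
    not_after: datetime
    actions: frozenset               # e.g. {"view"} or {"view", "configure"}

@dataclass
class Session:
    token: str
    user: str
    asset: str
    expires_at: datetime             # carries no credential material

class Broker:
    """Every request passes here: policy check, audit entry, then a session."""
    def __init__(self, vault: dict, grants: list):
        self.vault = vault           # asset id -> Credential
        self.grants = grants
        self.audit = []              # one record per request, allowed or not

    def authorize(self, user, asset, action, justification, now):
        allowed, reason, session = self._decide(user, asset, action, justification, now)
        self.audit.append({"ts": now.isoformat(), "user": user, "asset": asset,
                           "action": action, "why": justification,
                           "allowed": allowed, "reason": reason})
        return allowed, reason, session        # session is None when denied

    def _decide(self, user, asset, action, justification, now):
        if not justification.strip():
            return False, "justification required", None
        grant = next((g for g in self.grants
                      if g.user == user and g.asset == asset), None)
        if grant is None:
            return False, "no grant for this user and asset", None
        if not grant.not_before <= now <= grant.not_after:
            return False, "grant outside its time window", None
        if action not in grant.actions:
            return False, f"action '{action}' not in grant", None
        cred = self.vault.get(asset)
        if cred is None or cred.is_stale(now):
            return False, "credential missing or overdue for rotation", None
        expires = min(grant.not_after, now + timedelta(hours=1))   # assumed cap
        return True, "ok", Session(secrets.token_urlsafe(16), user, asset, expires)

    def open(self, session: Session, now) -> str:
        """Broker-side connect: the secret is used here and nowhere else."""
        if now > session.expires_at:
            raise PermissionError("session expired")
        cred = self.vault[session.asset]
        # a real broker would dial the asset with cred.secret here; the
        # descriptor handed back to the user deliberately omits it
        return f"{session.user} -> {session.asset} as {cred.username}"

def build_demo_broker(now: datetime = DEMO_NOW) -> Broker:
    """Constructed sample data: one fresh and one stale credential, two grants."""
    vault = {
        "inv-gw-01": Credential("svc_modbus", "s3cret-A", now - timedelta(days=2)),
        "scada-srv": Credential("operator", "s3cret-B", now - timedelta(days=90)),
    }
    grants = [
        Grant("ana", "inv-gw-01", now - timedelta(hours=1),
              now + timedelta(hours=3), frozenset({"view", "configure"})),
        Grant("ana", "scada-srv", now - timedelta(hours=1),
              now + timedelta(hours=3), frozenset({"view"})),
    ]
    return Broker(vault, grants)

def run_demo(now: datetime = DEMO_NOW) -> dict:
    """Allow path plus the main deny paths; returns the broker's reason per case."""
    b = build_demo_broker(now)
    ok, reason, session = b.authorize("ana", "inv-gw-01", "configure", "ticket 4711", now)
    return {
        "allowed": reason,
        "descriptor": b.open(session, now),
        "stale_credential": b.authorize("ana", "scada-srv", "view", "ticket 4711", now)[1],
        "no_grant": b.authorize("bob", "inv-gw-01", "view", "curious", now)[1],
    }

if __name__ == "__main__":
    print(run_demo())
```

Two design points carry the security argument here: the secret is only ever touched inside Broker.open, so a technician (or malware on their laptop) holding a session token can reach the asset only through the broker and only while both the grant and the session are valid; and every request, allowed or denied, leaves an audit record that includes the justification the requester gave.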
Technical Benefits Achieved at the Photovoltaic Plant
The Endurance deployment brought immediate benefits across several critical dimensions:
Complete Asset Isolation
Industrial devices at the photovoltaic plant (inverters, gateways, servers) are no longer reachable by any direct external connection. This shrinks the attack surface: vulnerabilities in inverter firmware, embedded web interfaces or other built-in services can no longer be reached from outside the OT network, so they stop being an attacker’s first hop. They still need patching, but on the plant’s own schedule rather than under pressure.
Proactive Security Against Human Error and Insider Threats
With RSW, technicians cannot upload files, copy configurations, or run scripts beyond what policy allows. Dangerous commands or unauthorized actions are blocked, even from skilled users. This mitigates both human error and intentional sabotage.
Full Forensic Traceability
Every session is recorded as video, digitally signed, and linked to a user, a device, a timestamp and the specific action performed. This let the security team audit critical access, reconstruct incidents and produce evidence for internal or external audits. Real-time session monitoring was also enabled, with the ability to disconnect a session instantly if abnormal behaviour is detected.
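One way to make session records tamper-evident, as an added example that is not Endurance’s format: each event is linked to the hash of the one before it, and the head of the chain is sealed with a key that the recording host does not keep. The sample events, the field names and the use of HMAC-SHA256 in place of a real digital signature (so the example runs on the standard library alone) are assumptions for this illustration.

```python
"""Tamper-evident session record: a hash chain over the recorded events, sealed
with a MAC. Added example, not Endurance's format; events are constructed and
HMAC-SHA256 stands in for the asymmetric signature a production recorder would use."""
import hashlib
import hmac
import json
from copy import deepcopy

GENESIS = "0" * 64   # link value carried by the first event

# Constructed sample events: what a broker might log for one technician session.
SAMPLE_EVENTS = [
    {"ts": "2025-08-21T09:00:02Z", "user": "ana", "device": "laptop-17",
     "asset": "inv-gw-01", "action": "session.start"},
    {"ts": "2025-08-21T09:03:40Z", "user": "ana", "device": "laptop-17",
     "asset": "inv-gw-01", "action": "modbus.write", "detail": "reg 40010=1"},
    {"ts": "2025-08-21T09:05:11Z", "user": "ana", "device": "laptop-17",
     "asset": "inv-gw-01", "action": "session.end"},
]

def canonical(obj) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def record_session(events, key: bytes) -> dict:
    """Chain each event to its predecessor's hash, then seal the chain head."""
    chain, prev = [], GENESIS
    for ev in events:
        body = dict(ev, prev=prev)          # 'prev' is reserved for the link
        digest = hashlib.sha256(canonical(body)).hexdigest()
        chain.append(dict(body, hash=digest))
        prev = digest
    seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"events": chain, "seal": seal}

def verify_session(rec: dict, key: bytes):
    """Returns (ok, reason). Any edit, insertion, deletion or reorder fails."""
    prev = GENESIS
    for i, ev in enumerate(rec["events"]):
        body = {k: v for k, v in ev.items() if k != "hash"}
        if body.get("prev") != prev:
            return False, f"event {i}: chain link broken"
        if hashlib.sha256(canonical(body)).hexdigest() != ev.get("hash"):
            return False, f"event {i}: content altered"
        prev = ev["hash"]
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rec.get("seal", "")):
        return False, "seal does not match chain head"
    return True, "ok"

def tampered_copy(rec: dict, index: int, field: str, value) -> dict:
    """Demo helper: change one field of one event in a copy of the record."""
    t = deepcopy(rec)
    t["events"][index][field] = value
    return t

def truncated_copy(rec: dict) -> dict:
    """Demo helper: drop the last event, as if hiding what happened at the end."""
    t = deepcopy(rec)
    t["events"].pop()
    return t

if __name__ == "__main__":
    key = b"recorder-seal-key"      # constructed; a real key stays off the recorder host
    rec = record_session(SAMPLE_EVENTS, key)
    print("intact:   ", verify_session(rec, key))
    print("edited:   ", verify_session(tampered_copy(rec, 1, "action", "modbus.read"), key))
    print("truncated:", verify_session(truncated_copy(rec), key))
    print("wrong key:", verify_session(rec, b"other-key"))
```

Editing, inserting, removing or reordering an event breaks a link or a hash; recomputing every hash after an edit moves the chain head, which the seal no longer matches unless the attacker also holds the sealing key. With an asymmetric signature the verifier needs only the public key, which is what an external auditor wants to be handed. The reserved link field (prev here) must not collide with any event field.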
Elimination of VPN Exposure
Thanks to the connection broker and encapsulated architecture, VPN connections were no longer needed for industrial asset access. This resulted in major improvements in operational simplicity, security, and control.
Integration with OT Environment
A major strength of the deployment was native compatibility with the existing OT environment. Endurance operated seamlessly on:
- Legacy Windows Embedded and Windows Server in the SCADA system.
- Industrial web interfaces requiring outdated browsers.
- Proprietary inverter and PLC configurators that don’t support agent installation.
- Star, redundant ring, or mesh topologies, without reconfiguring switches or firewalls.
No software had to be installed on the assets, no reconfiguration, and no operational interruption occurred.
Alignment with NIS2 and Industrial Standards
Thanks to the Endurance deployment, the plant made concrete progress against the cybersecurity risk-management measures required by Article 21 of the NIS2 Directive and the obligations around it, including:
- Access control policies and asset management (Art. 21(2)(i)), through privileged access control
- Supply chain security, including the relationship with suppliers and service providers (Art. 21(2)(d)), through controlled third-party access
- Incident handling (Art. 21(2)(b)) and the incident reporting obligations of Art. 23, through session records that serve as evidence
- Governance (Art. 20), by giving the management body verifiable evidence that the measures are in place
It also helped prepare for future cybersecurity certifications such as ISO/IEC 27001, IEC 62443, or the National Security Framework (ENS) by providing concrete evidence of access control, privilege management, and user behavior monitoring.
Conclusion
The deployment of Endurance in this photovoltaic plant was not merely a technology upgrade; it was a fundamental change in how access to critical infrastructure is managed, protected and supervised. In an environment where 80% of operational time is spent remotely, a sheltered, auditable environment that keeps the assets isolated is no longer optional; it is essential.
Endurance doesn’t replace the human, it protects them from themselves and from the hostile digital environment in which they work. And for an asset that produces energy and is connected to the national grid, that is exactly what is needed.