Cyber Protection and Access in Contested Environments
When your mission depends on remote assets, a “normal” enterprise security model breaks down fast. Field-deployed sensors, IP cameras, SCADA/OT endpoints, and edge compute nodes often live on networks you do not fully control. Links are intermittent. Ports get blocked. Devices are legacy or end-of-life. And adversaries may actively probe, filter, and disrupt connectivity.
In this Signal Media webinar sponsored by CSOI (Cybersecurity Operations Infrastructure), CSOI Principal Solutions Architect Steven Lemons walked through a practical approach to cyber protection and secure access in contested environments. The core message was simple: move security controls closer to the device, make access policy-driven, and keep your control plane resilient even when networks are hostile or constrained.
Why contested environments break traditional remote access
Traditional perimeter and network-centric controls assume a stable boundary: known subnets, open management ports, and predictable routing. In the real world, especially for OT, IIoT, surveillance, and remote field deployments, that assumption fails.
Common friction points include:
- Legacy or unpatchable devices that cannot run modern security agents or host-based firewalls
- Exposed management interfaces (web consoles, RDP/SSH, vendor portals) that become discoverable and targetable
- Port blocking or filtering that breaks command-and-control channels and remote operations
- Operational complexity including ACL sprawl, brittle VPNs, and one-off access exceptions
CSOI’s approach is operations-first and Zero Trust aligned: deny-by-default connectivity, then explicitly allow only what is needed, down to the device level.
CSOI’s model: an OSI 3.5 shim for authentication and authorization
CSOI inserts itself as an “OSI 3.5 shim.” In practical terms, this means security controls are enforced between traditional Layer 3 networking and higher-layer communications, requiring authentication and authorization before devices can communicate.
Instead of trusting network location, CSOI enforces:
- Authentication through a unique cryptographic identity per device
- Authorization through explicit policy-based trust
- Deny-by-default behavior when no policy exists
This shifts security from IP-based assumptions to identity-driven access control.
The “red diamond” overlay: security on top of your existing network
CSOI uses a simple three-layer deployment model:
- Underlay: the existing network (on-prem, cloud, hybrid, tactical)
- Identity layer (“red diamond”): the overlay that enforces identity and control
- Overlay policies: rules defining exactly which devices may communicate
This design minimizes dependency on fragile perimeter defenses and focuses on device-to-device trust.
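The identity-driven, deny-by-default model described in the two sections above (per-device cryptographic identity, explicit overlay policy, no policy means no connectivity) can be made concrete with a small policy engine. The following is an added, constructed example written for this summary; it is not CSOI code and makes no claim about how Conductor or an airwall is actually implemented. It simplifies the per-device key pair to a per-device secret used in an HMAC challenge-response, and the names (`cam-01`, `ops-laptop-7`, `probe-host`, port 554) are invented for illustration. It shows three properties the webinar stresses: the decision is based on verified identity rather than source IP, traffic without a matching policy is dropped silently so the asset is not discoverable, and access can be granted and revoked by editing policy alone.

```python
"""Constructed toy of an identity-first, deny-by-default overlay policy engine."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class DeviceIdentity:
    """A device's unique cryptographic identity.

    Simplification for the example: a per-device secret plus HMAC stands in
    for the per-device key pair a real deployment would use.
    """
    device_id: str
    key: bytes

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class IdentityRegistry:
    """Control-plane record of enrolled identities (what a controller holds)."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def enroll(self, identity: DeviceIdentity) -> None:
        self._keys[identity.device_id] = identity.key

    def verify(self, device_id: str, nonce: bytes, proof: bytes) -> bool:
        key = self._keys.get(device_id)
        if key is None:
            return False  # unknown identity: never trusted
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int


class OverlayPolicy:
    """Explicit allow rules; anything not listed is denied."""

    def __init__(self) -> None:
        self._rules: set[Rule] = set()

    def allow(self, src: str, dst: str, port: int) -> None:
        self._rules.add(Rule(src, dst, port))

    def revoke(self, src: str, dst: str, port: int) -> None:
        self._rules.discard(Rule(src, dst, port))

    def permits(self, src: str, dst: str, port: int) -> bool:
        return Rule(src, dst, port) in self._rules  # deny by default


class Enforcer:
    """Enforcement point in front of one protected device.

    Decisions use the verified peer identity, never the source IP, and
    anything not permitted is dropped silently (no reset, no ICMP), so an
    unauthorized peer learns nothing about the protected device.
    """

    def __init__(self, protected_id: str, registry: IdentityRegistry, policy: OverlayPolicy):
        self.protected_id = protected_id
        self.registry = registry
        self.policy = policy
        self._outstanding: set[bytes] = set()   # challenges not yet answered
        self.log: list[tuple[str, str, int, str]] = []

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def handle(self, claimed_id: str, nonce: bytes, proof: bytes, src_ip: str, dst_port: int) -> str:
        # src_ip is kept for the audit log only; it plays no part in the decision.
        if nonce not in self._outstanding:
            verdict = "DROP"  # unknown or replayed challenge
        else:
            self._outstanding.discard(nonce)  # every nonce is single-use
            if not self.registry.verify(claimed_id, nonce, proof):
                verdict = "DROP"  # authentication failed
            elif not self.policy.permits(claimed_id, self.protected_id, dst_port):
                verdict = "DROP"  # authenticated, but no policy: deny by default
            else:
                verdict = "FORWARD"
        self.log.append((claimed_id, src_ip, dst_port, verdict))
        return verdict


def attempt(enforcer: Enforcer, identity: DeviceIdentity, src_ip: str, dst_port: int) -> str:
    """One complete exchange: challenge, proof, decision."""
    nonce = enforcer.challenge()
    return enforcer.handle(identity.device_id, nonce, identity.prove(nonce), src_ip, dst_port)


def demo() -> dict[str, str]:
    """Walk through grant, unauthorized access, IP change, revoke and replay."""
    registry, policy = IdentityRegistry(), OverlayPolicy()
    camera = DeviceIdentity("cam-01", secrets.token_bytes(32))
    operator = DeviceIdentity("ops-laptop-7", secrets.token_bytes(32))
    prober = DeviceIdentity("probe-host", secrets.token_bytes(32))  # never enrolled
    registry.enroll(camera)
    registry.enroll(operator)
    gate = Enforcer("cam-01", registry, policy)

    results = {"no_policy": attempt(gate, operator, "10.0.0.5", 554)}
    policy.allow("ops-laptop-7", "cam-01", 554)          # grant by policy
    results["granted"] = attempt(gate, operator, "10.0.0.5", 554)
    results["other_port"] = attempt(gate, operator, "10.0.0.5", 80)
    results["unenrolled"] = attempt(gate, prober, "10.0.0.5", 554)
    results["new_ip"] = attempt(gate, operator, "192.0.2.44", 554)  # identity, not IP
    nonce = gate.challenge()
    proof = operator.prove(nonce)
    gate.handle("ops-laptop-7", nonce, proof, "10.0.0.5", 554)
    results["replay"] = gate.handle("ops-laptop-7", nonce, proof, "10.0.0.5", 554)
    policy.revoke("ops-laptop-7", "cam-01", 554)         # revoke by policy
    results["revoked"] = attempt(gate, operator, "10.0.0.5", 554)
    return results
```

Running `demo()` yields `FORWARD` only for the granted case and the moved-IP case; the unenrolled prober, the wrong port, the replayed challenge and the post-revocation attempt all end in a silent drop, and the enforcer's log records the identity behind each decision rather than just an address.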
Conductor: centralized visibility and policy control
CSOI’s Conductor dashboard serves as the operational control plane:
- Real-time visibility into devices, throughput, and overlays
- Status monitoring of deployed enforcement points (airwalls)
- Rapid access changes using policy instead of firewall reconfiguration
For lean IT and security teams, this enables faster response during incidents, maintenance, or redeployment.
Field example: protecting an IP camera behind a small gateway
The webinar demonstrated a realistic field scenario using an IP camera connected downstream from a compact CSOI gateway over a satellite link.
The demo showed:
- Authorized users could access the protected camera
- Unauthorized systems could not discover or reach it
- Access could be granted instantly through policy
- Access could be revoked just as quickly
This illustrates Zero Trust at the device level: access is explicit, controlled, and reversible.
Maintaining command-and-control when ports are blocked
In constrained or hostile networks, non-standard ports are often blocked. If control-plane traffic relies on those ports, visibility and enforcement can be lost.
CSOI mitigates this by allowing agents to communicate with Conductor using WebSocket Secure over TCP 443. Because 443 is broadly permitted, control-plane connectivity is more resilient.
Operational benefits include:
- Greater likelihood of maintaining connectivity
- Continuous policy enforcement under port filtering
- Reliable operational visibility in contested environments
Relays: improving reachability across complex paths
CSOI supports relay gateways to help bridge connectivity across congested or unreliable network paths.
Relays are useful when:
- Direct paths are unstable or blocked
- Field assets cannot reliably reach central control
- Visibility is needed without flattening the network
This preserves segmented access while improving operational reach.
Low-footprint considerations: tuning ports to reduce detection risk
In contested environments, reducing network footprint matters. CSOI allows tuning of service ports to avoid standing out in monitored environments while maintaining encrypted communications.
This flexibility supports environments where traffic patterns and port usage must remain discreet without sacrificing security.
Why this aligns with Zero Trust
The webinar Q&A reinforced CSOI’s Zero Trust alignment:
- Identity is decoupled from IP address
- Mutual cryptographic authentication is required
- Deny-by-default is enforced
- Devices cannot see or probe each other without policy
This makes protected assets effectively invisible until trust is explicitly established.
Where this applies immediately
This architecture is well-suited for:
- Utilities and SCADA environments
- Energy production and distribution
- Surveillance and physical security networks
- Government and distributed enterprise operations