Goldman Sachs built an OT device qualification lab to stop cybersecurity approvals from becoming rollout blockers—using QA/prod/offline networks to test devices before field deployment
Instead of treating OT cybersecurity approvals as a late-stage gate, Goldman Sachs built a dedicated device qualification lab to test hardware and integrations upstream. The goal: prevent security and networking requirements from stalling deployments after money has already been spent and sites are already mobilized.
The lab is set up with multiple environments, including QA networks, production-like networks, and “off-network” configurations. This allows teams to test devices under realistic boundary conditions rather than sanitized demo setups. Devices and integrations can be evaluated for how they behave across segmentation rules, authentication schemes, and network constraints that mirror real buildings.
That structure supports a standardized intake and validation model across regions with very different regulatory and infrastructure realities. Goldman explicitly points to differences across China, APAC, India, and EMEA—regions where assumptions made in North American pilots often break down. By qualifying devices centrally, the firm reduces the risk that regional rollouts surface disqualifying issues late, forcing redesigns or site-by-site exceptions.
The setup enables faster rollouts with fewer surprises, and tighter control over what enters production networks. What remains unproven is how transferable this model is for owners without Goldman’s scale or resources. A full lab is a heavy lift. But the underlying lesson applies broadly: pushing OT security validation upstream is cheaper than fixing it mid-deployment.
Learn more:
- Watch the full presentation from NexusCon 2025
- Sign up for the Nexus Labs newsletter to get five similar stories for owners each Wednesday:



This is a great piece!
I agree.