OT Segmentation
Applying Zero Trust to OT Systems with Microsegmentation
Rising OT Security Threats
The numbers are clear: operational technology (OT) attacks are on the rise.
Ransomware attacks against industrial organizations increased 87% in 2024, defying a declining trend in malware as attackers continue to exploit outdated legacy technology in the manufacturing industry.
Meanwhile, the number of ransomware groups impacting OT/Industrial Control Systems (ICS) rose 60% last year, as adversaries that once ignored OT or were unaware of it entirely now view it as a powerful attack vector. In other words, OT is no longer a niche target.
But it’s not just the manufacturing floor in hackers’ crosshairs: while the vulnerable nature of OT environments makes them an appealing destination for attackers, 75% of attacks targeting OT systems start as IT breaches.
To secure critical systems in an era of rising OT threats, organizations need to tightly segment their networks and prevent lateral movement across environments. We’ll outline the importance of OT segmentation, typical OT security barriers, and how unified OT/IT microsegmentation supports a resilient Zero Trust architecture.
What Is OT Segmentation?
Operational technology (OT) segmentation is the process of logically dividing industrial control systems (ICS), sensors, programmable logic controllers (PLCs), and other OT infrastructure from broader IT networks and from each other.
OT segmentation reduces the attack surface and limits lateral movement between systems, protecting industrial organizations from the costly risk of downtime.
OT Network Segmentation vs. OT Microsegmentation
OT network segmentation isolates the network into secure zones. OT microsegmentation further secures the infrastructure by controlling traffic between individual assets within those zones.
The Challenges of Securing OT Environments
OT networks weren’t exactly built with today’s cyber threats in mind. The typical OT environment contains hundreds, or even thousands, of unmanaged devices from myriad vendors dating back decades. OT networks are hard to monitor, hard to control, and dangerous to disrupt – properly securing them is a near-impossible feat.
Legacy, Unmanaged Devices
Since most OT assets weren’t designed with cybersecurity in mind, their proprietary protocols and unsupported software create vulnerabilities.
Fragility and Risk Aversion
A single misconfigured rule or software update can halt production, damage equipment, or create safety hazards. This fragility means manufacturing organizations are often reluctant to pursue OT security projects.
Visibility Gaps
Few organizations have a complete inventory of their OT devices, much less an understanding of how they communicate. Without this baseline, it’s nearly impossible to assess risk or enforce policy.
Resistance to Change
Due to tight operational tolerances and legacy processes, security teams are often blocked from touching OT environments – OT security projects are frequently postponed, leaving manufacturers vulnerable to supply chain attacks, production disruptions, and other malicious activities.
These realities make traditional segmentation approaches unscalable and ineffective in most OT environments.
OT/IT Convergence: Why OT Security Starts with IT
The days of air-gapped industrial networks are gone. OT systems are now deeply intertwined with enterprise IT infrastructure due to cloud adoption, IoT, remote operations, and business pressures around efficiency and uptime.
In today’s interconnected environments, effective OT segmentation isn’t just about isolating PLCs or placing firewalls between systems. With 70% of OT systems projected to connect to IT networks by next year, manufacturing organizations can’t afford to ignore the fact that most attacks on OT systems start with an IT breach.
While OT threats have risen sharply in recent years, a whopping 75% of attacks targeting OT systems start in IT. Hackers gain access through vulnerabilities in the corporate environment – like VPNs, web apps, or compromised credentials – and pivot to their true targets: fragile, under-protected, high-value OT assets. After gaining initial access to the IT network and easily bypassing traditional perimeter defenses, attackers move laterally using legitimate admin tools and credentials.
In other words, one compromised IT asset can take down physical production lines, compromise safety systems, or expose proprietary manufacturing data. That’s why the foundational Zero Trust principle of "never trust, always verify" must extend from IT into OT. The first step in that direction is rethinking OT segmentation to focus security strategies on a converged IT/OT environment.
Strengthening OT Security with Microsegmentation
When done right, microsegmentation can completely lock down lateral movement and block ransomware by applying a firewall “bubble” around every asset in the network, allowing only necessary traffic.
Rather than relying on perimeter controls or coarse zoning, microsegmentation applies granular, least-privilege policies between individual assets. Only approved connections are allowed – everything else is blocked by default.
For OT, this strategy has powerful benefits:
- Stops lateral movement from IT to OT or between OT assets
- Reduces blast radius by immediately isolating compromised devices
- Supports Zero Trust architectures by enforcing continuous validation
But despite its clear benefits, microsegmentation has not been widely adopted at scale – only 2% of manufacturing security leaders say they’re microsegmenting their networks today. Legacy microsegmentation solutions, using software firewalls, require agents that are difficult to deploy and maintain, sit in line with traffic, eat up space, and stretch security budgets. Most importantly, traditional solutions require manual rule creation, which is a tedious, labor-intensive process that often ends in broken applications or a semi-segmented network at best.
As a result, many organizations never manage to microsegment their entire network – even after dedicating years to the pursuit. Microsegmentation for OT assets is particularly complex, as most of these devices are unmanaged and often do not have a firewall.
To effectively strengthen network security – including OT environments – organizations need a next-gen solution, capable of overcoming complexity and legacy constraints while addressing the modern threat landscape.
Modern OT Segmentation: Key Capabilities
A modern approach to OT segmentation ideally addresses both security and operational requirements with capabilities like:
Automated Learning and Policy Creation
After observing traffic over a learning period to understand what normal communication looks like, the network segmentation solution should then automatically generate least-privilege rules that allow only necessary flows – no guesswork or manual tagging required, making it easier to protect sprawling OT/IT infrastructures.
Just-in-Time Access Controls
For privileged connections, such as remote vendor maintenance or sensitive protocol access, solutions should apply just-in-time multi-factor authentication (MFA) to prevent abuse of high-risk ports without requiring 24/7 access blocks.
Agentless Approach
Rather than installing agents on endpoints, an effective solution should leverage native OS controls like host-based firewalls and access control lists (ACLs) to enforce policy at the closest point to each asset, securing legacy and fragile OT systems without disruptions.
Unified IT/OT Coverage
Because IT breaches are typically the entry point for OT attacks, controls should be unified across IT, OT, and cloud environments with policies applied consistently across segments, regardless of the environment.
Continuous Monitoring
Threats evolve. Network behavior changes. Organizations that over-rely on manual processes are bound to leave gaps for attackers. Instead, segmentation solutions should continuously monitor new activity and adapt rules dynamically, ensuring long-term security.
Unified Microsegmentation for IT/OT Networks
Zero Networks’ radically different architecture enables effortless microsegmentation at scale for both IT and OT systems.
After learning all network connections over a period of up to 30 days, Zero automatically creates corresponding rules and highly accurate least-privilege policies for IT and OT networks. Once an easy review is completed, the rules and policies are centrally applied using automation to the host-based firewalls of managed IT devices and to ACLs of the switches connecting the unmanaged OT devices.
The policies created by Zero’s automation engine block all traffic by default, allowing only legitimate traffic required for normal operations. In addition, Zero applies just-in-time network layer MFA to privileged ports and sensitive devices, adding an extra layer of security around attackers’ favorite targets: admin protocols like RDP, SSH, RPC, WMI and SMB.
Zero Networks is a unified, single-pane-of-glass solution for both IT and OT microsegmentation:
| | (to) IT Devices | (to) OT Networks |
|---|---|---|
| (from) IT Devices | Least-privilege permissions applied to all device firewalls (clients and servers), effectively preventing lateral movement. Privileged ports are protected with just-in-time MFA, enabling IT teams to perform remote maintenance operations when needed while blocking all other traffic at the network level. | Unless automated learning has indicated a need to keep a specific connection open, all outbound connection requests from IT to OT are blocked. When access to an OT device is required, users must authenticate with MFA to gain temporary access. This outbound block and MFA effectively prevent attackers from moving laterally into the OT network after compromising the IT network. |
| (from) OT Devices | All connection requests from OT to IT are blocked, unless the learning process has indicated that a certain connection needs to remain open. This prevents an attacker who has compromised an OT asset from moving laterally into the IT network. | The automation engine creates a granular, least-privilege policy and applies it via ACL to all OT routers and switches. These rules allow or block traffic through the ACL to the OT devices, preventing an attacker who has compromised an OT asset from moving laterally within the OT network. |
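The following is an added example, not Zero Networks’ code, that models the learn-then-enforce approach described above (automated learning and policy creation, just-in-time MFA on admin ports, and the IT/OT matrix) on constructed data: flows observed during a learning period become the only allow rules, everything else is denied by default, allows on admin ports are tagged for MFA, and the enforcement point (host firewall vs. switch ACL) follows the destination’s zone. Hostnames, zones and the flow log are constructed for illustration.

```python
"""Learned-flow policy generation for a converged IT/OT network.

Added example, not Zero Networks' code. It models the approach the article
describes on constructed data: observe flows during a learning period, allow
only those flows, deny everything else by default, tag admin ports for
just-in-time MFA, and pick the enforcement point from the destination's zone.
"""

# Admin protocols the article names; port numbers are the standard ones.
PRIVILEGED_PORTS = {22: "SSH", 135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM/WMI"}

# Constructed asset inventory: hostname -> zone.
ZONES = {"hmi-01": "OT", "plc-01": "OT", "plc-02": "OT",
         "historian": "IT", "eng-ws": "IT", "laptop-7": "IT"}

# Constructed flow log from the learning period: (src, dst, proto, dst_port).
LEARNING_FLOWS = [
    ("hmi-01", "plc-01", "tcp", 502),        # HMI polling a PLC over Modbus/TCP
    ("hmi-01", "plc-01", "tcp", 502),        # repeated observations collapse to one rule
    ("historian", "plc-02", "tcp", 44818),   # historian reading EtherNet/IP
    ("eng-ws", "historian", "tcp", 3389),    # admin RDP: allowed, but only behind MFA
]

def learn_flows(flows):
    """Collapse the learning-period observations into the set of needed flows."""
    return set(flows)

def build_policy(learned):
    """Emit an ordered rule list: one allow per learned flow, then a default deny.
    Allows on privileged ports become 'allow-mfa'; the enforcement point is the
    host firewall for managed IT destinations and the switch ACL for OT ones."""
    rules = []
    for src, dst, proto, port in sorted(learned):
        rules.append({
            "src": src, "dst": dst, "proto": proto, "port": port,
            "direction": f"{ZONES[src]}->{ZONES[dst]}",
            "action": "allow-mfa" if port in PRIVILEGED_PORTS else "allow",
            "enforce": "host-firewall" if ZONES[dst] == "IT" else "switch-acl",
        })
    rules.append({"src": "*", "dst": "*", "proto": "*", "port": "*",
                  "direction": "*", "action": "deny", "enforce": "all"})
    return rules

def evaluate(rules, src, dst, proto, port):
    """First matching rule wins; anything not learned falls to the default deny."""
    for r in rules:
        if all(r[k] in (v, "*") for k, v in
               (("src", src), ("dst", dst), ("proto", proto), ("port", port))):
            return r["action"], r["enforce"]
    return "deny", "all"

POLICY = build_policy(learn_flows(LEARNING_FLOWS))
```

An unlearned IT-to-OT request (a laptop reaching a PLC) and an OT-to-IT request both fall through to the default deny, while the learned RDP flow is allowed only with MFA.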
How it Works: Zero Networks Solution Architecture
The process begins with installing a Zero Networks Segment Server on the network. A Segment Server is a simple, stateless virtual appliance that doesn’t require any backups or maintenance and is not in line with network traffic.
Fully Automated
The Segment Server monitors all network connections for a recommended period of 30 days. When the learning period is over, the Automation Engine creates accurate security policies that only allow strictly necessary network traffic, blocking any other communication by default. The policies are propagated to all network devices with a single click.
Easy Implementation, Low Maintenance
Zero Networks deployment is 100% agentless, making it highly scalable across large, complex networks. The period from installation to coverage takes only a few weeks, as opposed to months or years with legacy vendors.
By relying on native OS controls like host firewalls and ACLs, Zero ensures a safe yet robust implementation that’s easy on the implementing IT team to boot.
As key tasks like asset tagging and policy creation are fully automated, Zero Networks eliminates the need for professional services and significant manual effort.
Future-Proof
Zero Networks’ Day 2 automation makes it easy to keep up with evolving networks. The automation engine detects new network changes and provides policy updates that can be deployed across the network with a single click.
A Simple, Effective Platform for Converged IT and OT Microsegmentation
With one engine, one interface, and one set of rules for microsegmenting every network environment – from data centers, cloud, and Kubernetes to OT, legacy systems, and beyond – Zero Networks gives security teams centralized control and peace of mind.
As cyber attackers increasingly target OT systems via IT network breaches, a unified and adaptive solution is key to securing modern interconnected infrastructures. Take a self-guided product tour to see how Zero Networks simplifies microsegmentation across every environment.