Subscribe to the Non-Human & AI Identity Journal

Why do unpatchable IoT and OT devices require separate containment controls?

Because patching cannot reliably remove their exposure, so the main defence is limiting what can reach them and what they can reach in turn. Shared segments let one weak device become a bridge to other systems. Separate containment reduces blast radius and preserves operational continuity even when the device itself stays vulnerable.

Why This Matters for Security Teams

Unpatchable IoT and OT devices are not just a lifecycle problem, they are an exposure-management problem. If a device cannot be reliably updated, security teams must assume the vulnerability remains and design controls around reachability, trust boundaries, and recovery. That is especially important in industrial and clinical environments, where availability matters as much as confidentiality. NIST Cybersecurity Framework 2.0 frames this as a governance and protective control issue, not a one-time remediation exercise.

This becomes sharper when devices handle privileged connectivity or act as implicit bridges into business networks. NHIMG research on the Ultimate Guide to NHIs – Standards highlights how identity and access boundaries become critical when machine credentials and unmanaged devices are left in place. In practice, many security teams encounter containment failures only after an engineer connects a legacy device to a shared segment and an attacker uses that path to move laterally.

How It Works in Practice

Separate containment means putting unpatchable devices into tightly bounded zones, then limiting both inbound and outbound communication to the minimum required for operations. The goal is not to make the device safe in an absolute sense. The goal is to make compromise less useful. That usually means dedicated VLANs or physical segmentation, firewalled jump paths, protocol allow-listing, strong logging, and strict administrative access through controlled bastions. Where the device supports it, identity-aware access and per-device credentials reduce the chance that one compromised system can impersonate another.

For OT, containment often needs to respect process dependencies and safety constraints. For IoT, the same logic applies to telemetry, update channels, and cloud brokers. Current guidance suggests treating these devices as high-risk assets that need explicit trust zones and continuous monitoring, aligned to NIST Cybersecurity Framework 2.0. NHIMG’s reporting on the Schneider Electric credentials breach is a useful reminder that unmanaged credentials and weak segmentation often travel together.

  • Keep unpatchable devices on dedicated segments, not shared enterprise subnets.
  • Allow only the exact protocols, ports, and destinations the device needs.
  • Use jump hosts or brokers for administration instead of direct device access.
  • Monitor for unusual east-west traffic, outbound beacons, and unexpected management calls.
  • Document compensating controls and review them as the surrounding network changes.

These controls tend to break down when legacy OT equipment must interoperate with modern IT services through ad hoc exceptions, because temporary connectivity often becomes permanent.

Common Variations and Edge Cases

Tighter containment often increases operational overhead, requiring organisations to balance security improvement against maintenance complexity and uptime risk. That tradeoff is especially visible in plants, hospitals, utilities, and building management systems where downtime is expensive or unsafe. Best practice is evolving, but there is no universal standard for how much isolation is enough; the right answer depends on the device’s function, vendor support, and how easily it can be replaced.

Some devices cannot tolerate aggressive filtering because they rely on proprietary protocols, multicast discovery, or legacy polling patterns. In those cases, teams usually shift from broad network trust to exception-based design: explicit paths, highly monitored brokers, and well-documented compensating controls. For internet-connected IoT, outbound containment is often as important as inbound blocking because compromised devices may be used for data exfiltration or botnet enrollment. Where identity is involved, such as devices authenticated with API keys or machine certificates, the containment plan should include secret rotation and revocation, not just network rules. That is why NHIMG’s research on the DeepSeek breach is relevant to the broader lesson: exposed credentials and weak boundaries amplify each other. In environments with safety-critical OT, containment should be tested against failover and emergency operating modes before deployment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207), CIS-Controls and NIST SP 800-53 Rev 5 set the technical controls, while NIS2 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC Segmentation and restricted access are central to containing unpatchable devices.
NIST Zero Trust (SP 800-207) SC-7 Zero Trust supports limiting lateral movement from compromised legacy devices.
CIS-Controls Control 12 Network infrastructure management covers segmentation and boundary enforcement.
NIS2 Critical operators need resilience measures when patching is not viable.
NIST SP 800-53 Rev 5 SC-7 Boundary protection is the core control family for isolating unmanaged devices.

Define device trust zones and enforce least-access paths with continuous review.