TL;DR: Omdia’s 2025 survey found that 99% of organisations are implementing or planning microsegmentation, but only 9% have protected more than 80% of critical systems, while 69% of industrial ransomware incidents in 2024 targeted manufacturing, according to Dragos. The execution gap, not the strategy gap, is now the decisive risk variable for manufacturing security teams.
At a glance
What this is: This survey analysis shows that manufacturing has strong intent to adopt microsegmentation, but actual coverage remains too low to materially slow lateral movement and ransomware spread.
Why it matters: It matters because manufacturing networks still depend on broad trust zones, and identity-aware microsegmentation is becoming a practical control issue for OT, IAM, and resilience teams.
By the numbers:
- 99% are implementing or planning microsegmentation, but only 9% have more than 80% of critical systems protected.
- 69% of all industrial ransomware incidents in 2024 targeted manufacturing entities, with 75% resulting in partial or full operational shutdowns.
- Nearly half of manufacturing organizations experienced a lateral movement attack in the past 12 months.
👉 Read Elisity's analysis of the Omdia microsegmentation survey for manufacturing
Context
Microsegmentation is the practice of limiting east-west traffic so compromise in one area does not freely spread across a network. In manufacturing, that problem is amplified by OT, IT, and vendor access paths that were never designed around modern trust boundaries, which is why the article’s core question is whether identity-aware policy can finally close the gap between intent and operational coverage.
The identity angle is genuine here because modern microsegmentation increasingly depends on device identity, user context, and privileged access boundaries rather than only subnets and IP ranges. That makes the topic relevant to IAM, PAM, and NHI governance teams as well as OT security owners, especially where remote engineers, vendor laptops, and service identities can all become lateral movement paths.
The survey results suggest the starting position is typical for industrial environments rather than exceptional: organisations want the control, but legacy network methods, skills gaps, and production constraints keep coverage shallow.
Key questions
Q: What breaks when manufacturing networks rely on VLANs for segmentation?
A: VLANs create broad trust zones, so once an attacker enters a segment, they can often move laterally to other reachable devices inside the same zone. In manufacturing, that is especially dangerous because OT assets often share infrastructure and cannot all be protected with agents or frequent redesign. The control fails when location is treated as trust.
Q: Why do industrial environments need identity-based microsegmentation?
A: Industrial environments need identity-based microsegmentation because IP addresses and subnets do not capture who is connecting, what device is connecting, or what that device is allowed to reach. Identity-aware policy is better suited to mixed OT, vendor, and remote engineering access because it can express narrow, task-specific trust boundaries.
Q: How do security teams know if microsegmentation is actually working?
A: Look for evidence that critical systems are protected, not just that policies exist. Useful signals include coverage of high-value assets, reduction in lateral movement paths, fewer connectivity exceptions, and fewer manual workarounds for production traffic. If broad east-west access still exists, the programme is not yet containing blast radius effectively.
Q: Who is accountable when microsegmentation gaps contribute to ransomware impact?
A: Accountability usually sits across OT security, network engineering, and IAM or PAM teams, because segmentation failures often reflect shared governance gaps. The control spans asset visibility, access policy, and operational change management, so ownership must be explicit. Frameworks such as NIST CSF and IEC 62443 help assign duties more clearly.
Technical breakdown
Why legacy segmentation fails against lateral movement in OT
Traditional VLANs and ACLs create broad network zones, but they do not stop an attacker from moving laterally once inside a segment. In industrial environments, that matters because PLCs, HMIs, historians, and building management systems often share infrastructure yet cannot run agents or tolerate disruptive redesign. Agent-based segmentation can be too brittle for these assets, which leaves coarse controls in place while adversaries move between reachable hosts. The core technical issue is that network location is not the same as device trust, and static boundary controls cannot express that difference.
Practical implication: Map where coarse VLAN or ACL trust zones still allow unrestricted east-west access and treat those areas as priority containment gaps.
Identity-based microsegmentation shifts policy from IPs to trust signals
Identity-based microsegmentation uses device identity, user context, and flow characteristics to decide whether traffic should be allowed. That is a different model from subnet-based segmentation because policy can distinguish a remote engineer’s authenticated session from an unmanaged vendor laptop or an engineering workstation talking to a specific PLC. The article shows why this matters in OT: manufacturing access is not just about where a device connects, but who is using it, what it is, and what it is allowed to reach. That is the architectural shift practitioners need to understand.
Practical implication: Build policies around device class, user role, and approved communication paths instead of relying on static network placement.
Operational overhead is the hidden blocker to microsegmentation scale
The survey’s change-control and troubleshooting data shows why many programmes stall after pilots. Microsegmentation becomes hard when every policy change requires hours of testing, exception handling, and connectivity validation across production systems. In manufacturing, small delays can have outsized operational impact, so teams often stop short of broad enforcement even when they understand the risk. The real technical challenge is not only designing policy, but managing the lifecycle of that policy across heterogeneous OT assets and narrow change windows.
Practical implication: Plan phased enforcement with discovery, simulation, and limited rollout before extending policy to production-critical assets.
Threat narrative
Attacker objective: The attacker wants to move from initial foothold to production disruption without being stopped by internal network boundaries.
- Entry typically occurs through an exposed remote access path, a compromised engineering workstation, or another initial foothold that lands inside a trusted manufacturing zone.
- Escalation follows when the attacker reuses broad intra-segment access to pivot from one reachable system to another, including OT assets that share the same trust boundary.
- Impact arrives when ransomware or destructive malware reaches production systems, halts lines, or disrupts supplier-linked operations across the plant environment.
NHI Mgmt Group analysis
Microsegmentation in manufacturing is now an identity governance problem, not just a network design issue. The article shows that manufacturers are not short on awareness, but on enforceable trust boundaries that can distinguish one user, device, or workload from another. As environments mix OT assets, vendor access, and remote engineering sessions, identity context becomes the only practical way to express least privilege at runtime. Practitioners should treat segmentation policy as an access governance control, not a routing exercise.
Standing trust inside industrial networks is the real failure mode this survey exposes. VLANs, ACLs, and broad trusted zones assume that once a device is inside the segment, movement remains acceptable. That assumption breaks down under ransomware because attackers live off the same internal reachability that operators rely on. The result is a control gap that looks like network architecture but behaves like privilege sprawl. Teams should look for any internal path that is still trusted by default and treat it as a containment defect.
Identity-based microsegmentation is the named control shift the industry is converging on. This is the move from IP-centric segmentation to policy that understands device identity, user role, and allowed flows. That shift matters because manufacturing networks contain assets that cannot tolerate agents or frequent redesign, so the policy model has to work with operational reality. For practitioners, the conclusion is clear: if identity is not part of the segmentation decision, lateral movement is still being governed too broadly.
The maturity gap is less about tools than about operational confidence. The survey shows that many organisations want microsegmentation but lack hands-on experience, which explains why deployment lags behind intent. That is a classic governance problem: security teams know the control matters, but they have not made it routine enough to own at scale. The practical takeaway is that segmentation programmes need ownership, testing discipline, and a policy lifecycle, not just a product decision.
For manufacturing resilience, microsegmentation should be evaluated as a ransomware containment control first. The strongest business case is not abstract Zero Trust language, but stopping initial compromise from becoming plant-wide disruption. That aligns the control with operational risk, insurance pressure, and recovery planning. Security leaders should position the programme as a blast-radius reduction capability and measure it by how much of the environment is actually protected.
What this signals
Microsegmentation programmes will increasingly be judged by identity coverage, not network feature depth. For manufacturers, that means the next phase is less about which segmentation architecture is installed and more about whether user context, device identity, and privileged access are actually part of enforcement. Teams that cannot map those relationships will keep finding the same internal paths reopened after every incident.
Identity-aware containment is becoming a resilience control as much as a security control. The manufacturing lesson is that ransomware risk is now inseparable from operational continuity, which pushes access governance closer to OT change management and recovery planning. This is where internal control design starts to overlap with broader identity discipline, including privileged access boundaries and workload-level restrictions.
Coverage metrics should become board-visible because partial deployment creates a false sense of protection. A plant that has microsegmentation in name only may still have most critical systems reachable from compromised internal segments. Security leaders should therefore report protected-system coverage, exception drift, and containment test results alongside traditional compliance metrics.
For practitioners
- Inventory reachable trust zones across OT and IT paths Identify where VLANs, ACLs, vendor tunnels, and remote engineer access still allow broad east-west movement. Prioritise the paths that connect engineering workstations, PLCs, HMIs, historians, and building management systems.
- Define policies using identity and approved flows Use device identity, user role, and application-specific communication patterns to express policy. Avoid relying on IP ranges alone, because IP-based controls cannot distinguish legitimate industrial traffic from an attacker pivoting within a trusted zone.
- Roll out enforcement in phases with simulation first Start with discovery and passive mapping, then simulate rules before enforcement. Move highest-risk segments first, and keep rollback procedures ready for production-critical systems where downtime tolerance is low.
- Measure coverage against critical-system exposure Track the percentage of critical systems actually protected, not just the number of policies created. Use coverage, exception volume, and unresolved connectivity issues as the main indicators of whether microsegmentation is operational or still aspirational.
Key takeaways
- Manufacturing microsegmentation is failing at the execution layer, where intent has far outpaced protected-system coverage.
- The threat is lateral movement, but the control problem is broader trust assumptions across OT, vendor, and engineering access paths.
- Identity-based policy, phased enforcement, and measurable coverage are the controls most likely to turn microsegmentation into real containment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | The article focuses on lateral movement and operational disruption in manufacturing networks. |
| NIST CSF 2.0 | PR.AC-4 | Identity-aware access control is central to limiting internal movement across manufacturing assets. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement is the closest control match to microsegmentation policy. |
| CIS Controls v8 | CIS-12 , Network Infrastructure Management | The article is about managing internal segmentation and network containment in industrial environments. |
| ISO/IEC 27001:2022 | A.8.22 | Segmentation and network controls are directly relevant to industrial containment and resilience. |
Map exposed internal paths to lateral movement techniques and test whether segmentation blocks impact.
Key terms
- Microsegmentation: Microsegmentation is a way of limiting communication between systems so an attacker cannot easily move from one compromised asset to another. In practice, it uses fine-grained policy to reduce blast radius and constrain trust within networked environments, especially where critical systems need stricter separation than traditional zones provide.
- Lateral Movement: Lateral movement is the phase of an intrusion where an attacker pivots from one system to another after gaining an initial foothold. It matters because internal reachability often exposes more valuable assets than the original entry point, and containment controls are designed to interrupt that progression before impact expands.
- Identity-Based Segmentation: Identity-based segmentation applies policy using device identity, user context, or workload attributes rather than just IP addresses or subnets. This approach is useful in mixed environments because it can express who or what should communicate, which is essential when assets are mobile, shared, or too constrained for agents.
- Operational Technology: Operational technology is the hardware and software that monitor or control physical processes in industrial environments. Unlike standard IT systems, OT often prioritises uptime and deterministic performance, which means security controls must be designed to protect production without introducing disruptive latency or agent-based overhead.
What's in the full report
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- The full Omdia survey breakdown by manufacturing and healthcare, including deployment maturity and feature priorities.
- The detailed comparison of legacy segmentation methods against identity-based microsegmentation in OT environments.
- The operational change-control data behind the deployment slowdown, including time spent on policy creation and troubleshooting.
- The survey's breakdown of user types, device classes, and integration priorities for production environments.
👉 Elisity's full post covers the survey data, deployment gap, and OT-specific segmentation challenges.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity controls to operational risk across modern environments.
Published by the NHIMG editorial team on 2026-05-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org