TL;DR: OT security incidents affected 22% of organisations in the past year, and 40% of those incidents caused operational disruption, according to SANS, while Dragos reported 708 ransomware incidents against industrial entities in Q1 2025. The decisive control is identity-based segmentation that contains lateral movement before it reaches production systems.
At a glance
What this is: This is a 2026 comparison of OT security vendors, with the key finding that detection and visibility are not enough without enforcement that stops lateral movement.
Why it matters: It matters because OT programmes protecting industrial, healthcare, and manufacturing environments need identity-aware controls that reduce blast radius across connected devices, users, and workloads.
By the numbers:
- 22% of organizations experienced a cybersecurity incident affecting their ICS or OT systems in the past year.
- 40% of those incidents caused operational disruption.
- 708 ransomware incidents hitting industrial entities in Q1 2025 alone.
- 55% of OT environments now contain four or more remote access tools.
👉 Read Elisity's OT security vendor comparison for 2026
Context
OT security is the discipline of protecting industrial systems, control networks, and the connected devices that keep physical operations running. The article argues that many organisations still over-rely on visibility and detection, while the real governance gap is whether access can be constrained before lateral movement reaches production.
For identity and access teams, the practical issue is not whether an OT stack includes a monitoring platform, but whether the environment has enforceable segmentation across users, workloads, devices, and unmanaged assets. In brownfield environments, that distinction shapes whether a compromise becomes an alert or an outage.
The article’s vendor comparison is therefore most useful as a map of two lanes: detection and visibility on one side, and segmentation and enforcement on the other. That split is typical for mature OT programmes, and it mirrors how most enterprises now have to build layered controls rather than depend on a single tool.
Key questions
Q: How should security teams segment OT networks without disrupting production?
A: Start with identity-based policy over existing infrastructure, not a forklift redesign. Map critical communications, define allowed east-west flows, and enforce those rules in a way that can be rolled back safely. The goal is to contain movement while preserving uptime, which is why brownfield plants need non-disruptive segmentation rather than brittle re-architecture.
Q: Why do OT environments need both visibility and enforcement?
A: Visibility tells you what exists and what is happening. Enforcement decides what is allowed to happen. In OT, detection alone does not prevent lateral movement, so teams need a control that can block risky traffic and limit blast radius while monitoring tools continue to provide operational context.
Q: What breaks when OT security relies only on detection tools?
A: The programme can see intrusions but still fail to contain them. That means an attacker may move from a monitored enclave into production systems before anyone can respond. Detection without enforcement creates awareness without containment, which is not enough in environments where disruption is the primary risk.
Q: What should organisations do first when building OT zero trust controls?
A: Define the trust boundaries around devices, users, workloads, and remote access paths before choosing tooling. Then align those boundaries with least privilege and segmentation rules. Zero trust in OT is less about broad policy language and more about making allowed communication explicit and enforceable.
Technical breakdown
Identity-based microsegmentation in OT networks
Identity-based microsegmentation assigns policy to the identity of a device, user, or workload instead of relying on IP address, VLAN placement, or static network zones alone. In OT, that matters because assets are often unmanaged, long-lived, and difficult to replatform. The enforcement point sits in the network layer already in use, which lets teams restrict east-west traffic without changing the production architecture. This is why segmentation can work in brownfield plants where downtime is unacceptable and legacy controllers cannot accept agents.
Practical implication: define allowable communications by identity and process path before trying to harden every asset individually.
OT detection and visibility versus enforcement
Detection tools observe traffic, map assets, and flag anomalies, while enforcement controls decide whether communication is allowed at all. Both are useful, but they solve different problems. Detection gives situational awareness after a risky event is visible. Enforcement changes the outcome by blocking movement even when an attacker already has a foothold. In OT, where operational continuity is critical, the combination of the two is what lets teams see intrusions and limit their blast radius at the same time.
Practical implication: treat monitoring as a detection layer and segmentation as the containment layer, not as interchangeable controls.
Why remote access sprawl expands OT attack surface
Remote access tools widen the number of paths into operational environments, especially when multiple vendors, integrators, and plant support teams are involved. Every additional access path increases policy complexity and makes trust harder to reason about. That is a governance problem as much as a technical one, because access is no longer easy to inventory or review in a consistent way. The article’s point is that remote access sprawl makes identity-aware enforcement more valuable, not less.
Practical implication: inventory all remote access paths before you design segmentation rules, or your policy model will miss the real trust boundaries.
Threat narrative
Attacker objective: The attacker aims to move from initial foothold to production-impacting systems without being contained by network boundaries.
- Entry often begins through remote access tooling, exposed services, or a vendor pathway that reaches the OT environment without strong segmentation.
- Escalation occurs when the intruder can move laterally from one enclave or asset class to another because trust is too broad for the network topology.
- Impact follows when movement reaches operational systems, turning a compromise into downtime, safety risk, or production disruption.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
OT segmentation has become the governance control that decides whether intrusion becomes outage. Detection platforms remain essential, but in industrial environments they do not change the attacker’s path. When lateral movement is the stage that matters most, identity-based enforcement is the control that turns observability into containment, and that is the real decision point for OT and IAM teams.
Identity-based microsegmentation is the right named concept for this market shift. The article describes a model where policy follows the identity of the device, workload, or user rather than the network location alone. That matters because OT environments are full of unmanaged and ephemeral endpoints that cannot be treated like normal enterprise assets. Practitioners should read this as a move from static zoning to identity-centric blast-radius control.
Layered OT security is now a structural requirement, not a procurement preference. The market split between detection and enforcement is not accidental. It reflects the fact that one class of tools answers what moved, while another class determines what is allowed to move. Security leaders should stop treating those as substitutes, because mature OT governance needs both visibility and constraint to be credible.
The article shows why brownfield OT breaks legacy segmentation assumptions. Many plants cannot tolerate new hardware, agents, or rearchitecture, so controls that assume a clean network refresh cycle fail operationally before they fail technically. The implication is that OT governance must account for device longevity, production uptime, and unmanaged endpoints as design constraints, not edge cases.
OT and identity teams need a shared control model for remote access and east-west traffic. The article’s comparison makes clear that industrial risk is no longer just perimeter exposure. Access review, least privilege, and segmentation all matter together when third parties, operators, and devices coexist on the same operational network. Practitioners should align network enforcement with identity governance rather than manage them as separate disciplines.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, according to the same survey, which shows how quickly governance lags behind adoption.
- For the underlying governance model, see Top 10 NHI Issues for the control gaps that recur across machine identity programmes.
What this signals
OT programmes are now being judged by their ability to enforce, not just observe. As remote access sprawl grows, the practical question is whether your containment model can survive brownfield constraints, unmanaged devices, and production uptime requirements at the same time.
Identity-based microsegmentation: this is the control pattern that gives OT teams a path out of flat trust assumptions. It matters because the same access logic that governs users and workloads is increasingly the logic needed to contain OT traffic, especially where east-west movement is the decisive risk.
The governance lesson extends beyond OT. With 70% of organisations already granting AI systems more access than human employees, per The 2026 Infrastructure Identity Survey, the industry is normalising identity decisions that outgrow static perimeter thinking.
For practitioners
- Separate detection from enforcement in your OT architecture Map which controls only observe and which ones can actually block communication. If a platform cannot stop east-west movement, treat it as visibility tooling and pair it with a containment layer that can enforce identity-based policy.
- Inventory remote access paths before designing segmentation List every vendor, support, and operator pathway into OT, including temporary and emergency channels. Use that inventory to define the trust boundaries that segmentation must enforce, instead of assuming the network diagram already reflects reality.
- Prioritise identity over IP when defining OT policy Build allowlists around device identity, user identity, and workload identity where possible, because OT assets move slowly and network addresses do not capture operational trust relationships. That makes policy more durable across lifecycle changes.
- Use layered control ownership for IT/OT convergence Assign monitoring, segmentation, and incident response responsibilities across network, security, and operations teams so no single group owns an incomplete control model. For context on containment patterns, review the 52 NHI Breaches Analysis and the Ultimate Guide to NHIs.
Key takeaways
- OT security in 2026 is a containment problem as much as a detection problem, because lateral movement is what turns compromise into operational disruption.
- The evidence base points to real production risk, with 22% of organisations reporting OT incidents and 40% of those incidents causing disruption.
- Identity-based segmentation is the control most likely to reduce blast radius in brownfield environments where agents, hardware refreshes, and network redesigns are not realistic.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | OT segmentation and access boundaries map directly to managed access control. |
| NIST Zero Trust (SP 800-207) | The article is built around zero trust segmentation and continuous verification. | |
| NIST SP 800-53 Rev 5 | AC-4 | Boundary and flow enforcement in OT aligns with system and information flow control. |
| CIS Controls v8 | CIS-12 , Network Infrastructure Management | OT segmentation depends on managing network paths and policy enforcement consistently. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | The article repeatedly frames OT risk around lateral movement leading to disruption. |
Document OT network paths under CIS-12 and verify that segmentation rules reflect current topology.
Key terms
- Identity-based microsegmentation: A segmentation approach that allows or blocks traffic based on the identity of the asset, user, or workload rather than only on network location. In OT environments, it helps contain lateral movement without forcing a redesign of fragile industrial networks.
- Lateral movement: The phase of an intrusion where an attacker moves from the initial foothold to other systems, segments, or privileges. In OT, it is often the moment a compromise starts to threaten production availability, safety, or operational continuity.
- Brownfield OT environment: An industrial environment built around existing systems that cannot be replaced quickly or safely. These sites often include legacy controllers, unmanaged devices, and long asset lifecycles, which makes non-disruptive security controls more practical than re-architecture.
What's in the full article
Elisity's full guide covers the operational detail this post intentionally leaves for the source:
- Vendor-by-vendor deployment considerations for OT segmentation in brownfield networks
- Analyst comparison tables showing which products map to detection, visibility, or enforcement
- Architectural examples for combining microsegmentation with OT monitoring and incident response
- Implementation notes for teams standardising across IT, OT, and IoT environments
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org