By NHI Mgmt Group Editorial TeamPublished 2026-03-01Domain: Cyber SecuritySource: Elisity

TL;DR: Traditional NAC depends on 802.1X, supplicants, and VLAN-centric enforcement, but industrial devices such as PLCs, HMIs, and sensors often cannot support those assumptions, leaving most OT assets on weaker fallbacks like MAC Authentication Bypass, according to Elisity. The result is an access-control model that looks complete in IT but leaves the plant floor governed by implicit trust.


At a glance

What this is: This analysis explains why traditional NAC works in IT environments but breaks down on industrial and OT networks, especially where devices cannot support 802.1X or agent-based enforcement.

Why it matters: It matters because OT and IAM teams need access control that fits unmanaged devices, flat plant networks, and zero-trust segmentation goals without creating outages or impossible deployment projects.

By the numbers:

👉 Read Elisity's analysis of best NAC for industrial and OT networks


Context

Industrial access control fails when it assumes every device can authenticate like a managed laptop. In OT environments, many assets are old, headless, or protocol-specific, so 802.1X, agents, and VLAN-heavy designs often leave the most important systems outside the protection boundary.

This matters to identity and access teams because industrial devices behave more like non-human identities than human endpoints: they are persistent, task-specific, and difficult to retrofit into traditional IAM workflows. The governance problem is not just network access, but how to enforce identity-based policy without breaking production.


Key questions

Q: What breaks when traditional NAC is used on OT networks?

A: Traditional NAC breaks when OT devices cannot run 802.1X supplicants, cannot accept agents, or cannot tolerate VLAN-driven redesigns. In those environments, the control often falls back to MAC Authentication Bypass, which is device recognition rather than authentication. The result is a weak trust boundary that leaves critical plant-floor systems exposed to spoofing and lateral movement.

Q: Why do OT devices complicate zero trust architecture?

A: OT devices complicate zero trust because many of them are persistent, unmanaged, and unable to participate in normal identity proofs. Zero trust still applies, but the enforcement mechanism has to be identity-aware and agentless. If the control depends on managed endpoints or frequent re-authentication, it will not fit industrial reality.

Q: How do security teams know whether OT segmentation is actually working?

A: Security teams should measure whether policy is enforced around the assets that matter most, not whether a NAC rollout is complete on paper. Useful signals include the reduction of MAB dependencies, the share of critical devices with explicit allowlists, and the amount of east-west traffic that is blocked by design rather than by emergency response.

Q: Who is accountable when an industrial network control fails to protect plant-floor devices?

A: Accountability sits with the teams that selected and governed the control model, not only the operators who deploy it. OT security, network engineering, and identity governance all share responsibility when a design assumes 802.1X or VLAN redesign can protect devices that cannot support those mechanisms. Frameworks such as IEC 62443 and NIST CSF help formalise that ownership.


Technical breakdown

Why 802.1X and supplicants do not fit OT devices

802.1X is built around an endpoint supplicant proving identity to a switch through an authentication server, usually RADIUS. That model works for managed IT devices with modern operating systems and certificate support. It fails for PLCs, RTUs, HMIs, drives, and sensors that were never designed to run authentication clients. When vendors fall back to MAC Authentication Bypass, the control becomes device recognition, not real authentication. MAC addresses are easy to clone, so the enforcement model quietly reverts to implicit trust.

Practical implication: Treat MAB as a weak fallback, not a control objective, and inventory which OT assets still depend on it.

Why VLAN-centric NAC creates operational risk in industrial networks

Traditional NAC often ties access decisions to VLAN assignment, which means security policy depends on network topology. In OT, re-VLANing can change IP addresses, break PLC-to-HMI communication, and trigger production downtime. That creates a structural mismatch between access-control design and operational continuity. The problem is not only scale but brittleness: every ACL, routing rule, and zone change increases the chance of interrupting a live process. In a plant, security controls must follow device identity, not force the network to reshape itself around the control plane.

Practical implication: Use segmentation methods that preserve existing addressing and communication paths wherever possible.

How identity-based microsegmentation maps better to OT policy

Identity-based microsegmentation assigns policy to the device itself, not to the port or VLAN it uses at any moment. That lets teams classify a PLC by role, manufacturer, and communication pattern, then allow only the protocols and peers it actually needs. This aligns far better with zone-and-conduit thinking from IEC 62443 than does port-based NAC. The key architectural shift is that policy follows the identity across the network, which reduces dependency on supplicants, agents, and re-IP projects while improving east-west control.

Practical implication: Model OT policy around device identity and permitted communications, then enforce it with existing switching infrastructure.


Threat narrative

Attacker objective: The attacker’s objective is to gain trusted access to industrial assets and move laterally into systems that can affect production or safety.

  1. Entry occurs when unmanaged OT devices are admitted through MAC-based bypass or other weak fallbacks after 802.1X fails.
  2. Escalation happens when an attacker spoofs or reuses a device MAC address to inherit access that was meant to be restricted.
  3. Impact follows when the compromised device reaches plant-floor systems that lack granular east-west segmentation, enabling lateral movement or process disruption.

NHI Mgmt Group analysis

OT access control is an NHI governance problem as much as a network problem. Industrial devices behave like persistent machine identities, yet many environments still govern them with controls designed for human logins and managed endpoints. That mismatch is why MAB, static VLANs, and manual exceptions keep reappearing. The practical conclusion is that OT programmes need identity-aware governance for devices, not only perimeter admission checks.

MAC-based fallback creates a false sense of control. Once MAC Authentication Bypass becomes the default for unsupported assets, the organisation has shifted from authentication to device labelling. That is a weak trust boundary because the label can be cloned, reused, or misapplied. The real governance gap is not that OT devices are unusual, but that the control model stops being verifiable when supplicants are absent. Practitioners should treat any large MAB population as a risk signal, not an implementation detail.

Identity-based microsegmentation is the more realistic control model for industrial environments. The article’s core lesson is that enforcement should follow device identity and communication intent, not a switch port or VLAN. That aligns with zero trust principles and with OT zone-and-conduit thinking. For IAM and PAM teams, the intersection is clear: unmanaged devices still need lifecycle-aware policy, even when they cannot participate in traditional authentication flows.

Deployment friction is itself part of the security problem. If a control takes 12 to 18 months per site, coverage will lag the asset base and leave the highest-risk systems exposed longest. This is a governance debt issue, not simply an engineering delay. The organisation must choose controls that are operable at plant scale, or accept that partial coverage will persist indefinitely.

OT segmentation success will be measured by operational continuity, not policy elegance. Industrial access control only matters if it can be deployed without breaking production dependencies. The article points toward a market shift where teams will value agentless discovery, protocol awareness, and identity-centric enforcement over architectures that require re-IPing or broad network redesign. Practitioners should evaluate controls on whether they can protect legacy devices at speed.

What this signals

OT security programmes are moving toward identity-based enforcement because topology-based control does not scale to legacy devices. The practical shift is from admission control to policy that follows the asset wherever it connects, which is closer to how machine identity is governed in other environments. For teams that already manage service accounts and workload identities, the lesson is familiar: unmanaged systems still need lifecycle-aware access boundaries.

As industrial estates fill with unmanaged devices, the governance boundary between NAC and identity management gets thinner. That means OT, IAM, and architecture teams need common language for device identity, access scope, and exception handling. The more a plant depends on fallback mechanisms, the more important it becomes to treat those fallbacks as temporary risk, not normal operations.

OT access control should be evaluated with the same discipline used for NHI programmes: visibility first, then scope, then lifecycle control. Without that sequence, segmentation becomes another partial control that looks comprehensive from a distance but fails where the asset mix is least forgiving.


For practitioners

  • Audit the MAB footprint Identify every OT segment where MAC Authentication Bypass is the default path to access, then rank those devices by criticality and ease of spoofing. Use the list to decide where identity-based controls must replace implicit trust first.
  • Map device identity to allowed communications Document each PLC, HMI, sensor, and controller by role, Purdue level, and required protocols such as PROFINET, EtherNet/IP, or Modbus TCP. Build policy from those communications rather than from switch location alone.
  • Minimise VLAN-dependent control changes Avoid access models that require re-IPing or large-scale VLAN redesign in live plants. Prefer enforcement approaches that preserve existing network topology while tightening east-west restrictions around device identity.
  • Measure segmentation coverage by critical asset Track what percentage of plant-floor assets actually sit behind enforceable policy, not how many sites have a NAC project in progress. A high deployment count with weak coverage is a governance failure.

Key takeaways

  • Traditional NAC struggles in OT because many industrial devices cannot participate in 802.1X-based authentication or agent-driven posture checks.
  • The evidence points to a structural control gap, not a minor deployment issue, with only 0.3% of OT wireless networks using enterprise-grade 802.1X and 65% of connected assets being non-traditional IT devices.
  • Identity-based microsegmentation is the more realistic path for industrial environments because it preserves operations while enforcing policy around device identity and allowed communications.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0008 , Lateral Movement; TA0040 , ImpactThe article discusses industrial lateral movement and production disruption.
NIST CSF 2.0PR.AC-4Industrial access control and least privilege map directly to PR.AC-4.
NIST SP 800-53 Rev 5AC-4Information flow enforcement is central to OT segmentation and policy containment.
NIST Zero Trust (SP 800-207)The article argues for identity-based policy aligned with zero trust principles.
CIS Controls v8CIS-12 , Network Infrastructure ManagementThe article focuses on segmentation architecture and network control in OT.

Map OT access paths to ATT&CK tactics and prioritise controls that block lateral movement before impact.


Key terms

  • 802.1X: 802.1X is a port-based network access control standard that authenticates a device before it joins a network. In OT environments, it often fails because many controllers and sensors cannot run the required supplicant or certificate workflow, forcing organisations into weaker fallback methods.
  • MAC Authentication Bypass: MAC Authentication Bypass is a fallback access method that identifies a device by its MAC address when normal authentication is unavailable. It provides convenience for unsupported equipment, but it is not strong authentication because MAC addresses can be spoofed and reused with little effort.
  • Identity-based Microsegmentation: Identity-based microsegmentation assigns access policy to a device’s identity and communication intent rather than to its network location. In industrial environments, it lets teams control exactly which systems a PLC, HMI, or controller may reach without forcing VLAN redesign or re-IPing.
  • Purdue Model: The Purdue Model is a layered reference architecture for industrial control systems that separates enterprise, supervisory, control, and field layers. It helps teams reason about trust boundaries in OT, but it does not by itself solve enforcement, which is why segmentation design still matters.

What's in the full article

Elisity's full post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step comparison of traditional NAC, network segmentation, and identity-based microsegmentation in OT environments.
  • Practical evaluation criteria for OT access control platforms, including device support, deployment speed, and protocol awareness.
  • Detailed guidance on how the enforcement model fits industrial protocols and existing switch infrastructure.
  • Real-world deployment considerations for plants that cannot tolerate re-IPing or broad VLAN redesign.

👉 Elisity's full post covers the OT failure modes, evaluation criteria, and microsegmentation comparison in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management through a practitioner-focused lens. It helps security and identity teams apply lifecycle control to machine identities and related access risks.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org