By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: IllumioPublished August 28, 2025

TL;DR: OT teams are facing a security transformation deficit as IT/OT convergence, hybrid environments, and legacy industrial systems expand the attack surface, with 58% of organisations hit by cyberattacks reporting operational stoppages, according to Illumio. Static perimeters and air-gapped assumptions no longer match modern OT reality, making continuous validation and segmentation the practical baseline.


At a glance

What this is: This is a vendor analysis of modern OT security, arguing that IT/OT convergence has outgrown air gaps and static perimeters.

Why it matters: It matters to IAM and security practitioners because OT resilience now depends on access boundaries, segmentation, and policy enforcement that can keep pace with hybrid operational environments.

By the numbers:

👉 Read Illumio's analysis of Zero Trust security for modern OT environments


Context

OT security has shifted from protecting isolated industrial networks to governing access across connected, software-defined environments. As factories and utilities converge with IT, cloud platforms, and virtualised gateways, the old assumption that separation alone reduces risk no longer holds.

For identity and access teams, the real issue is not just network segmentation but who and what can communicate across operational boundaries. In mixed IT, OT, and IoT estates, access governance becomes part of resilience, not just an IT control problem.


Key questions

Q: How should security teams segment OT networks without disrupting production?

A: Start with identity-based policy over existing infrastructure, not a forklift redesign. Map critical communications, define allowed east-west flows, and enforce those rules in a way that can be rolled back safely. The goal is to contain movement while preserving uptime, which is why brownfield plants need non-disruptive segmentation rather than brittle re-architecture.

Q: Why do air gaps and static perimeters fail in IT/OT convergence?

A: Air gaps and static perimeters fail because modern OT rarely stays isolated. Hybrid connectivity, remote administration, and virtualised gateways create new paths that traditional zone designs do not capture. Once those paths exist, attackers can traverse them laterally unless access policy, monitoring, and containment are updated to reflect the live environment.

Q: What breaks when OT containment cannot act on live telemetry?

A: When containment cannot act on live telemetry, detection becomes documentation rather than defence. Teams may see suspicious protocol behaviour or unexpected external connections, but they cannot narrow traffic or isolate the device before the event spreads. In OT, that delay can translate into process disruption, so enforcement must be linked to monitoring.

Q: Which frameworks help teams evaluate Zero Trust metrics and access governance?

A: NIST SP 800-207 is the best anchor for Zero Trust architecture, while the OWASP Non-Human Identity Top 10 helps teams evaluate identity sprawl, privilege, and secret handling. For human authentication, NIST SP 800-63 is relevant. Together they help teams align dashboard metrics with the actual trust decisions the programme is meant to control.


Technical breakdown

Why the Purdue Model breaks under IT/OT convergence

The Purdue Model was built for environments where industrial control systems could be separated into stable layers with limited external connectivity. That assumption weakens when organisations add containerised gateways, SASE, IaaS, and PaaS integrations, because traffic paths multiply and trust boundaries become dynamic. The model can still inform segmentation, but it no longer describes the full operating reality of modern OT. Security teams now need policy that follows the asset and the workload, not only the network zone.

Practical implication: map where legacy zone boundaries no longer reflect actual traffic flows and revise segmentation rules accordingly.

How closed-loop segmentation changes OT containment

Closed-loop segmentation links visibility and enforcement so that detection signals can change access decisions quickly. In OT settings, that matters because dwell time and lateral movement can disrupt physical processes, not just data systems. If passive monitoring detects suspicious protocol activity or unexpected external communications, the control plane can narrow communication paths or isolate affected devices without waiting for manual review. The goal is to shrink the blast radius while preserving operational uptime.

Practical implication: integrate monitoring and enforcement so suspicious OT communications can trigger immediate containment.

Agentless control for fragile industrial assets

Many OT devices cannot tolerate traditional endpoint agents, deep inspection, or frequent software changes. Agentless approaches use passive telemetry and network enforcement instead, which is safer for PLCs, RTUs, and SCADA controllers that must remain stable. This is an architecture choice as much as a tooling choice: the more fragile the asset, the more the control strategy has to avoid touching the endpoint itself. That constraint is central to production-grade OT security.

Practical implication: prefer agentless visibility and enforcement for legacy assets that cannot safely host security software.


Threat narrative

Attacker objective: The attacker aims to move from exposed connectivity into operational disruption, ransomware impact, or business downtime.

  1. Entry occurs when IT/OT convergence exposes industrial assets through hybrid links, shared services, or virtualised gateways that were never designed for broad external reach.
  2. Escalation follows as an attacker moves laterally across SCADA, DCS, MES, or ERP-connected systems through overly broad trust relationships and weak segmentation.
  3. Impact comes when the attacker reaches operational systems that can halt processes, disrupt production, or force downtime with direct business and safety consequences.

NHI Mgmt Group analysis

Static perimeter security is the wrong control model for modern OT. Once OT environments include cloud connectivity, virtualised gateways, and shared services, separation by zone alone stops being sufficient. Security decisions have to follow runtime communication patterns, not just plant diagrams. Practitioners should treat segmentation as a live governance problem, not a one-time network design choice.

The security transformation deficit is the real OT risk. Modernisation often adds complexity faster than the control stack can absorb it, leaving organisations with connected systems and legacy assumptions. That gap is especially dangerous where the business impact includes downtime, revenue loss, and physical process interruption. Practitioners should measure whether their security investment pace matches their OT architecture change rate.

OT access governance: the boundary between network control and identity control is collapsing. When workloads, devices, and users all participate in industrial traffic flows, access policy becomes a shared responsibility across IAM, PAM, network security, and operations. That means privilege scope, communication rights, and device trust all need explicit governance. Practitioners should align OT controls with identity-aware segmentation and least-privilege principles.

Closed-loop containment is the practical Zero Trust test for OT. Detection that cannot influence enforcement is too slow for environments where every minute of dwell time can translate into production loss. The important question is whether suspicious activity can trigger a policy change before the event becomes a safety or availability incident. Practitioners should validate that their containment path is automated, auditable, and safe for fragile systems.

What this signals

OT modernisation is turning access control into a resilience issue. As hybrid connectivity expands, teams need to think beyond perimeter design and treat communication rights as an operational dependency. For identity-adjacent programmes, that means clearer ownership for machine and service access across industrial environments.

Security teams should expect more demand for evidence that segmentation can change with risk. Static policies are increasingly hard to defend when the environment itself changes continuously. The control question is whether an organisation can prove, before an incident, that its containment path is both automated and safe for production systems.


For practitioners

  • Map OT communication paths to actual runtime behavior Inventory how SCADA, DCS, MES, ERP, cloud services, and gateways really talk to each other, then compare that picture with your documented zone model. Where the two diverge, update segmentation logic before a change or incident forces the issue.
  • Build containment rules that can act on suspicious OT telemetry Tie passive monitoring to enforcement actions such as traffic narrowing, device isolation, or protocol-specific restriction. Test those actions in controlled scenarios so the response remains safe for PLCs, RTUs, and other fragile devices.
  • Treat OT modernisation as a governance programme Track whether each new gateway, integration, or cloud link comes with an access policy, an owner, and a rollback path. If the environment is changing faster than policy can be updated, you have created a security transformation deficit.
  • Validate audit readiness before the next plant change Use policy simulations, pre-change checks, and immutable logs to show what will happen before you alter industrial traffic. That helps operations teams approve changes with less fear and gives compliance teams evidence for frameworks such as NIST, IEC 62443, and ISO 27001.

Key takeaways

  • Modern OT environments have outgrown the air-gap and perimeter assumptions that once made industrial security simpler.
  • The business cost of OT compromise is already measurable, with operational stoppages, revenue loss, and brand damage showing up in real incident data.
  • Practitioners should connect visibility, segmentation, and containment so that policy can change as fast as the environment does.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4OT segmentation and least privilege align with controlling access pathways in hybrid industrial environments.
NIST SP 800-53 Rev 5AC-4Access enforcement is central to separating critical OT traffic from broader enterprise connectivity.
CIS Controls v8CIS-12 , Network Infrastructure ManagementNetwork segmentation and boundary control are core to containing lateral movement in OT environments.
ISO/IEC 27001:2022A.8.20Network security controls support policy enforcement across hybrid OT connectivity.
NIST Zero Trust (SP 800-207)Zero Trust principles fit the article's continuous validation and adaptive policy model for OT.

Apply CIS-12 to document, segment, and monitor industrial network boundaries and allowed communications.


Key terms

  • Operational Technology: Operational technology is the hardware and software that monitor or control physical processes, such as factories, utilities, and industrial automation. Unlike standard IT, OT often prioritises availability and safety, so security controls must avoid disrupting sensitive equipment while still limiting misuse and lateral movement.
  • IT/OT Convergence: The integration of enterprise information systems with industrial operations so data, users and workflows move across both environments. In manufacturing, convergence improves visibility and efficiency, but it also forces identity controls to work across systems that were historically governed very differently.
  • Closed-Loop Segmentation: Closed-loop segmentation is a model where detection and enforcement work together so that suspicious activity can quickly change allowed communications. In OT, this matters because the response must be fast enough to reduce blast radius, yet stable enough to preserve production systems and safety requirements.
  • Security Transformation Deficit: Security transformation deficit describes the gap that appears when modernisation outpaces the controls needed to protect it. In OT, that means new gateways, cloud links, and hybrid services arrive faster than segmentation, governance, and containment can be updated.

What's in the full article

Illumio's full article covers the operational detail this post intentionally leaves for the source:

  • How the Illumio and Armis integration maps IT, OT, and IoT visibility into segmentation decisions.
  • The specific behaviour signals Armis uses to flag suspicious devices and communications before enforcement kicks in.
  • Examples of how policy simulation and pre-change checks support regulated industrial change management.
  • The VEN/NEN architecture details behind agentless enforcement for fragile OT assets.

👉 The full Illumio article covers the Armis and Illumio workflow, audit-ready checks, and OT containment details.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity. It helps security and identity practitioners translate governance principles into controls that fit real enterprise environments.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org