By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: AppgatePublished August 14, 2025

TL;DR: Operational technology environments need identity-aware, protocol-aware Zero Trust because VPNs and static perimeters over-provision access and leave persistent tunnels that attackers can exploit, according to Appgate. The governance challenge is not whether Zero Trust applies to OT, but whether access policy, segmentation, and operational resilience are designed for legacy systems and human workflows.


At a glance

What this is: This is an analysis of why OT security needs adapted Zero Trust controls, with identity-based access, micro-segmentation, and phased rollout as the core findings.

Why it matters: It matters to IAM, PAM, and security architecture teams because OT access patterns still rely on broad trust, while modern governance needs to scope who or what can reach critical systems without disrupting operations.

👉 Read Appgate's white paper on a Zero Trust blueprint for OT security


Context

Operational technology security is fundamentally different from enterprise IT security because the systems were built for uptime, longevity, and specialised protocols rather than modern identity controls. In practice, that means badge readers, PLCs, SCADA platforms, and HVAC controllers often sit behind broad network trust and static access paths that are hard to govern safely.

The identity angle is real here because OT access is still mediated through credentials, tunnels, and administrative pathways, even when the assets themselves are not human-facing. That creates a governance problem for IAM and PAM teams: how to replace persistent, over-provisioned access with policy that respects operational constraints instead of breaking them.


Key questions

Q: What breaks when OT remote access relies on VPNs and broad network trust?

A: OT remote access breaks down when a single connection grants too much reach. Broad tunnels let users or vendors move laterally, ignore task boundaries, and bypass asset-level controls. In critical environments, that increases the chance of disruption, especially when the network is flat or the protocol stack is legacy. The safer pattern is scoped, identity-based access to specific systems only.

Q: When should organisations prioritise Zero Trust for OT over perimeter upgrades?

A: Organisations should prioritise Zero Trust when OT access is still mediated by persistent tunnels, shared paths, or third-party connections. Perimeter upgrades do not fix broad trust once an attacker is inside. If the goal is to reduce blast radius without disrupting operations, explicit access policy and segmentation should come before another VPN refresh.

Q: What do security teams get wrong about segmentation in OT environments?

A: Teams often assume segmentation is just a network design exercise. In OT, segmentation must reflect protocol behaviour, device dependencies, and production workflows. If the policy ignores how industrial systems actually communicate, it either blocks essential traffic or leaves exceptions that recreate the original exposure. Effective segmentation is operational design, not only topology management.

Q: Who is accountable when OT Zero Trust changes disrupt production workflows?

A: Accountability sits with the programme owners who approve the operating model, not only with network or OT engineering teams. If Zero Trust changes affect production, the issue is usually weak change governance or missing stakeholder alignment. Resilience, access policy, and operational sign-off need to be owned together so security controls do not become a source of avoidable downtime.


Technical breakdown

Why VPN-based OT access creates a standing trust problem

Traditional VPNs extend a user or administrator into a network segment for the duration of the session, which is convenient but weak for OT governance. Once inside, that connection often carries more reach than the task requires, especially in environments where legacy protocols and non-federated systems limit fine-grained enforcement. The result is a standing trust problem: access is granted broadly, then defended with perimeter assumptions that no longer hold. In OT, the issue is amplified because availability matters as much as confidentiality, so controls must avoid latency, outage risk, and operational disruption.

Practical implication: replace broad remote access paths with identity-based, task-scoped access that can be constrained by asset, protocol, and operator role.

How micro-segmentation and protocol awareness change OT control

Micro-segmentation reduces lateral movement by separating communications into small, policy-defined paths rather than allowing flat network reach. In OT, that only works when the control plane understands industrial protocols and topology, because Modbus, BACnet, and similar traffic cannot be treated like ordinary office traffic. Protocol-aware enforcement lets teams express policy around devices, workflows, and dependencies instead of only subnets. That matters because the security objective is not full isolation. It is controlled connectivity that preserves process continuity while denying unnecessary access.

Practical implication: map critical OT dependencies first, then enforce segmented policies only after protocol-aware simulation confirms the rules will not interrupt operations.

Why phased Zero Trust programmes matter more in OT than in IT

The article’s four-phase blueprint reflects a basic OT reality: security change must be sequenced around business continuity. Assessment identifies constraints, strategy aligns sponsors and operating model, roadmap separates policy design from capability build-out, and execution uses incremental rollout with measurable impact. This is not just project management. It is governance under constraint. OT programmes fail when controls are introduced as abstract compliance targets rather than operational changes that plant teams can sustain.

Practical implication: build OT Zero Trust in phases, with explicit operational metrics such as reduced over-provisioning and fewer help desk exceptions.


Threat narrative

Attacker objective: The objective is to gain broad, durable access into OT networks so operations can be disrupted, manipulated, or held at risk for extortion or sabotage.

  1. Entry often begins through remote access paths that were created for convenience, such as VPNs or third-party connections with broad internal reach.
  2. Escalation occurs when attackers or insiders move from that entry point into multiple OT assets because the environment lacks granular, identity-based segmentation.
  3. Impact follows when broad trust lets an intruder disrupt operations, manipulate controllers, or expand a network event into downtime and safety risk.

NHI Mgmt Group analysis

OT identity governance fails when remote access is treated as a network problem rather than an access problem. The article shows why VPNs and static perimeters are structurally weak in environments that depend on persistent industrial systems and third-party support. For IAM and PAM teams, the lesson is that OT governance must scope who or what can connect, for how long, and to which protocol or asset. The practitioner conclusion is simple: eliminate standing reach before you try to harden the perimeter.

Protocol-aware segmentation is the named control gap that separates workable OT Zero Trust from generic segmentation theatre. OT traffic is not interchangeable with office traffic, and a policy model that ignores industrial protocol behaviour will either over-block or over-permit. That creates a governance debt that operations teams eventually pay for through exceptions, shadow access, and manual bypasses. The practitioner conclusion is to make protocol awareness a design requirement, not an optional enhancement.

OT modernisation succeeds when policy design and operational resilience are co-engineered. The article is right to separate assessment, strategy, roadmap, and execution because OT access controls fail when they are deployed without change management and production constraints in mind. This is where identity intersects with resilience: access policy is only useful if it can be enforced during outages, maintenance windows, and third-party support cycles. The practitioner conclusion is to treat resilience as part of the access control model.

Zero Trust for OT is now a governance baseline, not a future architecture discussion. The article reflects a broader market shift away from broad trust and toward explicit, measurable access decisions for critical systems. That shift aligns with how security teams now think about NHI and privileged access in other domains: scope, duration, and enforcement matter more than network location. The practitioner conclusion is to re-evaluate any OT programme that still depends on persistent tunnels or implicit network trust.

OT access controls must account for human operators and non-human pathways at the same time. Many OT environments blend engineers, vendors, service accounts, and embedded systems in one operational plane, so identity governance cannot stop at user authentication. The practitioner conclusion is to inventory all access paths, including third-party and machine-mediated ones, before defining the trust boundary.

What this signals

OT programmes are now converging on the same governance pattern seen in machine identity security: persistent access creates avoidable blast radius. That is why identity-aware segmentation and task-scoped access should be treated as resilience controls, not just security controls.

Standing OT reach is the real governance debt: any programme that still depends on broad tunnels, shared admin paths, or permanent vendor connectivity is carrying risk that cannot be reduced by monitoring alone. The practical shift is toward explicit access boundaries backed by policy enforcement.

For identity teams, the lesson is that OT cannot be modernised by copying office IAM patterns into industrial networks. Access design has to account for non-federated systems, maintenance cycles, and recovery requirements, which makes governance as important as enforcement.


For practitioners

  • Replace persistent VPN reach with scoped remote access Constrain OT remote access to the specific asset, protocol, and task required. Avoid broad network extension that lets a user move laterally once connected. Use short-lived access windows and explicit approvals for higher-risk systems.
  • Build a protocol-aware segmentation map Document which OT protocols and devices must communicate, then segment around those dependencies rather than subnets alone. Validate the design in simulation before enforcing policy so you do not break safety or availability.
  • Separate policy design from technical rollout Use a phased programme that first defines access policy for critical assets, then deploys the enabling controls. This reduces exception-driven implementation and keeps OT stakeholders involved in the change process.
  • Track over-provisioned access as an OT risk metric Measure how many OT accounts, vendor paths, and administrative sessions have more access than the job requires. Treat over-provisioning as a security and resilience issue, not just an audit finding.

Key takeaways

  • OT security fails when remote access is broad, persistent, and treated as a network exception rather than an identity decision.
  • The operational evidence points to protocol-aware segmentation, task-scoped access, and phased rollout as the controls that matter most.
  • Teams that still rely on VPN reach and implicit trust should rework access governance before they try to harden the perimeter again.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4OT access control and least privilege are central to the article's Zero Trust model.
NIST SP 800-53 Rev 5AC-4The article emphasises controlling information flow between systems and protocols.
NIST Zero Trust (SP 800-207)Section 3.1The article is fundamentally about applying Zero Trust principles to OT environments.
CIS Controls v8CIS-6 , Access Control ManagementThe article focuses on controlling remote access and reducing over-provisioned paths.
ISO/IEC 27001:2022A.8.20Network security controls are directly relevant to OT segmentation and access paths.

Apply Zero Trust principles to OT with explicit verification, least privilege, and continuous policy enforcement.


Key terms

  • Operational technology: Operational technology is the hardware and software that monitors or controls physical processes, such as manufacturing, utilities, building systems, and industrial automation. Its primary security challenge is not just confidentiality, but safe, continuous operation under strict uptime constraints.
  • Protocol-aware enforcement: Protocol-aware enforcement means applying access policy with understanding of the industrial traffic and device behaviour being protected. In OT, that includes recognising that different control protocols carry different operational risks and cannot be governed with generic office-network assumptions.
  • Micro-segmentation: Micro-segmentation divides a network into small, controlled communication paths so systems only talk where necessary. In OT, it reduces lateral movement and blast radius, but it only works when the policy mirrors real production dependencies and avoids operational disruption.
  • Standing trust: Standing trust is the condition where a user, vendor, or system connection is broadly trusted for longer than the immediate task requires. In critical environments, it becomes a governance problem because broad, persistent access is easier to abuse and harder to contain.

What's in the full article

Appgate's full white paper covers the operational detail this post intentionally leaves for the source:

  • A four-phase OT Zero Trust blueprint with assessment, strategy, roadmap, and execution steps.
  • Specific criteria for OT-ready access control, including protocol awareness, localized enforcement, and high availability.
  • Examples of how policy simulation can reduce disruption before enforcement begins.
  • The operational reasoning behind encrypted micro-segmentation in legacy industrial networks.

👉 The full Appgate white paper explains how to adapt access policy, segmentation, and rollout planning to OT constraints.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management through an identity-first lens. It helps security and IAM practitioners apply stronger access discipline across human, machine, and service accounts.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org