Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

IT/OT network segmentation: is your production boundary real?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Manufacturing ransomware has driven $17 billion in downtime across 858 incidents since 2018, while mature microsegmentation is associated with 71.4% faster breach containment and network segmentation is one of 12 controls insurers evaluate, according to Infosecurity Magazine, the European Journal of Computer Science and Information Technology, and Marsh McLennan. The governance question is no longer whether to segment, but whether production can stay online when IT is compromised.

NHIMG editorial — based on content published by Elisity: IT/OT network segmentation and manufacturing ransomware containment

By the numbers:

Questions worth separating out

Q: What breaks when IT and OT networks are not segmented?

A: When IT and OT are not segmented, ransomware can move from business systems into production systems, and defenders often cannot prove where compromise stops.

Q: Why does IT/OT segmentation matter during ransomware events?

A: IT/OT segmentation matters because it creates an enforceable boundary that limits lateral movement and preserves a clean production zone even when corporate IT is compromised.

Q: How do security teams know whether segmentation is actually working?

A: Security teams should verify segmentation with live traffic evidence, not just diagrams or firewall intentions.

Practitioner guidance

  • Define and test the IT-to-OT boundary Document every permitted path between business IT and production OT, then remove any cross-zone communication that is not required for an explicit production process.
  • Assign identity to engineering access Require verified identity for engineering workstations and vendor maintenance sessions, and limit each one to the specific controllers or servers it needs.
  • Prebuild containment tiers for critical assets Create different isolation rules for email, ERP, SCADA, lab systems, and life-critical production lines so responders know what to preserve during an incident.

What's in the full article

Elisity's full article covers the operational detail this post intentionally leaves for the source:

  • Policy examples for IT-to-OT boundary enforcement across corporate networks and production controllers
  • How identity-based microsegmentation is implemented on existing switching infrastructure without production agents
  • Insurance and underwriting considerations, including how segmentation evidence affects risk discussions
  • Practical examples for isolating SCADA, lab, plasma line, vendor, and environmental systems

👉 Read Elisity's analysis of IT/OT network segmentation for manufacturing ransomware containment →

IT/OT network segmentation: is your production boundary real?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

IT/OT segmentation has become an availability control, not just a security control. The article shows that the real risk is not only malware spread, but forced operational shutdown when leaders cannot prove what is and is not affected. That shifts the governance conversation from perimeter defense to containment design. For manufacturers, the deciding question is whether the network can preserve production while isolating compromise.

A question worth separating out:

Q: Who should be accountable for IT/OT segmentation decisions?

A: Accountability should sit with both security and operations leadership because segmentation affects cyber risk and production continuity at the same time. The right owners are the people who understand the business process, the controllers, and the incident response trade-offs. If those groups are not aligned before an event, containment decisions will be made under pressure.

👉 Read our full editorial: IT/OT network segmentation is the ransomware containment line



   
ReplyQuote
Share: