Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

NAC for OT networks: why the plant floor still resists 802.1X


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Traditional NAC depends on 802.1X, supplicants, and VLAN-centric enforcement, but industrial devices such as PLCs, HMIs, and sensors often cannot support those assumptions, leaving most OT assets on weaker fallbacks like MAC Authentication Bypass, according to Elisity. The result is an access-control model that looks complete in IT but leaves the plant floor governed by implicit trust.

NHIMG editorial — based on content published by Elisity: Best Network Access Control for Industrial and OT Networks [2026]

By the numbers:

Questions worth separating out

Q: What breaks when traditional NAC is used on OT networks?

A: Traditional NAC breaks when OT devices cannot run 802.1X supplicants, cannot accept agents, or cannot tolerate VLAN-driven redesigns.

Q: Why do OT devices complicate zero trust architecture?

A: OT devices complicate zero trust because many of them are persistent, unmanaged, and unable to participate in normal identity proofs.

Q: How do security teams know whether OT segmentation is actually working?

A: Security teams should measure whether policy is enforced around the assets that matter most, not whether a NAC rollout is complete on paper.

Practitioner guidance

  • Audit the MAB footprint Identify every OT segment where MAC Authentication Bypass is the default path to access, then rank those devices by criticality and ease of spoofing.
  • Map device identity to allowed communications Document each PLC, HMI, sensor, and controller by role, Purdue level, and required protocols such as PROFINET, EtherNet/IP, or Modbus TCP.
  • Minimise VLAN-dependent control changes Avoid access models that require re-IPing or large-scale VLAN redesign in live plants.

What's in the full article

Elisity's full post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step comparison of traditional NAC, network segmentation, and identity-based microsegmentation in OT environments.
  • Practical evaluation criteria for OT access control platforms, including device support, deployment speed, and protocol awareness.
  • Detailed guidance on how the enforcement model fits industrial protocols and existing switch infrastructure.
  • Real-world deployment considerations for plants that cannot tolerate re-IPing or broad VLAN redesign.

👉 Read Elisity's analysis of best NAC for industrial and OT networks →

NAC for OT networks: why the plant floor still resists 802.1X?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

OT access control is an NHI governance problem as much as a network problem. Industrial devices behave like persistent machine identities, yet many environments still govern them with controls designed for human logins and managed endpoints. That mismatch is why MAB, static VLANs, and manual exceptions keep reappearing. The practical conclusion is that OT programmes need identity-aware governance for devices, not only perimeter admission checks.

A question worth separating out:

Q: Who is accountable when an industrial network control fails to protect plant-floor devices?

A: Accountability sits with the teams that selected and governed the control model, not only the operators who deploy it. OT security, network engineering, and identity governance all share responsibility when a design assumes 802.1X or VLAN redesign can protect devices that cannot support those mechanisms. Frameworks such as IEC 62443 and NIST CSF help formalise that ownership.

👉 Read our full editorial: Why NAC breaks down on industrial networks and OT devices



   
ReplyQuote
Share: