Detection tools tell you an attack is happening, but they do not stop an attacker from spreading once access is established. OT and CPS environments need segmentation because many systems cannot tolerate broad outages, so access pathways must be constrained in advance. The right model combines visibility with enforced isolation so compromise stays local.
Why This Matters for Security Teams
OT and CPS teams already use detection for visibility, but visibility alone does not limit blast radius. In environments where uptime, safety, and physical process continuity matter, a lateral move can turn a single foothold into plant-wide disruption. Segmentation is what constrains that movement before alarms are even triggered, aligning with the broader resilience goals described in the NIST Cybersecurity Framework 2.0.
This is especially important when identity and access paths are shared across engineering workstations, remote support channels, and vendor connections. NHIMG research on the Ultimate Guide to NHIs shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is a useful reminder that OT compromise often starts with credentials, not malware alone. In practice, many security teams discover the need for segmentation only after detection tools have already logged repeated east-west movement and process interference.
How It Works in Practice
Segmentation in OT and CPS is not just about splitting networks into zones. It is about defining which assets, protocols, and identities are allowed to communicate, then enforcing those rules with technical controls that do not depend on perfect detection or human response. The goal is to make the environment fail closed when an attacker or misconfiguration tries to move beyond an approved path.
Current guidance from NIST Cybersecurity Framework 2.0 supports layered protection and containment, which in OT typically means cell-and-zone design, industrial firewalls, allowlisting, one-way gateways where appropriate, and tightly controlled remote access. Detection tools still matter, but they work best when they are paired with enforced boundaries that reduce the amount of traffic they must inspect.
- Separate safety-critical controllers, engineering assets, historian systems, and business IT connections into distinct trust zones.
- Restrict protocols to known-good flows rather than allowing broad subnet connectivity.
- Limit vendor and maintenance access to time-bound, monitored paths with strong authentication.
- Use identity controls for service accounts and machine-to-machine access, because OT environments often rely on non-human credentials that are easy to overextend.
- Test segmentation changes against process availability so security controls do not interrupt control loops or failover logic.
NHIMG’s NHI Lifecycle Management Guide is relevant here because many OT exposures now involve long-lived service credentials, remote tooling, and third-party integrations that operate like NHIs. Segmentation reduces the chance that one exposed credential becomes a route into the wider operational environment. These controls tend to break down when flat networks, legacy PLC dependencies, or unmanaged vendor tunnels force exceptions that create hidden lateral paths.
Common Variations and Edge Cases
Tighter segmentation often increases operational overhead, requiring organisations to balance containment against maintenance complexity and uptime risk. That tradeoff is real in brownfield plants, critical infrastructure, and hybrid CPS estates where some legacy devices cannot support modern authentication or inline inspection.
There is no universal standard for this yet, but current guidance suggests adapting segmentation to the process dependency model rather than applying an IT-only perimeter. For example, safety systems may need stricter isolation than telemetry collectors, while remote service access may need temporary exceptions with compensating controls. In regulated environments, this is also where governance and exception management become as important as packet filtering.
The practical edge cases are the ones where detection creates false confidence: engineers assume they will see malicious movement early enough to respond, but OT response windows are often too short and too operationally constrained. That is why segmentation should be treated as a resilience control, not a compliance checkbox. NHIMG’s research on Top 10 NHI Issues is a useful parallel because it highlights how excess privilege and weak lifecycle governance amplify risk across machine identities as well as industrial access paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the technical controls, and NIS2 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-5 | Segmenting OT/CPS limits network pathways and lateral movement. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero trust supports enforced boundaries instead of implicit network trust. |
| OWASP Non-Human Identity Top 10 | NHI-07 | Machine credentials often enable the spread that segmentation should contain. |
| NIS2 | Critical infrastructure operators must show resilient network and access controls. | |
| NIST SP 800-63 | AAL2 | Strong authentication helps reduce abuse of remote support and vendor access. |
Document segmentation, remote access, and incident containment as part of operational resilience.
Related resources from NHI Mgmt Group
- Why do mobile apps need PKCE even when they already use an identity provider?
- Why do identity teams miss value in tools they already own?
- Why do AI tools create shadow governance risk even when they improve productivity?
- Why do sysadmin tools create identity governance risk even when they improve efficiency?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org