IT/OT segmentation matters because it creates an enforceable boundary that limits lateral movement and preserves a clean production zone even when corporate IT is compromised. Without that boundary, teams may have no option except to stop production while they investigate. With it, responders can isolate the IT side and keep essential operations running.
Why This Matters for Security Teams
IT/OT segmentation is not just a network design preference during ransomware events. It is the control that determines whether an incident stays contained to business systems or crosses into production systems that run plants, utilities, logistics, or medical operations. Current guidance from the ENISA Threat Landscape and incident reporting across critical sectors both point to the same failure pattern: once attackers can pivot from corporate IT into OT, response options shrink fast.
That boundary matters even more when identity systems are involved, because ransomware crews often use valid credentials, remote access tools, or compromised non-human identities to move laterally before payload deployment. NHIMG research on MGM Resorts Breach 2023 - Scattered Spider and Caesars Entertainment Breach 2023 - Scattered Spider shows how access abuse can turn a single intrusion into broad operational disruption. In practice, many security teams discover the value of segmentation only after production integrity has already been put at risk.
How It Works in Practice
Effective IT/OT segmentation creates separate trust zones, strict routing controls, and monitored choke points between enterprise systems and operational assets. The goal is not absolute isolation in every environment, but controlled connectivity with explicit business justification. That usually means firewalls with deny-by-default rules, industrial DMZs, tightly governed jump hosts, and one-way or protocol-restricted flows where feasible. NIST guidance on boundary protection and zero trust is useful here, but OT environments need stronger change control and deeper asset awareness than typical enterprise networks. See NIST Cybersecurity Framework and CISA Zero Trust Maturity Model for the control logic that underpins this approach.
Segmentation only works when responders already know which pathways must stay available during an event. That requires documenting dependencies, remote maintenance paths, service accounts, vendor access, and backup or historian flows before an incident. It also requires identity controls, because the cleanest network boundary can still be crossed by stolen credentials or over-privileged service identities. NHIMG data from the Ultimate Guide to Non-Human Identities shows that 97% of NHIs carry excessive privileges and only 5.7% of organisations have full visibility into service accounts, which makes lateral movement easier than many operators expect.
- Segment by function, not just by VLAN, so engineering, safety, and production systems have distinct trust assumptions.
- Restrict OT administration to named jump paths, logged sessions, and time-bound access.
- Separate backup infrastructure and credentials so ransomware cannot encrypt both production and recovery paths at once.
- Test isolation procedures during exercises, not during the first live incident.
These controls tend to break down when flat legacy networks, unsupported controllers, or ad hoc vendor tunnels make it impossible to enforce consistent policy at the boundary.
Common Variations and Edge Cases
Tighter segmentation often increases operational friction, requiring organisations to balance resilience against downtime risk, vendor access, and maintenance latency. That tradeoff is real in brownfield plants, distributed utilities, and highly automated logistics sites where downtime windows are narrow and equipment is old.
Best practice is evolving for environments where OT cannot be fully modernised. In those cases, current guidance suggests compensating controls: stronger monitoring at the IT/OT boundary, allow-listed protocols, MFA for remote access, and explicit break-glass procedures with after-the-fact review. For identity-heavy attack paths, this is where a ZTNA or PAM layer can help, but only if service accounts, certificates, and API keys are governed as rigorously as human access. NHIMG has consistently shown that identity compromise is a common precondition for ransomware spread, especially when secrets are stored outside hardened vaults or remain valid long after compromise.
Sector context also matters. In regulated critical infrastructure, segmentation is not only a technical control but part of resilience planning, incident reporting, and recovery assurance. Where business continuity depends on keeping a minimum OT footprint alive, the question is not whether isolation is perfect, but whether the design preserves safe operations while stopping IT-side contamination. That is the standard operators should test against.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the technical controls, and NIS2 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Segmentation depends on restricting access paths between trust zones. |
| NIST Zero Trust (SP 800-207) | SC-7 | Boundary protection is the core mechanism behind IT/OT isolation. |
| NIS2 | Critical infrastructure operators must demonstrate resilience and containment. | |
| NIST AI RMF | Identity-driven automation and AI-assisted response need governed trust boundaries. | |
| OWASP Non-Human Identity Top 10 | Non-human identities often provide the lateral movement path across segments. |
Document segmentation and recovery controls as part of operational resilience and incident readiness.
Related resources from NHI Mgmt Group
- How should security teams use data context during a ransomware incident?
- Why does non-human identity governance matter in ransomware response?
- Why does machine identity matter more in OT than in standard enterprise networks?
- What is the difference between OT network segmentation and identity-based access control?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org