Best Network Access Control (NAC) for Industrial & OT Networks [2026]
by Charlie Treadwell on Feb 28, 2026 11:31:13 PM
Last year I sat across the table from an OT Security Manager at a global manufacturer. His team had spent 14 months deploying a NAC solution across their production facilities. The IT side was done. Laptops, printers, phones, all enrolled and authenticating through 802.1X like the vendor promised.
Then I asked about the plant floor. He paused. "We got maybe 40% of the OT devices into the system," he said. "The rest can't run a supplicant. Some of them are running firmware from 2009. Our Siemens S7-300s, our Allen-Bradley ControlLogix PLCs, the HMIs on the packaging lines. None of them speak 802.1X. So we're using MAC Authentication Bypass for everything else, which basically means we're trusting MAC addresses." He knew what that meant. MAC addresses are trivially spoofable. His NAC project was technically complete, but the devices that actually needed protection were still running on implicit trust.
That conversation stuck with me because it's not an outlier. It's the pattern. I've heard versions of it from OT security teams in pharmaceuticals, energy, food and beverage, and automotive manufacturing. The story is always the same: NAC works fine on the IT side and breaks down the moment it hits the plant floor.
This post is about why that happens, what the best NAC for industrial systems actually looks like, and how identity-based microsegmentation solves the problem NAC was never designed to address.
The OT NAC gap in numbers
- 0.3% of detected wireless networks in OT environments use enterprise-grade 802.1X authentication (Nozomi Networks, OT/IoT Cybersecurity Trends & Insights, February 2026)
- 65% of connected assets across organizations are non-traditional IT devices that lack standard authentication capabilities (Forescout, Riskiest Connected Devices of 2025)
- 119 ransomware groups targeted 3,300 industrial organizations in 2025, a 49% increase from the prior year (Dragos, 2026 OT Cybersecurity Year in Review)
- Only 32% of ICS/OT organizations invested in network segmentation in 2025, despite it being a foundational security control (SANS, State of ICS/OT Security 2025)
The scale of the problem
The numbers tell a story that any OT security professional already feels intuitively. According to Nozomi Networks' February 2026 OT/IoT Cybersecurity Trends report, only 0.3% of detected wireless networks in operational environments use enterprise-grade 802.1X authentication. That's not a typo. The vast majority of observed wireless networks rely on non-enterprise authentication methods such as pre-shared keys rather than certificate-based 802.1X. NAC's core mechanism, 802.1X port-based authentication, is essentially absent from the environments where access control matters most.
Meanwhile, the attack surface keeps expanding. IoT Analytics estimated 21.1 billion connected IoT devices globally as of the end of 2025, with industrial IoT representing one of the largest growth segments. Forescout's Vedere Labs analysis across 10 million devices found that 65% of connected assets in organizations are now non-traditional IT devices. These are the cameras, PLCs, HMIs, sensors, badge readers, and building automation controllers that NAC was never architected to handle.
And adversaries have noticed. The Dragos 2026 OT Cybersecurity Year in Review tracked 119 ransomware groups targeting industrial organizations, up from 80 the previous year. More concerning, Dragos found that threat actors are moving beyond pre-positioning to actively mapping control loops and understanding how to manipulate physical processes. These aren't IT-focused attacks that accidentally spill into OT. They're targeting industrial systems deliberately.
Why traditional NAC fails in industrial and OT environments
I don't think NAC is a bad technology. It does what it was designed to do: authenticate managed IT endpoints using 802.1X, assign them to a VLAN, and enforce port-based access policies. The problem is that OT environments break every assumption NAC was built on. Here are the five architectural limitations I see over and over again.
1. 802.1X assumes every device has a supplicant
The foundation of NAC is 802.1X authentication, which requires a software supplicant on the endpoint. The supplicant communicates with the authenticator (the switch) and the authentication server (RADIUS) to prove the device's identity before granting network access.
Here's the thing: PLCs don't have supplicants. Neither do HMIs, RTUs, SCADA terminals, variable frequency drives, safety instrumented systems, or the thousands of sensors and actuators that make up a modern production environment. A Siemens S7-1500 running PROFINET doesn't have a certificate enrollment client. An Allen-Bradley ControlLogix communicating over EtherNet/IP wasn't designed to authenticate to a RADIUS server. These devices were built to control physical processes reliably, not to participate in enterprise authentication frameworks.
So NAC vendors offer MAC Authentication Bypass (MAB) as the fallback. MAB identifies devices by their MAC address, which is about as secure as identifying someone by their t-shirt color. MAC addresses can be spoofed in seconds. Any device that relies on MAB for access control is running on implicit trust, which is exactly the problem you bought NAC to solve.
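Because MAB admits a device on nothing more than its MAC address, the only control a defender has left is to check whether the MACs being admitted are consistent with what the asset inventory says they should be. The following script is an added example written for this post (it is not code from the post or from Elisity) that runs three such checks over constructed MAB session records and a constructed inventory: the same MAC authenticated on two switch ports at once, an inventory entry whose vendor disagrees with the MAC's OUI, and an admitted MAC with no inventory record at all. The OUI table is an illustrative assumption; a real deployment would load the IEEE registry.

```python
"""Review checks for MAB (MAC Authentication Bypass) sessions.

Added example for this post, not code from the post or from any vendor.
MAB admits a device because of its MAC address, so the most a defender
can do is watch for signs that an admitted MAC is not what it claims.
Inputs are constructed: session records shaped like a switch MAC table
or RADIUS accounting log, plus an inventory of what each MAC should be.
"""
import re
from collections import defaultdict

# Illustrative OUI-to-vendor table (first three octets). Assumption: a
# real deployment would load the IEEE registry instead of this dict.
OUI_VENDORS = {
    "00:1B:1B": "Siemens",
    "00:00:BC": "Rockwell Automation",
    "00:0C:29": "VMware",
}

# Constructed inventory: what each MAC is supposed to be.
INVENTORY = {
    "00:1B:1B:0A:0B:0C": {"name": "PLC-Line3", "vendor": "Siemens", "device_type": "PLC"},
    "00:1B:1B:0A:0B:0D": {"name": "HMI-Line3", "vendor": "Siemens", "device_type": "HMI"},
    "00:00:BC:11:22:33": {"name": "CLX-Packaging", "vendor": "Rockwell Automation", "device_type": "PLC"},
    # Inventory says Siemens HMI, but the OUI belongs to a VM vendor.
    "00:0C:29:AA:BB:CC": {"name": "HMI-Line4", "vendor": "Siemens", "device_type": "HMI"},
}

# Constructed MAB sessions: (MAC as the switch reported it, switch, port).
SESSIONS = [
    ("001b.1b0a.0b0c", "sw-plant-01", "Gi1/0/5"),
    ("001b.1b0a.0b0d", "sw-plant-01", "Gi1/0/6"),
    ("00-00-bc-11-22-33", "sw-plant-02", "Gi1/0/3"),
    ("00:0c:29:aa:bb:cc", "sw-plant-01", "Gi1/0/9"),
    # PLC-Line3's MAC appearing on a second switch at the same time.
    ("00:1B:1B:0A:0B:0C", "sw-plant-02", "Gi1/0/17"),
    # A MAC nobody inventoried.
    ("de:ad:be:ef:00:01", "sw-plant-02", "Gi1/0/20"),
]


def normalize_mac(mac: str) -> str:
    """Canonical AA:BB:CC:DD:EE:FF from colon, dash or Cisco dotted forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets of a normalized MAC."""
    return normalize_mac(mac)[:8]


def find_duplicate_macs(sessions):
    """MACs authenticated on more than one (switch, port) at once."""
    seen = defaultdict(set)
    for mac, switch, port in sessions:
        seen[normalize_mac(mac)].add((switch, port))
    return {mac: sorted(locs) for mac, locs in seen.items() if len(locs) > 1}


def find_oui_mismatches(inventory, oui_table):
    """Inventory entries whose recorded vendor disagrees with the MAC's OUI."""
    mismatches = []
    for mac, asset in inventory.items():
        vendor = oui_table.get(oui(mac))
        if vendor is not None and vendor != asset["vendor"]:
            mismatches.append((normalize_mac(mac), asset["vendor"], vendor))
    return mismatches


def find_unknown_macs(sessions, inventory):
    """Admitted MACs with no inventory record at all."""
    known = {normalize_mac(m) for m in inventory}
    return sorted({normalize_mac(mac) for mac, _, _ in sessions} - known)


def review_mab_sessions(sessions, inventory, oui_table):
    """Bundle the three checks into one findings dict for a review queue."""
    return {
        "duplicate_macs": find_duplicate_macs(sessions),
        "oui_mismatches": find_oui_mismatches(inventory, oui_table),
        "unknown_macs": find_unknown_macs(sessions, inventory),
    }


if __name__ == "__main__":
    for kind, items in review_mab_sessions(SESSIONS, INVENTORY, OUI_VENDORS).items():
        print(kind, items)
```

None of these findings proves a spoofed MAC: a duplicate can be a stale session, and an OUI mismatch can be a mislabelled inventory row. They are review triggers, which is the most MAB can give you, and the point of the post is that an identity-based model removes the need to lean on them.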
2. Agent-based approaches don't work on headless devices
Some NAC platforms try to compensate for the 802.1X gap by deploying software agents that perform posture assessment and continuous monitoring. This works on Windows laptops and managed servers. It doesn't work on a PLC running a proprietary RTOS, a 15-year-old HMI running Windows XP Embedded, or a BACnet controller managing your HVAC system.
You can't install an agent on most OT devices. Even when the operating system technically supports it, plant operations teams won't allow software installations on production equipment. Every change requires a maintenance window, a change management process, and often validation testing to ensure the agent doesn't interfere with the control process. For a facility with thousands of OT endpoints, that's not a deployment. It's a multi-year project that will never finish.
3. VLAN-centric enforcement requires network redesign
NAC's enforcement model is fundamentally tied to VLANs. When a device authenticates (or gets assigned via MAB), NAC places it in a VLAN that determines what it can access. This means your security architecture is inseparable from your network topology.
In OT environments, re-VLANing is genuinely dangerous. Changing a device's VLAN means changing its IP address, which can break communication between PLCs and their associated HMIs, historians, and engineering workstations. I've talked to plant engineers who have Purdue Level 2 networks that haven't been re-addressed in a decade because the production dependencies are too complex to untangle. When your segmentation strategy requires re-IPing a process control network, you've created a project that operations will block indefinitely. And rightfully so.
The result is VLAN sprawl. Organizations end up with hundreds of VLANs, each requiring ACLs, routing rules, and ongoing management. At scale, this becomes unmanageable. One misconfigured ACL can take down a production line.
4. IT-centric policy models don't map to OT
NAC policy models were designed around IT concepts: user identity, device compliance posture, endpoint health checks, OS patch level. OT security operates on a completely different set of requirements defined by frameworks like IEC 62443 and the Purdue Model.
IEC 62443 organizes industrial environments into zones and conduits: logical groupings of assets based on their security requirements and the communication flows between them. A proper OT security policy needs to understand that a PLC in Zone 3 should communicate with its HMI in Zone 2 over specific industrial protocols (PROFINET, EtherNet/IP, Modbus TCP), and that nothing else should be able to reach it. NAC doesn't think this way. NAC thinks in terms of authenticated versus unauthenticated, compliant versus non-compliant, and VLAN assignment. The gap between these models is architectural, not just operational.
5. Deployment timelines exceed OT patience
The SANS 2025 State of ICS/OT Security survey found that asset inventory and visibility was the number one technology investment area at 50% of respondents, while only 32% invested in network segmentation. Part of the reason for that segmentation gap is deployment complexity. Traditional NAC projects in industrial environments routinely take 12 to 18 months per site. For organizations with dozens or hundreds of facilities globally, that timeline means you're looking at years before you have meaningful access control across your OT footprint.
I've seen more NAC projects stall than succeed in OT environments. The pattern is predictable: successful IT pilot, enthusiastic expansion plan, slow realization that OT is a fundamentally different problem, and eventual plateau where the project is "done" but 60% or more of the devices that needed protection are still unprotected. If you've lived through this cycle, you're not alone. I wrote about the broader pattern in why NAC projects stall.
What to actually look for in OT network access control
After watching these failures play out, I've developed a set of criteria that I use when evaluating any access control approach for OT environments. These aren't abstract evaluation categories. They come directly from the failure modes I just described. If a solution can't clear these bars, it will hit the same walls that NAC does.
| Evaluation criteria | What to look for | Why it matters in OT |
|---|---|---|
| Agentless discovery and classification | Discovers and classifies all devices without requiring software agents or 802.1X supplicants | PLCs, HMIs, RTUs, and sensors can't run agents. Any approach that requires them will leave your most critical assets unprotected. |
| OT protocol awareness | Understands PROFINET, EtherNet/IP, Modbus TCP, OPC UA, BACnet, and other industrial protocols | Policies need to reflect actual OT communication patterns, not just IP/port combinations. Protocol-level context is essential for IEC 62443 zone enforcement. |
| Identity-based policy model | Assigns security policy to the device's identity (type, function, manufacturer, firmware, Purdue level), not to a port or VLAN | Devices move, ports get reassigned, VLANs change. Policy should follow the device's identity, not its network location. |
| Switch-native enforcement | Enforces policy using existing network switching infrastructure without requiring new hardware, overlay networks, or inline appliances | OT environments can't tolerate forklift upgrades or new failure domains. Your enforcement architecture needs to work with the switches you already have. |
| IEC 62443 alignment | Maps directly to IEC 62443 zones and conduits architecture, supporting zone-based policy groupings and conduit enforcement | IEC 62443 is the global standard for industrial cybersecurity. If your access control doesn't support zones and conduits natively, you're bolting compliance on after the fact. |
| Deployment speed | Can deploy to a new site in days or weeks, not months. No re-IPing, no VLAN redesign, no production downtime. | If deployment takes 12 months per site, you'll never achieve meaningful coverage. Speed isn't a convenience feature; it's a security requirement. |
| OT platform integration | Integrates with OT security platforms like Claroty, Nozomi Networks, and Armis for enriched device context | OT discovery platforms provide deep device intelligence (manufacturer, model, firmware version, known vulnerabilities). Your access control should consume and act on that context. |
NAC vs. network segmentation vs. microsegmentation for OT
Before going further, it's worth clarifying the three terms that get used interchangeably in too many OT security conversations. They're different architectures with different outcomes. Understanding the distinction matters when you're evaluating what will actually protect your industrial environment.
Network Access Control (NAC) answers the question: "Should this device be allowed on the network?" It's a gate at the door. Once a device is authenticated and admitted, NAC has limited ability to control what that device does inside the network. It doesn't prevent lateral movement between devices on the same VLAN. It doesn't restrict which OT protocols a device can use. In OT terms, NAC controls north-south admission but does almost nothing for east-west traffic.
Network segmentation (macro-segmentation) divides the network into broad zones using VLANs, firewalls, and ACLs. It's the traditional approach for implementing the Purdue Model: separate your enterprise IT from your control systems from your field devices. It works at a coarse level, but it doesn't provide granularity within zones. If a compromised device is in the same zone as its target, segmentation won't stop the lateral movement.
Microsegmentation applies security policy at the individual device or workload level. It controls not just whether a device is on the network, but exactly what it can communicate with, over which protocols, and under what conditions. Identity-based microsegmentation does this by assigning policy to the device's identity rather than its network location, which means policy follows the device regardless of which port or VLAN it's on.
| Capability | Traditional NAC | Network segmentation | Identity-based microsegmentation |
|---|---|---|---|
| Enforcement granularity | Port/VLAN level | Zone/subnet level | Individual device level |
| OT device support | Limited (MAB fallback) | Basic (VLAN placement) | Full (agentless, no 802.1X required) |
| Lateral movement prevention | Minimal (within-VLAN blind) | Partial (stops cross-zone only) | Granular (device-to-device policy) |
| IEC 62443 alignment | Weak | Moderate (manual zone mapping) | Strong (virtual zones and conduits) |
| Deployment impact on OT | High (VLAN redesign, re-IPing) | High (firewall rules, topology changes) | Low (uses existing infrastructure, no downtime) |
| Typical deployment timeline per site | 6 to 18 months | 3 to 12 months | Days to weeks |
The takeaway: NAC and macro-segmentation solve different problems, and neither one provides the granularity that OT environments require. Lateral movement within an OT zone is how ransomware spreads from an engineer's workstation to a PLC, and neither NAC nor VLAN-based segmentation stops it. For a detailed breakdown of the 9 lateral movement techniques that flat OT networks enable, including credential exploitation, RDP abuse, and supply chain pivots, see our techniques guide. Identity-based microsegmentation addresses the actual attack path.
How identity-based microsegmentation solves the OT NAC problem
The core architectural shift is this: instead of asking "can this device authenticate through 802.1X?" you ask "what is this device, and what should it be allowed to do?" That's the difference between port-based access control and zero trust policy built on device identity.
In practice, here's how it works. An identity-based microsegmentation platform passively discovers every device on the network without requiring agents, supplicants, or 802.1X enrollment. It classifies each device by type, manufacturer, model, firmware version, behavior, and communication patterns. It correlates this information with intelligence from OT discovery platforms like Claroty xDome, Nozomi Networks, or Armis, building a rich identity profile that includes the device's Purdue level, its role in the production process, and its known vulnerabilities.
Policy is then assigned to that identity, not to a port or VLAN. A Siemens S7-1500 PLC at Purdue Level 1 gets a policy that allows it to communicate with its associated HMI over PROFINET, with its historian over OPC UA, and with nothing else. That policy follows the device regardless of which switch port it's connected to. No VLAN reassignment. No ACL changes. No re-IPing. The enforcement happens at the switch level using the existing network infrastructure already in place.
This maps directly to the IEC 62443 zones and conduits model. Instead of building physical zones with firewalls and separate network segments (which is the traditional approach that takes years), you create virtual zones and conduits defined by device identity and enforced at the switch port. The security architecture aligns with the compliance framework without requiring a network redesign. For organizations building a zero trust architecture in their OT environment, this is the enforcement layer that makes zero trust operational rather than aspirational.
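To make the identity-based model concrete, here is an added example (written for this post, not Elisity's code or any vendor's) that implements the policy described above and in the IEC 62443 zones and conduits discussion earlier: the S7-1500 at Purdue Level 1 may talk PROFINET to its HMI and OPC UA to its historian, and nothing else. Every rule is a selector over identity attributes (type, vendor, Purdue level, zone), so the same flow is allowed whether the PLC sits on its original port or a different one, and any flow with no matching conduit is denied by default. The inventory, rules and flows are constructed, and protocol names are assumed to come from a protocol-aware discovery layer rather than being parsed here.

```python
"""Identity-based zone/conduit policy check (added example).

Not Elisity's or any vendor's code, and not from the post itself. It
models the post's description: policy is attached to what a device is
(type, vendor, Purdue level, IEC 62443 zone) and to the conduits between
zones, never to a switch port or VLAN. Inventory, rules and flows are
constructed; protocol labels are assumed to come from a protocol-aware
discovery layer, so nothing is parsed here.
"""
from dataclasses import dataclass
from typing import Mapping


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    device_type: str      # PLC, HMI, HISTORIAN, LAPTOP, ...
    purdue_level: int
    zone: str             # IEC 62443 zone the identity belongs to


@dataclass(frozen=True)
class Rule:
    """A conduit expressed over identities: who may talk to whom, over what."""
    src: Mapping[str, object]   # attribute selector for the source identity
    dst: Mapping[str, object]   # attribute selector for the destination
    protocols: frozenset
    bidirectional: bool = False


def matches(device: Device, selector: Mapping[str, object]) -> bool:
    """A selector matches when every named attribute equals the device's."""
    return all(getattr(device, key, None) == value for key, value in selector.items())


def decide(rules, src: Device, dst: Device, protocol: str):
    """Default deny: allow only if some conduit covers both identities and the protocol."""
    for rule in rules:
        if protocol not in rule.protocols:
            continue
        if matches(src, rule.src) and matches(dst, rule.dst):
            return True, f"conduit {src.zone} -> {dst.zone} permits {protocol}"
        if rule.bidirectional and matches(src, rule.dst) and matches(dst, rule.src):
            return True, f"conduit {dst.zone} <-> {src.zone} permits {protocol}"
    return False, f"no conduit permits {protocol} between {src.name} and {dst.name}"


def evaluate_flows(flows, inventory, rules):
    """Resolve each flow's endpoints to identities and decide; the port is report-only."""
    results = []
    for src_mac, src_port, dst_mac, protocol in flows:
        src, dst = inventory.get(src_mac), inventory.get(dst_mac)
        if src is None or dst is None:
            allowed, reason = False, "unidentified endpoint (no identity, so no policy)"
        else:
            allowed, reason = decide(rules, src, dst, protocol)
        results.append({"src_port": src_port, "protocol": protocol,
                        "src": src.name if src else src_mac,
                        "dst": dst.name if dst else dst_mac,
                        "allowed": allowed, "reason": reason})
    return results


# Constructed inventory keyed by MAC, as a passive discovery layer would produce.
INVENTORY = {
    "00:1B:1B:0A:0B:0C": Device("PLC-Line3", "Siemens", "PLC", 1, "cell-3"),
    "00:1B:1B:0A:0B:0D": Device("HMI-Line3", "Siemens", "HMI", 2, "cell-3-supervisory"),
    "00:50:56:00:00:01": Device("Historian-01", "VMware", "HISTORIAN", 3, "site-ops"),
    "DE:AD:BE:EF:00:01": Device("Laptop-Contractor", "Unknown", "LAPTOP", 4, "enterprise"),
}

# The post's example policy: the S7-1500 talks PROFINET to its HMI,
# OPC UA to its historian, and nothing else.
RULES = [
    Rule({"device_type": "PLC", "vendor": "Siemens", "purdue_level": 1, "zone": "cell-3"},
         {"device_type": "HMI", "zone": "cell-3-supervisory"},
         frozenset({"PROFINET"}), bidirectional=True),
    Rule({"device_type": "PLC", "zone": "cell-3"},
         {"device_type": "HISTORIAN", "purdue_level": 3},
         frozenset({"OPCUA"})),
]

# Constructed observed flows: (src MAC, src switch port, dst MAC, protocol).
FLOWS = [
    ("00:1B:1B:0A:0B:0C", "sw-plant-01/Gi1/0/5",  "00:1B:1B:0A:0B:0D", "PROFINET"),    # allow
    ("00:1B:1B:0A:0B:0D", "sw-plant-01/Gi1/0/6",  "00:1B:1B:0A:0B:0C", "PROFINET"),    # allow (reverse direction)
    ("00:1B:1B:0A:0B:0C", "sw-plant-02/Gi1/0/17", "00:50:56:00:00:01", "OPCUA"),       # allow: same PLC, new port
    ("00:1B:1B:0A:0B:0D", "sw-plant-01/Gi1/0/6",  "00:1B:1B:0A:0B:0C", "MODBUS_TCP"),  # deny: protocol not in conduit
    ("DE:AD:BE:EF:00:01", "sw-plant-01/Gi1/0/9",  "00:1B:1B:0A:0B:0C", "PROFINET"),    # deny: identity not permitted
    ("02:00:00:00:00:99", "sw-plant-01/Gi1/0/10", "00:1B:1B:0A:0B:0C", "OPCUA"),       # deny: never identified
]

if __name__ == "__main__":
    for r in evaluate_flows(FLOWS, INVENTORY, RULES):
        print("ALLOW" if r["allowed"] else "DENY ", r["src"], "->", r["dst"], r["protocol"], "|", r["reason"])
```

Two design choices carry the post's argument. First, the historian rule is one-directional, so a historian that starts initiating OPC UA sessions toward the PLC is denied even though the protocol is "known good" between those zones; conduits have direction. Second, an endpoint with no identity gets no policy at all rather than a permissive default, which is the opposite of what MAB does when it falls back to trusting the MAC.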
What deployment actually looks like
I want to ground this in real numbers because deployment speed is where the difference between NAC and identity-based microsegmentation becomes most tangible.
GSK, one of the world's largest pharmaceutical companies, had an approved plan to implement segmentation across 275 global sites using legacy firewall technology. The projected timeline was one year per location. The projected cost was $200 million. After evaluating the identity-based microsegmentation approach, they cut deployment to one week for 3 to 4 sites and reduced total project cost to $50 million, a 75% TCO reduction. That's not a marginal improvement. That's a fundamentally different operational model.
A top-10 US health system had planned to deploy Cisco ISE for microsegmentation. That plan required 14 dedicated employees and 300 hours per site, plus re-IPing a significant number of IoMT devices that would have required on-site vendor visits. With identity-based microsegmentation, they needed 2 full-time employees, 2 to 8 hours of configuration time, and achieved 99% device discovery within 4 hours of deployment with no downtime or patient network disruption. Total projected spend dropped from $38 million to $9 million.
A global industrial electronics manufacturer with 53 facilities chose identity-based microsegmentation over a planned deployment of legacy firewalls and Cisco TrustSec. The results: 33% reduction in OT device onboarding costs, 75% reduction in firewall management overhead, 50% faster troubleshooting, and $18.5 million in capital cost savings by eliminating the need for new switching and firewall infrastructure.
These are specific, measurable outcomes from real Elisity deployments, and they address the deployment timeline problem that kills NAC projects in OT environments. When you can deploy to a site in a week instead of a year, you can actually achieve coverage before the threat landscape shifts under your feet.
Comparison: traditional NAC vs. identity-based microsegmentation for OT
For those evaluating both approaches side by side, here's how they compare on the criteria that matter most in OT environments.
| Criteria | Traditional NAC (Cisco ISE, Aruba ClearPass, Forescout) | Identity-based microsegmentation |
|---|---|---|
| Authentication method | 802.1X with MAB fallback | Passive identity discovery (no supplicant or agent required) |
| OT/IoT device coverage | Partial (MAB for non-802.1X devices) | Complete (all devices discovered and classified agentlessly) |
| Policy model | Port-based, VLAN-centric | Identity-based, follows the device |
| Lateral movement control | Within-VLAN traffic uncontrolled | Device-to-device policy enforcement |
| Infrastructure requirements | RADIUS servers, VLAN redesign, potential re-IPing, dedicated appliances | Uses existing switches and access points. No new hardware. |
| Deployment time per site | 6 to 18 months | Days to weeks |
| Staffing requirements | 14+ FTEs across security ops, network engineering, platform management | 1 to 2 FTEs |
| IEC 62443 support | Limited (not designed for zones and conduits) | Native support for virtual zones and conduits |
| Production downtime | Required for VLAN changes and re-IPing | Zero downtime deployment |
| Third-party validation | Gartner MQ for NAC (legacy category) | Gartner Cool Vendors in CPS Security 2025, Gartner Hype Cycle for Enterprise Networking 2025 |
Gartner's own analysis supports the architectural direction here. The 2025 Gartner Cool Vendors in Cyber-Physical Systems Security report described the evolution as a move "from a network-centric, reactive model focused on firewalls and prevention to a more mature discipline centered on proactive defense, asset-centric protection, and rapid recovery." That's not Elisity's marketing language. That's Gartner describing the direction the market is heading.
Making the transition from NAC to identity-based microsegmentation
To be clear, I'm not suggesting you rip out your NAC tomorrow. If you have a functioning NAC deployment covering your IT assets, it can continue serving that role. The question is what you do about the 60% or more of your devices that NAC can't protect, which happen to be the devices controlling your physical processes. OT-specific microsegmentation fills that gap.
The practical path forward is to layer identity-based microsegmentation alongside your existing infrastructure. You keep your NAC for IT endpoints if it's working. You deploy microsegmentation for everything else: the PLCs, HMIs, RTUs, sensors, cameras, badge readers, and building automation systems that NAC was never designed to handle. Over time, organizations often find that microsegmentation subsumes the NAC function entirely because it provides everything NAC does plus granular east-west control, but that's an evolution, not a day-one requirement.
What matters is getting meaningful access control over your OT assets in a timeline that matches the threat environment. The Dragos 2026 report found that adversaries are now actively mapping control loops in industrial environments. The average dwell time for ransomware in OT environments was 42 days, though organizations with full OT visibility detected and contained incidents in an average of 5 days. You can't afford to spend 18 months deploying access control site by site while threat actors are already inside your networks.
The best NAC for industrial and OT networks isn't a better NAC. It's a different architecture that was built for the devices, protocols, and operational constraints that define OT. Identity-based microsegmentation isn't a theoretical alternative anymore. It's deployed in pharmaceutical manufacturing, healthcare, industrial electronics, critical infrastructure, and education. The proof points exist. The deployment timelines are measured in weeks, not years. And the devices that NAC can't protect are the ones that need protection most.
Frequently asked questions about NAC for industrial and OT networks
What is the best NAC solution for industrial and OT networks?
The most effective access control for industrial and OT networks isn't traditional NAC. It's identity-based microsegmentation. Traditional NAC relies on 802.1X authentication, which most OT devices (PLCs, HMIs, RTUs, sensors) don't support. Identity-based microsegmentation discovers and classifies every device agentlessly, then enforces granular policy based on what the device is rather than whether it can authenticate. This approach covers 100% of assets, including the unmanaged OT devices that NAC leaves exposed.
Why does traditional NAC fail in OT and industrial environments?
NAC fails in OT for five specific reasons: OT devices can't run 802.1X supplicants, headless devices can't host software agents, VLAN-based enforcement requires network redesigns that operations teams won't tolerate, IT-centric policy models don't map to IEC 62443 zones and conduits, and deployment timelines of 12 to 18 months per site mean coverage never reaches critical OT assets. According to Nozomi Networks' 2026 research, only 0.3% of OT wireless networks use enterprise-grade 802.1X authentication.
What is the difference between NAC and network segmentation for OT security?
NAC controls whether a device is admitted to the network (north-south). Network segmentation divides the network into zones (macro-segmentation). Microsegmentation enforces policy at the individual device level (east-west). For OT security aligned with IEC 62443, you need microsegmentation that can enforce zone and conduit policies at the device level, which neither NAC nor traditional segmentation provides on its own.
Do OT and IoT devices support 802.1X authentication?
The vast majority don't. PLCs, HMIs, RTUs, SCADA terminals, sensors, and actuators weren't designed with enterprise authentication in mind. They lack supplicant software and can't enroll certificates. NAC vendors offer MAC Authentication Bypass (MAB) as a workaround, but MAB relies on MAC addresses that are trivially spoofable. It provides device identification, not authentication. Any access control strategy for OT needs to work without 802.1X.
How do you modernize network access control without replacing infrastructure?
Identity-based microsegmentation enforces policy using the switches and access points you already have. There's no new hardware, no overlay networks, no VLAN redesign, and no re-IPing. Policy is defined in the cloud and pushed to the existing switching infrastructure for enforcement at the port level. This is how organizations like GSK have deployed microsegmentation across hundreds of global sites at a fraction of the cost and timeline of traditional approaches. For a deeper comparison, see the NAC alternative breakdown.
Further reading
- Why NAC projects stall: the hidden technical complexities
- The modern NAC alternative for Zero Trust security
- IEC 62443 network segmentation requirements and changes
- Microsegmentation: the essential guide to network security
- Elisity for industrial and manufacturing environments
- Understanding and preventing lateral movement attacks
- Network segmentation: stopping lateral movement and east-west attacks
- Elisity and Claroty xDome integration
- Elisity and Nozomi Networks integration
- Elisity and Armis integration

Charlie Treadwell
Chief Marketing Officer, Elisity
Charlie Treadwell leads marketing at Elisity, where he works closely with security teams deploying identity-based microsegmentation across industrial, healthcare, and enterprise environments. His writing draws on direct experience with OT security programs at global manufacturers, critical infrastructure operators, and Fortune 500 organizations. Connect with him on LinkedIn.