Elisity Blog

Microsegmentation in Manufacturing: Omdia Survey Findings on Ransomware and Lateral Movement

Nearly half of manufacturing organizations experienced a lateral movement attack in the past 12 months. Meanwhile, 69% of all industrial ransomware incidents in 2024 targeted manufacturing entities, with 75% resulting in partial or full operational shutdowns, according to Dragos's 2024 OT Cybersecurity Year in Review.

Yet when we commissioned the Omdia 2025 microsegmentation survey (N=352 cybersecurity decision makers, including 176 in manufacturing), we found a stark gap: while 99% of organizations are implementing or planning microsegmentation, only 9% report that more than 80% of their critical systems are protected. More than 90% of respondents are behind on the one control most likely to stop ransomware from spreading across their networks.

This post unpacks the survey findings through a manufacturing cybersecurity lens, identifies what's holding the industry back, and outlines what modern OT microsegmentation actually looks like when it works.

Key findings from the Omdia 2025 microsegmentation survey

  • Nearly 50% of organizations experienced lateral movement attacks in the past year
  • 99% are implementing or planning microsegmentation, but only 9% have more than 80% of critical systems protected
  • 57% prioritize microsegmentation for lateral movement prevention, yet only 24% have deployed it
  • 69% identified identity-based microsegmentation as the most desirable feature in a modern solution
  • 78% of cybersecurity decision makers lack hands-on experience with modern microsegmentation
  • 70% agree traditional network segmentation is no longer sufficient for today's threat environment

Get the full survey data: Download the Omdia 2025 microsegmentation report — 352 enterprise security leaders, with full breakdowns by manufacturing and healthcare.

The lateral movement crisis in manufacturing, quantified

Manufacturing has become the most targeted industrial sector for ransomware, and it's not close. Dragos documented 1,693 ransomware attacks against industrial organizations in 2024, an 87% increase over the prior year. Manufacturing absorbed 69% of those attacks across 26 distinct subsectors. In Q1 2025, the trend accelerated: 480 manufacturing incidents, up from 424 the previous quarter, still accounting for 68% of all industrial ransomware activity.

The Omdia survey corroborates the threat at the network level. Nearly half of respondents reported lateral movement attacks within their environments over the past 12 months. For manufacturers, the consequences extend far beyond data loss: production line shutdowns, theft of proprietary designs and CAD files, and malware spreading through supplier networks to create cascading supply chain disruptions.

As one survey respondent put it, attacks "can halt automated production lines, causing long-term downtimes." These aren't hypothetical scenarios. As we documented in our analysis of IT/OT network segmentation for ransomware containment, $17 billion in manufacturing downtime costs have accumulated across 858 incidents since 2018.

Intent is high, execution is dangerously low

The Omdia survey reveals a striking paradox. Nearly every organization (99%) is either implementing or planning microsegmentation. Among those actively deploying, 57% list it as a top priority specifically for lateral movement prevention. The intent is there.

But the execution data tells a different story. Only 24% of organizations have actually deployed microsegmentation. And of those who have, just 9% report that more than 80% of their critical systems are protected. The remaining 91% sit at various stages of incomplete coverage: 40% have only 21-50% of systems microsegmented, 28% have 51-80%, and a combined 24% have 20% or less.

If you're a manufacturing CISO, that gap between intent and execution should concern you. Every unprotected segment is a potential pathway for lateral movement, and attackers consistently exploit exactly these gaps. The 80 ransomware groups now targeting industrial organizations (a 60% increase from 2023, per Dragos) depend on moving laterally once they gain initial access; the foothold is rarely the asset that halts production.

What's driving the urgency

The business drivers behind microsegmentation initiatives are clear and multi-layered. The Omdia survey found that Zero Trust strategy tops the list at 68%, followed by regulatory compliance at 60%, risk reduction from ransomware and lateral movement at 54%, and improved operational efficiency at 47%. Cyber insurance requirements, at 32%, represent a growing but underappreciated driver. As we noted in our ransomware containment analysis, insurers are increasingly requiring segmentation controls, and organizations with demonstrable microsegmentation programs are seeing 15-25% premium reductions.

Why legacy segmentation is holding back microsegmentation in manufacturing

When the Omdia survey asked which segmentation methods organizations have tried, legacy approaches dominated: VLANs (53%), access control lists (49%), host-based firewalls (44%), and network access control (35%). Modern approaches lagged significantly, with fabric overlay segmentation at just 17% and agent-based segmentation at only 12%.

These numbers explain the execution gap. Legacy methods weren't designed for mixed IT/OT/IoT environments, and they impose an operational burden that becomes unsustainable at scale.

The hidden time tax

Consider the operational overhead the survey uncovered. Organizations spend an average of 18.4 hours per change on change control processes, 15.5 hours troubleshooting connectivity issues, 13.2 hours testing new policies, and 12.7 hours creating those policies in the first place. That's nearly 60 hours of skilled engineering time per policy change cycle. In a manufacturing environment where change windows are narrow and tolerance for downtime is close to zero, that pace makes meaningful microsegmentation coverage impractical.

The financial burden extends beyond labor. Hidden costs from previous segmentation projects included professional services (21%), ongoing maintenance (18%), hardware (15%), and network redesign (15%), all compounding as organizations try to scale legacy approaches across hundreds of OT assets.

Why legacy methods fail in OT environments

The fundamental mismatch is architectural. VLANs provide coarse macro-segmentation: every device in a VLAN can still talk freely to every other device in it, so lateral movement inside the segment goes unchecked. ACLs match on IP addresses and ports, not device or user identity, so a legitimate PLC firmware update from an engineering workstation and an attacker pivoting through that same workstation look identical to the ACL: same source address, same destination, same port. Host-based firewalls require a software agent, which can't be installed on PLCs, embedded HMIs, building management controllers, or most other OT devices; on the Windows-based HMIs and workstations that could host one, vendor support terms and change control frequently rule it out.

The survey confirmed this directly: 70% of respondents agree that traditional network segmentation is no longer sufficient, and 59% report that segmentation policies have caused business disruptions in their environments.


The familiarity gap slowing microsegmentation in manufacturing

Perhaps the most revealing finding in the Omdia survey is about awareness, not technology. When asked how familiar they are with modern microsegmentation solutions, only 22% of respondents described themselves as "very familiar" with hands-on experience. The remaining 78% ranged from "moderately familiar" (42%, understanding basics but no direct experience) to "slightly familiar" (31%) to "not familiar at all" (5%).

This is a significant insight for manufacturers evaluating their security posture. The technology has evolved substantially, but the market's awareness hasn't caught up. As the OT security landscape analysis we published earlier this year details, manufacturing accounts for 25.7% of all cyber incidents, with 71% involving ransomware. The tools to address this exist. The gap is education, not innovation.

Encouragingly, 62% of survey respondents agree that modern microsegmentation solutions are easier to deploy and manage than previous generations. The challenge is getting from awareness to evaluation to deployment before the next lateral movement attack succeeds.

Manufacturing-specific segmentation challenges

Manufacturing networks present unique constraints that generic segmentation approaches can't accommodate. The Omdia survey identified two critical dimensions: user types and device types.

User complexity

Remote engineers top the list of user types requiring special consideration at 70%, followed by manufacturing operators at 58%, equipment vendors at 41%, and a cluster of temporary workers, equipment suppliers, and maintenance staff all at 39%. Each of these user types needs different levels of access to different systems at different times, often from different locations.

A remote engineer updating firmware on a robotic welding cell needs temporary, scoped access to that specific system. A maintenance contractor needs building management access but not production control. A temporary worker needs specific HMI stations and nothing else. Legacy methods that rely on static VLAN assignments or IP-based ACLs can't express these granular, identity-based policies. For a deeper look at aligning IT and OT security teams around these challenges, see our guide to IT/OT/SOC team alignment.

Device complexity

On the device side, building management systems (59%) and ICS/SCADA systems (53%) were identified as the hardest device types to segment. These are the crown jewels of manufacturing operations, and they're the most resistant to traditional segmentation approaches.

Building management systems control HVAC, fire suppression, and physical access; they run proprietary protocols, can't accept agents, and were designed decades before cybersecurity was a consideration. ICS/SCADA systems share these characteristics, with the added constraint that even milliseconds of latency can affect production quality.

The survey also highlighted persistent visibility gaps. Among manufacturing respondents, 56% reported gaps in visibility into cloud service connections, 47% lacked visibility into legacy system connections, and 38% had blind spots around vendor remote access. You can't segment what you can't see, and 44% of respondents specifically cited comprehensive device visibility as a critical feature they need from a microsegmentation platform.

Legacy vs. modern microsegmentation: a comparison

Understanding why modern identity-based microsegmentation differs from legacy approaches is essential for any manufacturing security team evaluating options. The following comparison, informed by the Omdia survey findings and the full research, summarizes the key distinctions:

Legacy vs. modern microsegmentation in manufacturing: VLAN-based through identity-based approaches compared on seven dimensions.

Policy basis
  • VLANs / ACLs: IP addresses, ports, subnets
  • NAC (802.1X): authentication credentials, VLAN assignment
  • Agent-based microsegmentation: workload OS-level rules
  • Identity-based microsegmentation (agentless): device identity, user context, behavior

OT/IoT coverage
  • VLANs / ACLs: broad but coarse; all devices in a VLAN share access
  • NAC (802.1X): limited; many OT devices can't perform 802.1X authentication
  • Agent-based: poor; PLCs, HMIs, sensors can't run agents
  • Identity-based (agentless): full; works on any device on the network

Granularity
  • VLANs / ACLs: macro (subnet-level segments)
  • NAC (802.1X): macro (VLAN-level, assigned on connect)
  • Agent-based: micro (per-workload, process-level)
  • Identity-based (agentless): micro (per-device, per-user, per-flow)

Deployment impact
  • VLANs / ACLs: requires network redesign and change windows
  • NAC (802.1X): complex across heterogeneous switch environments
  • Agent-based: requires agent installation; production risk
  • Identity-based (agentless): runs on existing network infrastructure; no downtime

Operational overhead
  • VLANs / ACLs: high; manual ACL updates, 18+ hours per change cycle
  • NAC (802.1X): moderate to high; ongoing RADIUS and policy management
  • Agent-based: high; agent patching, compatibility, performance
  • Identity-based (agentless): low; cloud-managed, dynamic policy automation

Lateral movement prevention
  • VLANs / ACLs: limited; movement within a VLAN is unchecked
  • NAC (802.1X): limited; enforces at the access point only, not intra-VLAN
  • Agent-based: strong where agents are deployed; gaps elsewhere
  • Identity-based (agentless): comprehensive; enforces at every network hop

IEC 62443 alignment
  • VLANs / ACLs: partial; can create zones, but conduit control is manual
  • NAC (802.1X): partial; zone assignment on connect, limited conduit control
  • Agent-based: partial; only for agent-capable assets
  • Identity-based (agentless): strong; virtual zones and conduits map to the standard

Identity-based microsegmentation is what manufacturers want

The Omdia survey asked respondents directly which features matter most in a modern microsegmentation solution. The results were unambiguous: identity-based microsegmentation was the top choice at 69%, followed by lateral movement prevention (54%), fast deployments (51%), cloud-delivered management (48%), and comprehensive device visibility (44%).

These aren't wish-list items. They describe a specific architectural approach: agentless microsegmentation that operates on existing network switching infrastructure, managed from the cloud, with policies based on device and user identity rather than IP addresses.

Why identity-based policy matters for manufacturing

Consider a practical scenario. A manufacturing plant has engineering workstations, PLCs, HMIs, a historian server, building management controllers, and vendor laptops all sharing the same network. With VLAN-based segmentation, a compromised engineering workstation still has broad access to every PLC on its VLAN, and ACLs between VLANs are static and brittle.

Identity-based microsegmentation works differently. It discovers every device and user, classifies them by identity (device type, manufacturer, firmware version, user role), and enforces granular policies: this specific workstation, used by this authenticated engineer, can communicate with these three PLCs using this industrial protocol, during these hours. Everything else is denied by default.

The result is what 85% of survey respondents agreed on: modern microsegmentation provides greater risk reduction than previous approaches. And it achieves this without the operational overhead that stalled earlier projects. No agents to install on PLCs. No network redesign. No production downtime.
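To make the contrast concrete, here is an added example (not Elisity's code, and not taken from the Omdia report) that evaluates the same Modbus/TCP flows against a static IP ACL and against an identity-based rule of the kind described above. The device inventory, the rule shape, the addresses, the user roles and the four scenarios are all constructed for illustration:

```python
"""Evaluating the same flows against an IP/port ACL and an identity-based
policy.  Added example, not Elisity's code or anything from the Omdia survey;
the inventory, rule shape, addresses and flows below are constructed."""
from dataclasses import dataclass, replace
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str                 # stable identity from discovery/classification
    ip: str                   # current address; may change over time
    device_type: str          # "plc", "engineering_workstation", ...


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    user_role: Optional[str]  # role of the authenticated user on the source, if any
    at: time                  # local time of the connection attempt


@dataclass(frozen=True)
class IdentityRule:
    src_device: str
    user_roles: FrozenSet[str]
    dst_devices: FrozenSet[str]
    proto: str
    dst_port: int
    window: Tuple[time, time]  # [start, end) on the same day


# Constructed inventory keyed by current IP; identities survive re-addressing.
INVENTORY: Dict[str, Device] = {
    "10.1.20.15": Device("ews-07", "10.1.20.15", "engineering_workstation"),
    "10.1.30.11": Device("plc-weld-1", "10.1.30.11", "plc"),
    "10.1.30.12": Device("plc-weld-2", "10.1.30.12", "plc"),
    "10.1.30.40": Device("plc-paint-1", "10.1.30.40", "plc"),
}

# Legacy ACL: the workstation's IP may reach the whole PLC subnet on Modbus/TCP.
ACL: List[Tuple[str, str, str, int]] = [("10.1.20.15", "10.1.30.0/24", "tcp", 502)]

# Identity policy: this workstation, driven by a controls engineer, may speak
# Modbus/TCP to exactly two welding PLCs during the day shift.  Default deny.
RULES: List[IdentityRule] = [
    IdentityRule("ews-07", frozenset({"controls_engineer"}),
                 frozenset({"plc-weld-1", "plc-weld-2"}), "tcp", 502,
                 (time(6, 0), time(18, 0))),
]


def acl_allows(flow: Flow, acl=ACL) -> bool:
    """Static address/port match; knows nothing about who or what is talking."""
    for src, dst_net, proto, port in acl:
        if (flow.src_ip == src and ip_address(flow.dst_ip) in ip_network(dst_net)
                and flow.proto == proto and flow.dst_port == port):
            return True
    return False


def identity_allows(flow: Flow, inventory: Dict[str, Device], rules=RULES) -> bool:
    """Resolve both endpoints to identities first; unknown devices are denied."""
    src, dst = inventory.get(flow.src_ip), inventory.get(flow.dst_ip)
    if src is None or dst is None:
        return False
    for r in rules:
        if r.src_device != src.name or dst.name not in r.dst_devices:
            continue
        if (flow.proto, flow.dst_port) != (r.proto, r.dst_port):
            continue
        if flow.user_role not in r.user_roles:
            continue
        start, end = r.window
        if start <= flow.at < end:
            return True
    return False


def compare(flow: Flow, inventory: Dict[str, Device] = INVENTORY) -> Dict[str, bool]:
    return {"acl": acl_allows(flow), "identity": identity_allows(flow, inventory)}


# Constructed scenarios.
ENGINEER_DAY = Flow("10.1.20.15", "10.1.30.11", "tcp", 502, "controls_engineer", time(10, 0))
# Same workstation, no authenticated engineer, 03:00, pivoting to the paint line.
PIVOT_NIGHT = Flow("10.1.20.15", "10.1.30.40", "tcp", 502, None, time(3, 0))
# A real engineer, but reaching a PLC outside the scoped set.
ENGINEER_OUT_OF_SCOPE = Flow("10.1.20.15", "10.1.30.40", "tcp", 502, "controls_engineer", time(10, 0))


def readdressed_inventory() -> Dict[str, Device]:
    """ews-07 moved to a new subnet; discovery refreshes the address, identity stays."""
    inv = {ip: d for ip, d in INVENTORY.items() if d.name != "ews-07"}
    inv["10.1.21.9"] = replace(INVENTORY["10.1.20.15"], ip="10.1.21.9")
    return inv


ENGINEER_AFTER_MOVE = replace(ENGINEER_DAY, src_ip="10.1.21.9")

if __name__ == "__main__":
    for label, flow, inv in [("engineer, day shift", ENGINEER_DAY, INVENTORY),
                             ("pivot at 03:00, no user", PIVOT_NIGHT, INVENTORY),
                             ("engineer, out-of-scope PLC", ENGINEER_OUT_OF_SCOPE, INVENTORY),
                             ("engineer after re-addressing", ENGINEER_AFTER_MOVE, readdressed_inventory())]:
        print(f"{label:30} {compare(flow, inv)}")
```

The ACL passes the 03:00 pivot and the out-of-scope PLC because both come from the permitted workstation address to the permitted subnet and port; the identity rule denies them because no engineer is authenticated, the window is closed, or the destination is not in the scoped set. Re-addressing the workstation breaks the ACL while the identity rule keeps working once discovery refreshes the address. A real platform binds identity to the endpoint through discovery and classification rather than an IP lookup table, which is the part this example only stands in for.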

Integration with the security stack

Manufacturing security teams don't operate microsegmentation in isolation. The Omdia survey mapped integration requirements clearly: SIEM (67%), EDR (54%), SOAR platforms (49%), identity systems (43%), network/infrastructure security (40%), and asset management (38%). Modern microsegmentation platforms that integrate with OT-specific tools from vendors like Claroty, Nozomi, and Armis provide the asset intelligence layer that makes identity-based policy possible across IT, OT, and IoT environments simultaneously.

Aligning microsegmentation with IEC 62443

For manufacturers operating under IEC 62443 requirements, microsegmentation isn't just a security best practice; it's a compliance accelerator. The IEC 62443 standard defines a zones-and-conduits model where industrial assets are grouped into security zones based on risk level, and communication between zones is controlled through defined conduits.

Traditionally, implementing zones and conduits required physical network segmentation: separate switches, firewalls between zones, and manual conduit configuration. This creates rigid architecture that manufacturing environments struggle to maintain as production requirements change.

Modern identity-based microsegmentation implements virtual zones and conduits without physical rewiring. Each device is automatically classified and assigned to a zone based on its identity and function. Conduit policies are defined in software and enforced at the switch level. New devices are automatically classified and zoned. When production requirements change, policies update dynamically.

This approach directly addresses the 2025 updates to IEC 62443, which place enhanced focus on microsegmentation below Layer 3. As Gartner recognized in naming Elisity a 2025 Cool Vendor in Cyber-Physical Systems Security, the convergence of identity-based policy with existing network infrastructure represents a meaningful shift in how manufacturers can achieve both compliance and operational security.


A practical path forward for manufacturing security teams

The Omdia survey data points to a clear trajectory. Ransomware incidents in manufacturing surged 87% year over year in 2024. Intent is near-universal: 99% recognize they need microsegmentation. But execution remains critically behind, driven by legacy method limitations and lack of familiarity with modern alternatives.

For manufacturing CISOs and security architects evaluating their options, the survey suggests focusing on four priorities:

  1. Close the visibility gap. You can't protect assets you haven't discovered, and 44% of respondents flagged device visibility as a critical need.
  2. Evaluate identity-based approaches. The 69% who identified this as the most important feature are responding to real architectural requirements, not vendor marketing.
  3. Prioritize IEC 62443 alignment. Regulatory compliance (60%) is the second-highest business driver, and modern microsegmentation maps directly to the zones-and-conduits model.
  4. Demand integration. With 67% requiring SIEM integration and 54% requiring EDR, microsegmentation must fit within your existing security operations, not create another silo.

The gap between the 99% planning microsegmentation and the 9% with comprehensive coverage won't close overnight. But the 62% who agree modern solutions are easier to deploy suggest the technology barrier is lower than many assume. The real barrier is awareness. If you haven't evaluated identity-based microsegmentation in manufacturing, the data suggests now is the time.


Frequently asked questions about microsegmentation in manufacturing

Why are over 90% of manufacturing organizations falling behind on microsegmentation?

According to the Omdia 2025 microsegmentation survey (N=352), 99% of organizations are implementing or planning microsegmentation, but only 9% have more than 80% of critical systems protected. The primary causes are reliance on legacy methods that consume 18+ hours per change cycle and a familiarity gap where 78% of decision makers lack hands-on experience with modern platforms.

How does identity-based microsegmentation differ from traditional network segmentation in manufacturing?

Traditional segmentation uses VLANs, ACLs, and subnet boundaries to create broad zones with policies tied to IP addresses. Identity-based microsegmentation enforces granular, per-device policies based on device type, user context, and behavioral attributes. A PLC is segmented based on what it is rather than where it sits on the network. This approach is agentless, operates on existing switches, and creates virtual IEC 62443 zones without physical redesign.

What are the biggest cybersecurity challenges for manufacturing networks?

The Omdia survey identified three dimensions. User complexity: remote engineers (70%), manufacturing operators (58%), and equipment vendors (41%) all need special consideration. Device complexity: building management systems (59%) and ICS/SCADA (53%) are hardest to segment. Visibility gaps: 56% lack visibility into cloud connections, 47% into legacy systems, 38% into vendor remote access. Meanwhile, Dragos reported manufacturing absorbed 69% of all industrial ransomware attacks in 2024.

How can manufacturers implement microsegmentation without disrupting production?

Modern identity-based microsegmentation operates as an overlay on existing switches, requiring no agents and no network redesign. The phased approach: discover and classify all devices, monitor traffic to map communication flows, simulate policies before enforcement, then enforce gradually starting with highest-risk segments. The Omdia survey found 62% agree modern solutions are easier to deploy than previous generations, and 51% cited fast deployment as a critical feature.
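As an added example, not Elisity's code and not drawn from the report, the following script walks the four phases above and ties them to the zones-and-conduits model from the IEC 62443 section: classify constructed device records into zones by function, learn inter-zone conduits from a monitoring window of constructed flow records, report what enforcement would have blocked in a later window, and only then filter. The zone names, device types, log format and the minimum-support threshold are all assumptions of this example:

```python
"""Phased rollout: classify devices into zones, learn conduits from a
monitoring window, simulate enforcement, then enforce.  Added example, not
Elisity's code; devices, zone names, log format and flows are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# --- Phase 1: discover and classify.  Zone follows function, not subnet. ---
ZONE_BY_TYPE = {                      # constructed zone taxonomy
    "plc": "cell-control", "hmi": "cell-control", "historian": "plant-dmz",
    "engineering_workstation": "engineering", "bms_controller": "building",
    "vendor_laptop": "vendor-remote",
}
DEVICES = {                           # constructed discovery output: name -> (ip, type)
    "plc-weld-1": ("10.1.30.11", "plc"), "hmi-weld": ("10.1.30.20", "hmi"),
    "hist-01": ("10.1.40.5", "historian"), "ews-07": ("10.1.20.15", "engineering_workstation"),
    "bms-ahu-3": ("10.1.50.7", "bms_controller"), "vendor-lt-1": ("10.1.60.3", "vendor_laptop"),
}

Conduit = Tuple[str, str, str, int]   # (src zone, dst zone, proto, dst port)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def parse_flows(log: str) -> List[Flow]:
    """Constructed 'timestamp src dst proto port' records, one per line."""
    flows = []
    for line in log.strip().splitlines():
        _ts, src, dst, proto, port = line.split()
        flows.append(Flow(src, dst, proto, int(port)))
    return flows


def classify(devices) -> Dict[str, Tuple[str, str]]:
    """ip -> (name, zone); device types with no mapping land in 'unclassified'."""
    return {ip: (name, ZONE_BY_TYPE.get(dtype, "unclassified"))
            for name, (ip, dtype) in devices.items()}


def conduit_key(flow: Flow, classified) -> Optional[Conduit]:
    """Zone-level key for a flow, or None if either endpoint was never discovered."""
    src, dst = classified.get(flow.src_ip), classified.get(flow.dst_ip)
    if src is None or dst is None:
        return None
    return (src[1], dst[1], flow.proto, flow.dst_port)


# --- Phase 2: monitor.  Observed inter-zone pairs become candidate conduits. ---
def learn_conduits(flows: List[Flow], classified, min_support: int = 2) -> Set[Conduit]:
    """Require min_support observations so a one-off (or an intruder) is not baked in."""
    seen: Counter = Counter()
    for f in flows:
        key = conduit_key(f, classified)
        if key and key[0] != key[1]:          # intra-zone traffic needs no conduit
            seen[key] += 1
    return {k for k, n in seen.items() if n >= min_support}


def decide(flow: Flow, classified, conduits: Set[Conduit]) -> Tuple[str, str]:
    key = conduit_key(flow, classified)
    if key is None:
        return ("deny", "unknown endpoint")
    if key[0] == key[1]:
        return ("allow", f"intra-zone {key[0]}")
    if key in conduits:
        return ("allow", "conduit")
    return ("deny", f"no conduit {key[0]}->{key[1]} {key[2]}/{key[3]}")


# --- Phase 3: simulate.  Same decision logic, nothing blocked, a report to review. ---
def simulate(flows: List[Flow], classified, conduits: Set[Conduit]) -> Counter:
    report: Counter = Counter()
    for f in flows:
        verdict, reason = decide(f, classified, conduits)
        if verdict == "deny":
            report[reason] += 1
    return report


# --- Phase 4: enforce.  Only flows that pass the same decision get through. ---
def enforce(flows: List[Flow], classified, conduits: Set[Conduit]) -> List[Flow]:
    return [f for f in flows if decide(f, classified, conduits)[0] == "allow"]


MONITOR_LOG = """
2025-06-02T06:10:00 10.1.20.15 10.1.30.11 tcp 502
2025-06-02T06:11:00 10.1.20.15 10.1.30.11 tcp 502
2025-06-02T06:12:00 10.1.30.20 10.1.30.11 tcp 502
2025-06-02T06:12:30 10.1.40.5 10.1.30.11 tcp 502
2025-06-02T06:13:00 10.1.40.5 10.1.30.11 tcp 502
2025-06-02T06:14:00 10.1.60.3 10.1.50.7 udp 47808
2025-06-02T06:15:00 10.1.60.3 10.1.50.7 udp 47808
2025-06-02T06:16:00 10.1.60.3 10.1.30.11 tcp 502
"""
LIVE_LOG = """
2025-06-09T06:10:00 10.1.20.15 10.1.30.11 tcp 502
2025-06-09T06:11:00 10.1.30.20 10.1.30.11 tcp 502
2025-06-09T06:12:00 10.1.60.3 10.1.30.11 tcp 502
2025-06-09T06:13:00 10.1.20.15 10.1.50.7 udp 47808
2025-06-09T06:14:00 10.1.99.9 10.1.30.11 tcp 502
2025-06-09T06:15:00 10.1.60.3 10.1.50.7 udp 47808
"""


def rollout(monitor_log: str = MONITOR_LOG, live_log: str = LIVE_LOG):
    classified = classify(DEVICES)
    conduits = learn_conduits(parse_flows(monitor_log), classified)
    live = parse_flows(live_log)
    return conduits, simulate(live, classified, conduits), enforce(live, classified, conduits)


if __name__ == "__main__":
    conduits, report, allowed = rollout()
    print("learned conduits:", sorted(conduits))
    print("simulation would deny:", dict(report))
    print("enforced: %d of %d flows allowed" % (len(allowed), len(parse_flows(LIVE_LOG))))
```

The threshold matters: the single vendor-laptop-to-PLC connection in the monitoring window is not learned as a conduit, so it surfaces in the simulation report for a human to approve or reject instead of being silently written into policy. Flows from an address discovery never classified are denied outright, which is why the visibility phase has to come first.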

How the industry covered the Omdia survey

Coverage of the survey ran across leading industrial cybersecurity, cyber insurance, and security trade publications. Each outlet surfaced findings that resonate directly with manufacturing security teams.

Industrial Cyber framed the survey as an execution-gap story rooted in legacy tooling, calling specific attention to the 44% device-visibility shortfall and to manufacturing customer testimony from Shaw Industries. Industrial Cyber highlighted that microsegmentation ranks first among planned Zero Trust initiatives yet sits at just 24% in current deployment, a gap that hits hardest in industrial environments where OT visibility is already thin. Read the Industrial Cyber coverage.

Cyber Insurance News reframed the survey as an underwriting problem, noting that binary "do you have segmentation, yes or no" questionnaires can't distinguish legacy VLAN architectures from modern identity-based segmentation. Their analysis emphasized that agent-based tools cannot protect PLCs, HMIs, or industrial control systems, exactly the assets that ransomware operators target for maximum operational impact. Read the Cyber Insurance News coverage.

CYBR.SEC.Media built its piece around the "say-do gap" language (99% want microsegmentation, 9% achieve it) and surfaced concrete operational consequences for manufacturers: production halts, hijacked industrial robots, and ransomware moving laterally between plants. Their coverage included Elisity CEO James Winebrenner's perspective on the resource constraints security teams face when extending segmentation across OT environments. Read the CYBR.SEC.Media coverage.

Further reading

Infographic: The microsegmentation say-do gap at a glance

[Infographic: Elisity + Omdia microsegmentation and Zero Trust security survey, summarizing the say-do gap, lateral movement risk, and identity-based microsegmentation findings.]
Source: Elisity + Omdia 2025 microsegmentation & zero trust security survey (N=352).

About the author

William Toll is Head of Product Marketing at Elisity, where he focuses on network segmentation, Zero Trust architecture, and cybersecurity for critical infrastructure. He leads Elisity's research initiatives and works closely with industry analysts, customers, and technology partners to advance identity-based microsegmentation for IT, OT, and IoT environments.
