Quick answer: OT security protects operational technology, the industrial control systems, PLCs, and connected devices that run physical processes. The most resilient programs pair detection and monitoring with segmentation and enforcement. Identity-based microsegmentation enforces IEC 62443 zones and conduits, agentlessly and over any data plane, so IT and OT networks are separated without production downtime.
This buyer’s guide to OT security and IT/OT convergence is written for the team that owns the seam between the enterprise network and the plant floor. It explains the two distinct categories of the operational technology security market, how to segment IT and OT networks in a manufacturing plant without causing downtime, how identity-based zones and conduits satisfy IEC 62443, and what the best network access control for operational technology looks like when legacy programmable logic controllers cannot run an agent or an 802.1X supplicant.
“Detection tells you an attacker is inside. Enforcement decides whether they can move. A mature OT security program needs both, and the enforcement layer is where identity-based microsegmentation belongs.” Elisity, on the segmentation-and-enforcement lane of OT security
On this page
- What is OT security?
- The two lanes of the OT security market
- IT/OT convergence and the Purdue Model boundary
- How to segment IT and OT networks without downtime
- The best network access control for operational technology
- IEC 62443 zones and conduits
- Selection criteria for an OT segmentation and enforcement solution
- Frequently asked questions
What is OT security?
OT security is the discipline of protecting operational technology: the hardware and software that monitors and controls physical equipment, processes, and events in industrial environments. It covers industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLCs), and the growing population of connected sensors on the factory floor. Where IT security optimizes for confidentiality, OT security optimizes for safety and availability, because an interruption on a production line is not an inconvenience; it is a stopped process and lost output.
The stakes have moved from theoretical to operational. According to the SANS 2025 State of ICS/OT Security Survey, 22% of organizations experienced a cybersecurity incident affecting their ICS or OT systems in the past year, and 40% of those incidents caused operational disruption. Dragos reported 708 ransomware incidents hitting industrial entities in the first quarter of 2025 alone, with manufacturing absorbing 68% of them. The same Dragos analysis estimates OT cyber incidents put 329.5 billion dollars per year at risk globally, with 172.4 billion dollars of that figure coming from business interruption.
Two structural facts make OT harder to secure than IT. First, asset lifecycles are long: where IT refreshes hardware every three to five years, OT equipment commonly runs for 15 to 25 years, which means production environments are full of devices that predate modern authentication. Second, those devices speak proprietary industrial protocols, such as Modbus, DNP3, and EtherNet/IP, that were designed for reliability on an isolated network, not for a world where the plant floor is reachable from the enterprise network. As Claroty research has found, 55% of OT environments contain four or more remote access tools, each one a path an attacker can use to move laterally toward a controller.

The two lanes of the OT security market
Buyers are often told they need one OT security product, then discover that the leading platforms solve fundamentally different problems. The market divides into two complementary lanes. Understanding the split is the single most useful thing a buyer can do, because the two lanes are bought together, not instead of each other.
| Dimension | Lane 1: Detection and Monitoring | Lane 2: Segmentation and Enforcement |
|---|---|---|
| Core question | What is on the network and is it under attack? | Which devices may talk to which, and can we stop the rest? |
| Primary action | Discover, alert, investigate | Permit, deny, contain |
| Representative vendors | Dragos, Claroty, Nozomi Networks, Armis, Tenable, Microsoft Defender for IoT | Elisity, Forescout, Zero Networks, ColorTokens |
| Blocks lateral movement? | Alerts on it | Prevents it at the policy boundary |
| IEC 62443 fit | Detect and respond capabilities | Implements the zones and conduits requirement |
Lane 1, detection and monitoring, is the category most people picture when they hear OT security, and it is well represented in analyst coverage. The Gartner Magic Quadrant for CPS Protection Platforms (February 2025) named Claroty, Dragos, Microsoft, Armis, and Nozomi Networks as Leaders. These are strong tools, and the descriptions are not a criticism: Dragos brings deep OT-native threat intelligence and incident response, Claroty offers the broadest cyber-physical asset inventory across IT, OT, and IoT, Nozomi Networks provides large-scale distributed visibility with AI-driven analytics, Armis delivers the widest agentless device discovery (now part of ServiceNow after a 7.75 billion dollar acquisition reported in 2026), and Tenable extends vulnerability management into OT. A monitoring platform tells you what is connected and when something looks wrong.
Lane 2, segmentation and enforcement, answers a different question: once you know what is on the network, which devices are actually permitted to communicate, and can the rest be stopped before an attacker reaches a controller? This is the lane Elisity occupies, alongside enforcement-oriented vendors such as Forescout, Zero Networks, and ColorTokens. The two lanes coexist. A plant that already runs Dragos or Claroty for monitoring still needs an enforcement layer to contain lateral movement, and a plant that segments with identity-based microsegmentation still benefits from OT-native threat detection. The mistake is treating them as substitutes.
The buyer who owns IT/OT convergence usually needs one product from each lane. Detection without enforcement leaves lateral movement unblocked. Enforcement without detection leaves threats unseen. Elisity sits in the enforcement lane and integrates with the monitoring platforms most plants already run.
For a fair, side-by-side profile of the monitoring-lane and enforcement-lane vendors, see our comparison of leading OT and ICS security vendors for 2026.
IT/OT convergence and the Purdue Model boundary
IT/OT convergence is the integration of enterprise information technology with plant-floor operational technology, so that production data flows to business systems and remote access reaches industrial assets. It delivers real operational value, and it dissolves the air gap that once protected OT by accident. The risk concentrates at one place: the boundary between Level 3 and Levels 3.5 to 4 of the Purdue Enterprise Reference Architecture (ISA-95), where the manufacturing operations zone meets the enterprise zone. That boundary is the most common entry point for lateral movement from a compromised laptop into the control network.
| Level | Zone | Example assets | Convergence exposure |
|---|---|---|---|
| Levels 4 to 5 | Enterprise | ERP, email, business systems | Origin of most IT-side compromise |
| Level 3.5 | Industrial demilitarized zone | Jump hosts, data brokers, patch servers | The primary IT/OT chokepoint to enforce |
| Level 3 | Manufacturing operations | Historians, MES, engineering workstations | First OT zone an intruder reaches |
| Levels 0 to 2 | Process and control | PLCs, RTUs, sensors, actuators, HMIs | Highest-consequence, least defensible |
Regulators have caught up to this risk. In July 2025, the Cybersecurity and Infrastructure Security Agency (CISA) described microsegmentation as a critical component of zero trust architecture applicable to any technology environment, naming IT, OT, ICS, and IoT explicitly. In November 2025, the U.S. Department of Defense published 105 mandatory zero trust activities extending to OT systems. These are not optional frameworks: they make segmentation and enforcement a required OT control rather than a discretionary upgrade. For a deeper treatment of the standard that operationalizes this, see our IEC 62443 segmentation white paper.
How do I segment IT and OT networks in a manufacturing plant without causing downtime?
The objection that stalls most OT segmentation projects is operational, not technical: will this break production? It is a fair concern, because the traditional path to segmentation, re-addressing the network, building new VLANs, and inserting inline firewalls, requires change windows, re-cabling, and the cooperation of every team that touches the line. That path can take a year per site. Identity-based microsegmentation avoids it by enforcing policy on the network infrastructure already in place, with no agents on OT devices and no re-architecture, so segmentation can be applied over any data plane without a forklift upgrade.
The reliable pattern is observe-then-enforce. You discover every asset and map its real communication, run policy in a monitor-only mode to confirm nothing legitimate is blocked, then promote the policy to enforcement once the traffic is understood. This is how a manufacturing plant segments IT from OT without downtime: the network keeps running while the policy model is built, and enforcement is switched on only after the behavior is verified.
| Phase | Goal | Production impact |
|---|---|---|
| 1. Discover | Identify every device and classify it by identity attributes, no agent required | None (passive) |
| 2. Map | Baseline real communication flows between assets and zones | None (observe) |
| 3. Model | Draft zone-and-conduit policy in monitor-only mode | None (simulated) |
| 4. Enforce IT/OT boundary | Promote policy at the Level 3.5 chokepoint first | Controlled, reversible |
| 5. Enforce intra-OT | Extend conduits between OT zones and individual cells | Incremental, per zone |
At GSK, identity-based microsegmentation cut total cost of ownership by 75% and accelerated deployment from one year per site to three to four sites per week. Andelyn Biosciences implemented more than 2,700 microsegmentation policies within weeks. These are outcomes from no-downtime, agentless enforcement on existing infrastructure. Source: Elisity customer results
The same observe-then-enforce discipline applies wherever uptime is sacred, and the principle carries into other regulated, high-availability environments as well, though the specific controls differ by sector. For the manufacturing-specific walkthrough, see our industrial microsegmentation solution for manufacturing and the deeper how-to on OT segmentation that enhances network security. The related discipline of blocking lateral movement with microsegmentation is what makes the containment real.

What is the best network access control for operational technology?
The best network access control for operational technology is one that does not depend on the device cooperating. Traditional network access control was built around 802.1X, a protocol that assumes each endpoint runs a supplicant and can authenticate itself. Most OT assets cannot: a PLC, an RTU, or a legacy human-machine interface has no supplicant, no agent, and frequently no spare compute to run one. This is why classic NAC stalls in OT, a problem we examine in detail in why NAC projects stall.
The alternative is identity-based access control that derives a device identity from attributes the device already exposes, its behavior, fingerprint, and context, rather than from an agent it cannot run. Policy then follows identity wherever the device connects, and enforcement happens on the existing network infrastructure over any data plane. Vendors in the OT-aware access control conversation include Forescout, which is strong on agentless discovery and enforcement, Cisco ISE for 802.1X-first environments, Fortinet, Aruba Networks, and OPSWAT. Elisity earns its place in this set by enforcing identity-based policy without agents and without requiring 802.1X on the controller.
| Approach | How identity is established | Works on legacy PLCs? | Agent required? |
|---|---|---|---|
| 802.1X NAC | Endpoint supplicant authenticates | No (no supplicant) | Effectively yes |
| MAC-based control | Hardware address allow-list | Partially (spoofable) | No |
| Identity-based microsegmentation | Behavior, fingerprint, and context attributes | Yes | No (agentless) |
Related reading: network visibility and microsegmentation, network asset discovery, and simplifying IoT segmentation for enterprises.
IEC 62443 zones and conduits
IEC 62443 is the international standard for industrial automation and control system security, and its central architectural idea maps directly onto segmentation. The standard organizes a plant into zones, groups of assets with a shared security level, connected by conduits, the controlled communication paths between zones. Achieving an IEC 62443 security level is, in practice, a segmentation and enforcement exercise: define the zones, define the conduits, and enforce that only permitted traffic crosses a conduit. Identity-based microsegmentation implements this directly, with policy attached to device identity rather than to a static firewall rule or a network address.
| Security Level | Threat it resists | What the conduit must enforce |
|---|---|---|
| SL 1 | Casual or coincidental violation | Foundational zone separation |
| SL 2 | Intentional, low-resource attacker | Identity-aware, least-privilege conduits |
| SL 3 | Skilled attacker with OT-specific knowledge | Continuous, context-aware enforcement |
| SL 4 | Sophisticated, well-resourced adversary | Granular, monitored, verifiable conduits |
Most existing IEC 62443 guidance stops at telling you to create zones and conduits. The harder question is how to enforce a conduit when the assets inside it cannot run an agent and cannot be taken offline for re-cabling. That is the brownfield reality of nearly every operating plant, and it is exactly where an agentless, identity-based approach earns its place. A dedicated walkthrough of this lives on our IEC 62443 compliance page, and the standard’s controls are detailed in our IEC 62443 segmentation white paper and our overview of network segmentation compliance best practices.
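To make the observe-then-enforce rollout and the zone-and-conduit model concrete, here is an added example in Python. It is not code from this page or from Elisity's product; every device name, role, conduit and flow in it is constructed for illustration, and the zones with their Purdue levels follow the table in the convergence section above. The policy keys conduits on device identity (role) rather than on an address, runs the draft in monitor-only mode over the baselined flows, refuses to switch on enforcement until each would-be denial has been reviewed by an operator, enforces the Level 3.5 boundary first, and only then extends enforcement to the intra-OT conduits.

```python
"""Observe-then-enforce walkthrough for IEC 62443 zones and conduits.

Added example: the devices, roles, conduits and flows below are constructed
for illustration and do not describe any real plant or product.
"""
from dataclasses import dataclass

# Purdue level of each constructed zone; the Level 3.5 (IDMZ) boundary test uses it.
ZONE_LEVEL = {"enterprise": 4.0, "idmz": 3.5, "mfg_ops": 3.0, "control": 2.0}

MONITOR, ENFORCE_BOUNDARY, ENFORCE_ALL = "monitor", "enforce_boundary", "enforce_all"


@dataclass(frozen=True)
class Device:
    name: str
    zone: str
    role: str  # identity attribute the conduits key on, not an IP or MAC address


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


class ConduitPolicy:
    """Conduits are (src_role, dst_role, {(proto, dport), ...}); any other flow is a violation."""

    def __init__(self, devices, conduits, mode=MONITOR):
        self.devices = {d.name: d for d in devices}
        self.conduits = list(conduits)
        self.mode = mode

    def permitted(self, flow):
        src, dst = self.devices[flow.src], self.devices[flow.dst]
        return any(src.role == s and dst.role == d and (flow.proto, flow.dport) in allowed
                   for s, d, allowed in self.conduits)

    def _enterprise_side(self, name):
        return ZONE_LEVEL[self.devices[name].zone] >= 3.5

    def crosses_idmz(self, flow):
        """True when the flow spans the Level 3.5 boundary between enterprise and plant."""
        return self._enterprise_side(flow.src) != self._enterprise_side(flow.dst)

    def simulate(self, flows):
        """Phase 3: monitor-only dry run; returns the baselined flows the draft would deny."""
        return [f for f in flows if not self.permitted(f)]

    def promote(self, baseline, to_mode, acknowledged):
        """Switch modes only when every would-be denial has been reviewed (a conduit was
        added, or the flow was acknowledged as unwanted). Returns flows still unreviewed."""
        unreviewed = [f for f in self.simulate(baseline) if f not in acknowledged]
        if not unreviewed:
            self.mode = to_mode
        return unreviewed

    def decide(self, flow):
        """Verdict under the current mode: ('allow' | 'deny', reason)."""
        if self.permitted(flow):
            return "allow", "conduit"
        if self.mode == ENFORCE_ALL:
            return "deny", "no conduit"
        if self.mode == ENFORCE_BOUNDARY and self.crosses_idmz(flow):
            return "deny", "no conduit across the IDMZ"
        return "allow", "logged, would deny"  # monitor mode, or intra-OT during phase 4


# Constructed inventory (phase 1) and draft conduit list (phase 3).
DEVICES = [
    Device("laptop-01", "enterprise", "corp_laptop"),
    Device("jump-01", "idmz", "jump_host"),
    Device("hist-01", "mfg_ops", "historian"),
    Device("mes-01", "mfg_ops", "mes"),
    Device("ews-01", "mfg_ops", "engineering_ws"),
    Device("plc-01", "control", "plc"),
]
DRAFT_CONDUITS = [
    ("corp_laptop", "jump_host", frozenset({("https", 443)})),
    ("jump_host", "engineering_ws", frozenset({("rdp", 3389)})),
    ("engineering_ws", "plc", frozenset({("modbus", 502)})),
    ("historian", "plc", frozenset({("modbus", 502)})),
]
# Constructed baseline of observed flows (phase 2).
BASELINE = [
    Flow("laptop-01", "jump-01", "https", 443),
    Flow("jump-01", "ews-01", "rdp", 3389),
    Flow("ews-01", "plc-01", "modbus", 502),
    Flow("hist-01", "plc-01", "modbus", 502),
    Flow("mes-01", "hist-01", "https", 443),    # legitimate, but missing from the draft
    Flow("laptop-01", "plc-01", "modbus", 502),  # enterprise laptop reaching a controller
    Flow("hist-01", "plc-01", "smb", 445),       # intra-OT flow outside its conduit
]


def walkthrough():
    """Run phases 3 to 5 and return (gaps before review, gaps after review, phase 4, phase 5)."""
    policy = ConduitPolicy(DEVICES, DRAFT_CONDUITS)
    gaps_before = policy.simulate(BASELINE)
    # Operator review: MES -> historian is legitimate traffic, so add its conduit...
    policy.conduits.append(("mes", "historian", frozenset({("https", 443)})))
    gaps_after = policy.simulate(BASELINE)
    # ...and acknowledge the remaining gaps as traffic that should be blocked.
    policy.promote(BASELINE, ENFORCE_BOUNDARY, acknowledged=set(gaps_after))  # phase 4
    phase4 = {f: policy.decide(f)[0] for f in BASELINE}
    policy.promote(BASELINE, ENFORCE_ALL, acknowledged=set(gaps_after))       # phase 5
    phase5 = {f: policy.decide(f)[0] for f in BASELINE}
    return gaps_before, gaps_after, phase4, phase5


if __name__ == "__main__":
    before, after, p4, p5 = walkthrough()
    print(f"draft would deny {len(before)} flows; {len(after)} remain after review")
    for flow in BASELINE:
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: phase 4 {p4[flow]}, phase 5 {p5[flow]}")
```

The design choice worth noting is in `promote`: the mode switch is gated on the dry run, so the policy cannot be enforced while the baseline still contains a flow nobody has looked at. That is the mechanical form of "confirm nothing legitimate is blocked". In phase 4 the historian's SMB flow to the controller is still only logged, because it does not cross the Level 3.5 boundary; it is denied once phase 5 extends enforcement into the OT zones.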
Selection criteria for an OT segmentation and enforcement solution
When evaluating the enforcement lane specifically, separate from a monitoring purchase, five criteria separate a solution that ships from one that stalls in pilot.
| Criterion | Why it matters in OT | Question to ask |
|---|---|---|
| Agentless operation | PLCs and legacy assets cannot host an agent | Does enforcement require anything installed on the device? |
| No-downtime deployment | Production cannot stop for a security project | Is there a monitor-only mode before enforcement? |
| Any data plane | No appetite for a hardware forklift upgrade | Does it use the network infrastructure already installed? |
| Identity-based policy | Static IP and VLAN rules drift and decay | Does policy follow the device or the address? |
| Monitoring integration | Enforcement should coexist with Lane 1 tools | Does it ingest context from the monitoring platform in place? |
On the integration point, the enforcement lane is strongest when it consumes the asset context the monitoring lane already produces. Elisity integrates with the cyber-physical visibility platforms many plants run, so an existing monitoring investment feeds the enforcement decision rather than competing with it. See our integrations overview and the Elisity and Claroty xDome integration for how monitoring context becomes enforcement policy.
Frequently asked questions about OT security
What is OT security?
OT security protects operational technology, the industrial control systems, SCADA, DCS, PLCs, and connected devices that monitor and control physical processes. It prioritizes safety and availability over the confidentiality focus of IT security, because an interruption to a control system stops production. A complete OT security program combines detection and monitoring with segmentation and enforcement.
How do I segment IT and OT networks in a manufacturing plant without causing downtime?
Use an observe-then-enforce approach. Discover and classify every asset by identity, map real communication flows, run policy in a monitor-only mode to confirm nothing legitimate is blocked, then promote to enforcement at the IT/OT boundary first and extend into the OT zones from there. Identity-based microsegmentation does this agentlessly on existing network infrastructure over any data plane, so the line keeps running while the policy model is built.
What is the best network access control for operational technology?
The best network access control for operational technology does not rely on 802.1X or an agent, because most OT assets, including legacy PLCs and RTUs, cannot run a supplicant. Identity-based access control derives a device identity from behavior, fingerprint, and context, then enforces least-privilege policy on the existing infrastructure. Forescout, Cisco, Fortinet, Aruba Networks, and OPSWAT appear in the OT access control conversation; Elisity provides the agentless, identity-based enforcement alternative.
What is the difference between OT monitoring and OT enforcement?
Monitoring discovers assets and alerts on suspicious activity; it tells you an attacker is present. Enforcement decides which devices may communicate and blocks the rest; it stops the attacker from moving. Detection vendors such as Dragos, Claroty, and Nozomi Networks lead the monitoring lane, while enforcement vendors such as Elisity, Forescout, and Zero Networks lead the segmentation lane. Most mature programs run one product from each lane.
How does microsegmentation support IEC 62443 compliance?
IEC 62443 organizes a plant into zones connected by conduits and assigns each zone a security level. Microsegmentation implements that model directly: it defines zones, enforces conduits, and ensures only permitted traffic crosses each boundary. Identity-based microsegmentation attaches policy to device identity rather than to a static address or firewall rule, which makes least-privilege conduits practical even in brownfield environments with legacy controllers.
Can OT segmentation be deployed without agents on devices?
Yes. Agentless segmentation establishes device identity from observed behavior, fingerprint, and context, then enforces policy on the network infrastructure already present. This matters because PLCs, SCADA endpoints, and legacy human-machine interfaces frequently cannot accept an agent or an 802.1X supplicant. Agentless, identity-based enforcement is what lets segmentation reach the assets a traditional approach cannot.
Related OT security resources from Elisity
- Leading OT and ICS security vendors for 2026, compared
- OT segmentation to enhance network security
- Industrial microsegmentation for manufacturing
- IEC 62443 segmentation white paper
- Network segmentation compliance best practices
- Block lateral movement with microsegmentation
- Why NAC projects stall, and the alternatives
- What is microsegmentation?
- Microsegmentation vs. network segmentation
- Elisity integrations overview
- Gartner Cool Vendor in Cyber-Physical Systems Security, 2025
- Omdia microsegmentation report
- The Elisity platform
- Network visibility and microsegmentation
- Network asset discovery for microsegmentation
- Simplifying IoT segmentation for enterprises
- Zero trust microsegmentation
- Enterprise microsegmentation
- Elisity awards and recognition
- Securing OT: Elisity integration with Claroty xDome
About the author
William Toll is Head of Product Marketing at Elisity, where he leads go-to-market strategy for identity-based microsegmentation. He focuses on how modern, agentless network security helps organizations address real operational challenges across manufacturing, healthcare, and vital infrastructure. Connect with William on LinkedIn.
