
OT Segmentation Guide


How to Segment IT and OT Without Downtime

Segment IT and OT networks in a manufacturing plant without downtime using identity-based, agentless microsegmentation. A phased, observe-first playbook.

You segment IT and OT without downtime by deploying identity-based microsegmentation in observe mode first, learning every flow before any policy enforces, then activating zones and conduits in phases. Agentless enforcement over any data plane means legacy PLCs keep running while you secure the IT/OT boundary.

Elisity customers deploy identity-based OT microsegmentation in weeks, not the 18 to 36 months typical of forklift segmentation projects, with no production stoppage and no agents on a single PLC or SCADA host.

Elisity deployment data, identity-based microsegmentation platform

Manufacturing leaders ask one question before any segmentation project: will this stop the line? It is the right question. A misfired access rule that drops a Modbus or EtherNet/IP flow between a controller and its historian does not generate a help-desk ticket. It halts production. This guide lays out the observe-first, agentless playbook Elisity uses to segment IT and OT in a live plant without that risk, and explains where it fits alongside the OT monitoring tools you may already run.

If you want to see the phased rollout applied to your own plant topology, you can book an Elisity demo or review the industrial microsegmentation solution for the manufacturing reference architecture.


Figure: Purdue model diagram with the IT and OT boundary highlighted as the segmentation point between IT and OT. The IT and OT boundary is the natural place to apply segmentation across the Purdue model.

Why Downtime, Not Security, Is the Real Blocker to OT Segmentation

Plant operators are not unconvinced that segmentation works. They are unconvinced that it can be deployed without breaking something that runs every shift. That fear is grounded in real numbers. Unplanned downtime costs industrial manufacturers an estimated 11 percent of annual revenue, roughly 1.5 trillion dollars across the sector, according to Siemens research published in 2024. A single hour of stopped production at a large automotive plant can exceed 2 million dollars, a figure widely cited in Siemens and Deloitte manufacturing-downtime studies.

The security case for segmentation is not in dispute. The SANS 2025 ICS/OT Cybersecurity Survey found that 50 percent of OT incidents began with unauthorized external access and 38 percent involved ransomware. Verizon reports in its 2024 Data Breach Investigations Report that lateral movement is a factor in a majority of breaches that reach critical systems. Segmentation is the recognized control for both. The gap is execution: how to enforce zones and conduits in a brownfield plant without a maintenance window long enough to matter.

The question is never whether to segment. It is how to segment a network that cannot be powered down. Identity-based, agentless enforcement answers that by learning before it acts.

The rest of this page is organized around that constraint. Every step is designed so that no enforcement decision is made until the platform has seen the traffic it would govern. For the standards-mapped version of this work, see our guide to IEC 62443 compliance with identity-based microsegmentation, and for the broader category overview, the OT security hub.

Start at the Purdue Level 3-4 Boundary

The Purdue Enterprise Reference Architecture, standardized in ISA-95, organizes a plant into levels. Levels 0 through 3 are operational technology: sensors, controllers, supervisory systems, and the manufacturing operations layer. Levels 4 and 5 are information technology: site business systems and the enterprise. The seam between Level 3 and Level 4 is where IT and OT converge, and it is the single highest-value place to begin segmenting, because it is the path an attacker takes from a phished laptop into a controller.

CISA, in July 2025 guidance, named microsegmentation a critical component of zero trust architecture applicable to IT, OT, ICS, and IoT environments. The United States Department of Defense, in November 2025, published 105 mandatory zero trust activities that extend to OT systems. Both signals point to the same starting line: enforce identity-aware policy at the IT/OT boundary first, then work inward.

Table 1. Purdue Model levels and where segmentation applies

Level | Name | What lives here | Segmentation priority
5 | Enterprise | Corporate IT, cloud, email | Existing IT controls
4 | Site business | ERP, MES front end, plant IT | Phase 1 boundary (highest)
3 | Operations | Historians, MES, jump hosts | Phase 1 boundary (highest)
2 | Supervisory | HMIs, SCADA servers | Phase 2 intra-OT
1 | Control | PLCs, RTUs, controllers | Phase 3 cell/zone
0 | Process | Sensors, actuators, drives | Protected by zone above

Source: Purdue Enterprise Reference Architecture (ISA-95); segmentation phasing per Elisity deployment practice.

Observe First: Learn Every Flow Before Anything Enforces

The single behavior that separates a no-downtime rollout from a risky one is observe mode. Before any policy blocks a packet, the platform builds a complete map of what talks to what: every device, every flow, every protocol, every direction. Only after that map is reviewed and confirmed does a policy move from simulated to enforced. This is the equivalent of a fire drill before the alarm is armed. You see exactly which doors a real policy would close, and you close them on purpose.

Elisity discovers assets and flows passively by mirroring traffic at the existing access layer. There is no scan that could disturb a fragile controller and no probe that an OT engineer has to approve. The platform classifies each device by identity attributes such as device type, manufacturer, operating system, and behavioral profile, then proposes least-privilege policy from observed reality rather than from a hand-built spreadsheet that is stale the day it ships.

Table 2. Observe mode vs. enforce mode

Capability | Observe mode | Enforce mode
Traffic effect | None. Production untouched | Policy applied at access layer
Flow visibility | Full device-to-device map | Continuous, with violation alerts
Policy state | Simulated. Shows would-block | Active. Blocks unauthorized flows
Rollback | Not applicable | One click back to observe
Risk to line | Zero | Bounded by reviewed policy

The one-click rollback in the final row is what makes the difference defensible to a plant manager. Enforcement is never a point of no return. If a newly enforced conduit surfaces a flow nobody knew about, the policy reverts to observe instantly while the flow is reviewed. For a deeper treatment of how this maps to flow discovery, see network asset discovery for microsegmentation and network visibility and microsegmentation.

Why Agentless Is Non-Negotiable on the Factory Floor

This page also answers a third question: how to secure connected devices on the factory floor without deploying agents everywhere. Agentless is not a preference. It is a hard constraint. A controller running a real-time operating system cannot host a security agent. A 15-year-old human-machine interface running an unsupported operating system cannot accept one either. Industrial assets stay in service far longer than IT equipment: a typical OT asset refresh cycle runs 15 to 25 years against 3 to 5 years for IT, which means most of the floor will never run an agent in its operational life.

The same logic rules out an 802.1X-first approach to network access control. A programmable logic controller has no supplicant and never will. This is why legacy network access control projects stall in OT, a pattern we examine in why NAC projects stall. Identity-based microsegmentation takes the opposite path: it derives identity from observed attributes and enforces over the data plane that already exists, so no device has to authenticate itself or run any software it cannot support.

Table 3. Why three common approaches stop the line, and why agentless does not

Approach | Downtime risk on the floor | Works on legacy PLC/SCADA?
Re-architect VLANs and re-cable | High. Requires maintenance windows | Yes, but disruptive
Endpoint agents | High. Many devices cannot host one | No
802.1X network access control | High. No supplicant on controllers | No
Identity-based, agentless microsegmentation | None in observe mode; bounded in enforce | Yes

Asset lifecycle figures: OT refresh 15-25 years vs. IT 3-5 years, a range commonly reported across industrial-automation lifecycle studies.

Because enforcement runs over any data plane, an organization can apply policy on the infrastructure it already owns rather than buying new hardware. Related reading: simplifying IoT segmentation, asset discovery, and the Elisity platform overview.

The Phased Rollout: IT/OT Boundary First, Then Inward

A no-downtime program is sequenced, never flipped on all at once. Each phase ends in enforcement only after its own observe period confirms the policy is safe. The order below moves from the highest-value, lowest-risk boundary outward to the cells, so that early wins build the confidence required to enforce deeper in the plant.

Table 4. Four-phase no-downtime rollout

Phase | Scope | Goal | Downtime
0 Discover | Whole plant, observe only | Full asset and flow map | None
1 Boundary | Level 3-4 IT/OT seam | Enforce the convergence conduit | None
2 Intra-OT | Supervisory and operations zones | Contain east-west movement | None
3 Cell/zone | Control-level cells per IEC 62443 | Least-privilege conduits per zone | None

Phase 1 alone closes the path that most ICS intrusions travel. Containing east-west movement in Phase 2 directly counters the lateral-movement pattern that Verizon and other breach reporting identify as the dominant escalation step. By Phase 3, the plant has zones and conduits aligned to IEC 62443 without a single forklift change. The full standards mapping lives on the IEC 62443 compliance page; customers who want the proof point can read how one regulated manufacturer reached zero trust in weeks.

See it on your plant. Walk a phased rollout against your own Purdue topology with an Elisity engineer. Request a demo or explore the industrial manufacturing solution and the dedicated OT segmentation solution.

Figure: Two-phase flow showing Observe (learn flows) then Enforce (apply policy) with no downtime. Observe first to learn the traffic, then enforce policy so segmentation goes live with no downtime.

Legacy PLCs, SCADA, and Protocol Exceptions

The hardest part of any OT segmentation effort is the equipment that cannot change. Controllers speak industrial protocols such as Modbus, DNP3, and EtherNet/IP that were designed for reliability on a trusted wire, not for authentication. A policy engine that does not understand these flows will either block legitimate control traffic or be left so permissive that it provides no protection. Identity-based microsegmentation handles this by treating each protocol flow as an attribute of the conversation, so a conduit can permit exactly the controller-to-historian Modbus path it observed and deny everything else.

Table 5. Legacy OT constraints and how agentless enforcement handles each

Constraint | Why it breaks other approaches | Agentless identity-based handling
No agent host | RTOS cannot run endpoint software | Enforcement at access layer, none on device
No 802.1X supplicant | Port-auth NAC cannot onboard it | Identity from observed attributes, no supplicant
Fragile to scanning | Active probes can crash controllers | Passive discovery, no active scan
Industrial protocols | Generic rules block control traffic | Protocol-aware conduits per observed flow
Long lifecycle | Forklift upgrades not viable | Overlay on existing infrastructure

The same principles that keep a manufacturing line running apply in other environments with long-lived, agentless devices, including healthcare; that work lives in a separate healthcare solution and is out of scope here. For protecting industrial control systems from cyber attacks using network segmentation, the through line is constant: contain lateral movement, enforce least privilege per conduit, and never require the controller to change. See also blocking lateral movement with microsegmentation.
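The observe-then-enforce sequence, the phase ordering in Table 4, and the protocol-aware conduit described just above can be modelled in a few dozen lines. The following is an added example written for this page, not Elisity's code or API. It assumes a constructed asset inventory already classified with Purdue levels (Table 1) and a constructed list of flows as a passive mirror would report them; the names (Segmenter, phase_for, verdict, the device names and ports) are all hypothetical. Each observed flow becomes a proposed conduit keyed on source, destination, protocol and port; a flow never seen gets the verdict "would-block" while its governing phase is still observing, "block" only once that phase is enforced, and "review" if either endpoint is unclassified, so nothing is ever enforced on an asset the platform has not identified. Rolling a phase back returns its verdicts to simulated.

```python
# Added example (not Elisity code): a minimal observe-first conduit model.
# Inventory and flows are constructed sample data; level numbers follow Table 1.
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: device name -> (device type, Purdue level).
INVENTORY = {
    "erp-01": ("ERP server", 4),
    "laptop-77": ("Engineering laptop", 4),
    "mes-01": ("MES server", 3),
    "hist-01": ("Historian", 3),
    "hmi-01": ("HMI", 2),
    "plc-01": ("PLC", 1),
    "plc-02": ("PLC", 1),
}

# Constructed flows as a passive mirror would report them: (src, dst, protocol, port).
OBSERVED_FLOWS = [
    ("erp-01", "mes-01", "tcp", 443),
    ("mes-01", "hist-01", "tcp", 1433),
    ("hist-01", "plc-01", "modbus", 502),
    ("hmi-01", "plc-01", "enip", 44818),
    ("hmi-01", "plc-02", "enip", 44818),
]


def phase_for(level_a: int, level_b: int) -> Optional[int]:
    """Rollout phase (Table 4) whose conduit governs a flow between two Purdue levels.

    Returns None for flows entirely inside IT (Levels 4-5); those stay under
    existing IT controls rather than OT segmentation policy."""
    lo, hi = sorted((level_a, level_b))
    if hi >= 4 and lo <= 3:
        return 1          # crosses the Level 3-4 IT/OT seam: Phase 1 boundary
    if lo >= 4:
        return None       # IT-to-IT, out of scope
    if lo <= 1:
        return 3          # touches a control-level cell (Levels 0-1): Phase 3
    return 2              # east-west inside supervisory/operations (Levels 2-3): Phase 2


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    protocol: str       # protocol is part of the conduit identity, not just an address pair
    port: int
    phase: Optional[int]


class Segmenter:
    """Learns conduits in observe mode, enforces per phase, rolls back per phase."""

    def __init__(self, inventory):
        self.inventory = inventory
        self.conduits = {}            # (src, dst, protocol, port) -> Conduit
        self.unclassified = set()     # endpoints seen but absent from the inventory
        self.enforced_phases = set()

    def observe(self, flows):
        """Observe mode: every seen flow becomes a proposed conduit; nothing is blocked."""
        for src, dst, protocol, port in flows:
            if src not in self.inventory or dst not in self.inventory:
                self.unclassified.update(x for x in (src, dst) if x not in self.inventory)
                continue
            phase = phase_for(self.inventory[src][1], self.inventory[dst][1])
            self.conduits[(src, dst, protocol, port)] = Conduit(src, dst, protocol, port, phase)

    def conduits_by_phase(self):
        """Grouping used for the review step before a phase is moved to enforce."""
        grouped = {}
        for c in self.conduits.values():
            grouped.setdefault(c.phase, []).append(c)
        return grouped

    def enforce(self, phase: int):
        self.enforced_phases.add(phase)

    def rollback(self, phase: int):
        """One-click rollback: the phase returns to observe and its verdicts become simulated."""
        self.enforced_phases.discard(phase)

    def verdict(self, src, dst, protocol, port) -> str:
        """'allow' for a learned conduit, 'would-block' while the governing phase is still
        observing, 'block' once it is enforced, 'review' if an endpoint is unclassified."""
        if src not in self.inventory or dst not in self.inventory:
            return "review"
        if (src, dst, protocol, port) in self.conduits:
            return "allow"
        phase = phase_for(self.inventory[src][1], self.inventory[dst][1])
        if phase is None:
            return "allow"            # IT-to-IT traffic is outside OT segmentation scope
        return "block" if phase in self.enforced_phases else "would-block"


if __name__ == "__main__":
    seg = Segmenter(INVENTORY)
    seg.observe(OBSERVED_FLOWS)
    for phase, conduits in sorted(seg.conduits_by_phase().items(), key=lambda kv: kv[0] or 0):
        print(f"Phase {phase}: {len(conduits)} proposed conduit(s)")
    probe = ("laptop-77", "plc-01", "modbus", 502)   # constructed: never observed, crosses the seam
    print("before enforce:", seg.verdict(*probe))    # would-block
    seg.enforce(1)
    print("after enforce(1):", seg.verdict(*probe))  # block
    seg.rollback(1)
    print("after rollback(1):", seg.verdict(*probe)) # would-block
```

Two design points carry over to a real deployment. A never-observed laptop-to-PLC Modbus flow is "would-block" throughout observe mode and only becomes "block" after Phase 1 is enforced, so the review list already shows what enforcement will close before it closes anything. An east-west flow between the HMI and the historian that was not observed stays "would-block" after Phase 1, because Phase 2 has not been enforced yet; enforcing the boundary never silently changes behaviour deeper in the plant.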

Monitoring and Enforcement Are Different Jobs

Many plants already run an OT monitoring platform, and they should. Vendors in the OT detection and visibility category are very good at what they do. Dragos brings deep OT threat intelligence and incident response. Claroty maintains one of the broadest cyber-physical asset inventories across IT, OT, and IoT. Nozomi Networks offers strong large-scale distributed visibility with AI-driven analytics. Armis, now part of ServiceNow, provides wide agentless asset visibility across the device estate. These platforms tell you what is happening on the network with precision.

Detection and enforcement answer different questions. Monitoring tells you that an unauthorized flow occurred. Enforcement stops the flow from occurring. A plant that has invested in monitoring still needs a control that blocks lateral movement at the moment it is attempted, not a control that reports it afterward. Elisity is built for that second job, and it complements rather than replaces a monitoring deployment. Asset context from a monitoring platform can even enrich the identity model that drives enforcement, as our Nozomi integration and Armis integration show.

For organizations evaluating the full category, the companion comparison of leading OT and ICS security vendors lays out where detection vendors and enforcement vendors each fit, and the Claroty xDome integration shows the coexistence pattern in practice.

Selection Criteria for No-Downtime OT Segmentation

Use these criteria to evaluate any approach against the no-downtime requirement. They are written to be vendor-neutral, so any platform that clears them is a credible candidate.

Table 6. No-downtime segmentation selection criteria

Criterion | Why it protects uptime
Observe-before-enforce | No policy acts on traffic it has not seen
Agentless | No software on devices that cannot host it
Passive discovery | No active scan that could crash a controller
Any data plane | Overlay on existing infrastructure, no re-cabling
Protocol-aware conduits | Permits Modbus, DNP3, EtherNet/IP correctly
One-click rollback | Enforcement is never a point of no return
IEC 62443 alignment | Zones and conduits map to the standard

For the buyer-side version of this list, the microsegmentation buyer’s guide and checklist and the network segmentation compliance best practices page extend these criteria into a procurement framework. The standards detail sits on the IEC 62443 page, and the zero trust microsegmentation page connects this work to a broader zero trust program.

Frequently Asked Questions

How do I segment IT and OT networks in a manufacturing plant without causing downtime?

Deploy identity-based microsegmentation in observe mode first so the platform maps every device and flow before any policy enforces. Enforce the Purdue Level 3-4 IT/OT boundary first, then move inward in phases. Because enforcement is agentless and runs over the existing data plane, no controller has to change and no maintenance window is required. One-click rollback keeps enforcement reversible at every step.

How does network segmentation protect industrial control systems from cyber attacks?

Segmentation contains an attacker by limiting lateral movement. The SANS 2025 ICS/OT survey found 50 percent of OT incidents began with unauthorized external access. By enforcing least-privilege zones and conduits, segmentation ensures a compromised IT host cannot reach a controller and a compromised controller cannot pivot across the floor. Identity-based enforcement makes those zones precise, down to the specific protocol flow each device legitimately needs.

Can I secure connected devices on the factory floor without deploying agents everywhere?

Yes. Agentless, identity-based microsegmentation derives device identity from observed attributes and enforces policy at the network access layer, so devices that cannot host an agent, including legacy PLCs and SCADA hosts, are still segmented and protected. No endpoint software and no 802.1X supplicant are required on any device.

Will enforcement ever block legitimate control traffic?

Not when the rollout is observe-first. Policy is built from traffic the platform has already seen, so a conduit permits exactly the controller-to-historian or HMI-to-PLC flow observed during the learning period. Protocol-aware conduits handle Modbus, DNP3, and EtherNet/IP correctly, and one-click rollback returns any policy to observe mode instantly if an unexpected flow appears.

How is this different from an OT monitoring platform?

Monitoring platforms detect and report. Enforcement platforms block. Dragos, Claroty, Nozomi Networks, and Armis are strong at OT detection and visibility, and Elisity complements them. Where a monitoring tool tells you an unauthorized flow occurred, identity-based microsegmentation stops the flow at the moment it is attempted. Many organizations run both.

Does this align with IEC 62443?

Yes. The phased rollout produces zones and conduits, the core constructs of IEC 62443, without re-architecting the network. The IEC 62443 compliance guide maps Security Level requirements to identity-based enforcement controls in detail.

About the Author

William Toll is Head of Product Marketing at Elisity, where he leads go-to-market strategy for identity-based microsegmentation solutions. With experience spanning product marketing for enterprise security platforms, William focuses on helping organizations understand how modern network security approaches can address real-world operational challenges in manufacturing and vital infrastructure environments. Read more from William Toll or connect on LinkedIn.

Segment Your Plant Without Stopping It

See identity-based, agentless OT segmentation applied to your own Purdue topology in observe mode first. No agents on a single PLC. No maintenance window.

Request a Demo

Or explore the industrial manufacturing solution, the OT segmentation solution, and the OT security hub.
