Rethinking Microsegmentation in Operational Technology: A Leader's Guide to Securing Flat Networks
Introduction
As operational technology (OT) environments become increasingly interconnected, the traditional flat network architectures that have long served industry are now a liability. With cyber threats targeting critical infrastructure and regulatory frameworks tightening, microsegmentation has emerged as a key strategy to reduce risk. But applying microsegmentation in OT isn’t as straightforward as in enterprise IT. While IT environments rely on layered, routed networks and endpoint agents, OT networks are often flat, agentless, and contain legacy systems that cannot be easily adapted.
This post explores what microsegmentation looks like in OT environments, the practical challenges it presents, and how organisations can rethink their network security strategy in a way that reflects the realities of industrial operations. Whether you’re a Head of OT, CIO, or responsible for security across mixed IT/OT environments, understanding these differences is crucial to making informed decisions.
Understanding the Challenge
OT environments are unique. They are often built on flat Layer 2 networks, optimised for real-time control and uptime rather than modern security. Devices such as PLCs, sensors, HMIs, and SCADA systems may lack authentication mechanisms, support for encryption, or the ability to install agents. Segmentation in these networks has historically been coarse at best, with firewalls or VLANs separating major zones but little control within those zones.
In contrast, IT microsegmentation typically involves deploying agents on endpoints or virtual machines and using software-defined policies based on user identity, application type, or risk level. This model does not translate well into OT, where devices are often fixed-function, unpatchable, and highly sensitive to latency or configuration changes.
How Microsegmentation Works in OT
To apply microsegmentation in OT, leaders must rethink the concept not as endpoint control, but as a network-centric strategy. Instead of installing agents, segmentation is achieved through a combination of:
- Passive traffic analysis to map normal communication flows between devices
- Policy enforcement via inline gateways, switches, or firewalls that support industrial protocols
- Use of software-defined networking or VLANs for logical separation
- Protocol-specific controls to restrict commands or operations based on role
The aim is to reduce the attack surface by ensuring that each device only communicates with what it needs to, using only the protocols and commands that are appropriate for its function. For example, a temperature sensor might be allowed to send data to a historian, but not receive remote configuration commands.
Navigating Common Constraints
Implementing segmentation in OT isn’t just a technical challenge—it’s an operational one. Leaders must consider several key constraints:
- Legacy infrastructure: Many OT devices do not support modern security controls. Segmentation must work without touching the endpoints.
- Availability and latency: Any added complexity or inspection must not interfere with system performance or uptime.
- Protocol diversity: OT environments use a wide range of industrial protocols, many of which lack security features and require deep inspection capabilities.
- Limited visibility: Without passive monitoring, many organisations don’t have a complete view of what devices exist or how they communicate.
A successful strategy begins with visibility—building a baseline of communication patterns—and then moves toward defining and enforcing policies that match those patterns. Enforcement can occur through existing infrastructure, such as industrial switches or firewalls, without introducing new risks.
A Strategic Approach to OT Segmentation
Security leaders should approach OT microsegmentation as a phased transformation:
- Discovery and baselining: Deploy passive monitoring to inventory devices, identify communication patterns, and detect protocol usage.
- Policy definition: Collaborate with OT and security teams to define what communications should be allowed. This often involves white-listing known-good paths rather than blocking unknowns.
- Segmentation enforcement: Use existing network infrastructure or dedicated enforcement points to implement policy. This may include configuring VLANs, setting up access control lists, or applying protocol-level filtering.
- Continuous monitoring and adaptation: Once enforced, segmentation policies must be continuously monitored to detect anomalies and adjusted as operations evolve.
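As an added example (not code from the original post), here are the four phases above in miniature, which also covers the network-centric model described earlier: a passively captured baseline is turned into a per-device, per-protocol allow-list, new flows are checked against it, and the temperature-sensor case (data to the historian allowed, remote configuration denied) becomes an enforceable rule. Device names, protocols and operation names are constructed; flows are recorded from the initiator's side, so for Modbus the historian polls the sensor rather than the sensor pushing to it.

```python
from collections import defaultdict

# Constructed passive-monitoring baseline: (initiator, responder, protocol, operation).
# The operation is the protocol-level action (e.g. a Modbus function), so rules can be per command.
BASELINE = [
    ("historian", "temp-sensor-01", "modbus", "read_input_registers"),
    ("historian", "temp-sensor-01", "modbus", "read_input_registers"),
    ("hmi-01", "plc-01", "modbus", "read_holding_registers"),
    ("hmi-01", "plc-01", "modbus", "write_single_register"),
    ("eng-ws-01", "plc-01", "s7comm", "download_block"),
]

def build_policy(flows):
    """Discovery and policy definition: turn the observed baseline into an
    allow-list {(initiator, responder, protocol): set(operations)}."""
    policy = defaultdict(set)
    for src, dst, proto, op in flows:
        policy[(src, dst, proto)].add(op)
    return dict(policy)

def evaluate(policy, flow):
    """Enforcement: classify one flow as 'allow', 'deny-path' (these peers
    never spoke this protocol in the baseline) or 'deny-operation' (the path
    is known, but the command is outside the device's role)."""
    src, dst, proto, op = flow
    allowed_ops = policy.get((src, dst, proto))
    if allowed_ops is None:
        return "deny-path"
    if op not in allowed_ops:
        return "deny-operation"
    return "allow"

def audit(policy, flows):
    """Continuous monitoring: return every (flow, verdict) that is not allowed,
    i.e. the anomalies to review before the policy is adjusted."""
    results = [(f, evaluate(policy, f)) for f in flows]
    return [(f, v) for f, v in results if v != "allow"]

if __name__ == "__main__":
    policy = build_policy(BASELINE)
    # Constructed post-enforcement traffic: the sensor may be polled for data,
    # but not sent configuration writes, and not contacted by an unknown peer.
    new_flows = [
        ("historian", "temp-sensor-01", "modbus", "read_input_registers"),
        ("historian", "temp-sensor-01", "modbus", "write_single_register"),
        ("eng-ws-01", "temp-sensor-01", "modbus", "write_single_register"),
    ]
    for flow, verdict in audit(policy, new_flows):
        print(verdict, flow)
```

In practice the verdicts would first be run in monitor-only mode against live traffic so that a baseline captured during a quiet period does not block legitimate but infrequent flows such as maintenance sessions.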
This strategy not only improves security but also prepares the organisation for compliance with frameworks such as IEC 62443 and the NIS2 Directive, which demand greater visibility and control over critical systems.
Conclusion: A Call to Rethink Security Foundations
Microsegmentation is no longer a luxury in OT—it’s a necessity. But applying it effectively requires a mindset shift. Leaders must recognise that traditional IT approaches won’t work in industrial environments and that success hinges on collaboration between security, network, and operational teams.
Instead of relying on endpoint-centric models, the future of OT security is rooted in network intelligence, protocol awareness, and control at the infrastructure level. By starting with visibility, enforcing only what’s necessary, and building segmentation into the operational fabric, organisations can significantly reduce their risk without compromising uptime or operational integrity.
As digitalisation continues to blur the boundaries between IT and OT, rethinking foundational strategies like segmentation will be key to securing the future of industrial operations.