Growing hostile cyber threats and attacks have led critical organizations to focus more of their resources on protecting operational technology (OT) and industrial control system (ICS) environments, as their convergence with enterprise IT systems introduces new risk. Defenses based on a protective perimeter alone are no longer sufficient. Today, OT cybersecurity and perimeter defense strategies rely heavily on network segmentation and multiple, intelligent layers of defense. Together, these measures form an effective strategy for protecting industrial systems and infrastructure from sophisticated cyber threats.
Segmentation reduces the degree of movement permitted within the industrial network and limits the potential damage an attack can cause. By isolating critical assets and functions, organizations gain visibility, policy enforcement, control, and threat mitigation. Perimeter controls such as firewalls, intrusion detection/prevention systems (IDS/IPS), and secure gateways remain critical for managing traffic flows, inspecting protocols, and blocking unauthorized access at the borders of a network.
Advances in zero trust architecture are redefining the boundaries of the OT perimeter. Under the ‘never trust, always verify’ principle, organizations repeatedly check and validate every access request rather than assuming that any privilege should be granted. Zero trust requires real-time threat detection, identity-based access control, and microsegmentation. Applying these principles to OT systems requires careful balancing to preserve the availability and continuity of operations.
From a business point of view, perimeter and segmentation strategies support compliance, risk mitigation, and long-term resilience. Investment in more advanced cyber defenses is justified by fewer outages and improved incident containment, as well as greater stakeholder trust and operational continuity. In today’s OT contexts, perimeter security is not a restriction but an enabler of business goals.
Boosting OT security with segmentation and perimeter controls
Industrial Cyber reached out to industrial cybersecurity experts to explore how implementing perimeter security and network segmentation enhances the cybersecurity posture of OT/ICS environments. They also assessed challenges faced by asset owners during implementation, particularly in addressing common vulnerabilities inherent in ICS assets.
“Working with clients, we’ve seen that implementing robust perimeter security and network segmentation significantly enhances their OT/ICS cybersecurity posture by clearly defining and controlling network boundaries,” Jonathon Gordon, directing analyst at Takepoint Research, told Industrial Cyber. “This approach effectively restricts adversaries’ lateral movement, enabling businesses to isolate breaches quickly, thus reducing potential damage to critical operations. Clients find particular value in aligning their security zones with industry standards like IEC 62443, as it helps them strategically protect their most valuable assets—the ‘crown jewels’—whose compromise could lead to significant operational, safety, or financial impacts.”
Gordon highlighted common challenges clients face, including integrating modern security solutions with legacy ICS systems, which often harbor vulnerabilities such as hardcoded passwords, outdated firmware, and unsupported software. “Additionally, performing comprehensive risk assessments and impact analyses is crucial but challenging, as it demands significant stakeholder collaboration across operational teams, cybersecurity specialists, and executive management. Engaging these stakeholders early ensures that segmentation plans are practically viable and directly aligned with business continuity objectives.”

Andrew McPhee, OT security solutions manager at Cisco, said that implementing perimeter security is crucial for safeguarding industrial operations, as it restricts attackers or malware from gaining initial access to the network. “Segmentation further enhances security by adding an additional layer of defense if an initial breach occurs. By isolating segments of the industrial networks, segmentation makes it exceedingly difficult for an attacker to move laterally and discover what else can be exploited. Segmentation nullifies an attacker’s ability to learn and pivot through the network.”
“When implementing network segmentation, one of the main challenges is to define what policies can be applied without disrupting operations,” McPhee told Industrial Cyber. “Oftentimes, control engineers and network managers believe they know what relationships exist between industrial assets. But an asset discovery project will generally uncover interdependencies that make policy creation difficult.”

Perimeter security measures like firewalls, IDSs, unidirectional gateways and data diodes can help reduce the attack surface by blocking unauthorized access and preventing threats from reaching critical OT assets, Mark Toussaint, senior product manager at OPSWAT, told Industrial Cyber, adding that network segmentation adds an additional layer of security as it limits lateral movement, meaning that if an attacker does gain access to a part of the network, they cannot easily move across to other critical systems.
“Segmentation can be of three main types – IT/OT separation, which prevents unwanted access to industrial systems; functional segmentation, which divides the OT network into zones based on their function and the relation/communication between assets within these zones; and geographic segmentation, which is simply the physical separation of networks based on geographic networks,” Toussaint said. “Segmentation also helps isolate critical assets, limiting the impact of a breach. Additionally, many ICS assets are legacy devices that lack built-in security capabilities and may not have been patched in ages. Segmenting them from IT networks and external access prevents exploitation.”
He added that organizations also have visibility and monitoring requirements to monitor traffic, detect anomalies, and apply specific security policies for different zones, which again would not be possible without segmentation. All of this collates into compliance requirements for NERC CIP and IEC 62443, which are focused on following segmentation as a best practice for ICS security.
Toussaint noted a key challenge for asset owners when implementing these security measures is that many ICS/OT devices are legacy systems, which were not designed with security in mind and cannot easily support modern-day security controls. “Implementing segmentation also poses significant downtime risks and requires careful planning to avoid disrupting operations, as ICS environments prioritize availability over security. Asset owners also face configuration complexities, such as defining the right security zones, access control policies, and monitoring policies, which can be complex.”

Tom Sego, co-founder and CEO of BlastWave, told Industrial Cyber that strong perimeter security protects OT networks containing unpatchable, vulnerable devices. “If the network perimeter cloaks these devices, hackers cannot discover them and exploit them. Segmentation ensures that the risk is contained within enclaves if the perimeter is compromised. We have heard horror stories from OT network administrators that it took them years to complete a segmentation project with hardware-based firewalls, and the firewalls still didn’t stop breaches.”
He added that a software-defined segmentation solution enables network segmentation based on the risks posed by the unpatchable devices and drastically limits exposure and attack surface.
Strengthening OT perimeters without sacrificing access
The executives outline key best practices for securing the perimeter of OT/ICS networks while also discussing how to balance the need for remote access with the imperative to mitigate associated risks.
Gordon said that key best practices for securing the OT/ICS perimeter include implementing comprehensive physical and virtual perimeter controls aligned with industry best practices such as IEC 62443; conducting rigorous risk assessments to identify critical assets and clearly define the ‘value at risk’ within operational environments; deploying robust firewalls with strict traffic and up-to-date management policies; and using zero trust network access (ZTNA) principles to rigorously verify and authenticate all access, continuously assessing trustworthiness.
“Balancing secure remote access involves clearly defining who requires access and why, adopting stringent authentication methods (such as multi-factor authentication), and strictly limiting remote connectivity to essential services,” Gordon added. “Ensuring ongoing awareness and training for personnel about remote access risks is equally important. Clear processes for regular security reviews and continuous monitoring help mitigate remote access risks effectively.”
McPhee said that perimeter networks should be implemented with a deny-by-default design, only allowing communications that are known and documented from the OT network. “Resources in the OT should only be able to connect to services outside of the OT if they are trusted and limited to the functionality that the connection is intended for. Whether that means restricting network ports or using application-level policies, firewall rules should not be written to allow flows to deviate from expected behavior.”
“The same applies to remote users. Users should only be given access to the resources they need, during the time window that they need it,” McPhee added. “Remote access is a necessity, but it is critical that those users undergo the necessary verification steps to ensure they are legitimate users, and their access should be time restricted and approved to protect the system from unwanted access attempts.”
Toussaint said that best practices include deploying network monitoring and threat detection systems that detect anomalies in real time and respond to them. Implementing OT-aware firewalls is essential since traditional firewalls may not understand OT protocols, whereas OT firewalls can enforce security policies based on industrial protocol behaviors. Applying network segmentation using zones and conduits, such as VLANs, helps limit communication between different parts of the OT network, thus containing threats.
He also noted that strict user access control for internal employees and third-party vendors/contractors is crucial. This includes using role-based access control (RBAC) and multi-factor authentication (MFA). OT assets often have unpatched vulnerabilities due to operational constraints (or they have just been in that one corner, untouched for years). Patching them virtually can mitigate risks.
“OT stakeholders wanting secure remote access will always want solutions that enable operational efficiency while minimizing cyber threats,” according to Toussaint. “As they can never assume implicit trust, it’s vital to authenticate and validate every remote access connection/request using strong identity management solutions/controls (ZTNA).”
Sego said that zero trust ties closely with remote access because passwordless identity verification is key to ensuring that the perimeter is much harder to breach than a firewall-based system with many firewall pinholes that let traffic through. “It is harder to break into a network when access is tied to an identity and not simple credentials, making hackers spend more time trying to get into your network. If asset owners can make hacking their network unprofitable, they will see a dramatic drop in the attempts on their network.”
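As an added illustration of the deny-by-default and zones-and-conduits guidance above (not code from the article or from any of the vendors quoted), the following Python script evaluates constructed flow records against a documented conduit allowlist: traffic inside a zone is trusted, traffic crossing a zone boundary is allowed only when a documented conduit exists, and the remote-access conduit is additionally tied to an identity and an approved time window. The zone ranges, conduit entries, the identity `vendor-jdoe`, the timestamps and the flow records are all hypothetical values constructed for the example.

```python
"""Deny-by-default zones/conduits policy check over constructed OT flow records.

Added example: the zone layout, conduits, identity and flow records below are
hypothetical values constructed for illustration; nothing here comes from a real
plant or from the vendors quoted in the article.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

UTC = timezone.utc

# Hypothetical zones: each zone is one address range (constructed values).
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.1.0.0/24"),
    "cell_a": ip_network("192.168.10.0/24"),
    "cell_b": ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    """One documented, permitted flow between two zones. Anything not listed is denied."""
    src: str
    dst: str
    proto: str
    port: int
    identity: Optional[str] = None                      # authenticated user the conduit is tied to
    window: Optional[tuple[datetime, datetime]] = None  # approved access window (inclusive)


# The documented allowlist. Vendor remote access is tied to an identity and a time window.
CONDUITS = [
    Conduit("cell_a", "dmz", "tcp", 4840),        # historian collection from the cell (OPC UA port)
    Conduit("dmz", "enterprise", "tcp", 443),     # DMZ publishes reports northbound
    Conduit("enterprise", "cell_b", "tcp", 3389,  # approved vendor RDP session, 08:00-12:00 UTC
            identity="vendor-jdoe",
            window=(datetime(2025, 1, 15, 8, tzinfo=UTC), datetime(2025, 1, 15, 12, tzinfo=UTC))),
]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    proto: str
    port: int
    identity: Optional[str] = None  # identity asserted by the access gateway, if any


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it lies outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). The default is deny; only a matching conduit allows."""
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src is None or dst is None:
        return "deny", "endpoint outside every defined zone"
    if src == dst:
        # Devices inside one zone are trusted; policy is enforced at zone boundaries.
        return "allow", f"intra-zone traffic within {src}"
    for c in CONDUITS:
        if (c.src, c.dst, c.proto, c.port) != (src, dst, flow.proto, flow.port):
            continue
        if c.identity is not None and flow.identity != c.identity:
            return "deny", f"conduit {src}->{dst} {c.proto}/{c.port} requires identity {c.identity}"
        if c.window is not None and not (c.window[0] <= flow.ts <= c.window[1]):
            return "deny", f"conduit {src}->{dst} {c.proto}/{c.port} used outside approved window"
        return "allow", f"documented conduit {src}->{dst} {c.proto}/{c.port}"
    return "deny", f"no documented conduit {src}->{dst} {flow.proto}/{flow.port}"


def audit(flows: list[Flow]) -> list[tuple[Flow, str, str]]:
    """Evaluate every flow and return (flow, decision, reason) triples for review."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed flow records standing in for exported firewall or NetFlow logs.
SAMPLE_FLOWS = [
    Flow(datetime(2025, 1, 15, 9, 0, tzinfo=UTC), "192.168.10.5", "10.1.0.20", "tcp", 4840),
    Flow(datetime(2025, 1, 15, 9, 5, tzinfo=UTC), "192.168.10.5", "192.168.10.6", "tcp", 502),
    Flow(datetime(2025, 1, 15, 9, 10, tzinfo=UTC), "192.168.10.5", "192.168.20.10", "tcp", 502),
    Flow(datetime(2025, 1, 15, 9, 30, tzinfo=UTC), "10.0.5.7", "192.168.20.10", "tcp", 3389, "vendor-jdoe"),
    Flow(datetime(2025, 1, 15, 14, 0, tzinfo=UTC), "10.0.5.7", "192.168.20.10", "tcp", 3389, "vendor-jdoe"),
    Flow(datetime(2025, 1, 15, 9, 45, tzinfo=UTC), "10.0.5.7", "192.168.20.10", "tcp", 3389),
    Flow(datetime(2025, 1, 15, 10, 0, tzinfo=UTC), "203.0.113.9", "192.168.10.5", "tcp", 4840),
]

if __name__ == "__main__":
    for flow, decision, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.ts:%H:%M} {flow.src_ip:>14} -> {flow.dst_ip:<14} "
              f"{flow.proto}/{flow.port:<5} {decision:5} {reason}")
```

Run against real exports, the same check doubles as a detection: every `deny` is either an undocumented interdependency that the asset-discovery step missed and the conduit list must be corrected to cover, or traffic that should never have been on the wire. The cell-to-cell Modbus flow and the vendor session outside its window are the two cases worth alerting on.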
Deploying firewalls, IDS/IPS, gateways for securing OT perimeters
Drawing from their experience, the experts explain how firewalls, IDS/IPS, and secure gateways play a crucial role in safeguarding OT/ICS perimeters. They also assess the effectiveness of these tools in tackling the distinct challenges encountered in critical industrial settings.
Gordon identified that firewalls, IDS/IPS, and secure gateways form integral components of a layered OT security strategy addressing various cyber threats. Firewalls enforce robust perimeter segmentation, limiting the exposure of critical ICS systems to threats from external and less secure internal networks. IDS/IPS systems provide proactive threat detection, alerting teams to potential breaches or suspicious activity, significantly enhancing the ability to respond swiftly to incidents. Secure gateways, such as data diodes and unidirectional gateways, deliver an exceptionally high level of security for critical networks by enforcing strict one-way data flow, eliminating the risk of external intrusion.
“As always, these technical controls are most effective when accompanied by strong governance processes, clearly defined roles and responsibilities, and regular training for operational teams to interpret alerts correctly and respond promptly,” Gordon explained. “Without adequate processes and well-trained personnel, even advanced security tools may not fully mitigate the specific risks associated with industrial environments.”
McPhee recognizes that firewalls and secure gateways are essential for protecting OT perimeters. “However, a common mistake we see is placing firewalls everywhere. OT traffic often traverses multiple control zones before reaching its destination. Consider a scenario where a workstation in a production cell communicates with a data center application. Do we make a control decision in the plant switches, at the plant firewall, or using our data center segmentation? The answer is a little bit of all of them.”
However, McPhee added that subjecting this traffic to IDS/IPS or SSL decryption at every point can introduce latency and degrade network performance. “While firewalls and gateways are vital, the key to effectively safeguarding critical infrastructure lies in constructing and orchestrating a secure architecture across interconnected control points.”
Toussaint identified that firewalls, IDS/IPSs, security gateways, and data diodes play a crucial role in protecting OT/ICS perimeters by detecting and controlling threats or anomalous activities, controlling access, and securing data flows.
“IDS/IPS solutions monitor network traffic, detect anomalies, and block accidental misconfigurations, malicious misuse, zero-days, etc. However, they must be carefully configured to avoid disrupting real-time operations,” Toussaint said. “Secure gateways like unidirectional security gateways and data diodes ensure safe, one-way transfer between OT and IT environments, preventing cyber threats from IT from infiltrating critical systems, while allowing operational data to flow out of OT environments securely.”
He, however, noted that no single solution is enough. A layered and comprehensive defense strategy combining firewalls, intrusion detection systems, and secure gateways is needed for strengthened OT cybersecurity.
“Firewalls have been present in almost 100% of the compromises that have occurred in the past and have often been the source of the compromise, so we don’t think that they are the right solution,” Sego said. “VPNs can improve, but too many rely on passwords and expect the firewalls to segment the network without tying access to resources to identities. Zero Trust Gateways combine the best of both worlds, enforcing a strong perimeter and creating a software-defined segmentation for the OT network.”
Blending zero trust with OT perimeter defense
The executives examine how zero trust principles enhance traditional perimeter security and segmentation strategies. They also explore the necessary adjustments required to integrate zero trust into existing security frameworks.
“Through ongoing collaboration, we’ve observed that zero trust principles are increasingly complementing traditional perimeter security by continuously verifying user identities, device integrity, and contextual access parameters—eliminating implicit trust and substantially reducing the risk posed by internal threats and lateral movement,” Gordon said. “Integrating zero trust effectively into existing security frameworks requires our clients first to clearly identify and prioritize their critical operational assets.”
He added that adjustments typically involve enhancing existing identity and access management (IAM) systems, adopting adaptive policy controls, and implementing real-time monitoring and analytics. “Importantly, successful zero trust implementation necessitates a cultural shift, fostering closer collaboration between IT, operational technology teams, and executive leadership, to ensure ongoing validation rather than relying solely on static controls.”
Zero trust principles provide excellent design guidance, yet they require slight adaptation for critical infrastructure, McPhee said, while adding that NIST SP 800-207 suggests organizing groups of resources within distinct network segments, safeguarded by intelligent devices such as switches, routers, or firewalls. “This group-based approach aligns well with the IEC-62443 zones and conduits methodology, where devices within a zone are explicitly trusted, while zero trust principles are applied across zone boundaries to ensure comprehensive security.”
He added that this approach allows organizations to keep the traditional macro boundaries at the IT/OT perimeter, or between the OT data center and the shop floor, while simultaneously creating logical trust zones within the OT.
Toussaint identified that zero trust provides a framework to assess an OT organization’s cybersecurity posture by assuming that no user, device, network, or actor—inside or outside the network—is trusted by default.
He added that components of a zero trust framework include ‘trust no file’ by ensuring that any file transferred into an OT network, whether hand-carried on portable media or transferred across the IT/OT network boundary, is scanned for malicious content and sanitized prior to transfer. ‘Trust no device’ assumes that every device connected to the OT network is a source for compromise. Take measures to discover, inventory, and profile all devices connected to the OT network. Implement a comprehensive patch management program and patch frequently.
Furthermore, ‘Trust no network’ assumes that any external connection into the OT network opens a threat vector. Deploy security gateways and data diodes to secure OT network boundaries and critical assets. Restrict remote access and deploy remote access technology designed specifically for OT networks. Lastly, ‘Trust no actor’ by restricting remote access by IT or external vendors. Assume that external actors (vendors, IT staff, etc.) may bypass security policies for expediency. Implement strict security policies and physical processes like multi-scanning, Content Disarm and Reconstruct (CDR) for all actors requiring access to OT networks and assets. Restrict access (RBAC) to only those network segments, files, and devices that an actor requires legitimate access to.
“Zero trust perimeter security starts with the concept that only valid users can elicit a response from the Zero Trust gateway, and only fully authenticated users can see the network behind the gateway,” Sego pointed out. “Even then, those users are only granted the least privilege access to the minimum resources needed and are not allowed to move within the network laterally. These concepts do not complement a strategy; they are the strategy itself.”
He added that the challenge OT networks face is that they are trying to apply IT strategies to OT rather than defining what OT needs and deploying that. “Most existing security frameworks incorporate zero trust, or the principles of zero trust reflect the highest possible level of security.”
Building the business case for OT perimeter security
The executives examine the financial impact of implementing strong perimeter security and network segmentation within their OT/ICS environment. They also explore how practitioners can justify these investments to their board or leadership by highlighting benefits such as compliance, risk reduction, and long-term operational resilience.
Gordon stated that implementing robust perimeter security and network segmentation involves upfront capital expenditure on hardware, software, and configuration, along with ongoing operational costs for maintenance, monitoring, and incident response capabilities. “However, these costs should be viewed in light of the significantly higher potential financial impacts of successful cyber incidents, including operational downtime, safety incidents, regulatory penalties, and reputational harm.”
He also said that practitioners can effectively justify these investments by presenting a thorough ‘value at risk’ analysis to the board or leadership, clearly articulating how enhanced perimeter and compensating controls mitigate critical business risks. “Highlighting the compliance advantages, such as meeting standards like IEC 62443 and regulatory requirements, reinforces justification. Finally, emphasizing the contribution of these measures to long-term operational resilience and business continuity provides a compelling business case, directly aligning cybersecurity investments with strategic business objectives.”
“Risk reduction is a key argument for investing in robust perimeter security and segmentation. Cyber incidents to industrial networks can cost millions, both for recovery expenses and revenue loss caused by production downtime,” McPhee said. “Enhanced security measures decrease the likelihood of cyberattacks, avoiding costly disruptions. Because the potential savings from preventing incidents may not always motivate investments, regulators around the globe are imposing substantial financial penalties to enforce cybersecurity measures.”
He added that implementing robust security in industrial networks can also be achieved as part of a global production modernization project. “Instead of deploying appliances that provide security as the only function, invest in solutions that provide security alongside the functions that the initial investment was for. For example, managed switches offer far more security than unmanaged switches. Remote access solutions must provide robust security features, not just connectivity. Gateways deployed to connect IT and OT domains must offer advanced security capabilities, and not only meet connectivity and routing needs.”
“Historically, industrial organizations have relied on point product solutions to meet individual cybersecurity needs, leading to a perception that security implementation is complex and costly,” McPhee noted. “While security requires investment, adopting a secure-by-design approach can enhance security posture and reduce expenses. By leveraging the security capabilities of existing investments, organizations can streamline processes and maximize resource efficiency, making security more accessible and effective.”
“The consequences of an OT network attack—financial loss, safety hazards, and negative publicity—far outweigh the costs of implementing robust perimeter security and network segmentation,” Toussaint said. “Justifying investments to leadership should focus on compliance, safety, risk reduction, long-term operational resilience, and the financial consequences of an attack. Justifications should rely on evidence-based security audits that expose vulnerabilities, with a focus on prioritizing the most critical vulnerabilities.”
Sego said that if the statistics on successfully reported attacks are examined, the two most significant initial attack vectors are phishing and the exploitation of publicly accessible systems. “If those two vectors are blocked, over 90% of successful attacks will be stopped before they start. So if we measure risk reduction, would a 90% reduction in risk be worth it to, say, a manufacturing business where downtime costs $260,000 an hour? What if the solution to protect that factory was less than one hour of downtime? That is a significant return on investment, risk reduction, and improved operational resilience,” he concluded.