As operational technology (OT) faces escalating cyberthreats, traditional IT-focused security measures are increasingly inadequate to protect industrial control systems (ICS). Not only has the convergence of IT and OT networks made critical infrastructure a more attractive target for attackers, but the degree of sophistication behind these attacks has also grown, forcing CISOs and security teams to uplevel their defense strategies in response.
While demands for more rigorous security measures for protecting OT environments ramp up, zero trust segmentation has emerged as a key strategy. Zero trust segmentation is a cybersecurity practice that consists of segmenting parts of a network into isolated zones to stop an attacker from moving laterally after a successful breach. It also requires users and devices to authenticate and verify their security posture before accessing resources on the network.
Historically, most OT networks and devices have been designed with physical safety, availability and reliability in mind. Connectivity has introduced a new set of vulnerabilities and exposures, which collides with OT environments’ minimal tolerance for the downtime that patching or the implementation of compensating controls requires. As the lines continue to blur between IT and OT security, however, the thinking behind protecting these critical assets has evolved with them.
Recent Team82 research tells a sobering story. In an analysis of almost one million assets, 40% of industrial organizations have assets insecurely connected to the internet either directly or via poorly configured off-the-shelf remote access solutions, exposing flat architectures to remote attacks. What’s more, 12% of organizations were found to have OT assets communicating with malicious domains.
Numbers like these also correlate with the rising number of cyberattacks on critical infrastructure worldwide. A few notable examples include:
The largest US regulated water utility was hit by a cyberattack on Oct. 3, 2024, causing the company to shut down services. The attack wasn’t reported to have affected the quality or safety of drinking water to its 14 million customers, but was caused by unauthorized entry into its networks and systems.
Oil and gas firm Pakistan Petroleum Limited (PPL) reported a ransomware incident in August 2025, but the firm stated it was quickly contained. While business-critical systems were targeted, no compromise of sensitive information was detected.
Australian trucking operator Barnett’s Couriers was forced to close all operations after a devastating cyberattack in 2024. The attack crippled the company and it never recovered, leaving its workforce without jobs after an abrupt closure from the effects of the attack.
The attack on a rural Norwegian dam highlights the dangers of weak passwords and few safeguards to monitor unauthorized network access. In this incident, an attacker was able to bypass authentication protocols and access the dam’s water control panels for an extended period.
These attacks underscore a grim reality for critical infrastructure: Threat actors are getting increasingly sophisticated with their attacks, and the real-world consequences are getting more severe. In this threat landscape that looms over the industrial sector, zero trust segmentation isn’t just an enhancement—it’s an operational necessity.
Beyond protection from external threats, the security benefits of zero trust segmentation are a net win on multiple levels for securing OT. Here are some of the outcomes that implementing zero trust segmentation can deliver.
When networks are segmented into isolated zones, anomalous network behavior can be contained and access denied when attackers attempt to move laterally. Enforcement of strict access controls via zero trust reduces not only the ability to move laterally but also the available attack surface.
When properly implemented, zero trust segmentation helps to strengthen system reliability by preventing unintended interactions between siloed network zones. This contains the potential impact of breaches and system failures, and helps day-to-day operations function more efficiently.
Enterprise networks are often rife with third-party connections from vendors and contractors who need access to OT environments for routine maintenance and updates. Zero trust segmentation provides granular access controls that ensure only authorized users can access the network, and it creates secure pathways that limit third-party connections to only the systems they require access to.
Many modern-day regulatory frameworks like NERC-CIP and IEC 62443 emphasize network segmentation as a core tenet. Implementing zero trust segmentation not only satisfies that requirement but also demonstrates compliance with these frameworks by providing extensive documentation and controls.
Moving beyond a traditional IT-focused model for zero trust segmentation requires a methodology that puts the OT environment first. Here are some steps to follow when implementing zero trust segmentation to secure OT.
If you can’t see it, you can’t protect it. Getting a complete inventory of all assets, including legacy and unmanaged devices, is a critical first step. From there, it’s just as important to discover all communication pathways associated with all devices and which processes they’re connected to.
A core principle of zero trust segmentation is granular access controls, which grant and monitor user access to an enterprise network. Microsegmentation is a practice that’s in lockstep with this. It creates granular security zones around specific assets (often prioritized by potential business impact if compromised) that limit an attacker’s ability to move laterally through the network once they’ve breached it.
Zero trust also relies on a principle known as least privilege access, which ensures all users, devices, and applications are only granted the permissions they need for performing their jobs. Ensuring this policy is active within your OT environment is critical for preventing unauthorized access. To further enforce this, adding multi-factor authentication (MFA) and a reliable secure remote access solution is key.
IT-specific solutions for continuous network monitoring aren’t designed for the specific protocols in an OT environment. Therefore, use a passive monitoring tool that can analyze OT-specific traffic patterns for any anomalous behavior or signs of compromise.
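As an added illustration of the four steps above (this is example code, not the page’s own material or Claroty’s platform): a small Python policy check that maps a constructed asset inventory to zones, allowlists the conduits permitted between zones, and audits constructed flow records for anything that crosses a zone boundary outside an approved conduit or involves an uninventoried endpoint. All addresses, asset names, zone names and ports are assumed for this example.

```python
# Constructed asset inventory (step 1): every device is assigned to a zone.
# Names, addresses and zones are invented for this example.
INVENTORY = {
    "10.10.1.5": ("HMI-01", "supervisory"),
    "10.10.2.10": ("PLC-A", "control"),
    "10.10.2.11": ("PLC-B", "control"),
    "10.10.3.20": ("HISTORIAN", "dmz"),
    "10.10.9.7": ("VENDOR-LAPTOP", "remote_access"),
}

# Microsegmentation policy (steps 2 and 3): the only conduits permitted
# between zones, as (src_zone, dst_zone, dst_port). Everything else is denied.
ALLOWED_CONDUITS = {
    ("supervisory", "control", 502),     # HMI polls PLCs over Modbus/TCP
    ("control", "dmz", 4840),            # PLCs publish to the historian over OPC UA
    ("remote_access", "control", 502),   # vendor maintenance path, MFA-gated
}

def zone_of(ip):
    """Addresses missing from the inventory fall into 'unknown', which no conduit allows."""
    return INVENTORY.get(ip, ("UNINVENTORIED", "unknown"))[1]

def classify(src, dst, dst_port):
    """Return the reason a flow violates policy, or None if it is permitted."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if "unknown" in (src_zone, dst_zone):
        return "uninventoried endpoint"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is left to host-level controls here
    if (src_zone, dst_zone, dst_port) not in ALLOWED_CONDUITS:
        return f"no conduit {src_zone}->{dst_zone}:{dst_port}"
    return None

def audit(flows):
    """Passive-monitoring pass (step 4): every (flow, reason) pair that breaks policy."""
    return [(f, r) for f in flows if (r := classify(*f))]

# Constructed flow records, as a passive sensor on a SPAN port might report them.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 502),    # HMI -> PLC Modbus: permitted
    ("10.10.2.10", "10.10.3.20", 4840),  # PLC -> historian OPC UA: permitted
    ("10.10.9.7", "10.10.1.5", 3389),    # vendor laptop -> HMI RDP: lateral move, denied
    ("10.10.2.11", "10.10.1.5", 502),    # PLC initiating toward HMI: wrong direction, denied
    ("10.10.2.10", "203.0.113.9", 443),  # PLC -> uninventoried external host: denied
]

for flow, reason in audit(SAMPLE_FLOWS):
    print(f"ALERT {flow[0]} -> {flow[1]}:{flow[2]}: {reason}")
```

Flows that fall outside the allowlist are the ones a monitoring tool should alert on; an endpoint that is not in the inventory is flagged regardless of port, because it was never placed in a zone.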
As OT becomes a high-value target for threat actors, zero trust segmentation provides a powerful approach to asset isolation in the event of a breach. The principle of “never trust, always verify” is nothing short of essential when it comes to protecting critical infrastructure, and it’s the core tenet of the zero trust architectures that enable segmentation. By implementing policies with zero trust segmentation top of mind, organizations are better able to reduce risk while also maintaining the operational benefits that extend beyond cybersecurity.
With industry-leading asset discovery capabilities, robust secure remote access features, and more, the Claroty Platform is purpose-built to protect industrial environments. It also reduces organizational exposures to attacks, achieves faster time-to-value, and lowers the total cost of ownership.
Request a demo and see how Claroty can protect your organization.