ProBackend
operational technology security

OT Segmentation Fails When Operators Stop Looking

Network segmentation is the bedrock of OT security, but it only holds when operators actively hunt for threats. This article breaks down why strategies collapse under convenience, legacy debt, and blind spots — and what it actually takes to keep them working.

Logan Bastion

Here's the uncomfortable truth about OT segmentation: it works until it doesn't, and most operators don't see the failure coming because they're looking at the wrong thing.

Network segmentation is still the single most recommended control for securing operational technology environments. CISA called it "one of the most foundational and effective security controls in OT" back in April when they dropped their joint advisory on adapting zero-trust principles to industrial systems. But foundational doesn't mean foolproof. And effective doesn't mean automatic.

The real bottleneck isn't the firewall rules. It's operator awareness — or the lack of it. As HD Moore, founder and CEO of runZero, put it bluntly to Dark Reading: segmentation only works when operators know what threats and risks to look for. In most environments, they don't. And that gap between what you think is segmented and what's actually segmented is where breaches live.

I've sat in too many plant-floor security reviews where someone proudly points to a network diagram and says, "We're fully segmented." The diagram was drawn two years ago. The network has changed every week since. James Winebrenner, CEO of Elisity, nailed this: a segmentation diagram is a snapshot. Attackers don't operate against snapshots. They operate against the network you actually have today.

So let's talk about why segmentation keeps failing in OT, what operators consistently miss, and how to build a practice that actually holds up when something goes sideways.

The Two Flavors of OT Segmentation — And Why Both Break

Before we get into the failure modes, it helps to understand that OT segmentation really comes in two flavors: traditional and micro.

Traditional segmentation puts physical devices behind firewalls. You draw zones. You enforce ACLs. You tell yourself you're safe because traffic between zones has to pass through a controlled chokepoint. The problem? Moore warns that devices behind the firewall can still communicate outside the security perimeter in ways you never planned for. A technician walks onto the factory floor with a Wi-Fi-enabled laptop and plugs it directly into an unmanaged switch. Suddenly your perimeter is porous, and you didn't even know the laptop existed.

Microsegmentation sounds better on paper — install an agent on every machine, give each device its own miniature firewall that only talks to approved systems. But here's where OT gets awkward: you can't just install agents on factory machines and critical control equipment. Downtime isn't an option. You can't risk a patch cycle that takes a turbine offline for six hours.

"Factory machines and OT equipment are effectively not able to be microsegmented, so you're back to using one big firewall to separate, hoping no one goes around it," Moore said.

That's the trap. Microsegmentation is the gold standard in IT, but OT runs on different physics — legacy hardware, real-time constraints, and vendor lock-in that makes agent deployment a non-starter. So most OT environments end up with traditional segmentation, which is fine until someone finds a way around the firewall. And they always do.


Convenience Is Actively Destroying Your Segmentation

This is the part that makes me angry every time I hear it, because it's entirely preventable.

Operators want things to work. They want the HMI to load fast, the remote diagnostic tool to connect without a five-step approval chain, the vendor update to push without calling three different teams. And vendors know this. Firewall vendors sell you a box and promise protection — but they also make the restrictions annoying enough that users find "squirrely ways" to bypass them, as Moore described it.

The result? People go around the firewall. They open temporary VLANs for convenience. They plug in unmanaged switches because "it's just for the weekend." They disable alerts because they're "too noisy." And then they act surprised when a breach happens.

"They're like, 'Well, this firewall is still here,' not realizing the firewall no longer matters when you're going around it," Moore said. That line should be framed in every OT security team's war room.

And it gets worse. Moore pointed out that the firewalls most commonly used for segmentation have also been the ones most commonly exploited in the last three years — Palo Alto, Fortinet, and others show up in the news repeatedly. A recent sweeping credential harvesting campaign compromised roughly 30,000 Fortinet devices across nearly 200 countries (Sweeping Credential Harvesting Heist Compromises 30K Fortinet Devices), illustrating exactly why relying on a single firewall brand as your OT perimeter defense is a fragile strategy. Firewalls are the first step into the organization, and it's not good when that first step fails. You can have perfect segmentation architecture on paper, but if the actual firewall appliances are getting compromised, your whole model collapses at ground zero.

Convenience isn't a side issue. It's the primary attack vector in most OT environments, and it's self-inflicted.


The Blind Spots Operators Miss Again and Again

Even when segmentation is properly designed and maintained, there are threat vectors that operators consistently overlook. Moore's work at runZero has exposed some of these repeatedly:

Multihomed devices. Every device you bring onto the network might be multihomed — connected to multiple networks simultaneously, possibly including the Internet. OT field gear often has devices that allow remote access through cellular connections. Operators don't always know these exist. "It may be totally segmented, but it's also completely open and on the Internet, and it's really hard to find those without looking for it," Moore said.

Compromised shared access paths. Segmentation doesn't protect you from a compromised customer using the same VPN as your organization. If a vendor, contractor, or partner gets hit and their credentials land in attacker hands, your segmentation boundaries mean nothing because the attacker is already inside the shared access layer.

Over-segmentation paradox. Moore also flagged a less obvious failure mode: putting too much on the same segmented network. "Folks tend to overuse it," he said. "You have a bunch of equipment that you don't want attackers to get to, you put it into a segmented network, but you put it all on the same segmented network. Then all it takes is one of those systems getting hacked."

That's counterintuitive for most operators. They assume that anything sitting behind a segment boundary is protected. But if every system you care about lands in the same zone, one compromised host can reach all of them, and the boundary has simply gathered your most valuable targets into one reachable pool. The answer is granular segmentation with verified boundaries, not fewer, bigger zones.

Legacy equipment debt. A lot of OT environments run on hardware that can't receive patches or vendor updates. Moore noted that with so much legacy equipment on factory floors and in power plants, it's often unclear what traffic those devices can even tolerate having filtered or segmented away without breaking. You can't install an agent. You can't enforce MFA. You can't even reliably inventory what protocols they speak. That equipment becomes a permanent blind spot in your segmentation model.

What CISA Actually Says About OT Segmentation

The April joint advisory from CISA — "Adapting Zero Trust Principles to Operational Technology" — deserves more attention than it's getting.

The advisory emphasizes that network segmentation is foundational to OT security, but it also delivers a critical caveat: you can't just lift IT zero-trust practices into OT and expect them to work. Legacy machines. Downtime constraints. Software restrictions that make IT best practices inapplicable.

Winebrenner echoes this guidance, noting that CISA stressed how "segmentation alone isn't foolproof." His recommendation is practical: treat segmentation as something you operate, not something you install. The security that works on a plant floor is one that rechecks policy — continuously, not once during a project kickoff.

CISA's guide advises an enforceable policy over a "one-time architectural decision." That distinction matters. Most OT security programs treat segmentation as an architecture project with a start date and an end date. CISA is saying it's an operational discipline. There's a world of difference between the two.

The advisory also implicitly validates what Moore and Winebrenner have been saying independently: segmentation is necessary but insufficient. You need it. But you also need continuous verification, operator awareness, and the willingness to admit when your model doesn't match reality.

Building Segmentation That Actually Holds Up

So what does operational segmentation look like in practice? Not the diagram. The actual day-to-day.

Inventory everything, constantly. Moore's recommendation is to scan endpoint detection and response logs, find endpoints with an IP address you don't recognize, and determine why they're connected. This isn't a quarterly exercise. It's continuous. If you don't know what's on your network, segmentation is theater.

Test the boundaries weekly. Pick one segmentation boundary and simulate an attack path. Can someone from Zone A reach a Zone B device using credentials from a compromised support tool? Does an unsegmented maintenance VLAN actually exist as a gap? Document what blocked the attempt and what slipped through. Track it over time.

Enforce protocol-level inspection. Don't just allow Modbus/TCP on port 502 and call it done. Parse the PDU. Flag invalid or unexpected function codes, register reads and writes far beyond what the application needs, writes from hosts that should only ever read, malformed frames, and out-of-sequence commands. Even basic deep packet inspection on OT protocols catches a great deal of what a port-based rule waves straight through.
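What "parse the PDU" means in practice, as an added example that is not code from the article, runZero or any firewall vendor: the inspector below splits a Modbus/TCP request into its MBAP header and PDU, rejects malformed frames, and applies two kinds of policy to the function code. The function-code groups and the maximum quantities are taken from the Modbus application protocol specification; the host roles (one engineering workstation allowed to write and run diagnostics, everything else read-only) and the captured frames are constructed assumptions a real site would replace with its own inventory and register map. Sequence tracking across requests is not implemented here.

```python
"""Protocol-level inspection of Modbus/TCP requests (constructed example)."""
import struct
from dataclasses import dataclass

MBAP_LEN = 7                 # transaction id (2), protocol id (2), length (2), unit id (1)
PROTOCOL_ID_MODBUS = 0       # the only legal protocol id on Modbus/TCP

READ_FCS = {1, 2, 3, 4}      # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}   # write single coil / register, write multiple coils / registers
RECON_FCS = {8, 0x2B}        # diagnostics, encapsulated interface (read device identification)
# Spec maxima for the quantity field of each quantity-carrying function code
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125, 15: 1968, 16: 123}

# Assumed site policy: only the engineering workstation may write or run diagnostics.
ENGINEERING_HOSTS = {"10.20.2.15"}


@dataclass(frozen=True)
class Finding:
    src: str
    reason: str


def parse_mbap(frame: bytes):
    """Split a frame into (transaction_id, unit_id, pdu); raise ValueError if malformed."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != PROTOCOL_ID_MODBUS:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The length field counts unit id + PDU, so a well-formed frame is exactly 6 + length bytes.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame)}")
    return tid, unit, frame[MBAP_LEN:]


def inspect(src: str, frame: bytes) -> list:
    """Structural and policy checks for one request frame sent by src."""
    try:
        _tid, _unit, pdu = parse_mbap(frame)
    except ValueError as exc:
        return [Finding(src, f"malformed: {exc}")]

    fc = pdu[0]
    if fc & 0x80:   # exception responses set the high bit; a request never does
        return [Finding(src, f"exception-flagged function code 0x{fc:02x} in a request")]
    if fc not in READ_FCS | WRITE_FCS | RECON_FCS:
        return [Finding(src, f"function code {fc} not in the allowed set")]

    findings = []
    if fc in RECON_FCS and src not in ENGINEERING_HOSTS:
        findings.append(Finding(src, f"diagnostic/identification function {fc} from non-engineering host"))
    if fc in WRITE_FCS and src not in ENGINEERING_HOSTS:
        findings.append(Finding(src, f"write function {fc} from non-engineering host"))
    if fc in MAX_QUANTITY:
        if len(pdu) < 5:
            findings.append(Finding(src, f"function {fc} PDU truncated"))
        else:
            _start, qty = struct.unpack(">HH", pdu[1:5])
            if not 1 <= qty <= MAX_QUANTITY[fc]:
                findings.append(Finding(src, f"function {fc} quantity {qty} outside 1..{MAX_QUANTITY[fc]}"))
    return findings


# Constructed request frames (hex) with the host that sent them; not real captures.
SAMPLES = {
    "hmi_read_10_regs":   ("10.20.1.10", "00010000000601030000000a"),          # FC3, 10 registers
    "hmi_write_2_regs":   ("10.20.1.10", "00020000000b0110000000020400010002"),  # FC16 from the HMI
    "hmi_read_2000_regs": ("10.20.1.10", "0003000000060103000007d0"),          # FC3, quantity 2000
    "rogue_diagnostics":  ("10.20.1.99", "000400000006010800040000"),          # FC8 force listen-only
    "eng_write_2_regs":   ("10.20.2.15", "00050000000b0110000000020400010002"),  # FC16 from engineering
    "bad_protocol_id":    ("10.20.1.10", "000600010006010300000001"),          # protocol id 1
}


def run_samples() -> dict:
    """Map each sample label to the list of reasons the inspector raised (empty means clean)."""
    return {label: [f.reason for f in inspect(src, bytes.fromhex(hx))]
            for label, (src, hx) in SAMPLES.items()}


if __name__ == "__main__":
    for label, reasons in run_samples().items():
        print(f"{label:20s} {'OK' if not reasons else '; '.join(reasons)}")
```

The point of the role check is that the same write frame is clean from 10.20.2.15 and a finding from the HMI: a port-502 allow rule cannot express that distinction, and it is exactly the distinction that matters when a compromised HMI starts issuing writes.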

Treat the diagram as a living document. Winebrenner's point about snapshots is critical. Your segmentation architecture needs version control, change tracking, and regular reconciliation against the actual network state. If your diagram doesn't match reality within a week of being saved, it's already wrong.
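Reconciling the diagram against the live network, the continuous inventory Moore describes, and the boundary tests above can all run off the same small script. The following is an added example, not code from the article or from runZero or Elisity: the declared zones and allowed flows stand in for the diagram, the flow records stand in for what you would pull from firewall or EDR logs, and the 10.0.0.0/8 corporate supernet is an assumption used to separate an undocumented on-site address (the weekend switch) from an endpoint outside the site entirely (the multihomed or Internet-facing case). All addresses and records are constructed.

```python
"""Reconcile the segmentation model you drew against the network you have (constructed example)."""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


# Declared model: what the diagram says exists (assumed ranges).
ZONES = {
    "control":     ipaddress.ip_network("10.20.1.0/24"),   # PLCs and HMIs
    "engineering": ipaddress.ip_network("10.20.2.0/24"),   # engineering workstations
    "dmz":         ipaddress.ip_network("10.20.9.0/24"),   # historian and jump host
}
# Address space the site owns at all; anything outside it is off-site (assumption).
CORPORATE = ipaddress.ip_network("10.0.0.0/8")

# Allowed inter-zone flows (assumed policy). Traffic inside a zone is allowed implicitly.
POLICY = {
    ("engineering", "control", 502, "tcp"),   # engineering pushes to PLCs over Modbus/TCP
    ("dmz", "control", 502, "tcp"),           # historian polls PLCs
    ("control", "dmz", 5432, "tcp"),          # HMI writes to the historian database
}


def zone_of(ip: str):
    """Name of the declared zone containing ip, or None if the diagram has no zone for it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def reconcile(flows):
    """Classify observed flows against the declared model.

    undocumented: endpoints inside CORPORATE but in no declared zone
    external:     endpoints outside CORPORATE (Internet or another site)
    unauthorized: every flow the model does not explicitly permit
    """
    undocumented, external, unauthorized = set(), set(), []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        for ip, z in ((f.src, sz), (f.dst, dz)):
            if z is None:
                (undocumented if ipaddress.ip_address(ip) in CORPORATE else external).add(ip)
        if sz is None or dz is None:
            unauthorized.append(f)            # nothing on the diagram allows this flow
        elif sz != dz and (sz, dz, f.dport, f.proto) not in POLICY:
            unauthorized.append(f)            # crosses a zone boundary outside policy
    return {
        "undocumented": sorted(undocumented),
        "external": sorted(external),
        "unauthorized": unauthorized,
    }


def new_since(previous: dict, current: dict) -> dict:
    """Findings present now that were absent last run, so drift is tracked over time."""
    return {k: [x for x in current[k] if x not in previous[k]] for k in current}


# Constructed flow records, in the shape you would derive from firewall or EDR logs.
OBSERVED = [
    Flow("10.20.2.15", "10.20.1.20", 502, "tcp"),   # engineering -> PLC, in policy
    Flow("10.20.1.10", "10.20.1.20", 502, "tcp"),   # HMI -> PLC, same zone
    Flow("10.20.9.5",  "10.20.1.20", 502, "tcp"),   # historian -> PLC, in policy
    Flow("10.20.1.20", "10.20.9.5",  5432, "tcp"),  # PLC -> historian DB, in policy
    Flow("10.20.9.5",  "10.20.1.20", 22, "tcp"),    # SSH from the DMZ into control: not in policy
    Flow("10.99.0.7",  "10.20.1.20", 502, "tcp"),   # address on no diagram: the weekend switch
    Flow("10.20.1.31", "203.0.113.9", 443, "tcp"),  # a control-zone host talking off-site
]

if __name__ == "__main__":
    report = reconcile(OBSERVED)
    for key, items in report.items():
        print(key)
        for item in items:
            print("   ", item)
```

Run it on each week's flow export and diff against the last run with new_since: a finding that appears is a change to the network that the diagram never recorded, and a finding that disappears without a corresponding diagram change is worth asking about too.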

Close the awareness loop across teams. Share test results and gap analyses with engineering, operations, and security — not as blame assignments but as learning opportunities. When a PLC vendor's remote update tool bypasses your firewall, that isn't a security failure. It's a design constraint you need to acknowledge and compensate for.

Accept the economics. Moore is honest about this: organizations can't afford to give each piece of factory equipment or each ventilation system its own network switchboard. It's unfeasible, and many devices still need to communicate with each other. Work within those constraints instead of against them.

The lessons from recent high-profile breaches reinforce this. The Ivanti Sentry vulnerability (CVE-2026-10520) showed how quickly a single compromised edge device can collapse an organization's perimeter — see Weaponized Urgency: The Critical Lessons Behind the Ivanti Sentry Breach for a deep dive on why defense-in-depth and segmentation matter even more when edge devices are in play.

The Bottom Line: Awareness Is the Real Control

Segmentation isn't a checkbox. It's not even really an architecture problem — it's an awareness problem.

You can draw the tightest zones, enforce the strictest ACLs, and deploy the most expensive firewall appliances on the market. But if your operators don't know what threats to look for, if they're bypassing controls for convenience, if your inventory is stale and your diagrams are outdated, then you've built a castle with the drawbridge up and the gates left open.

Moore's warning about creative, hard-to-detect attacks is especially relevant. As attack techniques evolve and become more sophisticated, the human element becomes the weakest link — not because operators are incompetent, but because they're trained to prioritize availability over security verification. That's baked into OT culture. And it's not going away.

The operators who succeed aren't the ones with the fanciest tools. They're the ones who look at their segmentation model every week, question every assumption, and treat every alert as potentially real until proven otherwise. They understand that segmentation is a delaying mechanism — it buys you time to detect and respond, not time to relax.

If your OT segmentation strategy doesn't include daily awareness checks, weekly gap tests, and quarterly threat-model reviews against actual network state, it's decoration. And in OT, decoration doesn't stop a breach. Awareness does.
