Why ZTNA Fails in OT — and What Actually Enforces Zero Trust Inside Industrial Networks

Most ZTNA solutions stop at the perimeter. PacketViper enforces Zero Trust inside the network, autonomously, without agents, at wire speed.

The Problem: IT ZTNA Doesn’t Work on PLCs and RTUs

IT-centric ZTNA assumes identity hooks, software agents, and always-on cloud connectivity. OT environments offer none of those. The realities that break standard ZTNA in industrial settings:

  • No user identity hooks. PLCs, RTUs, and controllers are machines — they don’t authenticate the way users do. ZTNA gateways have nothing to broker.
  • No agents possible. You cannot install endpoint software on a PLC running a 15-year-old firmware stack that controls a turbine or water treatment valve.
  • Legacy and latency-sensitive protocols. Modbus, DNP3, and similar protocols are unforgiving. Any inline disruption or cloud rerouting can cause safety-critical failures.
  • Air-gapped and intermittently connected plants. A cloud-dependent enforcement model stops working the moment connectivity drops — which is exactly when you need enforcement most.
  • Scarce change windows. Reliability and safety dominate. Security changes that require downtime or agent installation face months of delay.

The result: most “ZTNA for OT” products remain remote access controls — they govern who gets to the front door, but they do nothing about what happens inside the network once a session is established or a device is compromised.

Key Definitions: What These Terms Actually Mean

The ZTNA and OT security market is full of overlapping terminology. Here are tight, analyst-grade definitions used in this context:

Term | Definition
---- | ----------
Segmentation / Microsegmentation | Policy-defined communication boundaries (who and what can talk across zones). Often static; commonly agent-based in IT environments.
Micro-perimeter | A fine-grained perimeter implemented close to assets or workloads (logical or physical) to minimize blast radius in the event of a breach.
ZTNA (IT-centric) | Identity- and context-based user-to-application access brokering through gateways or proxies. Designed around user identity, not device behavior.
Behavioral Enforcement | Inline, autonomous validation of device and network behavior against allowed communication patterns. Deviations are blocked or redirected instantly — no central re-evaluation required.
Active Deception | Exposing realistic deceptive responders that mislead attackers and immediately block the probing source on interaction, while alerting incident response teams.
AMTD (Automated Moving Target Defense) | Scheduled and automated decoy shifts that continuously disrupt attacker reconnaissance and lateral movement planning.

Framing: Segmentation establishes boundaries. Behavioral enforcement continuously validates and defends them.

How PacketViper Enforces Zero Trust Agentlessly

PacketViper deploys as a distributed inline enforcement fabric — ISUs and RSUs (Internal/Remote Security Units) — centrally orchestrated by a CMU (Central Management Unit) and powered by Active Deception and Applied Intelligence (AlertBox).

No software is installed on any endpoint. No agents. No firmware changes. PacketViper sits inline between network segments and enforces policy at the packet level.

Operational Example: What Happens on the Wire

  1. A device initiates communication to an OT zone. PacketViper intercepts the session inline and checks against Context Groups (the defined set of trusted device pairs and ports).
  2. If the device is unauthenticated or unrecognized, PacketViper can redirect the connection to an IAM portal for validation — or block it immediately.
  3. Once IAM validates the identity (via LDAP, RADIUS, or API), PacketViper automatically creates a temporary permit rule allowing the session to proceed.
  4. During the active session, Sensors continuously monitor the device’s behavior. If it deviates from its allowed communication profile — scanning ports it shouldn’t, initiating unexpected lateral connections — Sensors instantly block, deceive, or reroute the traffic.
  5. AlertBox updates risk scoring and synchronizes new enforcement rules across all CMU and RSU nodes enterprise-wide. Other PacketVipers learn from the detection immediately.
  6. If CMU connectivity is lost, RSUs continue enforcing locally. Detections are stored and propagated when connectivity resumes.

This approach combines Zero Trust identity validation with inline behavior-based enforcement and dynamic routing control — ensuring every connection remains continuously verified and governed, not just at initial access.

The Five Steps of OT-Inside Operations

  1. Define Normal: Build Network and Port Context Groups per line, cell, or zone. Specify allowed device pairs and ports. Add optional time-frame constraints (e.g., maintenance windows only).
  2. Permit Only What’s Needed: Custom Rules allow narrowly defined flows — for example, PLC to Historian on ports 102/502 during a Saturday 02:00-04:00 maintenance window.
  3. Redirect Unauthorized: Any connection outside the defined rules gets redirected or blocked. Deceptive responders engage probing sources safely.
  4. Invert to Defend: Sensors invert the permitted profile. Any out-of-scope communication triggers instant blocking, optional deception, alert propagation, and enterprise-wide blacklist updates.
  5. Measure and Tune: AlertBox telemetry highlights noisy sources, misconfigurations, and risky traffic patterns. Dashboards visualize inbound/outbound flows and detections per zone.

Competitive Landscape: ZTNA for OT Claims vs. Reality

Most vendors claiming “ZTNA for OT” are delivering secure remote access with device awareness — not inline behavioral enforcement inside the plant. Here is a factual breakdown:

Vendor | Claim | Reality | Where It Stops
------ | ----- | ------- | --------------
Cisco — Secure Equipment Access | ZTNA for OT remote equipment access | Identity- and session-proxy gateways with strong OEM hardware embedding and policy granularity for connectivity | Focused on user-to-device entry. Not inline device-to-device or lateral enforcement. Session connectivity dependent.
Netskope — Device Intelligence | Extends ZTNA to unmanaged and IoT/OT devices | Device discovery, classification, and policy application via cloud ZTNA with broad device taxonomy | Primarily contextual policy — not inline behavioral containment. Relies on cloud rerouting.
Cyolo | Agentless ZTNA for OT | Secure remote access and privileged session management with compliance reporting | Access gateway focus. No autonomous inline enforcement across OT East-West flows.
Zscaler (ZPA) | ZTNA for any app or device | Mature cloud proxy with agents and connectors — strong IT ZTNA foundation | Infeasible for air-gapped or low-bandwidth plants. Limited local decisioning when offline.
Xage Security | Zero Trust for OT/ICS | Identity federation and mesh access with strong identity granularity for industrial users | Enrollment-heavy. Not behavior-first. Constrained with unmanaged and legacy devices that cannot enroll.
Akamai Guardicore | Microsegmentation for hybrid environments | Flow and label-based segmentation (often agent-dependent) with strong visibility for IT workloads | Agent dependence limits OT inline applicability significantly.
Illumio | Zero Trust Segmentation | Mature agent-based microsegmentation with static policy controls for IT | No behavioral enforcement. Limited in legacy OT. Requires controller and policy infrastructure.
Cato Networks (SASE) | ZTNA plus IoT/OT support | Cloud SASE edge with policy routing — converged network and security edge | Cloud-dependent. Not designed for autonomous plant enforcement when disconnected.

Bottom line: Most “ZTNA for OT” claims resolve to secure remote access plus device awareness. Very few — if any — deliver agentless, inline, behavioral enforcement inside OT networks with autonomous containment when disconnected from the cloud.

Capability Comparison: Most ZTNA Vendors vs. PacketViper

Category | Most ZTNA Vendors | PacketViper
-------- | ----------------- | -----------
Enforcement Model | Cloud/gateway proxy; policy brokers at the edge | Inline, distributed, autonomous — no rerouting required
Dependency | IAM, agents, always-on cloud or controller | Agentless; RSUs enforce independently if CMU or cloud is unavailable
Control Focus | User-to-device and session access control | Device-to-device plus full network behavior enforcement
Segmentation | Static microsegments (often agent-dependent) | Segmentation plus self-defending micro-perimeters
Behavioral Validation | Posture and context checks at access time | Continuous inline behavior validation via Sensors throughout the session
Reaction Speed | Seconds to minutes (requires central re-evaluation) | Instant edge block or deception — millisecond response
Deception / AMTD | Rare or unavailable; typically bolt-on | Native Active Deception and AMTD built into the enforcement fabric
OT Protocol / Legacy Fit | Limited support for legacy industrial protocols | Protocol-agnostic; agentless; designed for brownfield OT environments
Cost Impact | Adds log volume and operational overhead | Reduces SIEM, IDS, and IPS load — extends existing stack life

Measured KPIs and Deployment Outcomes

These outcomes reflect measured results across utilities, manufacturing, defense, and energy deployments and controlled penetration tests:

  • 75% firewall load reduction within 90 days of deployment — significant cost avoidance and extended hardware life without forklift upgrades.
  • 30-70% SIEM and SOC noise reduction through edge containment and intelligent filtering. Analysts see fewer false positives and spend more time on real threats.
  • 100% attacker containment in independent penetration tests when PacketViper defenses are active. Zero lateral movement through enforced zones.
  • Operational continuity maintained through inline bridge deployment — unauthorized traffic is blocked while normal traffic continues without interruption.
  • Autonomous enforcement during CMU and cloud connectivity loss — RSUs continue blocking and detecting locally, with synchronization on reconnect.

Evaluation Checklist: Access Control vs. True Enforcement Fabric

Use these seven questions to separate remote access control products from genuine inline enforcement solutions:

  1. Agentless? Does it work with PLCs and legacy devices without software installation, firmware changes, or endpoint modifications?
  2. Inline and autonomous? Does it enforce at the boundary and continue operating if central control or cloud connectivity is lost?
  3. Behavioral validation? Does it continuously check device and flow behavior throughout the session — not only at initial access or identity check?
  4. Instant containment? Does it block or deceive locally in milliseconds, without waiting for central re-evaluation or a policy push?
  5. Deception and AMTD? Is deception native to the platform — not a bolt-on integration — and does it actively inform enforcement decisions?
  6. Cost avoidance? Does the vendor demonstrate measured reduction of firewall, IDS, and SIEM load — extending existing stack life rather than replacing it?
  7. OT fit? Is it protocol-agnostic, latency-respecting, and proven in brownfield environments with legacy and unmanaged devices?

Frequently Asked Questions

Does PacketViper replace ZTNA vendors like Zscaler or Cyolo?

Not exactly. For organizations that already have user-to-application ZTNA solutions, PacketViper adds a behavioral enforcement layer that extends Zero Trust into device-to-device and network-level enforcement — areas where user-centric ZTNA does not operate. For organizations that do not yet have a ZTNA solution, PacketViper can serve as the first step toward Zero Trust enforcement across both IT and OT environments. The two approaches are complementary, not competing.

Is PacketViper a SIEM or SOAR replacement?

No. AlertBox provides risk scoring and applied intelligence to enforce rules instantly at the edge, and it significantly reduces SIEM alert volume — but it is not a full SIEM or SOAR replacement. Think of it as a SIM-like applied intelligence layer that converts telemetry into enforceable rules rather than queuing alerts for later human review.

Does PacketViper integrate with IAM systems?

Yes. PacketViper natively integrates with IAM systems including LDAP and RADIUS. It can redirect unauthenticated connections to IAM portals for authentication. When the IAM solution supports APIs, PacketViper exchanges data with it automatically to create temporary permit rules for validated sessions. In OT areas or zones without IAM coverage, DR ID (Deceptive Responder Identity Detection) fills the gap by validating device intent through behavioral analysis and deception.

What happens if the CMU loses connectivity or the plant goes offline?

RSUs (Remote Security Units) operate fully autonomously. Detections are blacklisted locally and enforcement continues without interruption. When CMU connectivity resumes, detections and updated rules are synchronized across the enterprise automatically. There is no enforcement gap during offline periods.

Can PacketViper disrupt existing plant operations or traffic?

PacketViper is designed for deployment as a transparent inline bridge — it does not require IP address changes or network redesign. Normal traffic continues without interruption; only policy-violating or anomalous traffic is blocked or redirected. For sensitive environments, Sensor-Only Mode provides passive monitoring and blocking without surfacing the presence of the enforcement layer to external observers.

Which industries use PacketViper for OT Zero Trust enforcement?

PacketViper is deployed across utilities, energy, manufacturing, defense, and critical infrastructure environments. It is particularly well-suited for brownfield OT environments with legacy PLCs, RTUs, and ICS devices that cannot support modern endpoint agents — which describes the majority of active industrial infrastructure globally.

Make Zero Trust real in your OT environment

See how PacketViper enforces Zero Trust inside industrial networks — autonomously, without agents, at wire speed.