It’s 2025. You can’t swing a stick in the security world without hitting someone screaming, "Zero Trust! Segment your networks!"
In the IT world, we get it. We utilize VLANs, microsegmentation, and zero-trust policies to prevent a breach in HR from immediately escalating into a breach in Finance.
But, then there’s OT (Operational Technology). The environment that controls the things that physically make and move the world: power grids, factories, water treatment plants, and oil pipelines.
When I look at most industrial networks, the security architecture often looks like it was designed in the 1990s and then sealed with concrete. The security playbook calls for segmentation, microsegmentation, and a "defense in depth" layered approach. So, here’s the million-dollar question: If segmentation is Cybersecurity 101, why are so many critical OT networks still flat?
Let’s skip the typical excuses (the ones everyone nods along to in webinars) and talk about the uncomfortable truths. Ok, actually, let’s go over them for completeness' sake, since they are valid reasons if the wrong solution is chosen for OT security.
The Comfortable Excuses (We've Heard Them Before)
I’ll quickly get the non-controversial stuff out of the way. We all know the textbook challenges:
- Legacy Gear is Scary: You can’t just reboot a 20-year-old Siemens PLC for a maintenance window without risking a costly failure. The documentation is likely nonexistent.
- Fear of Downtime: The primary mandate of OT is availability. Any change, such as adding an access control list or a firewall, introduces the risk of halting production, which can incur significant costs immediately.
- The Air-Gap Myth Persists: Some still believe they are "air-gapped" because they don't have a direct cable to the internet. But every contractor's laptop, every USB stick, and every remote access gateway is a gap. A flat network means when a breach crosses that gap, it’s game over.
Those are valid operational constraints. But they aren’t the real reason. The real reasons are organizational, financial, and psychological in nature.
The Controversial Reasons for OT Inertia
Here are the reasons security leaders whisper to each other at conferences, but rarely put into an investment thesis:
1. The "If It Ain't Broke, Don't Fix It" Complacency
This is the most powerful force in industrial control systems. OT culture is about reliability, predictability, and stability. Security, conversely, is about preparing for an unpredictable, chaotic event (a breach).
The underlying, controversial thought process goes like this: "We’ve been running this plant for 30 years without a dedicated OT security budget, and nothing bad has shut us down yet. Segmentation introduces complexity, increased cost, and a higher risk of failure. Therefore, the risk of downtime from segmentation is higher than the risk of a breach."
It's a form of loss aversion. They’d rather risk the unknown future cost of a breach than accept the known, immediate cost (and potential embarrassment) of an operational error caused by a security project.
2. Organizational Turf Wars and the Budget Blame Game
Who owns segmentation? IT or OT?
In many organizations, the OT team views their network architecture as sacred (and often, rightly so, as they built and maintain it). They see IT security (and their expensive firewalls) as an intrusive, performance-killing layer of complexity designed by people who don't understand latency requirements.
Segmentation is hard because it means the IT team has to fundamentally tell the OT team they were wrong about architecture for the last two decades. The resulting turf war means the project gets shelved, trapped between two vice presidents who refuse to fund the other’s team to do the work. The project never starts because no one wants to cede control.
3. The "Shiny Box" Security Fallacy
CISOs love dashboards. They love metrics. They love talking about "advanced threat detection."
The unpopular truth is that buying a complex, expensive appliance (like a top-tier Industrial IDS/IPS) feels like progress. It generates alerts, features graphs, and is a tangible thing you can point to and say, "We bought security." However, it can’t stop a single attack until it has started, and even then, other solutions are needed to stop the attack in progress.
Segmentation? It's architectural. It's invisible. It's boring. You don't get a flashy dashboard for "successfully preventing lateral movement," you just get... quiet. Many security leaders would rather spend $500k on a new appliance that promises to "detect the undetectable" than spend $500k on architectural changes and professional services that fundamentally prevent the need for detection in the first place.
It's Time to Stop Making Excuses
I get it. Segmentation is hard, and traditional solutions often mean ripping out and replacing equipment you can’t afford to touch.
But the industry has moved on. If you want true segmentation without the complexity of managing thousands of firewall rules or risking downtime, consider Zero Trust Microsegmentation.
Instead of trying to draw static lines with firewalls around a massive, flat network, you simply define which two endpoints are allowed to talk—and only those two. No configuration changes to the underlying network. No rebooting legacy gear. It’s a policy overlay, not an architectural overhaul.
If you’re still struggling with the segmentation challenge, let’s discuss a straightforward security architecture that bypasses the politics, budgets, and inertia.
Come join our webinar where we talk about how we implement segmentation: https://www.blastwave.com/webinar/microsegmentation-simplified
— Cam Cullen, CMO, Blastwave
.jpg)
Experience the simplicity of BlastShield to secure your OT network and legacy infrastructure.
.svg)