Most industrial environments are still relatively flat, but they should be designed around a zoned architecture. Frameworks like the Purdue Model and standards such as IEC 62443 define how this segmentation should be implemented in these environments. In these models, systems are grouped into zones, and communication between zones is restricted to defined conduits, arranged in a strict layered hierarchy. This architecture is a foundational principle of OT security.

Historically, organizations have relied on firewalls to implement zones and conduits. Firewalls establish clear network boundaries, are widely understood, and help meet baseline compliance requirements. They are effective at protecting internet-facing environments by blocking malicious external traffic and restricting unnecessary protocols.

However, firewalls are not well-suited for internal segmentation. They operate primarily on static rules and network boundaries, making it difficult to enforce granular, identity-based access or adapt to dynamic OT environments. As a result, they often fall short when it comes to controlling east-west traffic or enabling secure, authorized access between systems. While firewalls remain a necessary perimeter control, they are not sufficient on their own to achieve effective segmentation within modern IT and OT networks.

Segmentation vs. Firewalls in OT

Using firewalls as the primary enforcement mechanism introduces complexity that becomes difficult to manage over time. OT environments are not static. Devices are replaced, networks expand, and new connections are introduced for maintenance, monitoring, and vendor access. Firewall policies, however, rely on static constructs like IP addresses and ports. As environments evolve, these rules must be constantly updated to keep pace with changes. The challenge grows sharply in large-scale deployments, where hundreds of firewalls are often nested or sequenced with overlapping rules, making policy management difficult, error-prone, and hard to maintain.

Over time, these rule sets grow large, inconsistent, and hard to understand. Old rules are rarely removed because the risk of breaking operations is too high. What starts as a clean segmentation strategy gradually turns into a fragile system of exceptions.

The challenge is compounded by the constant flow of people into and out of the environment. New engineers, contractors, and third-party vendors regularly require access, and each request often leads to new or modified firewall rules. This creates a significant operational burden. Administrators must not only grant access, but also remember to revoke it when it is no longer needed. In practice, temporary access frequently becomes permanent. These lingering rules create unnecessary pathways into the environment and increase exposure to credential-based attacks.

Firewall rules also tend to over-permit traffic because they lack the context needed to enforce precise behavior. A firewall can allow or block a protocol, but it cannot easily express which systems should communicate, under what conditions, and for what purpose. In OT, where many protocols are coarse and unauthenticated, this often leads to broader access than intended.
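The drift described in the preceding paragraphs (temporary exceptions that outlive their ticket, rules nothing has matched in months, and rules so broad they permit far more than intended) is something a defender can measure. The following audit script is an added example, not code from the original post or from Xage; the rule fields, the addresses, the sample rules and the 180-day threshold are constructed assumptions, and a real audit would parse the export format of whatever firewall is actually in use.

```python
"""Audit a static firewall rule set for stale, expired and overly broad rules.

Added example, not code from the original post. The rule fields, the
addresses and the 180-day threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import Optional


@dataclass
class Rule:
    rule_id: str
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    port: Optional[int]      # None means any port
    comment: str
    created: datetime
    expires: Optional[datetime] = None   # set only on "temporary" exceptions
    last_hit: Optional[datetime] = None  # None means the rule never matched


# Constructed sample rule set; addresses are private/documentation ranges.
NOW = datetime(2024, 6, 1)
RULES = [
    Rule("R1", "10.1.0.0/16", "10.2.0.0/16", "tcp", 502,
         "SCADA polling PLCs over Modbus/TCP", datetime(2021, 3, 1),
         last_hit=NOW - timedelta(hours=1)),
    Rule("R2", "203.0.113.7/32", "10.2.0.5/32", "tcp", 3389,
         "TEMP vendor RDP, ticket 1234", datetime(2023, 1, 10),
         expires=datetime(2023, 1, 17), last_hit=datetime(2023, 1, 15)),
    Rule("R3", "0.0.0.0/0", "10.2.0.0/16", "any", None,
         "troubleshooting", datetime(2022, 5, 5),
         last_hit=NOW - timedelta(days=2)),
    Rule("R4", "10.1.0.44/32", "10.2.0.9/32", "tcp", 22,
         "old historian sync", datetime(2020, 8, 1),
         last_hit=datetime(2022, 1, 1)),
    Rule("R5", "10.1.0.50/32", "10.2.0.9/32", "tcp", 443,
         "historian web UI", datetime(2023, 9, 1)),
]


def is_overly_broad(rule: Rule) -> bool:
    """True for any-source, any-destination, any-protocol or any-port rules."""
    return (ip_network(rule.src).prefixlen == 0
            or ip_network(rule.dst).prefixlen == 0
            or rule.proto == "any"
            or rule.port is None)


def audit_rules(rules, now=NOW, unused_after=timedelta(days=180)):
    """Return {rule_id: [reasons]} for every rule that needs review.

    A rule with no findings is omitted, so an empty dict means a clean set.
    """
    findings = {}
    for rule in rules:
        reasons = []
        # Temporary access that became permanent: expiry date already passed.
        if rule.expires is not None and rule.expires < now:
            reasons.append("temporary rule past its expiry")
        # Rules nothing uses any more are candidates for removal.
        if rule.last_hit is None:
            if now - rule.created > unused_after:
                reasons.append("never matched")
        elif now - rule.last_hit > unused_after:
            reasons.append(f"unused for more than {unused_after.days} days")
        # Coarse rules permit far more than the conduit was meant to carry.
        if is_overly_broad(rule):
            reasons.append("overly broad source, destination, protocol or port")
        if reasons:
            findings[rule.rule_id] = reasons
    return findings


if __name__ == "__main__":
    for rule_id, reasons in audit_rules(RULES).items():
        print(rule_id, "->", "; ".join(reasons))
```

Run against the constructed set, only R1 (the live Modbus/TCP conduit) passes; the expired vendor exception, the never-used historian rule and the any/any troubleshooting rule all surface for review. Hit counters and expiry annotations are the two inputs most firewalls can export, so this check can run on a schedule rather than waiting for the rule base to become unmanageable.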

In addition, implementing segmentation through firewalls often requires network re-architecture. This can involve IP address changes, reconfiguring systems, and coordinating updates across tightly coupled process control environments. The result is often lengthy downtime or operational risk, as organizations struggle to reconnect critical systems and applications without disruption.

Zero Trust segmentation addresses this problem by preserving the concept of zones and controlled communication, while changing how those controls are defined and enforced. Instead of relying on persistent network rules, it applies principles like role-based access control and just-in-time access to tie connectivity to identity and time-bound need.

This model also enables more consistent enforcement of least privilege. Each connection is explicitly authorized, rather than implicitly trusted because it originates from a particular network segment. That reduces the risk of lateral movement inside OT environments, where access is often too broad once a boundary is crossed.

For example, adding new devices or applications becomes straightforward. Administrators assign the device or application identity to an attribute group in Xage Manager, and enforcement is automatically applied across a distributed set of Xage Enforcement Points (XEPs). There is no need to update individual enforcement elements or manage IP-based rules, as would be required with traditional firewalls.

Did you know? 

As organizations adopt modern approaches to enforcing segmentation, it is important to align with proven standards. IEC 62443-3 applies to the automation systems and networks that organizations operate, defining requirements for secure segmentation and system design. Xage delivers the technical controls needed to support these requirements, enabling customers to implement segmentation in alignment with IEC 62443 and strengthen the security of their industrial environments.

Xage not only enables IEC 62443-3 system-level compliance for customers, but its products are also IEC 62443-4-2 certified at Security Level 3. This combination ensures both the architecture and the underlying components meet rigorous security standards.

Remote access is another area where this shift has a clear impact. Vendor connectivity is essential, but it is often managed through VPNs and firewall exceptions that grant wide network access. With a Zero Trust approach, access can be limited to specific assets, tied to verified identities, and restricted to defined time windows. This allows organizations to support operational needs without introducing unnecessary risk.
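The identity-based, just-in-time model described above (role-based policy written against attribute groups, every connection explicitly authorized, and vendor access limited to specific assets and time windows) can be shown as a small default-deny policy evaluator. This is an added example, not Xage's code or any product's API; the identities, roles, asset groups, grant windows and the `authorize` function are constructed assumptions that illustrate the model rather than a real implementation.

```python
"""Identity- and time-bound access decisions in place of static IP/port rules.

Added example, not Xage's code or any product's API. All names, roles,
groups, grant windows and the authorize() logic are constructed assumptions.
"""
from datetime import datetime

# Assets carry an attribute group; policy is written against the group, so
# onboarding a new device means tagging it, not writing new rules.
ASSET_GROUPS = {"plc-line1": "plc", "plc-line2": "plc", "hist-01": "historian"}

# Role policy: role -> {asset group -> protocols that role may use}.
ROLE_POLICY = {
    "control-engineer": {"plc": {"modbus", "ssh"}, "historian": {"https"}},
    "vendor-support": {"plc": {"ssh"}},
}

# Identity -> (role, whether the identity's credential has been verified).
IDENTITIES = {
    "alice": ("control-engineer", True),
    "vendor-bob": ("vendor-support", True),
    "vendor-eve": ("vendor-support", False),   # verification failed
}

# Roles that additionally need an approved, time-boxed grant per asset.
JIT_REQUIRED_ROLES = {"vendor-support"}

# Just-in-time grants: (identity, asset, valid_from, valid_until).
# Every grant carries an end time; nothing in this list is permanent.
JIT_GRANTS = [
    ("vendor-bob", "plc-line1",
     datetime(2024, 6, 1, 8, 0), datetime(2024, 6, 1, 12, 0)),
]

# Constructed sample times inside and after the grant window above.
DURING_WINDOW = datetime(2024, 6, 1, 9, 0)
AFTER_WINDOW = datetime(2024, 6, 1, 13, 0)


def add_asset(name: str, group: str) -> None:
    """Onboard a device by tagging it; existing group policy then applies."""
    ASSET_GROUPS[name] = group


def has_active_grant(identity: str, asset: str, now: datetime) -> bool:
    """True if an approved grant covers this identity and asset right now."""
    return any(i == identity and a == asset and start <= now < end
               for i, a, start, end in JIT_GRANTS)


def authorize(identity: str, asset: str, protocol: str, now: datetime):
    """Return (allowed, reason). Default deny; every check must pass.

    Note what is absent: no source IP or port. The decision depends on who
    is asking, what they are asking for, and when, not where they sit.
    """
    if identity not in IDENTITIES:
        return False, "unknown identity"
    role, verified = IDENTITIES[identity]
    if not verified:
        return False, "identity not verified"
    group = ASSET_GROUPS.get(asset)
    if group is None:
        return False, "unknown asset"
    allowed_protocols = ROLE_POLICY.get(role, {}).get(group, set())
    if protocol not in allowed_protocols:
        return False, f"role {role} may not use {protocol} on group {group}"
    if role in JIT_REQUIRED_ROLES and not has_active_grant(identity, asset, now):
        return False, "no active just-in-time grant for this asset"
    return True, "allowed"


if __name__ == "__main__":
    print(authorize("vendor-bob", "plc-line1", "ssh", DURING_WINDOW))
    print(authorize("vendor-bob", "plc-line1", "ssh", AFTER_WINDOW))
    add_asset("plc-line3", "plc")
    print(authorize("alice", "plc-line3", "modbus", DURING_WINDOW))
```

The same vendor request is allowed at 09:00 and denied at 13:00 without anyone editing a rule, because expiry is a property of the grant rather than a cleanup task someone must remember. A grant for `plc-line1` does not extend to `plc-line2`, and adding `plc-line3` to the `plc` group makes it reachable by the roles already entitled to that group, which is the onboarding behaviour the post attributes to attribute groups.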

Firewalls do not disappear in this model. They continue to play an important role in protecting outward-facing environments and enforcing boundary controls against external threats. Within internal networks, however, their role can be reduced or eliminated. Where internal firewalls already exist, their management can be significantly simplified.

The key difference is that firewalls are no longer responsible for expressing the full security policy. Instead of managing hundreds of low-level rules, organizations can define higher-level policies that align with their segmentation architecture and allow the underlying system to enforce them dynamically.

For OT security teams, this shift reduces both risk and operational burden. Segmentation remains a critical foundation, but enforcing it through static firewall rules does not scale in complex industrial environments. A model that aligns policy with identity and system behavior is easier to manage and more resilient to change.