Category Archive - OT - NetFoundry (https://netfoundry.io/category/ot/), Identity-First™ Networking. Feed last updated Tue, 31 Mar 2026 16:49:40 +0000.

Rethinking Industrial Cybersecurity
https://netfoundry.io/ot/why-digital-transformation-left-traditional-ot-networking-in-the-dust/
Published Thu, 26 Mar 2026 22:25:13 +0000

Why Digital Transformation Left OT’s Traditional “Broken” Networking in the Dust

NetFoundry CEO Galeal Zino was recently interviewed by Larry O’Brien, VP of Research at ARC Advisory Group, where they discussed the realities of OT’s “broken” networking paradigm.

The old strategy for Operational Technology (OT) security was simple: build a fortress. You air-gapped the systems, set up a flat network, and focused on keeping everyone out. But in the era of Industry 5.0, that model is officially broken.


With the rise of predictive maintenance, digital twins, and edge-to-cloud connectivity, today’s OT networks are inherently porous. Traditional networking models (relying on IP addresses, VLANs, and firewalls) were not built for the modern era of digital transformation, AI, and Industry 5.0. Bolting security solutions onto these outdated networks stifles business agility, decreases velocity, and creates complexity—which ultimately leads to insecurity.

Galeal summed up this reality perfectly:

“When we look at digital transformation, Industry 4.0, Industry 5.0, AI… they’re all great. However, in many ways what they left behind in the dust was the cyber security model, and the networking model. Our mission at NetFoundry is essentially to catch up and rebuild the secure networking model to fit this kind of digital transformation age.”

The Complexity Trap

Attempting to force legacy networking to support modern digital transformation creates friction that kills business velocity. Even worse, it creates vulnerabilities. As Galeal noted, “Actually, the complexity itself becomes insecurity. Nothing that’s complex is ever very secure.”

The Shift to Identity-First Security

Instead of relying on network perimeters, NetFoundry advocates for true Zero Trust based on cryptographically verifiable identities. This “assume breach” mentality allows organizations to solve three massive challenges without risking uptime or human safety:

  • Secure Inbound Access: Safely authenticating vendors and remote employees.
  • Secure Outbound Data: Routing crucial OT data to the cloud (like AWS) for analytics without opening dangerous inbound firewall ports.
  • Internal Segmentation: Isolating threats before they can spread and cause millions in unplanned downtime.

The transition doesn’t require a “big bang” overhaul. By leveraging an open-source ecosystem (e.g., NetFoundry’s OpenZiti) and pre-installed integrations with major vendors like Siemens, organizations can start with a single, high-value use case—and finally leave traditional networking in the dust.

Interested in learning more about how we’re revolutionizing industrial cybersecurity? View the complete interview here:

The post Rethinking Industrial Cybersecurity appeared first on NetFoundry.

NetFoundry and Siemens partner to simplify zero trust for industrial networking
https://netfoundry.io/ot/ot-connectivity/
Published Mon, 06 Oct 2025 00:18:56 +0000


Simple, secure OT connectivity…without additional installs

This may sound like magic, but it is true. Simple, secure OT connectivity, without installing additional software or hardware. Secure industrial networking, without the hassle.

Want to see it to believe it? Add a couple days to your Oktoberfest to visit NetFoundry at the Siemens booth at it-sa Expo and Congress, Europe’s largest trade fair for IT security, 7-9 October in Nuremberg. The Siemens booth is 421 in Hall 7.

Not in Germany? Contact NetFoundry for a virtual demo and leave the demo with a party gift – your own zero trust native network, ready for your use in minutes, as a free trial.

What does this industrial networking solution provide?

  • Industrial network discovery, visibility and policy creation
  • Secure remote access to shop floor devices, including just in time (JIT) access, one-time access and agentless access
  • Simple, secure connectivity between OT, IT, edge and cloud
  • Identity microsegmented M2M networking and implementation of zones and conduits, while meeting IEC 62443 and NIS2 guidelines
  • Encryption and OT cell to cell workload segmentation
  • Centralized management, telemetry, identity-based audit logs and reporting

Ok, then what is missing?

  • No dependencies on IP addresses or NAT
  • No open inbound firewall ports in OT firewalls – ever
  • No pinholes through the firewall – ever
  • No dependencies on vendors to bring their own firewalls or VPNs


Less is more when the goal is to both simplify OT operations and strengthen industrial networking security. Replace complexity with identity-secured, attribute-based connectivity. It is simple to implement and simplifies operations, unlike a bolted-on, dead-on-arrival, day-two ‘zero trust’ approach.

That can’t be true!

It is true. But, there is a catch.

“No software or hardware install” applies to Siemens OT environments. This is because Siemens SCALANCE and Siemens SINEC Secure Connect now include NetFoundry’s zero trust networking software.

Great news for much of the world since Siemens is one of the world’s top industrial automation companies.

Are you out in the cold if you don’t use Siemens?

Siemens makes industrial networking super simple since the NetFoundry software is already included.

However, NetFoundry makes OT connectivity and industrial networking easy for anyone. Choose the approach which works for your needs:

  • Agentless solutions for third-party remote access, which still provide strong identity and authentication
  • Choice of one-time, just in time (JIT) and continually authenticated access models, including zero trust access
  • Solutions for OT-IT convergence, edge compute and machine to cloud which run on existing infrastructure
  • M2M and cell to cell connectivity, including segmentation between industrial network cells and zones


NetFoundry solutions are deployable as software, including even air-gapped sites, as well as on-prem, hybrid, distributed and cloud.

Who can use this NetFoundry industrial networking solution?

Probably you! NetFoundry securely delivers billions of sessions per year, including for critical infrastructure on three continents. NetFoundry provides both products and a platform:

How do I deploy NetFoundry?

NetFoundry is deployed in three main ways:

  1. Pre-integrated. In cases like Siemens, NetFoundry software is already on the OT device, PLC, cell edge compute or firewall. To extend that connection to other zones, IT, edge, vendors or cloud, NetFoundry provides agentless and software-based solutions.
  2. On-prem. NetFoundry is deployed in on-premises models, including support for air-gapped sites or sites which do not want to depend on external connectivity, such as many manufacturing and energy sites. There are agentless and software-only solutions for this option also – either with existing infrastructure, or via standalone containers or virtual machines, depending on operational preference.
  3. Hybrid and cloud. NetFoundry provides dedicated, zero trust overlays, spanning over 100 data centers, with optimized performance, enterprise SLAs and 24×7 support. This is ideal for secure remote access, vendor connections, B2B connections and cloud connections because you don’t need to support new sites – you extend via NetFoundry managed routers, dedicated to your network.


The third option is the ‘cloud model’ for secure networking – like getting a private VPC or VNet without managing the underlying infrastructure, you get a private zero trust network, without managing the underlying infrastructure. However, unlike SASE clouds or CDNs, each network is dedicated and end-to-end encrypted to ensure that intermediate nodes and network operators have no access to the data.

How do I get started with this solution for OT connectivity and industrial networking?

Visit NetFoundry at the Siemens booth at it-sa Expo and Congress, Europe’s largest trade fair for IT security, 7-9 October in Nuremberg. The Siemens booth is 421 in Hall 7.

Contact NetFoundry for a virtual demo and leave the demo with a party gift – your own zero trust native network, ready for your use in minutes, as a free trial.

The post NetFoundry and Siemens partner to simplify zero trust for industrial networking appeared first on NetFoundry.

Extending microsegmentation to non-identity-aware devices
https://netfoundry.io/zero-trust/extending-microsegmentation-to-non-identity-aware-devices/
Published Tue, 01 Jul 2025 22:28:06 +0000

Introduction:

Enterprises in the OT and IIoT sectors are increasingly adopting identity-based, secure private zero trust networking. A foundational element in this journey is the implementation of least privilege access and microsegmentation to achieve granular access control. This requires that all communicating entities—whether users, devices, or applications—be assigned unique identities. However, a significant challenge arises when dealing with machines that are unable to support the installation of software clients or tunneling agents that enforce identity-based access.

As we have engaged closely with our customers, a common need has emerged: a solution to extend zero trust access to non-identity-aware machines. These are typically legacy or specialized OT devices that cannot host identity clients yet still require secure, policy-driven communication. Addressing this need is essential to achieving comprehensive zero trust coverage across heterogeneous environments.

What is it?

Before diving into implementation details, let’s first understand the concept. In industrial environments, edge or industrial compute devices typically serve as network gateways, connecting to machines such as PLCs, sensors, actuators, and other OT assets. These gateways generally run a standard operating system and possess sufficient compute resources to host NetFoundry edge software.

In this architecture, the gateway acts as the identity-bearing entity—running the NetFoundry tunneler/router—while the connected machines communicate with cloud services, applications, and other machines through the identity of the gateway. The core objective is to implement a mechanism that controls and restricts which specific machines behind the gateway can access designated resources, even though they themselves may not have individual identities or tunneling capabilities. This enables enforcement of zero trust principles such as least privilege and segmentation, even for non-identity-aware devices.

Scenario:

The following are the communication objectives we want to achieve:

  • At factory site 1, only specific machines in Subnet A (a /24 subnet) connected to the upstream IEC device running the NetFoundry tunneler with identity A should connect to the cloud
  • At factory site 1, only specific machines in Subnet B (a /23 subnet) connected to the upstream IEC device running the NetFoundry tunneler with identity B should connect to the DC
  • From factory site 2, only specific machines in subnet G (a /21 subnet) connected to the upstream IEC device running the NetFoundry tunneler with identity G should connect to machines in subnet C at factory site 1

As part of the NetFoundry “Service Config”, access is restricted to specific port(s) and IP(s) / host name(s), and specific identities are allowed to access the service based on the “Service Policy Config”.

For example, machines connected to the IEC device that runs Identity A can be allowed to access a SCADA application in the cloud through appropriate service and policy configurations. However, this identity-based model alone does not prevent unauthorized machines within Subnet A from reaching the SCADA service.

Introducing “Allowed Source Address”

To address this requirement, NetFoundry introduces the Allowed Source Address feature within the service configuration. This enhancement enables administrators to enforce access control beyond the identity level, down to the level of specific source IP addresses of individual machines behind the tunneler or a router.

With this feature:

  • The NetFoundry platform inspects the originating IP address of traffic from machines behind the IEC gateway.
  • Access is granted only if the source IP matches the list defined in the service configuration.
  • Machines not listed—even if they route traffic through an authorized IEC device—are denied access.

This capability allows organizations to maintain the IEC gateway model, while still enforcing machine-level access policies, ensuring that only explicitly permitted devices within a subnet can access critical applications or services.
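The two-layer decision described above (service policy on the gateway identity, then Allowed Source Address on the machine behind it) can be modelled in a few lines. The following is an added example, not NetFoundry or OpenZiti code: the `ServiceConfig`/`ServicePolicy` classes, the `allowed_source_addresses` field name and the `authorize` function are hypothetical, the identity names and 10.0.0.5 come from the lab description later in the post, and every other IP, subnet and identity name is constructed. It also goes slightly beyond the post by accepting CIDR ranges in the allowed list, which is an assumption about how a subnet scenario like Subnet A would be expressed.

```python
"""Added example (not NetFoundry or OpenZiti code): a model of the two checks
described above, a service policy that allowlists gateway identities and an
Allowed Source Address list that allowlists the machines behind the gateway.
Field and function names are hypothetical; sample identities and IPs are
taken from the post's lab description or constructed and labelled as such."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceConfig:
    """Service definition. allowed_source_addresses (hypothetical name) holds
    single IPs or CIDR ranges; an empty tuple means no source restriction
    (an assumption for this model)."""
    name: str
    allowed_source_addresses: tuple = ()


@dataclass(frozen=True)
class ServicePolicy:
    """Identities permitted to reach the named service."""
    service: str
    identities: frozenset


def _as_networks(entries):
    # A bare IP is normalised to a /32 (or /128) network so the membership
    # test below handles single addresses and ranges the same way.
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def authorize(identity, source_ip, policy, config):
    """Return (allowed, reason) for one connection attempt.

    Check 1: the dialing identity (the gateway) must be in the service policy.
    Check 2: the originating machine's IP must match an allowed source address.
    Both must pass; a policy match alone is not enough, which is exactly the
    gap the Allowed Source Address feature closes."""
    if policy.service != config.name:
        return False, "policy does not cover this service"
    if identity not in policy.identities:
        return False, "identity not authorized by service policy"
    if not config.allowed_source_addresses:
        return True, "identity authorized; no source address restriction"
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, f"unparseable source address {source_ip!r}"
    for net in _as_networks(config.allowed_source_addresses):
        if src in net:
            return True, f"identity authorized and source {src} matches {net}"
    return False, f"identity authorized but source {src} is not an allowed source address"


# Lab scenario from the post: the service on AWS is reachable only from
# 10.0.0.5, while the policy grants three identities. The third identity
# name is a constructed placeholder for the one the post elides.
LAB_CONFIG = ServiceConfig(
    name="Extended Zero Trust Service",
    allowed_source_addresses=("10.0.0.5",),
)
LAB_POLICY = ServicePolicy(
    service="Extended Zero Trust Service",
    identities=frozenset({
        "Customer hosted edge router in Azure London",
        "NetFoundry Cloud Identity 002",
        "example-identity-001 (constructed placeholder)",
    }),
)

# Generalisation (assumption): a CIDR entry admits a block of machines, e.g.
# a few PLCs in Subnet A, while still excluding the rest of the /24.
SUBNET_A_CONFIG = ServiceConfig(
    name="SCADA in cloud",
    allowed_source_addresses=("10.1.2.8/29",),  # constructed range
)
SUBNET_A_POLICY = ServicePolicy(
    service="SCADA in cloud",
    identities=frozenset({"identity A"}),
)


def run_lab_scenario():
    """Evaluate the attempts shown in the post's screenshots; returns a dict
    of (identity, source_ip) -> allowed."""
    attempts = [
        ("Customer hosted edge router in Azure London", "10.0.0.5"),  # the Azure VM
        ("NetFoundry Cloud Identity 002", "10.0.0.9"),  # constructed, not listed
        ("not-in-policy identity (constructed)", "10.0.0.5"),
    ]
    return {a: authorize(a[0], a[1], LAB_POLICY, LAB_CONFIG)[0] for a in attempts}


if __name__ == "__main__":
    for (identity, ip), ok in run_lab_scenario().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {ip:10} via {identity}")
```

Running the block prints one line per attempt: only the Azure edge router dialing from 10.0.0.5 is allowed; identity 002 is denied despite being in the policy, and an identity outside the policy is denied even from 10.0.0.5. The order of the checks matters for operators reading logs: a deny reason of "not an allowed source address" tells you the gateway identity was fine and the fix belongs in the service config, not the policy.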

How to use the “Allowed Source Address” feature:

Let’s replicate this scenario in a lab environment. The objective is to restrict access to an “Extended Zero Trust Service”—which hosts a simple “Hello World” application on AWS—to a specific IP address: 10.0.0.5.

Once the configuration is complete, the service should only be accessible from the IP address 10.0.0.5, regardless of whether other identities are permitted by the service policy configuration. Any requests originating from other IP addresses should be denied, even if the identity is authorized by policy.

The service config with allowed source address of 10.0.0.5:

Service Policy Config that allows access to three identities, one that of a router identity and two other identities.

10.0.0.5 is a VM in Azure deployed behind the identity “Customer hosted edge router in Azure London”. The service should only be reachable from that VM and not reachable from our identities “………..001” and “…………002”, whose IPs are not added to the allowed source address list.

Trying to access the service from the identity “NetFoundry Cloud Identity 002” (which does not match the source IP of 10.0.0.5):

The identity has access to the service as per policy but can’t access since the IP is not added to the list:

Successful access from 10.0.0.5:

The post Extending microsegmentation to non-identity-aware devices appeared first on NetFoundry.

Industry 4.0 and IIoT: Bidirectional Zero Trust Networking Replaces VPNs
https://netfoundry.io/ot/industry-4-0-and-iiot-bidirectional-zero-trust-networking-replaces-vpns/
Published Sun, 13 Oct 2024 14:39:39 +0000


Industry 4.0 and IIoT: Transforming Connectivity

In the rapidly evolving landscape of Industry 4.0 and the Industrial Internet of Things (IIoT), secure, bidirectional data connectivity is crucial for optimizing operations, improving efficiency, and meeting sustainability goals. Traditional approaches, dominated by VPNs and complex networking setups, are increasingly inadequate for modern manufacturing needs. NetFoundry offers a transformative solution—replacing VPNs with secure, bidirectional zero trust networking, enabling manufacturers to achieve unparalleled levels of security, efficiency, and connectivity.

The Need for Bidirectional Data Connectivity

Manufacturers and service providers supplying software, machinery, and services now require two-way (bidirectional) data connectivity between their networks and the operational technology (OT) networks operated by manufacturers. These connections are essential for a variety of Industry 4.0 and IIoT initiatives, including:

  • Improving Product Quality: Enabling inspection, data analysis, and real-time adjustments through feedback loops.
  • Optimizing Energy Use: Facilitating energy consumption adjustments, load balancing, and the integration of renewable energy sources to meet sustainability goals.
  • Boosting Efficiency: Deploying AI-driven insights to software and machinery within OT networks.
  • Enhancing Supply Chain Optimization: Enabling bi-directional communication between OT systems, IT systems (e.g., ERP), and partners for more synchronized supply chain management.
  • Improving Security: Applying patches and enhancing incident response capabilities to strengthen security postures.
  • Optimizing Production Schedules: Providing real-time updates to optimize scheduling and improve operational agility.
  • Facilitating Smart Manufacturing Initiatives: Supporting robotics, automation, and semi-autonomous production lines central to Industry 4.0.

The Business Problem: The Limitations of VPNs and Traditional Networking Solutions

Historically, achieving secure bidirectional data flows involved a complex web of VPNs, firewall ACLs, and intricate IP routing setups. These traditional methods were not only costly and difficult to manage but also increasingly fail to meet modern security, compliance, and regulatory requirements.

The reliance on VPNs for multi-network connectivity comes with inherent risks and complications. VPNs expose inbound ports, creating attack surfaces that can be exploited, while also complicating the setup and maintenance of secure connections. Moreover, traditional approaches are not designed to scale with the rapidly expanding connectivity needs in Industry 4.0 environments, which demand dynamic, high-performance, and multi-protocol solutions.

The NetFoundry Solution: Simplifying and Securing Industrial Connectivity

NetFoundry addresses these challenges with a software-only solution that replaces traditional VPN-based multi-networking setups. Our platform enables secure, bidirectional, high-performance connectivity that adheres to all regulatory, compliance, and security requirements without the complexity of VPNs. Here’s how:

  • No inbound ports required: Similar to unidirectional technologies like data diodes, MQTT, CoAP, and Kafka flows, NetFoundry’s solution does not require open inbound ports in either OT or IT firewalls. This outbound-only approach maintains a secure perimeter while facilitating bi-directional data flows, ensuring compliance with Purdue principles.
  • Multi-network capability without VPN overhead: Unlike single-WAN solutions (SASE, ZTNA, SSE, etc.), which focus on specific segments, NetFoundry’s zero trust architecture supports full mesh connectivity across multiple networks. This allows any protocol to operate seamlessly, enabling complex data flows necessary for AI-driven optimization, quality assurance, and automated production lines.
  • Dynamic, full-mesh connectivity: The platform supports the dynamic, multi-protocol connectivity required for next-generation smart manufacturing. Whether it’s real-time data exchange for predictive maintenance or synchronizing production schedules, NetFoundry offers a secure and flexible solution.

Embedding Secure Connectivity in OT and IIoT Products

As Industry 4.0 evolves, product manufacturers of OT equipment and IIoT solutions can lead the way and must integrate secure, bidirectional connectivity directly into their products. NetFoundry’s embeddable zero trust connectivity enables product companies to do this using secure networking SDKs, offering a superior alternative to traditional bolt-on methods like VPNs. By designing secure networking capabilities into their products, solution providers can ensure optimal performance, security, and compliance, supporting real-time data flows and advanced capabilities in modern manufacturing environments. This built-in approach allows providers to lead the transition to Industry 4.0, delivering smarter, resilient products optimized for customer deployments.

Why ‘Outbound Only’ Matters for Bidirectional Flows

NetFoundry’s approach is fundamentally different from traditional VPN and single-WAN solutions. By supporting outbound-only connectivity, we eliminate the need for open inbound ports, which is crucial for bidirectional data flows. While other solutions may use outbound-only for one-way flows, NetFoundry extends this principle to full mesh, bidirectional setups. This allows data to securely flow both ways, crucial for applications like AI model updates, remote monitoring, and ERP integration—all while maintaining the highest security standards.

Transforming Manufacturing Operations

With NetFoundry’s secure, bidirectional zero trust networking, manufacturers can fully embrace Industry 4.0 and IIoT initiatives. By providing a platform that supports secure, dynamic, and efficient connectivity without the need for legacy VPNs, NetFoundry empowers organizations to:

  • Drive continuous improvement in product quality
  • Optimize energy use to meet sustainability targets
  • Enhance efficiency through AI and automation
  • Improve supply chain synchronization
  • Bolster security and incident response capabilities
  • Accelerate smart manufacturing and robotics deployment

Empowering the Future of Manufacturing with Zero Trust Networking

The future of manufacturing relies on secure, flexible, and scalable networking solutions. NetFoundry’s software-only platform provides bidirectional zero trust connectivity that eliminates the need for VPNs, supports the latest Industry 4.0 and IIoT applications, and enhances security and compliance. By replacing outdated, complex networking setups with a modern, zero trust approach, we empower manufacturers to unlock new efficiencies, optimize production, and achieve sustainability goals—all with a simplified and secure network architecture.

The post Industry 4.0 and IIoT: Bidirectional Zero Trust Networking Replaces VPNs appeared first on NetFoundry.

The Role of Digital Twins and Industry 4.0 in OT Security
https://netfoundry.io/ot/the-role-of-digital-twins-and-industry-4-0-in-ot-security/
Published Fri, 13 Sep 2024 12:59:11 +0000

Digital Twins

As industries around the world continue to integrate advanced technologies, the convergence of Operational Technology (OT) with Information Technology (IT) has become increasingly prevalent. This convergence is a key aspect of Industry 4.0, the Fourth Industrial Revolution, which is reshaping the landscape of manufacturing, logistics, and other industrial sectors. Central to this transformation are concepts like Digital Twins, which are not only enhancing operational efficiency but also presenting new challenges and opportunities in OT Security.

In this article, we explore how Digital Twins and Industry 4.0 are driving the need for advanced security measures in OT environments, and how solutions like NetFoundry’s zero trust platform and Ziti architecture are playing a critical role in securing these next-generation industrial systems.

Understanding Industry 4.0 and Its Impact on OT Security

Industry 4.0 represents the integration of digital technologies such as IoT, AI, big data, and robotics into industrial processes. This integration allows for the creation of smart factories where machines, devices, and systems communicate and collaborate in real-time, leading to unprecedented levels of automation and efficiency.

However, the same technologies that drive Industry 4.0 also increase the complexity of OT systems, making them more vulnerable to cyber threats. The traditional separation between IT and OT networks is eroding, creating a larger attack surface for potential adversaries.

For instance, IIoT devices connected to industrial control systems (ICS) can be exploited by hackers to gain access to critical infrastructure. Additionally, the reliance on cloud computing for storing and processing large amounts of data introduces new risks, such as data breaches and unauthorized access.

These challenges necessitate a robust approach to OT security, one that not only addresses the immediate threats but also anticipates the evolving risks associated with the continued adoption of Industry 4.0 technologies.

What are Digital Twins?

A Digital Twin is a virtual replica of a physical asset, system, or process that is used to simulate, monitor, and optimize its real-world counterpart. Digital Twins are a cornerstone of Industry 4.0, enabling businesses to gain real-time insights into their operations, predict potential issues, and make data-driven decisions.

For example, in a manufacturing plant, a Digital Twin of a production line can be used to simulate different scenarios, such as changes in production volume or the introduction of new materials. This allows for proactive maintenance and optimization, reducing downtime and increasing efficiency.

However, the deployment of Digital Twins also introduces new security challenges. The constant exchange of data between the physical and virtual worlds can be intercepted or tampered with by malicious actors. Additionally, the Digital Twin itself can become a target for cyber-attacks, potentially compromising the integrity of the physical asset it represents.

The Role of Digital Twins in OT Security

Digital Twins play a dual role in OT security. On one hand, they can enhance security by providing real-time monitoring and predictive analytics that can identify potential threats before they materialize. For example, a Digital Twin can detect anomalies in the behavior of an industrial system, such as unusual temperature fluctuations or unexpected changes in power consumption, which could indicate a security breach.

On the other hand, Digital Twins also require robust security measures to protect the data they generate and process. This is where NetFoundry’s zero trust architecture, Ziti, comes into play. By embedding security directly into the network infrastructure, NetFoundry ensures that Digital Twins and the data they handle are protected from unauthorized access and tampering. The article “Implementing-Digital-Twins-On-NetFoundry-Cloud” gives a specific solution approach to establishing military grade secure networks to Azure Digital Twins that use the power of software defined networking and the zero trust framework.

Industry 4.0 and the Evolution of OT Security

As Industry 4.0 continues to evolve, the security of OT systems must keep pace. Traditional security measures, such as firewalls and intrusion detection systems, are no longer sufficient to protect against the sophisticated threats that target modern industrial environments.

One of the key principles of Industry 4.0 is the decentralization of decision-making, which requires that devices and systems at the edge of the network have the capability to process data and make decisions independently. This shift towards edge computing introduces new security challenges, as devices at the edge are often more vulnerable to attacks due to their limited processing power and memory.

To address these challenges, security solutions must be designed to protect the entire network, from the core to the edge. This is where Zero Trust comes in. By adopting a zero trust approach, organizations can ensure that every device, user, and application is continuously verified before being granted access to critical resources. This reduces the risk of unauthorized access and lateral movement within the network.

NetFoundry’s Role in Securing Industry 4.0 Environments

NetFoundry provides a zero trust networking and connectivity platform that is ideally suited for securing Industry 4.0 environments. By eliminating the need for traditional hardware-based security solutions, NetFoundry offers a more flexible and scalable approach to securing OT systems.

With NetFoundry’s platform, organizations can create private, application-specific networks (AppNets) that are inherently secure and resilient. This is particularly important in Industry 4.0 environments, where the interconnectivity of devices and systems creates a larger attack surface.

NetFoundry’s platform also supports air-gapped deployments, ensuring that critical assets are completely isolated from the public internet. This is essential for industries with stringent security requirements, such as energy, manufacturing, and transportation.

What is an IIoT Connectivity Platform?

An Industrial Internet of Things (IIoT) Connectivity platform is a framework that enables the connection, management, and analysis of industrial devices and systems. IIoT Connectivity Platforms provide the infrastructure needed to collect and process data from a wide range of sources, such as sensors, machines, and production lines.

IIoT Connectivity Platforms are essential for implementing Industry 4.0 initiatives, as they provide the connectivity and analytics needed to transform raw data into actionable insights. However, the deployment of IIoT Connectivity Platforms also introduces new security risks, as the data they handle is often sensitive and critical to the operation of industrial systems.

NetFoundry can be used as an IIoT Connectivity Platform, providing secure and scalable connectivity for IIoT devices and systems. By embedding security directly into the network infrastructure, NetFoundry ensures that IIoT Connectivity Platforms are protected from cyber threats, allowing organizations to focus on optimizing their operations without worrying about the security of their data.

Digital Twins in OT

The integration of Digital Twins and Industry 4.0 technologies into OT environments is driving the need for advanced security measures. As industrial systems become more interconnected and reliant on digital technologies, the potential attack surface for cyber threats continues to expand.

NetFoundry’s zero trust architecture, Ziti, offers a robust solution for securing Industry 4.0 environments, providing the flexibility, scalability, and security needed to protect critical assets and data. Whether deploying Digital Twins, IIoT Connectivity Platforms, or other Industry 4.0 technologies, NetFoundry ensures that organizations can operate with confidence in the face of evolving cybersecurity threats.

As the Fourth Industrial Revolution continues to unfold, the role of OT security will only become more critical. By adopting a zero trust approach and leveraging the power of Digital Twins and Industry 4.0 technologies, organizations can stay ahead of the curve and secure their industrial environments for the future.

The post The Role of Digital Twins and Industry 4.0 in OT Security appeared first on NetFoundry.

NetFoundry Supports IEC 62443 https://netfoundry.io/ot/netfoundry-supports-iec-62443/ Wed, 11 Sep 2024 22:03:08 +0000 https://netfoundry.io/?p=39386

Strengthening OT Security with IEC 62443 Compliance

Industrial environments face evolving cybersecurity threats, especially with the growing convergence of IT and OT systems. As legacy OT devices connect to the internet, they become increasingly vulnerable to modern attacks. Recognizing this risk, international standards like IEC 62443 have emerged to guide industrial security practices. In this article, we explore how NetFoundry’s Ziti technology aligns with the foundational requirements of IEC 62443, offering a robust solution to secure industrial control systems.

The Threat Landscape

Industrial control systems face a myriad of threats. Because of long equipment life cycles, they often run older technology that cannot react to new and novel threats as quickly as IT assets, and they are under attack by highly skilled, well-funded, and protected nation-state and nation-state-sponsored attackers, particularly in the critical infrastructure space: power generation and transmission, water systems, oil and gas production, and others. Even the more common problems that IT deals with on a regular basis can find very fertile ground in the OT space if they are allowed to reach it, due to the nature of OT computing and information assets.

NetFoundry’s Ziti architecture and technology has an important advantage over the most common Zero Trust networking solutions: the ability to offer multiple solutions across user-to-service and machine-to-service access.

Note: NetFoundry’s secure networking and connectivity platform is based on NetFoundry’s zero trust architecture, called Ziti. The open source version of the platform is part of the OpenZiti project.

Most Zero Trust offerings come from the IT space and are focused on the user-to-application interface. Ziti operates at the network level and provides ZTNA for workloads as easily as for users. Providing machine-to-machine (M2M) security is critical in the ICS/IIoT space, as this is the majority of the traffic in automation and control systems. Using strong identity and fine-grained access policy allows even highly dynamic systems to communicate securely while preventing unauthorized access by malicious actors, whether they are human or software agents.

Governments are Mandating Change

While the big headlines of the last several years (the attack on a water system in Florida, the Colonial Pipeline breach, and others) are recent, the US Government and others have noted this risk for over a decade. On February 12, 2013, an Executive Order was released, along with a Presidential Policy Directive, spelling out the policy and direction of the US government for the protection of critical infrastructure. In April 2024, the US National Security Council published the National Security Memorandum on Critical Infrastructure and Resilience; the problems have certainly not gone away.

International organizations outside of governments have been working on these issues for many years as well, seeing the problems in terms of business and safety risks. The most widely adopted standard for ICS cybersecurity and risk management is IEC 62443. The standard covers multiple roles (vendors, integrators, and users) and a wide range of principles, laying the foundation on which to build an ICS cybersecurity program. NetFoundry believes that the Ziti technology we sponsor and use for our business is particularly well suited to the ICS space, offering very advanced processes while operating at the network level, capable of delivering Zero Trust connectivity even to devices that have very limited capabilities to protect themselves.

IEC 62443 Basic Requirements

There are 7 Foundational Requirements in IEC 62443, giving the high-level goals of the standard and of programs built on it.

● FR1 – Identification, Authentication Control and Access Control (AC): Identifies and authenticates all users (human, process, and equipment) before allowing access to the IACS.

● FR2 – User Control (UC): Ensures that all identified users (human, process, and device) have privileges to perform the required actions on the system and monitors the use of those privileges.

● FR3 – Data Integrity (DI): Ensures the integrity of equipment and information (protection against unauthorized changes) in communication channels and storage directories.

● FR4 – Data Confidentiality (DC): Ensures that information flowing through communication channels and storage directories is not distributed to unauthorized parties.

● FR5 – Restrict Data Flow (RDF): Segments the system into zones and conduits to avoid unnecessary data propagation.

● FR6 – Timely Response to Events (TRE): Responds to security breaches with timely reporting and timely decision making.

● FR7 – Resource Availability (RA): Ensures system and asset availability during denial of service attacks.

How Ziti Addresses the Foundational Requirements of IEC 62443

Identity

Ziti has strong identity at its heart. It uses cryptographically secured X.509 certificates to validate that a system is what it says it is, whether that system is hosting a service or connecting to one. As identity is the first foundational requirement of IEC 62443, it is also the first requirement of Ziti networks: every node and every link in the Ziti software is positively identified 100% of the time. There are many options to further harden these certificates and their storage, and to add verification of the device’s security posture, independent of its identity, before allowing access to information services. As with most things in Ziti, various deployment options can coexist in the same system, so the default security posture can be used for some assets while assets with higher security requirements use trusted processing modules, removable hardware keys, and other measures to prevent even compromised devices from being allowed to connect to the network. All of this is done by policy configuration, from a single point of administration.

User Control

Access control is managed on a per-identity, per-service basis in Ziti networks. A service can be a subnet, an IP address or FQDN, a single port, or even a single process when the software is embedded into your own application via the available SDKs. This allows the network owner to separate roles using common attributes, or to address individual users or workloads, allowing only those that need to connect to a service to do so. By controlling basic connectivity, Ziti enhances the security of any system: regardless of the attack surface of an organization or solution, if attackers can’t reach it, they can’t attack it. ICS systems are hardly going to be open to the internet at large, but as we have seen multiple times, breached remote access systems, internal malicious actors, and even attacks delivered into otherwise closed systems via USB or other media often penetrate these networks and can wreak havoc. By controlling access via policy, in many cases programmatically through APIs, even highly dynamic systems can be secured at this very fundamental level, slowing or stopping an infection from spreading.

Data Integrity

Data integrity is critical to all information systems; it is one side of the cybersecurity CIA triad. Ziti systems start with the strong identity and controls above, which protect data from manipulation in transit and positively identify its source, protecting the integrity of the system as a whole. The encryption protocols used at each level, often layered, also protect the data in motion itself, guarding against injection or changes even by extremely sophisticated attackers.

Data Confidentiality

Data confidentiality, another side of the CIA triad, is equally critical. All the controls that protect integrity also protect confidentiality; if every system is guaranteed to be who it claims to be, that is a big step. Once Ziti is providing connectivity for data in motion, simple and common technical controls, such as host-based firewalls or simple ACLs on network equipment, can be used to block any communication that does not go via the Ziti network. This allows even an infected system (infected via a USB drive, say) that contains valuable information to be blocked from exfiltrating that data over the network. If the only way out of the system is via the Ziti network, and only the services configured in policy can be reached, an intruder has nowhere to send the information they have gained access to.

Restriction of Data Flow

Policies configured in Ziti microsegmented networks (AppNets) allow identities to host or connect to services. These policies can be as granular as a single identity accessing a single service from anywhere in the world, or as open as an internal web page that is accessible to all human users. The policies exist in the overlay network, are evaluated at each connection (whether hosting or accessing), and can be modified in real time. Five servers sitting on the same VLAN could be unable to connect to each other while five different groups are allowed to access them, or any combination. The policy expressions allow dynamic environments like container systems to be deployed rapidly, with identities sharing attributes and therefore capabilities, while retaining the ability to identify each process individually across its entire lifecycle.
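The per-identity, per-service policy model described under User Control and in this section, as an added illustration that is not NetFoundry’s or OpenZiti’s own code: it assumes a simplified role-matching semantic, and every host, user, service and policy name in it is constructed.

```python
# Added example, not NetFoundry or OpenZiti code: a simplified model of
# Ziti-style service policies. The role-matching semantic is an assumption,
# and every host, user, service and policy name below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    attributes: frozenset  # role attributes, e.g. {"operators"}


@dataclass(frozen=True)
class Service:
    name: str
    attributes: frozenset  # role attributes, e.g. {"historian"}


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    policy_type: str           # "Dial" = may connect to, "Bind" = may host
    identity_roles: frozenset  # "#attr" matches an attribute, "@name" one entity
    service_roles: frozenset
    semantic: str = "AnyOf"    # "AnyOf": any role matches; "AllOf": all must


def role_match(roles, name, attributes, semantic):
    """Evaluate a set of role expressions against one entity (simplified semantic)."""
    def one(role):
        if role.startswith("@"):
            return role[1:] == name
        if role.startswith("#"):
            return role[1:] in attributes
        raise ValueError(f"bad role expression: {role}")
    results = [one(r) for r in roles]
    if not results:          # a policy with no roles grants nothing
        return False
    return all(results) if semantic == "AllOf" else any(results)


def granting_policies(policies, identity, service, action):
    """Names of policies that let `identity` perform `action` on `service`.

    An empty list means denied: with no policy there is no path at all,
    even for two hosts on the same VLAN (default deny)."""
    return sorted(
        p.name for p in policies
        if p.policy_type == action
        and role_match(p.identity_roles, identity.name, identity.attributes, p.semantic)
        and role_match(p.service_roles, service.name, service.attributes, p.semantic)
    )


def dial_matrix(policies, identities, services):
    """Who may connect to what, evaluated per (identity, service) pair."""
    return {(i.name, s.name): granting_policies(policies, i, s, "Dial")
            for i in identities for s in services}


def revoke_identity(policies, identity_name):
    """Real-time policy change: strip '@name' grants for one identity.
    Policies left with no identity roles are dropped; attribute ('#role')
    grants are untouched, so this is not the same as removing attributes."""
    out = []
    for p in policies:
        roles = frozenset(r for r in p.identity_roles if r != f"@{identity_name}")
        if roles:
            out.append(ServicePolicy(p.name, p.policy_type, roles, p.service_roles, p.semantic))
    return out


# Constructed scenario: five hosts share one VLAN. Each hosts exactly one
# service (Bind) and nothing lets them Dial each other; separate groups Dial.
NAMES = ("historian", "hmi", "plc-gw", "eng", "jump")
HOSTS = [Identity(f"{n}-srv", frozenset({f"{n}-host"})) for n in NAMES]
SERVICES = [Service(n, frozenset({n})) for n in NAMES]
USERS = [
    Identity("alice", frozenset({"operators"})),
    Identity("scada-collector", frozenset({"collectors"})),
    Identity("bob-contractor", frozenset({"vendor-temp"})),
]
POLICIES = [
    ServicePolicy(f"{n}-bind", "Bind", frozenset({f"#{n}-host"}), frozenset({f"#{n}"}))
    for n in NAMES
] + [
    ServicePolicy("collectors-historian", "Dial", frozenset({"#collectors"}), frozenset({"#historian"})),
    ServicePolicy("operators-hmi", "Dial", frozenset({"#operators", "#vendor-temp"}), frozenset({"#hmi"})),
    ServicePolicy("bob-plc-gw", "Dial", frozenset({"@bob-contractor"}), frozenset({"@plc-gw"})),
]

if __name__ == "__main__":
    for (ident, svc), why in sorted(dial_matrix(POLICIES, HOSTS + USERS, SERVICES).items()):
        print(f"{ident:16} -> {svc:10} {'via ' + ', '.join(why) if why else 'DENIED'}")
```

Running it prints a default-deny matrix in which no host can dial another host on the shared VLAN, while each group reaches only the service its policy names.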

Timely Response

Flexibility and agility are deeply rooted capabilities of Ziti. As noted above, the policies that control authorization can be modified in real time with immediate effect. Outside of cybersecurity incidents entirely, the mesh of connectivity in a network instance can be modified dynamically as well: new nodes, such as edge routers, can be added to the mesh to increase capacity or to route around a connectivity problem. These changes take full effect in a few minutes and can be automated using the available APIs and integrated with other infrastructure orchestration systems. Also available is a stream of highly detailed events and metrics exposing the operational state of the network and its usage. These streams can be used for both operational and security responses: monitoring the IP locations of all nodes, noting high error rates or latency, or any of dozens of other indicators across the network, regardless of location, network underlay components, or other infrastructure variables.

Availability

Lastly, we come to resource availability. Ziti is built to be highly dynamic: each service access is routed over the best available route in terms of latency and other cost attributes. Connectivity issues are addressed immediately in the creation of new circuits, and failures are rerouted by the network whenever possible to maintain connections even when a node is lost. Soon this will also apply to Network Controllers, with a distributed system providing the ability to add, delete, or migrate controllers while maintaining full system state. Highly available architectures for services are easily deployed, depending on exact needs. NetFoundry has also invested in eBPF technology, giving us some very advanced capabilities in terms of availability and resistance to DoS attacks.

NetFoundry Zero Trust: Ideal For IEC 62443 Compliance

NetFoundry, the Ziti platform, and the OpenZiti open source project are extremely well aligned with the needs of ICS cybersecurity. While we have discussed only the foundational principles here, we have looked deeply into the standards within our own teams and with customers and partners who provide experts in the space. There are very few specific requirements of IEC 62443 that we cannot assist in meeting; anything to do with data at rest, or requirements specifically calling out the application processes of the control system, is outside the scope of the solution. Ziti, as part of an integrated system, can assist in meeting the compliance requirements of a wide range of industrial systems. Our team can help determine the needs of specific use cases and put together designs to meet them. Not only can we meet these kinds of needs today, but building a solution or an entire network infrastructure with Ziti means you have the ability to move quickly to make changes, adopt new strategies, and be ready for the evolution of systems that is sure to come.

Zero Trust in OT: Why Industrial Solution Providers Must Evolve Their Approach to Connectivity https://netfoundry.io/ot/zero-trust-in-ot-why-industrial-solution-providers-must-evolve-their-approach-to-connectivity/ Tue, 10 Sep 2024 15:51:27 +0000 https://netfoundry.io/?p=39348

The major industrial solution and equipment providers, also known as the “big industrials,” including Siemens AG, General Electric (GE), Schneider Electric, Honeywell, ABB, Rockwell Automation, Mitsubishi Electric, Emerson Electric, and Hitachi, are at the forefront of delivering innovative solutions that power the critical infrastructure and operations of industries worldwide.

These organizations design and deploy connected products in operational technology (OT) environments, allowing for remote access, real-time data collection, predictive analytics, automation, and performance optimization. However, the convergence of OT with IT, driven by Industry 4.0 and IIoT, brings significant cybersecurity risks. The traditional security models for OT systems, which rely heavily on perimeter security, are no longer sufficient, leaving connected products exposed to internet-based threats.

Why Are Industrial Products So Vulnerable in OT Environments?

As industrial products become more connected in OT environments, they are increasingly exposed to cyber threats that were once confined to traditional IT systems. Several business drivers lie behind the increase in security vulnerabilities:

Convergence of IT and OT: As OT systems have become more interconnected with IT systems and the internet, they face similar cyber threats to traditional IT environments. This convergence creates new vulnerabilities, especially when older OT devices—initially designed for isolated, controlled networks—are connected to the internet without adequate security updates.

Legacy Systems and Outdated Protocols: Many OT environments continue to rely on legacy systems and outdated communication protocols that lack built-in security measures. These protocols, like Modbus or DNP3, were never designed for the complex, interconnected landscape we see today. When exposed to the internet, these systems can be easily exploited by attackers.

Wide Attack Surface: Industrial equipment connected to the internet significantly broadens the attack surface for malicious actors. Since many connected devices operate with minimal security configurations, unauthorized access can lead to devastating outcomes, including operational disruptions, data breaches, and safety hazards.

Inadequate Perimeter-Based Security: Traditional security models in OT environments depend heavily on perimeter defenses such as firewalls and VPNs. However, once an attacker penetrates these barriers, they have access to the entire network. This lack of granular control within the OT environment increases the risk of lateral movement and internal breaches.

How Zero Trust Connectivity Solves These OT Vulnerabilities

Zero Trust connectivity shifts away from perimeter-based security models to an approach where every user, device, and system must be continuously authenticated and authorized, regardless of their location. Embedding Zero Trust connectivity into industrial products provides a new layer of defense that addresses many of the vulnerabilities discussed above.

  1. Eliminates Implicit Trust: Traditional networking assumes that devices within a network are trustworthy. Zero Trust connectivity removes this assumption. Every connection is considered untrusted until it is verified, reducing the risk of unauthorized access.
  2. Microsegmentation and Least Privilege Access: Zero Trust networking segments network access down to the application and service level, ensuring that users and devices only have access to the specific resources they need. This limits lateral movement within OT environments, significantly reducing the risk of widespread damage in case of a breach.
  3. End-to-End Encryption: With Zero Trust, data transmission is encrypted from end to end, ensuring that sensitive data cannot be intercepted or manipulated. This is especially critical in industrial settings where data integrity is essential for safe operations.
  4. Built-in Security for Industrial Products: Embedding Zero Trust directly into industrial products ensures that security is “baked in” from the start. This approach allows connected devices to securely interact with each other and the cloud, without relying on external IT or OT security infrastructure.

Why an Embedded Approach Is Superior

When Zero Trust is embedded into industrial products, it provides manufacturers with several key advantages:

  1. Independence from IT and OT Cybersecurity Infrastructure: Traditionally, industrial systems have depended on external IT and OT infrastructure for security measures like firewalls, VPNs, and intrusion detection systems. However, these measures are not foolproof and often lag behind the innovation cycle. Embedding Zero Trust within industrial products ensures that each device maintains its own security, independent of external controls.
  2. Simplified Security Management: By embedding Zero Trust into products, industrial manufacturers can reduce the complexity of managing security across multiple environments. This also eliminates the need for separate cybersecurity teams to handle device-level security, freeing up resources for innovation and product development.
  3. Protection Beyond the Perimeter: In traditional security models, once the network perimeter is breached, all devices are exposed. Embedded Zero Trust ensures that even if one device or system is compromised, attackers cannot move laterally across the network. Every connection requires authentication, authorization, and encryption, making it nearly impossible for attackers to exploit vulnerabilities across systems.
  4. Reduced Dependency on Perimeter Security: Embedded Zero Trust diminishes the reliance on perimeter-based security measures, which are often costly and ineffective against sophisticated cyber threats. With Zero Trust, the focus is on securing individual devices and their interactions, providing a more resilient and scalable approach to securing OT environments.

How NetFoundry Protects Industrial Providers with Built-In Security

NetFoundry helps Industrial Solution and Equipment Providers by offering embedded Zero Trust connectivity to secure their products in OT environments. This ensures that their connected devices, such as industrial equipment and smart factory systems, are protected against cyber threats without relying on traditional perimeter security measures. NetFoundry’s solutions provide secure, scalable, and software-defined networking, allowing providers to remotely manage devices, securely collect data for predictive maintenance, and enable secure machine-to-machine (M2M) communication. This approach reduces the need for external cybersecurity infrastructure and ensures that security is built directly into the product.

Here is a summary of the key use cases for NetFoundry’s zero trust connectivity platform in OT environments, focusing on solving customer problems and enabling business models:

1. Secure Remote Management of OT Hardware/Software

  • Problem: Solution providers need to manage, troubleshoot, or update OT devices remotely.
  • Solution: NetFoundry’s zero trust platform enables secure remote access to OT devices without exposing the network, ensuring continuous operations and compliance in highly regulated industries.

2. Data Collection for Cloud-Based Analytics (OT-to-Cloud)

  • Problem: Customers require secure data transfer from OT environments to cloud platforms for predictive maintenance, AI, digital twins, and data analysis.
  • Solution: NetFoundry securely connects OT devices to cloud environments, allowing data from smart connected products to be sent to the cloud for analysis without compromising security. This enables solution providers to offer value-added SaaS services to customers based on collected data.

3. Enabling Secure M2M Communication within OT Environments

  • Problem: Machines and devices within the OT environment need to communicate securely with each other to coordinate industrial operations.
  • Solution: With NetFoundry, machine-to-machine (M2M) communication is secured using microsegmentation and zero trust principles. The platform ensures secure, authenticated, and authorized communication between OT devices, reducing the risk of lateral attacks.

4. Secure Network Access for Third-Party Vendors or Service Providers

  • Problem: Vendors and service providers need temporary, secure access to OT environments for configuration, maintenance, or troubleshooting.
  • Solution: NetFoundry offers secure, role-based access to OT networks with least privilege and temporary permissions, ensuring that third-party engineers can only access the specific systems or data they need, without exposing the broader network.

5. Secure Multi-Tenant Management Services (SaaS) for OT Environments

  • Problem: Solution providers managing multiple customers’ OT environments struggle with secure, scalable multi-tenant management.
  • Solution: NetFoundry’s platform allows solution providers to create and manage secure, multi-tenant environments with a programmable, zero trust architecture, facilitating seamless, secure connectivity between the OT systems and the cloud.

6. OT to Cloud Connectivity

  • Problem: Secure connectivity is required between OT devices (e.g., PLCs, SCADA, DCS) and the cloud for operations like data storage, processing, and advanced analytics.
  • Solution: NetFoundry’s zero trust overlay securely connects OT devices to any public or private cloud, enabling seamless data transfer and integration with cloud applications like ERP and AI platforms, even in remote or distributed environments.

7. Regulatory Compliance and Data Privacy

  • Problem: Industries with strict regulations (energy, utilities, manufacturing) need to maintain compliance with data privacy and security laws while operating in OT environments.
  • Solution: NetFoundry’s zero trust architecture ensures data integrity and privacy by default, meeting the stringent regulatory requirements of industries such as energy, healthcare, and manufacturing.

8. VPN Replacement for Secure Remote Access

  • Problem: Traditional VPN solutions are complex and offer limited scalability, posing a security risk in large OT networks.
  • Solution: NetFoundry provides a VPN alternative with zero trust network access (ZTNA), eliminating the need for centralized VPNs and reducing exposure to lateral movement and unauthorized access.

9. Integration with Existing OT Infrastructure

  • Problem: Businesses need to secure legacy OT systems (e.g., PLCs, SCADA) without a complete overhaul.
  • Solution: NetFoundry’s solution can be embedded into existing OT and IIoT infrastructures, allowing organizations to implement zero trust security without replacing or significantly modifying their legacy systems.

10. Simplified and Centralized Network Management

  • Problem: Managing multiple OT networks across distributed environments can be complex and prone to errors.
  • Solution: NetFoundry simplifies OT network management with a centralized, cloud-native management console, providing visibility, control, and orchestration of secure connectivity across multiple OT environments.

These use cases show how NetFoundry’s zero trust connectivity platform can solve pressing problems in OT environments, such as securing M2M communications, enabling OT-to-cloud integration, and providing secure remote access for service providers. By embedding NetFoundry’s solution into smart connected products, manufacturers and industrial solution providers can ensure scalable, secure, and efficient operations across their OT networks.

NetFoundry’s Unique Capabilities for OT Environments

NetFoundry offers distinct advantages for industrial solution and equipment providers, particularly in OT environments where safety, availability, and compliance are paramount. Unlike traditional security approaches, NetFoundry’s Zero Trust connectivity is designed to meet the rigorous demands of OT environments in a way that others cannot. Here’s what sets NetFoundry apart:

  1. Compliance with IEC 62443 and Safety-First Requirements
    NetFoundry ensures that its solutions comply with the stringent IEC 62443 standard, focusing on safety, availability, integrity, and confidentiality (SAIC). Unlike traditional IT security models that prioritize confidentiality (CIA), NetFoundry puts safety first, followed by availability, integrity, and then confidentiality. This order of priorities aligns with the unique requirements of OT environments where operational uptime and safety are critical.
  2. High Availability in All Components
    To meet the availability requirements of industrial environments, NetFoundry’s infrastructure is designed for high availability across all components. This ensures there are no single points of failure, supporting continuous operations even in the most demanding OT environments where downtime is not an option.
  3. Real-Time Communication with Industrial Protocols
    NetFoundry’s Zero Trust solution supports real-time communication for OT systems by enabling secure connectivity for Layer 2 traffic and industrial protocols. This is crucial for operations that require precise, timely data transmission and control in environments such as manufacturing and energy.
  4. Support for Air-Gapped Environments
    Unlike many cloud-dependent solutions, NetFoundry is capable of operating in air-gapped environments, ensuring that critical OT systems can function securely without relying on the internet or cloud services. This is especially important for industries like energy and defense, where isolation from external networks is essential for maintaining operational security and compliance.

By integrating these unique features, NetFoundry delivers a secure, scalable, and reliable connectivity solution tailored specifically for OT environments, ensuring that industrial solution providers can achieve their security, compliance, and operational goals without compromising on performance or safety.

Zero Trust in OT

The shift to digitalization in industrial environments has brought immense benefits but also introduced unprecedented risks. Industrial solution providers must recognize the importance of improving their approach to secure networking and connectivity. As their products increasingly interact with the internet, the vulnerabilities exposed by traditional security models become more apparent.

By embedding Zero Trust connectivity into their products, industrial manufacturers can ensure that their devices are secure by design, independent of IT and OT cybersecurity infrastructure. This approach not only strengthens security but also simplifies management, reduces costs, and protects critical infrastructure from both external and internal threats.

As the industrial landscape continues to evolve, Zero Trust connectivity will play a pivotal role in securing the future of OT environments and ensuring the safety, resilience, and performance of connected products.
