Category Archive - IIoT - NetFoundry
https://netfoundry.io/category/iiot/

Extending microsegmentation to non-identity-aware devices
https://netfoundry.io/zero-trust/extending-microsegmentation-to-non-identity-aware-devices/
Tue, 01 Jul 2025 22:28:06 +0000

Introduction:

Enterprises in the OT and IIoT sectors are increasingly adopting identity-based, secure private zero trust networking. A foundational element in this journey is the implementation of least privilege access and microsegmentation to achieve granular access control. This requires that all communicating entities—whether users, devices, or applications—be assigned unique identities. However, a significant challenge arises when dealing with machines that are unable to support the installation of software clients or tunneling agents that enforce identity-based access.

As we have engaged closely with our customers, a common need has emerged: a solution to extend zero trust access to non-identity-aware machines. These are typically legacy or specialized OT devices that cannot host identity clients yet still require secure, policy-driven communication. Addressing this need is essential to achieving comprehensive zero trust coverage across heterogeneous environments.

What is it?

Before diving into implementation details, let’s first understand the concept. In industrial environments, edge or industrial compute devices typically serve as network gateways, connecting to machines such as PLCs, sensors, actuators, and other OT assets. These gateways generally run a standard operating system and possess sufficient compute resources to host NetFoundry edge software.

In this architecture, the gateway acts as the identity-bearing entity—running the NetFoundry tunneler/router—while the connected machines communicate with cloud services, applications, and other machines through the identity of the gateway. The core objective is to implement a mechanism that controls and restricts which specific machines behind the gateway can access designated resources, even though they themselves may not have individual identities or tunneling capabilities. This enables enforcement of zero trust principles such as least privilege and segmentation, even for non-identity-aware devices.

Scenario:

The following are the communication objectives we want to achieve:

  • At factory site 1, only specific machines in Subnet A (a /24 subnet) connected to the upstream IEC device running the NetFoundry tunneler with identity A should connect to the cloud
  • At factory site 1, only specific machines in Subnet B (a /23 subnet) connected to the upstream IEC device running the NetFoundry tunneler with identity B should connect to the DC
  • From factory site 2, only specific machines in Subnet G (a /21 subnet) connected to the upstream IEC device running the NetFoundry tunneler with identity G should connect to machines in Subnet C at factory site 1

As part of the NetFoundry “Service Config”, access is restricted to specific port(s) and IP(s) or host name(s), and the “Service Policy Config” determines which identities are allowed to access the service.

For example, machines connected to the IEC device that runs Identity A can be allowed to access a SCADA application in the cloud through appropriate service and policy configurations. However, this identity-based model alone does not prevent unauthorized machines within Subnet A from reaching the SCADA service.

Introducing “Allowed Source Address”

To address this requirement, NetFoundry introduces the Allowed Source Address feature within the service configuration. This enhancement enables administrators to enforce access control beyond the identity level, down to the level of specific source IP addresses of individual machines behind the tunneler or a router.

With this feature:

  • The NetFoundry platform inspects the originating IP address of traffic from machines behind the IEC gateway.
  • Access is granted only if the source IP matches the list defined in the service configuration.
  • Machines not listed—even if they route traffic through an authorized IEC device—are denied access.

This capability allows organizations to maintain the IEC gateway model, while still enforcing machine-level access policies, ensuring that only explicitly permitted devices within a subnet can access critical applications or services.

How to use the “Allowed Source Address” feature:

Let’s replicate this scenario in a lab environment. The objective is to restrict access to an “Extended Zero Trust Service”—which hosts a simple “Hello World” application on AWS—to a specific IP address: 10.0.0.5.

Once the configuration is complete, the service should only be accessible from the IP address 10.0.0.5, regardless of whether other identities are permitted by the service policy configuration. Any requests originating from other IP addresses should be denied, even if the identity is authorized by policy.

The service config with allowed source address of 10.0.0.5:

The Service Policy Config allows access to three identities: one router identity and two other identities.

10.0.0.5 is a VM in Azure deployed behind the identity “Customer hosted edge router in Azure London”. The service should only be reachable from that VM and not from our identities “………..001” and “…………002”, whose IPs are not added to the allowed source address list.

Trying to access the service from the identity “NetFoundry Cloud Identity 002” (which does not match the source IP of 10.0.0.5):

The identity has access to the service as per policy but cannot reach it, since its IP is not on the allowed source address list:

Successful access from 10.0.0.5:
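To make the two-layer decision described in the “Allowed Source Address” section and replayed in the lab walkthrough concrete, here is an added example of a simplified policy evaluator. It is illustrative code written for this page, not NetFoundry’s or OpenZiti’s implementation: the `ServiceConfig` and `ServicePolicy` shapes, the host name, the port, the identity name “NetFoundry Cloud Identity 001” and the treatment of an empty allowlist as “feature not configured” are all assumptions. It goes slightly beyond the walkthrough by accepting CIDR entries as well as single IPs, which is what the subnet scenarios at the top of the post would need, and it emits one audit line per decision so that denied-by-source events are visible to whoever is watching the logs.

```python
# Added example: a simplified policy evaluator that layers an "allowed source
# address" check on top of identity-based service policy. Illustrative code,
# not NetFoundry's or OpenZiti's implementation; the data shapes are stand-ins
# constructed for this example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class ServiceConfig:
    """Service definition: where the service lives and which source IPs may use it."""
    name: str
    host: str
    port: int
    # IPs or CIDRs of machines behind the tunneler/router that may reach the
    # service. Assumption for this example: an empty list means the feature is
    # not configured for this service, so only identity policy applies.
    allowed_source_addresses: List[str] = field(default_factory=list)


@dataclass
class ServicePolicy:
    """Which identities are authorized to dial a service."""
    service: str
    identities: Set[str]


def source_allowed(cfg: ServiceConfig, src_ip: str) -> bool:
    """True if src_ip falls inside any allowed address or CIDR of the service config."""
    if not cfg.allowed_source_addresses:
        return True
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False  # unparsable source address: fail closed
    return any(addr in ip_network(entry, strict=False)
               for entry in cfg.allowed_source_addresses)


def evaluate(identity: str, src_ip: str, service: str,
             configs: Dict[str, ServiceConfig],
             policies: List[ServicePolicy]) -> Tuple[str, str]:
    """Decide whether a flow from src_ip, carried by identity, may reach service.

    Identity authorization (the existing service-policy model) is checked first;
    the per-machine source address check is applied on top of it.
    """
    cfg = configs.get(service)
    if cfg is None:
        return "deny", "unknown service"
    if not any(p.service == service and identity in p.identities for p in policies):
        return "deny", "identity not authorized by service policy"
    if not source_allowed(cfg, src_ip):
        return "deny", f"source {src_ip} not in allowed source addresses"
    return "allow", "identity authorized and source address permitted"


def audit_line(identity: str, src_ip: str, service: str,
               decision: str, reason: str) -> str:
    """One structured line per decision, so source-address denials show up in logs."""
    return (f'decision={decision} service="{service}" identity="{identity}" '
            f'src={src_ip} reason="{reason}"')


# Constructed lab data mirroring the walkthrough: one service restricted to
# 10.0.0.5 and a policy granting three identities. The router identity and
# "NetFoundry Cloud Identity 002" come from the post; "...001" is a stand-in.
LAB_CONFIGS = {
    "Extended Zero Trust Service": ServiceConfig(
        name="Extended Zero Trust Service",
        host="hello-world.example.internal",  # placeholder host name
        port=8080,                            # placeholder port
        allowed_source_addresses=["10.0.0.5"],
    ),
}
LAB_POLICIES = [
    ServicePolicy("Extended Zero Trust Service", {
        "Customer hosted edge router in Azure London",
        "NetFoundry Cloud Identity 001",
        "NetFoundry Cloud Identity 002",
    }),
]


def run_lab() -> List[str]:
    """Replay the walkthrough's cases and return the decisions in order."""
    cases = [
        ("Customer hosted edge router in Azure London", "10.0.0.5"),  # the Azure VM
        ("NetFoundry Cloud Identity 002", "10.0.0.7"),               # authorized identity, wrong IP
        ("Unknown Identity", "10.0.0.5"),                            # right IP, no policy
    ]
    decisions = []
    for identity, src in cases:
        decision, reason = evaluate(identity, src, "Extended Zero Trust Service",
                                    LAB_CONFIGS, LAB_POLICIES)
        print(audit_line(identity, src, "Extended Zero Trust Service", decision, reason))
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    run_lab()
```

Running the block prints three audit lines: the router identity from 10.0.0.5 is allowed, identity 002 from any other address is denied with a reason naming the source address, and an identity missing from the service policy is denied even when it presents the allowed IP. The order of the checks is the point: the source-address list narrows what an already-authorized identity may do, it never widens it.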

NetFoundry unveils OT security platform with embedded zero trust for critical infrastructure
https://netfoundry.io/iiot/netfoundry-unveils-ot-security-platform-with-embedded-zero-trust-for-critical-infrastructure/
Sun, 23 Mar 2025 18:18:31 +0000

NetFoundry, the leader in embedded zero trust networking, unveiled a new version of its OT security platform, enabling customers to secure critical infrastructure, including on-premises and air-gapped environments such as substations.

The announcement at Distributech 2025 meets three customer demands:

  1. Simple, software-only, interoperable, vendor-neutral, OT micro-segmentation
  2. Secure connectivity for any use case from IT/OT convergence (incl. AI/ML, automation, digital twins, and cloud innovation), Secure Remote Access, Machine to Machine connectivity (without software agents) and more
  3. No need to expose the OT network, incur costly network changes or cause unplanned complications/downtime 
  4. Reduced costs of firewalls, SIEM, SOAR, analytics, data lakes and storage

“Since NetFoundry secures critical infrastructure on three continents, we listen to many diverse requirements. A commonality is a need for simple, vendor-neutral security, with reduced cost and complexity”, said Galeal Zino, CEO of NetFoundry. “Solutions which stop at the firewall or are vendor-specific create complexity. Exposing the IT firewall to the Internet and the OT firewall to IT creates continually rising expenses in the downstream systems because they are often priced based on data and sessions. Our customers were pleasantly surprised to see that we addressed all four of these problems in this release.”

Implementations with partners such as FreeWave Technologies protect critical infrastructure from evolving cyberthreats, including ruggedized solutions for harsh environments that provide 5G and satellite connectivity: https://www.freewave.com/freewave_security_triumvirate/

Steve Wulchin, CEO of FreeWave, said: “VPN and the other security technologies we relied on in the past can no longer cut it in today’s hyperconnected world. NetFoundry’s technology enables us to apply the strictest deny-by-default security principles to every user, device and application in our customers’ networks. We welcome the addition of the on-prem option for customers who need to operate without depending on external connectivity while still being able to securely use external edges and clouds when appropriate. Partnering with NetFoundry enables us to meet emerging requirements for secure-by-design products in connected environments, such as the EU Cyber Resilience Act (CRA).”

Rik Turner, senior principal analyst, Omdia said: “While zero trust technology has gained popularity to enable secure remote access (SRA) in enterprise IT, it is even more crucial in OT environments, where even access from somewhere on the organization’s premises must be secured. In other words, in such a scenario, SRA is actually a subset of a broader secure access requirement.

“It is logical for NetFoundry to unveil an on-prem option for its platform, given that many OT customers, particularly those in the field of critical national infrastructure, cannot and/or will not countenance any cloud-based security capability for their environment.”

The software-only, vendor-neutral NetFoundry OT Security Platform enables OT and IT to eliminate bespoke solutions and centralize identities, policies, controls and telemetry. OT and IT choose what use cases to start with, without disrupting their existing infrastructure. SecOps gains telemetry and analytics to support threat response and regulatory compliance tracking.

The NetFoundry platform enables OT and IT to solve problems like vendor-neutral, software-only micro-segmentation in critical infrastructure, energy and manufacturing while also enabling their vendors to use the NetFoundry platform to build secure by design products. This new model has three advantages:

  1. Makes it far simpler for OT and IT – their OEMs embed secure networking into their products – which enables adoption and scale.
  2. The OEMs don’t need to build their own identity, authentication, authorization, mTLS, encryption, microsegmentation and telemetry.
  3. The OEMs meet emerging requirements like the EU CRA, which requires connected product providers to provide secure by-design products.

For example, NetFoundry software is built into industrial control system software, manufacturing machines, modems, routers, firewalls, PLCs, edge cells and reverse proxies. Edge servers using NetFoundry include Microsoft, Arrow, Cap Gemini, FreeWave, EdgeX Foundry and Supermicro. When NetFoundry is not already built-in, it can be added as a VM or container and is available for every major OS and is in every major cloud marketplace.

Additions to the NetFoundry OT Security Platform

The latest NetFoundry OT Security Platform updates include:

  • Beyond the firewall zero trust. Via lightweight agents on existing hardware such as PLCs, edge cells, and SDKs which enable agentless integration into specific applications and workflows, NetFoundry provides OT microsegmentation beyond the firewall.
  • Reduced costs. Firewalls are simplified, made more effective and enabled for higher throughput – the firewalls are no longer filtering the Internet – they are only listening for identified, authenticated, authorized sessions. Likewise, SIEM and SOAR data is reduced, with a much sharper focus, due to the inability of unauthenticated sessions to make it to the firewall. Data costs for data lakes, analytics and storage are massively reduced.
  • Extend legacy software and hardware. NetFoundry overlays add functionality such as identity, authentication, MFA, posture, PKI, mutual TLS (mTLS) and encryption without requiring changes to underlying applications or infrastructure.
  • Data exfiltration and lateral movement protection. By extending zero trust beyond the firewall, rejecting all inbound sessions, and only allowing identified, authenticated, authorized, micro-segmented outbound traffic to a private network, it makes it very difficult for even a compromised device or zero day to ‘phone home’ or send data to destinations which are not explicitly listed in the policy and strongly authorized.
  • On-demand connectivity. Workflows and trouble ticket systems use NetFoundry APIs to spin up instant, ephemeral connections for specified workloads. For example, while a ticket is open for temporary remote access, the targeted OT or IT system will open an outbound connection to an authorized destination for the specific ports and protocols required. When the ticket is closed, or a timer expires, the connectivity is automatically removed. The connection is specific to the session: anything out of policy is rejected.

Industry 4.0 and IIoT: Bidirectional Zero Trust Networking Replaces VPNs
https://netfoundry.io/ot/industry-4-0-and-iiot-bidirectional-zero-trust-networking-replaces-vpns/
Sun, 13 Oct 2024 14:39:39 +0000


Industry 4.0 and IIoT: Transforming Connectivity

In the rapidly evolving landscape of Industry 4.0 and the Industrial Internet of Things (IIoT), secure, bidirectional data connectivity is crucial for optimizing operations, improving efficiency, and meeting sustainability goals. Traditional approaches, dominated by VPNs and complex networking setups, are increasingly inadequate for modern manufacturing needs. NetFoundry offers a transformative solution—replacing VPNs with secure, bidirectional zero trust networking, enabling manufacturers to achieve unparalleled levels of security, efficiency, and connectivity.

The Need for Bidirectional Data Connectivity

Manufacturers and service providers supplying software, machinery, and services now require two-way (bidirectional) data connectivity between their networks and the operational technology (OT) networks operated by manufacturers. These connections are essential for a variety of Industry 4.0 and IIoT initiatives, including:

  • Improving Product Quality: Enabling inspection, data analysis, and real-time adjustments through feedback loops.
  • Optimizing Energy Use: Facilitating energy consumption adjustments, load balancing, and the integration of renewable energy sources to meet sustainability goals.
  • Boosting Efficiency: Deploying AI-driven insights to software and machinery within OT networks.
  • Enhancing Supply Chain Optimization: Enabling bi-directional communication between OT systems, IT systems (e.g., ERP), and partners for more synchronized supply chain management.
  • Improving Security: Applying patches and enhancing incident response capabilities to strengthen security postures.
  • Optimizing Production Schedules: Providing real-time updates to optimize scheduling and improve operational agility.
  • Facilitating Smart Manufacturing Initiatives: Supporting robotics, automation, and semi-autonomous production lines central to Industry 4.0.

The Business Problem: The Limitations of VPNs and Traditional Networking Solutions

Historically, achieving secure bidirectional data flows involved a complex web of VPNs, firewall ACLs, and intricate IP routing setups. These traditional methods were not only costly and difficult to manage but also increasingly fail to meet modern security, compliance, and regulatory requirements.

The reliance on VPNs for multi-network connectivity comes with inherent risks and complications. VPNs expose inbound ports, creating attack surfaces that can be exploited, while also complicating the setup and maintenance of secure connections. Moreover, traditional approaches are not designed to scale with the rapidly expanding connectivity needs in Industry 4.0 environments, which demand dynamic, high-performance, and multi-protocol solutions.

The NetFoundry Solution: Simplifying and Securing Industrial Connectivity

NetFoundry addresses these challenges with a software-only solution that replaces traditional VPN-based multi-networking setups. Our platform enables secure, bidirectional, high-performance connectivity that adheres to all regulatory, compliance, and security requirements without the complexity of VPNs. Here’s how:

  • No inbound ports required: Similar to unidirectional technologies like data diodes, MQTT, CoAP, and Kafka flows, NetFoundry’s solution does not require open inbound ports in either OT or IT firewalls. This outbound-only approach maintains a secure perimeter while facilitating bi-directional data flows, ensuring compliance with Purdue principles.
  • Multi-network capability without VPN overhead: Unlike single-WAN solutions (SASE, ZTNA, SSE, etc.), which focus on specific segments, NetFoundry’s zero trust architecture supports full mesh connectivity across multiple networks. This allows any protocol to operate seamlessly, enabling complex data flows necessary for AI-driven optimization, quality assurance, and automated production lines.
  • Dynamic, full-mesh connectivity: The platform supports the dynamic, multi-protocol connectivity required for next-generation smart manufacturing. Whether it’s real-time data exchange for predictive maintenance or synchronizing production schedules, NetFoundry offers a secure and flexible solution.

Embedding Secure Connectivity in OT and IIoT Products

As Industry 4.0 evolves, product manufacturers of OT equipment and IIoT solutions can lead the way and must integrate secure, bidirectional connectivity directly into their products. NetFoundry’s embeddable zero trust connectivity enables product companies to do this using secure networking SDKs,  offering a superior alternative to traditional bolt-on methods like VPNs. By designing secure networking capabilities into their products, solution providers can ensure optimal performance, security, and compliance, supporting real-time data flows and advanced capabilities in modern manufacturing environments. This built-in approach allows providers to lead the transition to Industry 4.0, delivering smarter, resilient products optimized for customer deployments.

Why ‘Outbound Only’ Matters for Bidirectional Flows

NetFoundry’s approach is fundamentally different from traditional VPN and single-WAN solutions. By supporting outbound-only connectivity, we eliminate the need for open inbound ports, which is crucial for bidirectional data flows. While other solutions may use outbound-only for one-way flows, NetFoundry extends this principle to full mesh, bidirectional setups. This allows data to securely flow both ways, crucial for applications like AI model updates, remote monitoring, and ERP integration—all while maintaining the highest security standards.

Transforming Manufacturing Operations

With NetFoundry’s secure, bidirectional zero trust networking, manufacturers can fully embrace Industry 4.0 and IIoT initiatives. By providing a platform that supports secure, dynamic, and efficient connectivity without the need for legacy VPNs, NetFoundry empowers organizations to:

  • Drive continuous improvement in product quality
  • Optimize energy use to meet sustainability targets
  • Enhance efficiency through AI and automation
  • Improve supply chain synchronization
  • Bolster security and incident response capabilities
  • Accelerate smart manufacturing and robotics deployment

Empowering the Future of Manufacturing with Zero Trust Networking

The future of manufacturing relies on secure, flexible, and scalable networking solutions. NetFoundry’s software-only platform provides bidirectional zero trust connectivity that eliminates the need for VPNs, supports the latest Industry 4.0 and IIoT applications, and enhances security and compliance. By replacing outdated, complex networking setups with a modern, zero trust approach, we empower manufacturers to unlock new efficiencies, optimize production, and achieve sustainability goals—all with a simplified and secure network architecture.

Simplifying OT Network Security with the NetFoundry IIoT Connectivity Platform
https://netfoundry.io/iiot/simplifying-ot-network-security-with-the-netfoundry-iiot-connectivity-platform/
Tue, 03 Sep 2024 20:52:57 +0000


Securing OT Environments

As organizations increasingly adopt digitization and automation, ensuring robust security for OT (Operational Technology) networks becomes a top priority. OT networks, which are vital to industrial operations, are inherently complex due to their distributed nature, multitude of devices, varied protocols, and reliance on diverse cloud platforms and applications. In this evolving landscape, the NetFoundry IIoT Connectivity Platform simplifies the deployment and operation of IIoT and OT networks by offering a secure, scalable, and agile solution through its software-only, embeddable, and programmable Zero Trust platform. The platform can be deployed in three models: NetFoundry Cloud and NetFoundry Hybrid Cloud (both NaaS solutions), or NetFoundry On-Premise for self-hosted environments.

Addressing the Complexities of OT Networks

OT networks often involve a complex mix of devices, protocols, and communication methods that can create security challenges. With the rising tide of cyber threats, organizations must secure communication both within and outside the factory or site to protect against unauthorized access and cyber-attacks. This is where the NetFoundry IIoT Connectivity Platform comes into play. By simplifying network security for IIoT and OT environments, NetFoundry helps organizations improve their security posture while maintaining the scalability and agility needed to support modern industrial operations.

Key Use Cases in IIoT and OT Environments

  1. Secure Communication Between the Edge and Any IoT/OT Platform, Enterprise or 3rd Party Cloud
    One of the primary use cases for organizations using the NetFoundry IIoT Platform is securing data as it moves between the factory or site and the cloud. Machines connected via LAN networks to OT/IIoT gateways or edge devices can securely connect to cloud-based applications, storage, and APIs. The NetFoundry edge router or tunneler software initiates Zero Trust connections to these resources, whether hosted in public or private cloud data centers.

    For example, a company may use the NetFoundry platform to securely integrate with Azure Digital Twins or any other PaaS provider, ensuring that all data and communication are protected from unauthorized access.

  2. Secure Device Management and Remote Access for Engineers
    OT and IIoT environments often involve hundreds or thousands of devices, sensors, and actuators. Managing these devices securely requires robust solutions that can establish secure connections between device management applications and the devices themselves. The NetFoundry IIoT Platform provides a highly secure Zero Trust network access solution that enables administrators to onboard engineers (both internal and external) and provide them with the least privilege access needed to perform their tasks.

    This feature is particularly useful when engineers need to securely access consoles, local applications, or SSH into devices using the internet as the underlay. The platform’s integration with identity providers like Microsoft Azure allows for seamless onboarding and access management. Temporary or permanent least privilege access can be provided with a combination of up to 5 different types of posture checks.

  3. Machine-to-Machine (M2M) Communication within Factories or Sites
    Factory and industrial environments often require secure communication between machines and devices across large areas. Common challenges include securing wireless or wired LAN networks from external threats, dealing with the lack of inherent security in communication protocols, and controlling access to critical information.

    With the NetFoundry IIoT Connectivity Platform, factories can deploy edge routers and tunnellers on OT devices or IIoT endpoints to establish secure, Zero Trust access between machines or applications within the factory. Features like mTLS, end-to-end encryption, and identity certificates ensure that all M2M communication is authenticated and authorized.

NetFoundry Cloud Software for IIoT/OT Systems

Edge Compute Capabilities

Modern edge environments often require localized data processing and real-time decision-making capabilities to reduce dependency on internet connectivity. NetFoundry provides various software options to embed Zero Trust software-defined overlay networks at the OT and IIoT edge. The edge hardware can be any x86, ARM, or MIPS-based hardware running Linux, or it can be virtualized as VMs or containerized via Docker or Kubernetes.

In larger factories running private cloud environments, NetFoundry’s edge routers can be deployed on VMs to handle high-volume data and sessions. Alternatively, NetFoundry tunnellers can be installed on OT/IIoT gateways or any host, VM, or container involved in the solution.

Integrating NetFoundry with OT/IIoT Gateways

OT and IIoT electronics manufacturers or enterprises implementing these solutions can embed NetFoundry’s tunnellers or edge routers onto their hardware, including OT/IIoT gateways, industrial PCs (IPCs), programmable logic controllers (PLCs), and other industrial automation hardware. The choice between a router and a tunneler depends on various factors such as functionality requirements, traffic expectations, and hardware specifications.

One Platform, Multiple Use Cases—All Secure by Design

The use cases discussed above can be deployed within a single network on the NetFoundry Cloud platform. Each network receives its own dedicated controller and global fabric, allowing the same NetFoundry software to be deployed across public and private clouds, edge devices, OT/IIoT gateways, and user devices.

Key security features include:

  • No open inbound IPs or ports: The NetFoundry Cloud solution does not require customers to open ports or inbound IPs anywhere, making the private overlay and edge undiscoverable to bad actors on the internet.
  • Least privilege access and no default services: After authentication, any identity in the network must be authorized to access a service. Administrators can provision services with just the required access, rather than opening entire subnets or port ranges.
  • Micro-segmented networks: Each network can have multiple micro-segmented networks (AppNets) within it, tailored to specific use cases or workloads.
  • mTLS-based mutual trust: Mutual TLS-based control and data plane communication establish a foundation of trust between identities.
  • End-to-end encrypted sessions: All sessions are encrypted end-to-end using ChaCha20-Poly1305, ensuring that data remains secure between source and destination.
  • Granular visibility: Metrics on utilization, service health, and events provide visibility for administrators and management, aiding in operations, decision-making, and even chargebacks to customers.
  • Globally available fabric with smart routing: To mitigate internet peering and performance issues, NetFoundry provides a global fabric that can be extended to any geographic location. Smart routing automatically selects the best-performing path within the fabric, ensuring optimal performance.

Conclusion: A Future-Ready IIoT Platform for Secure OT Networks

The NetFoundry IIoT Connectivity Platform offers a comprehensive, secure, and scalable solution for managing the complex demands of OT and IIoT networks. By embedding Zero Trust principles into every aspect of its architecture, NetFoundry enables organizations to protect their networks from external and internal threats, improve reliability, and enhance business agility. As industries continue to evolve toward more connected and automated operations, NetFoundry’s platform provides the robust foundation needed to secure the future of industrial environments.

Related Content: Marposs Case Study
