The defining constraint of operational-technology security is that you usually cannot do the obvious thing. You cannot patch the PLC, because patching means downtime and downtime means lost production or a tripped safety system. You cannot reimage the twelve-year-old HMI, because the vendor that wrote its software no longer exists. Security that ignores this constraint gets switched off the first time it interrupts a line. This article covers the techniques that secure an OT network without stopping it: virtual patching, deep protocol visibility, and segmentation that contains rather than blocks.
The patch you can’t apply
A vulnerability is disclosed in a controller running across your plant. The vendor’s fix requires a firmware update and a restart of the device. On the plant floor that restart is a scheduled-outage event that might be months away. In the meantime the vulnerability is public and the device is exposed. This is the everyday reality of OT, and it is why the central technique of OT security is not patching at all.
Virtual patching: shielding instead of patching
Virtual patching — also called vulnerability shielding — moves the fix from the vulnerable device to the network in front of it. An OT-aware intrusion-prevention system carries signatures for known exploits against industrial devices and protocols. When it sees traffic attempting to exploit the disclosed vulnerability, it blocks that traffic before it reaches the controller. The controller is never touched, never restarted, and never patched, but the exploit cannot reach it.
This buys two things. It closes the exposure window immediately, the same day a vulnerability is disclosed, rather than at the next maintenance window. And it lets genuinely unpatchable legacy devices keep running safely for years, shielded by the firewall in front of them. The quality of this protection depends on the breadth and freshness of the industrial-protocol signature set, which is why OT-specific threat intelligence — not a generic IT signature feed — is the thing to evaluate.
Caution: Virtual patching should be treated as a compensating control, not as a permanent substitute for vendor-supported patching. Where a safe maintenance window exists, firmware and software updates should still be planned, tested, and applied.
Why this is the headline feature for OT: In IT, patching is the baseline and IPS is defence-in-depth. In OT the priority inverts: virtual patching is often the only practical protection for devices that cannot be taken offline, and it is frequently the single most important reason to put a next-generation firewall on the plant floor in the first place.
You can’t protect what you can’t see
Industrial protocols are not the HTTP and DNS that IT firewalls grew up inspecting. They are Modbus, DNP3, EtherNet/IP, PROFINET, and dozens more. A firewall that cannot decode these sees only opaque traffic on a port. An OT-aware firewall performs deep packet inspection down to the payload, so it can tell a legitimate read of a register from a command to change a setpoint, and enforce policy at that level — for example, allowing monitoring traffic while blocking write commands from a zone that has no business issuing them. Modern OT security services decode a large library of industrial applications and protocols; the breadth of that library determines how much of your environment you can actually see and govern.
Segmentation: contain the blast radius
Flat OT networks are the reason a single compromised laptop can reach a turbine controller. Segmentation breaks the network into security zones connected by controlled conduits, so that a problem in one zone cannot freely spread to others. Two levels are worth distinguishing:
- Segmentation (north–south) — zones such as enterprise, DMZ, and the process network, with the firewall as the conduit between them inspecting and controlling the traffic that crosses. This limits the impact of an incident to the zone it starts in.
- Microsegmentation (east–west) — finer division within a zone, controlling traffic between devices that sit side by side. This is what stops lateral movement — an attacker who lands on one device cannot pivot freely to its neighbours.
The practical value is containment. You will not prevent every incident, but good segmentation turns what could be a plant-wide event into a single-cell event that is detected, isolated, and remediated without taking down the rest of the site.
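As an added example (not code from the article or from any vendor product), the check below combines the two ideas above: it decodes a Modbus/TCP frame far enough to tell a register read from a write, as the deep-inspection section describes, and applies a policy keyed by zone pair, which is the conduit model of the segmentation section. Zone names, the policy table and the sample frames are constructed for illustration.

```python
# Added example (not from the article): decode Modbus/TCP far enough to tell a
# register read from a write, then apply a per-conduit (zone pair) policy.
# Zone names, policy table and sample frames are constructed for illustration.
import struct

READ_FCS = {1, 2, 3, 4}             # read coils/discrete inputs/holding/input registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}  # coil and register writes (incl. mask/read-write)

# (source zone, destination zone) -> allowed function codes; unlisted pairs are denied.
CONDUIT_POLICY = {
    ("historian", "process"): READ_FCS,                # monitoring may only read
    ("engineering", "process"): READ_FCS | WRITE_FCS,  # engineering may change setpoints
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code that follows it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {pid})")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu": frame[8:]}

def classify(fc: int) -> str:
    if fc in READ_FCS:
        return "read"
    return "write" if fc in WRITE_FCS else "other"

def decide(src_zone: str, dst_zone: str, frame: bytes) -> tuple:
    """Return (verdict, reason) for a frame crossing the given conduit."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as e:
        return "deny", f"malformed: {e}"   # fail closed on anything undecodable
    allowed = CONDUIT_POLICY.get((src_zone, dst_zone), set())
    kind = classify(msg["fc"])
    verdict = "allow" if msg["fc"] in allowed else "deny"
    return verdict, f"fc {msg['fc']} ({kind}) on {src_zone}->{dst_zone}"

# Constructed frames (MBAP + PDU fields): read 2 holding registers at 0x0000,
# and write 0x01F4 to holding register 0x0010, i.e. a setpoint change.
READ_HR = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "0002")
WRITE_REG = bytes.fromhex("0002" "0000" "0006" "01" "06" "0010" "01F4")

if __name__ == "__main__":
    for zone, frame in [("historian", READ_HR), ("historian", WRITE_REG),
                        ("engineering", WRITE_REG)]:
        print(zone, "-> process:", *decide(zone, "process", frame))
```

The same structure extends to other function codes or protocols by adding decoders and widening the policy table; the important property is that an unknown zone pair or an undecodable frame is denied rather than passed.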
Implementing without stopping the line
The fear that segmentation will break production is legitimate and is exactly why it is so often deferred. The way to do it safely is incrementally and in monitor-first mode:
- Start in a visibility/monitor mode that logs traffic without blocking, building an accurate picture of what actually talks to what.
- Use that real traffic map to design zones around genuine communication patterns, not an idealised diagram.
- Enforce conduits one boundary at a time, beginning with the clearest separations (enterprise-to-OT) before the subtle ones (device-to-device).
- Apply virtual patching across the whole environment early — it protects immediately and does not depend on the segmentation project being finished.
- Keep policies in a single management framework so changes are auditable and reversible.
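The monitor-first steps above, as an added example that is not part of the article: a baseline of who talks to what is learned from monitor-mode log lines, one allow-list per observed conduit is derived from it, and later traffic is evaluated against those candidate rules without enforcing anything, so the report shows only what enforcement would have blocked. The log format, addresses and function codes are constructed.

```python
# Added example (not from the article): monitor-first segmentation. Learn a
# who-talks-to-what baseline from monitor-mode logs, derive candidate conduit
# rules, then dry-run them against later traffic and report only what they
# *would* block. Log format, addresses and function codes are constructed.
from collections import defaultdict
import re

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) fc=(\d+)")

def build_baseline(lines):
    """(src, dst) -> {(proto, fc): count}, from monitor-mode log lines."""
    baseline = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                    # unparsed lines are skipped, never trusted
        src, dst, proto, fc = m.groups()
        baseline[(src, dst)][(proto, int(fc))] += 1
    return baseline

def derive_rules(baseline):
    """One allow-list per observed conduit: the function codes actually seen."""
    return {pair: sorted({fc for _, fc in ops}) for pair, ops in baseline.items()}

def dry_run(rules, lines):
    """Evaluate traffic against candidate rules without enforcing anything."""
    would_block = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, fc = m.groups()
        if int(fc) not in rules.get((src, dst), []):
            would_block.append((src, dst, proto, int(fc)))
    return would_block

# Constructed monitor-mode observations from a period of normal operation.
MONITOR_LOG = [
    "t=1 src=10.1.20.5 dst=10.1.30.7 proto=modbus fc=3",   # historian reads
    "t=2 src=10.1.20.5 dst=10.1.30.7 proto=modbus fc=3",
    "t=3 src=10.1.10.9 dst=10.1.30.7 proto=modbus fc=16",  # engineering writes
    "t=4 src=10.1.10.9 dst=10.1.30.7 proto=modbus fc=3",
]
# Constructed later traffic: a historian write and an unknown host's write.
NEW_LOG = [
    "t=9 src=10.1.20.5 dst=10.1.30.7 proto=modbus fc=3",   # in baseline
    "t=9 src=10.1.20.5 dst=10.1.30.7 proto=modbus fc=6",   # would be blocked
    "t=9 src=10.1.50.2 dst=10.1.30.7 proto=modbus fc=16",  # would be blocked
]
```

Running `dry_run(derive_rules(build_baseline(MONITOR_LOG)), NEW_LOG)` lists the two flows enforcement would have stopped, which is the review list to work through with the plant engineers before the conduit is switched from monitor to enforce.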
Done this way, OT security is additive rather than disruptive. The line keeps running while visibility, shielding, and containment are layered on around it — which is the only kind of OT security that survives contact with a production schedule.
Vays Infotech helps enterprises evaluate, deploy, and support firewall, network, and cybersecurity infrastructure across IT and industrial environments.