Zero-Trust Mesh Networking for OT: Why Perimeter Security Isn’t Enough on the Plant Floor
May 11
By Eric Seme

For decades, industrial cybersecurity has been guided by a straightforward premise: establish a clear boundary, defend that boundary, and trust the systems within it. This approach aligned with the historical design of operational technology (OT) environments, where systems were largely isolated, connectivity was limited, and the concept of an “air gap” served as a foundational control.
That premise is no longer valid.
Modern industrial environments are inherently interconnected. Remote access is now standard practice, industrial IoT devices continuously transmit data to external platforms, and production systems increasingly depend on cloud-based analytics and third-party integrations. As a result, the notion of a fixed and defensible perimeter has eroded. In its place there is a dynamic, highly connected environment in which implicit trust within the network has become a primary source of risk.
Addressing this shift requires more than incremental improvements to perimeter defenses. It demands a fundamental rethinking of trust: specifically, the elimination of implicit trust and the enforcement of security at the level of individual interactions. This is the essence of zero trust, and within OT environments it is most effectively realized through mesh-based networking architectures.
The Enduring Influence, and Limitations, of the Purdue Model
The Purdue Enterprise Reference Architecture (PERA), introduced by Theodore J. Williams (1992), remains a foundational model for structuring industrial systems. Its layered approach, separating enterprise systems from supervisory and control layers, has provided valuable guidance for segmentation and operational design.
However, PERA was not intended to function as a cybersecurity framework for modern, highly connected environments. Its assumptions of stable boundaries and limited cross-layer interaction no longer reflect operational reality.
Contemporary OT environments routinely operate across these boundaries:
Enterprise systems exchange data with plant-floor historians in real time
Vendors access control systems remotely for maintenance and support
Cloud platforms ingest and analyze production data continuously
Mobile and temporary endpoints connect directly to operational networks
As discussed in The Purdue Model is Dead, these conditions create what can be described as a “highly flammable core,” where internal network access provides excessive reachability once a breach occurs.
The issue is not the absence of segmentation but its granularity. Frameworks such as ISA/IEC 62443 introduce zones and conduits, a clear improvement over flat network architectures. As commonly implemented, however, they still rely on implicit trust within a zone: once a system is inside, it can communicate far more broadly than operational necessity requires.
The Persistence of the Air Gap Assumption
The concept of the air gap continues to influence how industrial organizations approach cybersecurity. Yet, as Stouffer et al. (NIST SP 800-82, 2015) observe, even early industrial control systems were rarely fully isolated. Connectivity was simply more constrained.
In modern environments, true isolation is uncommon. Remote access mechanisms, data integration pipelines, and supply chain dependencies have effectively eliminated the air gap. What remains is often a perception of isolation rather than its actual presence.
This discrepancy has significant implications. Security strategies that prioritize external defenses may neglect internal controls. When perimeter defenses are bypassed, the internal environment is often overly permissive.
The Stuxnet analysis by Falliere, Murchu, and Chien (2011) demonstrated how attackers could traverse trusted pathways within segmented environments to reach critical assets. Subsequent incidents have reinforced this pattern: initial access is only the first phase; the most consequential activity occurs through internal movement.
Lateral Movement as the Primary Risk
Threat intelligence consistently indicates that the most damaging phase of an attack occurs after initial compromise. According to Robert M. Lee and Dragos (2023), adversaries targeting industrial environments focus on reconnaissance, credential harvesting, and lateral movement to reach high-value systems.
The MITRE ATT&CK for ICS framework (2021) formalizes these behaviors, documenting techniques such as:
Exploitation of remote services to pivot across systems
Credential reuse across engineering workstations and control assets
Movement through trusted communication paths between HMIs, historians, and PLCs
These techniques are effective because they exploit implicit trust relationships embedded within the network. Systems are frequently granted access beyond what is operationally required, based solely on network location or role.
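The granularity problem raised above, and the lateral-movement risk it creates, is easiest to see as a reachability question: given one compromised host, how many other assets can an attacker connect to by chaining allowed connections? The Python below is an added example, not code from the article or from EmberNet. It builds a small constructed plant inventory (the asset names, zones, conduits and relationships are all assumptions for illustration) and computes that blast radius under a zone-based policy, where anything inside a zone can talk to anything else in it and conduits join zones, and under a relationship-based policy that allows only the declared operational interactions.

```python
"""Reachability ("blast radius") of one compromised host under two
segmentation models: zone-based (implicit trust inside a zone, conduits
between zones) versus relationship-based (only declared interactions).

Added example. The inventory below is constructed for illustration and
is not taken from the article or from any real site.
"""
from collections import deque

# Constructed inventory: asset -> zone (ISA/IEC 62443-style names assumed).
ASSETS = {
    "erp": "enterprise",
    "historian": "dmz",
    "hmi-line1": "supervisory",
    "hmi-line2": "supervisory",
    "eng-ws": "supervisory",
    "plc-line1": "control",
    "plc-line2": "control",
    "plc-boiler": "control",
}

# Directed conduits between zones (who may initiate connections to whom).
# Inside a zone everything is reachable: the implicit trust at issue.
CONDUITS = {
    ("enterprise", "dmz"),
    ("dmz", "supervisory"),
    ("supervisory", "dmz"),      # HMIs push data to the historian
    ("supervisory", "control"),
}

# Relationship-based policy: the explicit operational interactions only,
# as (initiator, target). Anything not listed is unreachable.
RELATIONSHIPS = {
    ("erp", "historian"),
    ("hmi-line1", "historian"),
    ("hmi-line2", "historian"),
    ("hmi-line1", "plc-line1"),
    ("hmi-line2", "plc-line2"),
    ("eng-ws", "plc-line1"),
    ("eng-ws", "plc-line2"),
    ("eng-ws", "plc-boiler"),
}


def zone_allows(src, dst):
    """Zone model: same zone => allowed; different zones => only via a conduit."""
    zs, zd = ASSETS[src], ASSETS[dst]
    return zs == zd or (zs, zd) in CONDUITS


def relationship_allows(src, dst):
    """Relationship model: allowed only if the interaction is declared."""
    return (src, dst) in RELATIONSHIPS


def reachable_from(start, allows):
    """Breadth-first search over the directed 'may connect to' graph.

    Returns the set of assets an attacker on `start` could reach by
    chaining connections, assuming each reached host becomes the next
    pivot (the lateral-movement assumption). `start` itself is excluded.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in ASSETS:
            if nxt not in seen and allows(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(start):
    """Sorted reachable sets under both models, for one compromised host."""
    return {
        "zone_based": sorted(reachable_from(start, zone_allows)),
        "relationship_based": sorted(reachable_from(start, relationship_allows)),
    }


if __name__ == "__main__":
    for host in ("hmi-line1", "historian"):
        r = blast_radius(host)
        print(f"{host}: zone-based reaches {len(r['zone_based'])}, "
              f"relationship-based reaches {len(r['relationship_based'])}")
        print("  zone-based:        ", r["zone_based"])
        print("  relationship-based:", r["relationship_based"])
```

With this inventory the zone model lets a compromised line-1 HMI reach every other supervisory and control asset plus the historian, while the relationship model confines it to the two systems it actually talks to; a compromised historian reaches six assets under the zone model and none under the relationship model. The same function can be run over a real inventory exported from an asset-discovery tool to rank which hosts would be the most damaging pivots.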
From an operational perspective, this represents a direct business risk. As outlined in The Literal Cost of Seconds, disruptions in industrial environments translate immediately into measurable consequences: production losses, equipment damage, safety incidents, and regulatory exposure. In many sectors, downtime costs escalate rapidly, often reaching thousands or millions of dollars per hour. Perimeter-based defenses do not adequately address this phase of the attack lifecycle. Once internal access is established, the environment often lacks sufficient controls to prevent escalation.
Zero Trust as an Architectural Shift
Zero trust represents a departure from location-based trust models toward identity- and policy-driven access control. First articulated by John Kindervag (2010) and later formalized in NIST SP 800-207 (Rose et al., 2020), zero trust assumes that no user, device, or system should be inherently trusted.
Applying this model to OT environments requires careful consideration. As Benestelli and Kambic (2023) of Carnegie Mellon’s Software Engineering Institute emphasize, industrial systems must balance security with operational continuity and safety requirements.
In practical terms, zero trust in OT involves:
Establishing verifiable identities for all users and devices
Enforcing least-privilege access at a granular level
Defining explicit policies governing all communications
Continuously validating trust based on context and behavior
This approach shifts the focus from securing network segments to governing interactions between systems.
Mesh Networking as a Practical Enforcement Model
While zero trust defines the architectural principle, its effectiveness depends on enforcement. Mesh networking provides a viable mechanism for implementing zero trust within distributed industrial environments.
In traditional networks, connectivity is implicit: systems can communicate whenever a route exists between them. Security controls are layered on top, often resulting in complexity and inconsistent enforcement.
In a mesh-based model, connectivity is explicit and policy-driven. Systems establish connections only when authorized, and those connections are:
Authenticated based on identity
Authorized according to defined policies
Encrypted end-to-end
Scoped to specific operational interactions
This model aligns with the CISA Zero Trust Maturity Model (2021), which emphasizes a transition from network-centric to identity-centric security.
For OT environments, the implications are significant:
The attack surface is reduced, as systems are not inherently discoverable
Lateral movement is constrained, limiting the impact of a compromise
Access aligns with operational requirements rather than network topology
This form of workload-level isolation is essential for preventing localized incidents from escalating into broader disruptions.
From Network Zones to Operational Relationships
A key conceptual shift introduced by zero trust is the transition from zone-based thinking to relationship-based access control.
Traditional models focus on network placement: which segment a system belongs to. Zero trust instead focuses on intent: what interactions are necessary and under what conditions they should occur.
Industrial operations are inherently dynamic. Access requirements are often temporary, contextual, and task-specific:
Vendors require limited, time-bound access to specific assets
Maintenance personnel need scoped permissions for defined tasks
Systems exchange data based on operational workflows
These are not static network relationships but defined interactions. Mesh-based architecture enables organizations to express and enforce these interactions directly, without exposing unnecessary pathways.
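The practices listed under zero trust in OT (verifiable identity, least-privilege access, explicit policy, continuous validation), the authenticated-authorized-scoped connections of the mesh model, and the time-bound, task-scoped vendor access just described all come together in one per-interaction decision. The Python below is an added example, not EmberNet's or any vendor's implementation: each request to open a connection is first authenticated as coming from a registered device identity, then matched against an explicit policy that names source, destination, permitted protocol operations and, for the vendor grant, a validity window. Identities, secrets, policies and requests are constructed for illustration. The HMAC over the request stands in for the mutual-TLS or WireGuard key exchange a real mesh would use to prove identity and encrypt the session; that exchange is out of scope here.

```python
"""Per-interaction policy decision for an OT zero-trust mesh.

Authenticate the requester's identity, then authorize the specific
(source, destination, operation) at the time of the request. Nothing is
allowed by default. Added example; identities, secrets, policies and
requests are constructed. The HMAC is a stand-in for a real mTLS or
WireGuard identity proof, not a replacement for one.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Registered identities: name -> per-device secret (constructed). Revoking
# an identity means removing it; the next request it makes is denied.
IDENTITIES = {
    "eng-ws-01": b"eng-ws-01-secret",
    "vendor-acme-tech": b"vendor-acme-secret",
    "hmi-line1": b"hmi-line1-secret",
}

# Explicit policy: every allowed interaction is listed; absence means deny.
# "ops" scopes the grant to named protocol operations; "not_before" /
# "not_after" make the vendor grant time-bound.
POLICIES = [
    {"src": "hmi-line1", "dst": "plc-line1",
     "ops": {"modbus:read", "modbus:write"}},
    {"src": "eng-ws-01", "dst": "plc-line1",
     "ops": {"modbus:read", "modbus:write", "program:download"}},
    {"src": "vendor-acme-tech", "dst": "plc-boiler", "ops": {"modbus:read"},
     "not_before": "2024-05-11T08:00:00+00:00",
     "not_after": "2024-05-11T12:00:00+00:00"},
]


def canonical(request):
    """Deterministic bytes so signer and verifier hash the same fields."""
    body = {k: request[k] for k in ("src", "dst", "op", "ts")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(request, secret):
    """Client side: attach an HMAC-SHA256 proof bound to src, dst, op and ts."""
    signed = dict(request)
    signed["sig"] = hmac.new(secret, canonical(request), hashlib.sha256).hexdigest()
    return signed


def authenticate(request):
    """Verify the request was produced by the registered identity it names."""
    secret = IDENTITIES.get(request.get("src"))
    if secret is None:
        return False
    expected = hmac.new(secret, canonical(request), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request.get("sig", ""))


def _parse(ts):
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def authorize(request):
    """Find an explicit grant covering (src, dst, op) valid at request time."""
    now = _parse(request["ts"])
    for p in POLICIES:
        if p["src"] != request["src"] or p["dst"] != request["dst"]:
            continue
        if request["op"] not in p["ops"]:
            continue
        if "not_before" in p and now < _parse(p["not_before"]):
            continue
        if "not_after" in p and now > _parse(p["not_after"]):
            continue
        return True
    return False


def decide(request):
    """Decision for one interaction: (allowed, reason).

    Run for every request, not once per session, so a revoked identity or
    an expired window is denied the next time it is checked.
    """
    if not authenticate(request):
        return False, "identity not verified"
    if not authorize(request):
        return False, "no policy grants this interaction now"
    return True, "allowed"


if __name__ == "__main__":
    ts_in, ts_out = "2024-05-11T09:30:00+00:00", "2024-05-11T13:00:00+00:00"
    vendor = IDENTITIES["vendor-acme-tech"]
    for req, key in [
        ({"src": "hmi-line1", "dst": "plc-line1", "op": "modbus:write", "ts": ts_in}, IDENTITIES["hmi-line1"]),
        ({"src": "vendor-acme-tech", "dst": "plc-boiler", "op": "modbus:read", "ts": ts_in}, vendor),
        ({"src": "vendor-acme-tech", "dst": "plc-boiler", "op": "modbus:write", "ts": ts_in}, vendor),
        ({"src": "vendor-acme-tech", "dst": "plc-boiler", "op": "modbus:read", "ts": ts_out}, vendor),
        ({"src": "hmi-line1", "dst": "plc-line1", "op": "modbus:read", "ts": ts_in}, b"wrong-key"),
    ]:
        signed = sign_request(req, key)
        print(req["src"], "->", req["dst"], req["op"], req["ts"], decide(signed))
```

Two design points matter in practice. The signature covers the destination and operation, so a legitimately signed read request cannot be replayed against a different PLC or turned into a write; and the decision is re-evaluated per request, which is what makes revocation and the vendor's expiry take effect without tearing down infrastructure. A production mesh would add replay protection (a nonce or a tight freshness bound on `ts`) and take identity from the transport handshake rather than from a field in the request.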
Toward Resilient Industrial Operations
The objective of cybersecurity in OT is not solely to prevent intrusion, but to ensure safe, reliable, and resilient operations under adverse conditions.
Perimeter-based models emphasize prevention, on the premise that sufficiently strong defenses can eliminate risk. Zero trust adopts a different perspective: breaches may occur, but their impact can be contained.
By eliminating implicit trust, enforcing least-privilege access, and mediating all interactions through policy, zero-trust mesh architectures enable what can be described as containment by design.
This approach aligns security strategy with the realities of modern industrial systems, addressing risk where it manifests, within the network and between systems.
Conclusion
Industrial environments have evolved beyond the assumptions that underpin traditional security models. The perimeter is no longer a reliable control point, and implicit trust within the network represents a significant and often underappreciated risk.
The collective work of Kindervag, NIST, MITRE, Dragos, SEI, and others highlights a clear direction forward: security must shift from defending boundaries to controlling interactions.
Zero-trust mesh networking provides a practical framework for this transition. By redefining trust at the level of individual connections, it enables organizations to reduce risk, contain threats, and align security with operational intent.
In today’s industrial landscape, the critical question is no longer whether the perimeter is sufficient. It is whether the systems within it are trusted beyond what is justified.
About the Author
Eric Seme is an industrial cybersecurity expert and the founder of EmberNet, where he focuses on developing hyper-converged infrastructure and zero-trust architectures for the plant floor. His work centers on helping organizations transition from legacy perimeter models to resilient, identity-driven operational environments.
Bibliography
Benestelli, B., & Kambic, D. J. (2023). IT, OT, and ZT: Implementing Zero Trust in Industrial Control Systems. Carnegie Mellon Software Engineering Institute (SEI).
CISA. (2021). Zero Trust Maturity Model. Cybersecurity and Infrastructure Security Agency.
Department of Defense (DoD) CIO. (2022). Zero Trust Reference Architecture: Operational Technology Activities and Outcomes.
Dragos, Inc. (2023). ICS/OT Cybersecurity Year in Review (Robert M. Lee et al.).
Falliere, N., Murchu, L. O., & Chien, E. (2011). W32.Stuxnet Dossier. Symantec Security Response.
Kindervag, J. (2010). Build Security Into Your Network's DNA: The Zero Trust Network Architecture. Forrester Research.
MITRE ATT&CK. (2021). Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for ICS.
Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). NIST Special Publication 800-207: Zero Trust Architecture. National Institute of Standards and Technology.
Seme, E. (2024). The Purdue Model is Dead: EmberNet and the Zero-Trust Imperative for Industrial Operations.
Seme, E. (2024). The Literal Cost of Seconds: Quantifying ROI in the Era of Industry 5.0.
Stouffer, K., et al. (2015). NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security.
Williams, T. J. (1992). The Purdue Enterprise Reference Architecture (PERA). Purdue Laboratory for Applied Industrial Control.