One Breach Should Never Reach the Plant Floor.
Contain lateral movement, keep production running, and protect the assets you can’t patch — with outbound-only, identity-first connectivity that puts no agent on legacy controllers and opens no inbound ports. One fabric across IT, OT, IoT, and embedded devices, deployable on-premises or fully air-gapped. Built for IEC 62443 and NIS2.
The Plant Floor Was Never Built to Survive This Much Connectivity
Cyber-physical systems need more outside connectivity than ever — for analytics, condition monitoring, and convergence with IT. But the assets are brittle, the networks are flat, and the usual ways to add that connectivity open exactly the paths an attacker wants. A single intrusion in IT can cascade straight into an OT shutdown.
Unpatchable assets on flat, converging networks
SCADA controllers, PLCs, and an HMI running an unsupported, out-of-date operating system were never built to defend themselves, and they can’t be patched at will without risking production or safety certification. As IT and OT converge, those assets sit one flat hop from the enterprise — and a foothold in IT can cascade into a plant-floor shutdown.
- Legacy controllers and HMIs can’t be patched without downtime or recertification — known vulnerabilities stay open for years
- Flat Layer 2 networks and IT/OT convergence let an IT-borne attack reach the plant floor directly
- DMZs, jump servers, and persistent VPNs into the plant are standing attack paths
- OT equipment spans many vendors, each with its own tools — a sprawl of vendor-specific and DIY point solutions
- Friction with corporate IT pushes OT teams toward shadow workarounds that bypass policy
- Any added security has to be non-intrusive — no downtime, no interference with real-time control
For the CISO or head of OT security, the plant manager, and the ICS architect, the hardest constraint is that the riskiest assets are the ones they can’t touch — and the fix can’t require an agent on a brittle controller, can’t add downtime, and can’t depend on a cloud link that might drop mid-shift. Uptime, worker safety, and process reliability come first.
“NetFoundry’s technology enables us to apply the strictest deny-by-default security principles to every user, device and application in our customers’ networks.”
Steve Wulchin, CEO — Freewave
Constrained devices, multiplied across sites
IoT multiplies every OT problem: thousands of sensors, meters, gateways, and machines spread across remote and sometimes air-gapped sites, each needing to send data out and receive updates back. Most are too constrained to run a security agent, and network-centric controls don’t scale to populations this large or this diverse.
- Devices ship with default credentials and open services — easy targets the moment they’re reachable
- Static IP allowlists and per-device firewall rules are unmanageable at fleet scale
- Constrained endpoints can’t host a traditional agent or VPN client
- Flat networks let one compromised sensor become a path onto the plant floor
- Cellular, edge, and roaming devices break IP-based access assumptions
- No consistent device identity means no consistent way to authorize or audit
Whatever secures the fleet has to reach the smallest device without an agent, isolate every endpoint so one compromise can’t spread, and keep working at remote sites whether or not the cloud is reachable — the containment problem of the plant floor, at far greater scale.
Third-party access you can’t fully see
Equipment vendors and OEMs need to reach their machines for diagnostics and maintenance. Today that means a VPN or a jump server — broad, standing access into the OT environment that’s hard to scope, hard to audit, and impossible to standardize across every vendor’s preferred method. It’s a necessary capability, but it shouldn’t come at the cost of an always-open door.
- VPNs grant far more reach than any single vendor task requires
- Jump servers are operationally complex and become single points of failure inside OT
- Each OEM brings a different access model — inconsistent governance and audit sprawl
- Open inbound paths for vendors are exactly the entry points attackers target
- Provisioning and revoking access means firewall and infrastructure changes every time
- No per-identity record of which vendor touched which machine, when
The goal is just-in-time access to a single machine — nothing else — with a full audit trail, no truck roll, and no standing door left open into the plant between sessions.
One Fabric. Every Asset. Invisible by Default.
NetFoundry is the connectivity and segmentation layer that enforces what your discovery and detection tools find. Outbound-only and identity-first, it puts no agent on legacy assets and opens no inbound ports — one fabric spanning IT, OT, IoT, and embedded devices, deployable on-premises or fully air-gapped, without interfering with operations.
Segment IT from OT — and contain what moves inside it
Stop an IT-borne attack before it reaches the plant floor, then shrink the blast radius inside OT itself. Identity-based, application-layer segmentation enforces zone-and-conduit boundaries between IT and OT and between machines — without touching the underlying network. A lightweight tunneler fronts legacy SCADA, PLC, and HMI assets, so even an HMI on an unsupported operating system runs inside a zero-trust bubble with no agent on the device.
- IT/OT segmentation stops a compromise in IT from cascading into an OT shutdown
- Machine-to-machine segmentation enforces least-privilege conduits to shrink blast radius
- Secure m2C and C2m transport for IT/OT convergence — sensor and production data out, configurations back
- Wrap unpatchable legacy assets in a zero-trust bubble — no agent on the controller, no downtime
- Outbound-only with no inbound ports — non-intrusive to real-time control and safety systems
- Deploy on-premises or fully air-gapped on commodity hardware — OT teams manage the overlay without engaging IT
Reach every device — down to the constrained edge
The same fabric extends to the IoT fleet. Front a group of devices with a lightweight tunneler, or embed the SDK to give a single constrained device its own cryptographic identity. Telemetry flows outbound-only, devices stay invisible to inbound scans, every endpoint is isolated by default, and remote sites keep running whether or not the cloud is reachable.
- Embedded SDK or lightweight tunneler — no traditional agent required on constrained devices
- Each device authenticates by identity, not IP address or network location
- Outbound-only telemetry and updates — devices stay invisible to inbound scans
- Default-deny isolates every endpoint, so one compromised device can’t reach the others
- Remote lifecycle management for ML models at the edge — machine vision, predictive maintenance, digital twins
- Works across cellular, edge, air-gapped, and roaming deployments where IP allowlists break down
One identity model and one policy engine span IT, OT, and IoT — from a data-center workload to a controller on the plant floor to a sensor on a cellular link. The fleet is governed the same way regardless of where or how each device connects.
“NetFoundry helped us scale faster, safer, and more cost-effectively — eliminating VPN and NAT dependencies.”
Rodrigo Bernardinelli, CEO — Digibee
Just-in-time access to one machine — not the plant
Replace vendor VPNs and jump servers with identity-based, just-in-time access. Each OEM or integrator identity reaches only the specific equipment it’s authorized to service, every session is recorded, and no standing inbound path is left open between visits — no truck roll required.
- No VPNs or jump servers to deploy, manage, or troubleshoot for vendor access
- No open firewall ports or IP allowlists on plant networks
- Just-in-time, least-privilege access to a single machine — granted, then revoked
- Full per-identity audit trail of every vendor connection and maintenance session
- Remote diagnostics and maintenance without a truck roll
- One consistent governance model across every OEM, regardless of their network
Instead of maintaining per-vendor VPN configurations or firewall exceptions, each OEM identity gets a certificate-based connection to only the equipment it services — time-bound, fully audited, and centrally managed through NetFoundry’s identity-based policy engine.
First Segment Live in a Day
Identity-first connectivity deploys on a crawl-walk-run path — no network redesign, no agent on a controller, no production interruption. The same model that ships embedded in Siemens SINEC Secure Connect is light enough to stand up yourself, starting with a single line or cell.
Deploy in front of assets — no agent, no network changes
Drop a lightweight tunneler in front of legacy SCADA, PLC, or HMI assets, or embed the SDK in a constrained device. Nothing is installed on brittle controllers, and no VLANs, firewall rules, or existing network infrastructure change. Run it on-premises or fully air-gapped on commodity hardware, and start with a single line or cell.
Go dark: outbound-only, no inbound ports
Each asset dials out to the fabric. With no listening ports exposed, the plant network becomes invisible to internet scans and there is no VPN endpoint to attack. Connectivity is added without enlarging the attack surface and without interfering with real-time control.
Authenticate by identity, then connect
Mutual authentication with X.509 certificates establishes an encrypted conduit only after identity and policy are verified. No network access is granted by default — zero trust from the connection layer up.
Enforce least privilege and contain the blast radius
Access is defined by identity, device, and service — not IP address. Identity-based, application-layer conduits enforce zone-and-conduit boundaries between IT and OT and between machines, so a compromise in IT or one device in the fleet has nowhere to spread.
Keep running if the cloud link drops
Local enforcement does not depend on a live connection to the cloud. Plant-to-plant and on-site connectivity continues through an outage, so production keeps moving even when the WAN does not — protecting uptime, safety, and process reliability.
Govern centrally and prove compliance
Centralized policy management and immutable logs support investigation, change control, and audit across every site, device, and vendor — mapping directly to IEC 62443, NIS2, NERC/CIP, and the EU Cyber Resilience Act in one consistent framework.
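The steps above, and the vendor-access model described under "Just-in-time access to one machine", come down to one decision made on every dial: is this verified identity allowed to reach this specific service right now, with deny as the default and a record either way. The following Python is an added illustration of that evaluation and is not NetFoundry or OpenZiti code; every identity, service, role and policy name in it is constructed for the example, and the role-attribute matching is a simplified model of identity-based policy rather than the product's actual engine. It covers the standing IT/OT and machine-to-machine conduits, a time-bound OEM grant that expires or is revoked without any firewall change, and the per-identity audit trail.

```python
"""Default-deny, identity-first conduit policy with time-bound vendor grants.

Added illustration only: not NetFoundry or OpenZiti code. All identity,
service, role and policy names below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """A certificate-authenticated endpoint; roles are attributes, never IP addresses."""
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Service:
    """Something behind a tunneler (e.g. a PLC's Modbus port); roles place it in a zone."""
    name: str
    roles: FrozenSet[str]


@dataclass
class Policy:
    """A conduit: identities holding ANY identity_role may dial services holding ANY service_role."""
    name: str
    identity_roles: FrozenSet[str]
    service_roles: FrozenSet[str]
    not_before: Optional[datetime] = None  # only set on just-in-time grants
    not_after: Optional[datetime] = None

    def active_at(self, now: datetime) -> bool:
        if self.not_before is not None and now < self.not_before:
            return False
        if self.not_after is not None and now >= self.not_after:
            return False
        return True

    def matches(self, identity: Identity, service: Service) -> bool:
        return bool(self.identity_roles & identity.roles) and bool(self.service_roles & service.roles)


class ConduitBroker:
    """Evaluates each dial against policy; anything not explicitly allowed is denied and logged."""

    def __init__(self) -> None:
        self.policies: List[Policy] = []
        self.audit: List[Dict[str, str]] = []

    def add_policy(self, policy: Policy) -> None:
        self.policies.append(policy)

    def grant_jit(self, name: str, identity_roles, service_roles, now: datetime, ttl: timedelta) -> Policy:
        """Time-bound vendor grant: closes by itself, no firewall change needed to end it."""
        policy = Policy(name, frozenset(identity_roles), frozenset(service_roles),
                        not_before=now, not_after=now + ttl)
        self.policies.append(policy)
        return policy

    def revoke(self, name: str) -> int:
        """Revoke a grant early; returns how many policies were removed."""
        kept = [p for p in self.policies if p.name != name]
        removed = len(self.policies) - len(kept)
        self.policies = kept
        return removed

    def authorize(self, identity: Identity, service: Service, now: datetime) -> Tuple[bool, str]:
        allowed, reason = False, "no-matching-policy"  # default deny
        for policy in self.policies:
            if policy.active_at(now) and policy.matches(identity, service):
                allowed, reason = True, policy.name
                break
        # Per-identity record: who reached which machine, when, under which policy.
        self.audit.append({"at": now.isoformat(), "identity": identity.name,
                           "service": service.name, "policy": reason,
                           "decision": "allow" if allowed else "deny"})
        return allowed, reason


def demo():
    """Constructed scenario: one OT line, one IT historian, one OEM technician."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    broker = ConduitBroker()
    # Standing conduits: inside the line, and sensor data out to the IT historian (m2C).
    broker.add_policy(Policy("line1-conduit", frozenset({"zone:ot-line1"}), frozenset({"zone:ot-line1"})))
    broker.add_policy(Policy("m2c-telemetry", frozenset({"zone:ot-line1"}), frozenset({"historian"})))
    # One-hour just-in-time grant for the OEM's technician, scoped to that vendor's equipment.
    broker.grant_jit("acme-jit-wo1234", {"oem:acme"}, {"vendor:acme"}, now=t0, ttl=timedelta(hours=1))

    hmi = Identity("hmi-line1", frozenset({"zone:ot-line1"}))
    erp = Identity("erp-app", frozenset({"zone:it"}))
    tech = Identity("acme-tech-jane", frozenset({"oem:acme"}))
    plc = Service("plc-line1-modbus", frozenset({"zone:ot-line1", "vendor:acme"}))
    historian = Service("historian-ingest", frozenset({"zone:it", "historian"}))

    results = {
        "hmi->plc": broker.authorize(hmi, plc, t0),                       # inside the OT zone
        "erp->plc": broker.authorize(erp, plc, t0),                       # IT cannot reach OT
        "hmi->historian": broker.authorize(hmi, historian, t0),           # data out only
        "tech->plc@t0": broker.authorize(tech, plc, t0),                  # within JIT window
        "tech->plc@+30m": broker.authorize(tech, plc, t0 + timedelta(minutes=30)),
        "tech->plc@+2h": broker.authorize(tech, plc, t0 + timedelta(hours=2)),  # expired
        "tech->historian": broker.authorize(tech, historian, t0),         # out of scope
    }
    results["revoked"] = broker.revoke("acme-jit-wo1234")
    results["tech->plc@after-revoke"] = broker.authorize(tech, plc, t0)
    return results, broker.audit


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(f"{key:24} {value}")
```

Two design points carry over from the page even in this toy: the IT identity is denied the PLC not because a firewall rule says so but because no conduit names it, and the vendor's access ends when the window closes (or on explicit revocation) with no infrastructure change, while every attempt, allowed or denied, lands in the audit list as evidence.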
No internet? No problem. Deploy fully air-gapped.
The entire fabric runs on-premises or in a completely air-gapped environment, on commodity hardware you already own — no proprietary appliance to procure, no vendor-hosted cloud to get signed off, and no internet dependency to satisfy a security review. OT teams stand it up and manage it themselves, without a corporate IT project in the critical path.
And what you never have to do
- No firewall change-control board
- No VLAN or network redesign
- No agent certified onto a brittle controller
- No inbound ports opened or NAT rules
- No maintenance window or production downtime
- No truck roll to a remote site
Light enough to embed: the same identity-first connectivity ships built into Siemens SINEC Secure Connect — proof the fabric is engineered to deploy inside industrial infrastructure, not bolted on around it.
You Can’t Patch the Legacy HMI. You Don’t Have to Expose It Either.
Operational technology can’t be patched at will, and disclosed ICS vulnerabilities keep rising while purpose-built OT malware like INDUSTROYER.V2 and PIPEDREAM targets the plant floor. NetFoundry doesn’t ask you to fix every flaw — it removes the path an attacker would use to reach it.
Nothing to scan, nothing to hit
Most exploits need a reachable listening port. Outbound-only connectivity means there is no open inbound port to scan, fingerprint, or send a malicious packet to. An attacker can’t exploit a service that isn’t listening — the asset is invisible on the network to every unauthorized identity.
A compensating control for what you can’t patch
The vulnerability stays present, but it stops being reachable. Wrapping a legacy controller or an HMI on an unsupported operating system in a zero-trust bubble is a recognized compensating control under IEC 62443 — language you can take straight to an auditor for the assets you can’t remediate or take offline.
Even if one asset falls, it goes nowhere
Assume an asset is exploited anyway. Identity-based, least-privilege segmentation means the attacker can’t pivot — the blast radius is one machine, not the plant. Exploitation becomes worthless when there is no lateral path to anything else of value.
The result is a measurable drop in exploitability without a single patch, a maintenance window, or an agent on a brittle device — reachability removed, lateral movement contained, and the evidence to prove it.
The Enforcement Layer Beneath Your CPS Security Stack
Cyber-physical systems protection platforms discover, classify, and detect. NetFoundry enforces — delivering the segmentation and secure connectivity those platforms recommend, and integrating with the discovery, detection, and OEM ecosystem you already run.
Shipping inside Siemens SINEC Secure Connect
NetFoundry’s identity-first connectivity is embedded directly in Siemens network devices as Siemens SINEC Secure Connect — bringing outbound-only, zero-trust connectivity to industrial infrastructure through one of the world’s largest automation OEMs. It is proof that the fabric is built to be embedded and white-labeled by the vendors your plant already trusts.
- Zero-trust connectivity native to Siemens network hardware
- Outbound-only, no inbound ports, no separate agent
- Embeddable and white-labeled through the OpenZiti SDKs
Complements the platforms, integrates with the stack
NetFoundry is not another discovery or detection tool — it is the connectivity and segmentation layer beneath them. It takes the assets your CPS protection platform finds and enforces least-privilege, identity-based access to them, while feeding session and policy data back into the tools your SOC already uses.
- Enforces the segmentation that discovery and detection platforms recommend
- Streams visibility and session data to your SIEM or Elastic stack, or via API
- Partners with OEMs and integrators across the industrial ecosystem
Built for regulated industrial environments
NetFoundry maps directly to the zone-and-conduit, least-privilege, and audit requirements that OT environments are measured against — one model, one set of evidence, across every site.
What You Get with Identity-First OT & IoT Connectivity
Contained blast radius
Identity-based, application-layer segmentation enforces zone-and-conduit boundaries between IT and OT and between machines, so a foothold in IT — or one compromised device — has nowhere to spread onto the plant floor.
No agent on legacy endpoints
A lightweight tunneler fronts brittle controllers without touching them; an embedded SDK covers constrained devices. Even an HMI on an unsupported operating system runs inside a zero-trust bubble — nothing installed on assets you can’t patch.
Assets dark to the internet
Outbound-only connectivity means no inbound ports and no VPN endpoint to attack. OT and IoT assets are invisible to internet scans — reachable only by verified identities, without interfering with operations.
On-prem or fully air-gapped
Run the entire fabric on-premises or in an air-gapped environment on commodity hardware — no proprietary appliances, and no dependency on a vendor-hosted cloud. OT teams manage the overlay without engaging corporate IT.
Keeps running through outages
Local enforcement doesn’t depend on a live cloud link. On-site and plant-to-plant connectivity continues if the WAN drops, protecting uptime, worker safety, and process reliability when it matters most.
One fabric, no tool sprawl
A single platform spans IT, OT, IoT, and embedded devices — segmentation, convergence, and vendor access in one model. It replaces the patchwork of vendor-specific and DIY point tools with one consistent overlay.
OT & IoT Connectivity Questions
What is NetFoundry OT & IoT connectivity?
How does NetFoundry protect legacy OT assets that can’t be patched?
Does NetFoundry require opening inbound firewall ports or a VPN into the plant?
How does NetFoundry help meet IEC 62443 and NIS2 requirements?
Can NetFoundry be deployed on-premises or in an air-gapped environment?
How does NetFoundry stop lateral movement between IT and OT?
How does NetFoundry secure remote vendor and OEM access to equipment?
How does NetFoundry connect constrained IoT devices at fleet scale?
Keep One Breach From Ever Reaching the Plant Floor
See how NetFoundry contains lateral movement, protects the assets you can’t patch, and keeps production running — with no agent on legacy controllers, no inbound ports, and on-premises or air-gapped deployment aligned to IEC 62443 and NIS2.