Zero Trust OT & IoT Connectivity

One Breach Should Never Reach the Plant Floor.

Contain lateral movement, keep production running, and protect the assets you can’t patch — with outbound-only, identity-first connectivity that puts no agent on legacy controllers and opens no inbound ports. One fabric across IT, OT, IoT, and embedded devices, deployable on-premises or fully air-gapped. Built for IEC 62443 and NIS2.

0 inbound ports opened on OT or plant networks
0 agents required on legacy SCADA, PLC, or HMI assets
99.99% reduction in external attack surface
1B+ sessions/month on global NetFoundry infrastructure
The challenge

The Plant Floor Was Never Built to Survive This Much Connectivity

Cyber-physical systems need more outside connectivity than ever — for analytics, condition monitoring, and convergence with IT. But the assets are brittle, the networks are flat, and the usual ways to add that connectivity open exactly the paths an attacker wants. A single intrusion in IT can cascade straight into an OT shutdown.

Unpatchable assets on flat, converging networks

SCADA controllers, PLCs, and HMIs running unsupported, out-of-date operating systems were never built to defend themselves, and they can’t be patched at will without risking production or safety certification. As IT and OT converge, those assets sit one flat hop from the enterprise — and a foothold in IT can cascade into a plant-floor shutdown.

  • Legacy controllers and HMIs can’t be patched without downtime or recertification — known vulnerabilities stay open for years
  • Flat Layer 2 networks and IT/OT convergence let an IT-borne attack reach the plant floor directly
  • DMZs, jump servers, and persistent VPNs into the plant are standing attack paths
  • OT equipment spans many vendors, each with its own tools — a sprawl of vendor-specific and DIY point solutions
  • Friction with corporate IT pushes OT teams toward shadow workarounds that bypass policy
  • Any added security has to be non-intrusive — no downtime, no interference with real-time control

For the CISO or head of OT security, the plant manager, and the ICS architect, the hardest constraint is that the riskiest assets are the ones they can’t touch — and the fix can’t require an agent on a brittle controller, can’t add downtime, and can’t depend on a cloud link that might drop mid-shift. Uptime, worker safety, and process reliability come first.

“NetFoundry’s technology enables us to apply the strictest deny-by-default security principles to every user, device and application in our customers’ networks.”

Steve Wulchin, CEO — Freewave

Constrained devices, multiplied across sites

IoT multiplies every OT problem: thousands of sensors, meters, gateways, and machines spread across remote and sometimes air-gapped sites, each needing to send data out and receive updates back. Most are too constrained to run a security agent, and network-centric controls don’t scale to populations this large or this diverse.

  • Devices ship with default credentials and open services — easy targets the moment they’re reachable
  • Static IP allowlists and per-device firewall rules are unmanageable at fleet scale
  • Constrained endpoints can’t host a traditional agent or VPN client
  • Flat networks let one compromised sensor become a path onto the plant floor
  • Cellular, edge, and roaming devices break IP-based access assumptions
  • No consistent device identity means no consistent way to authorize or audit

Whatever secures the fleet has to reach the smallest device without an agent, isolate every endpoint so one compromise can’t spread, and keep working at remote sites whether or not the cloud is reachable — the containment problem of the plant floor, at far greater scale.

Third-party access you can’t fully see

Equipment vendors and OEMs need to reach their machines for diagnostics and maintenance. Today that means a VPN or a jump server — broad, standing access into the OT environment that’s hard to scope, hard to audit, and impossible to standardize across every vendor’s preferred method. It’s a necessary capability, but it shouldn’t come at the cost of an always-open door.

  • VPNs grant far more reach than any single vendor task requires
  • Jump servers are operationally complex and become single points of failure inside OT
  • Each OEM brings a different access model — inconsistent governance and audit sprawl
  • Open inbound paths for vendors are exactly the entry points attackers target
  • Provisioning and revoking access means firewall and infrastructure changes every time
  • No per-identity record of which vendor touched which machine, when

The goal is just-in-time access to a single machine — nothing else — with a full audit trail, no truck roll, and no standing door left open into the plant between sessions.

The NetFoundry approach

One Fabric. Every Asset. Invisible by Default.

NetFoundry is the connectivity and segmentation layer that enforces what your discovery and detection tools find. Outbound-only and identity-first, it puts no agent on legacy assets and opens no inbound ports — one fabric spanning IT, OT, IoT, and embedded devices, deployable on-premises or fully air-gapped, without interfering with operations.

Segment IT from OT — and contain what moves inside it

Stop an IT-borne attack before it reaches the plant floor, then shrink the blast radius inside OT itself. Identity-based, application-layer segmentation enforces zone-and-conduit boundaries between IT and OT and between machines — without touching the underlying network. A lightweight tunneler fronts legacy SCADA, PLC, and HMI assets, so even an HMI on an unsupported operating system runs inside a zero-trust bubble with no agent on the device.

  • IT/OT segmentation stops a compromise in IT from cascading into an OT shutdown
  • Machine-to-machine segmentation enforces least-privilege conduits to shrink blast radius
  • Secure machine-to-cloud (M2C) and cloud-to-machine (C2M) transport for IT/OT convergence — sensor and production data out, configurations back
  • Wrap unpatchable legacy assets in a zero-trust bubble — no agent on the controller, no downtime
  • Outbound-only with no inbound ports — non-intrusive to real-time control and safety systems
  • Deploy on-premises or fully air-gapped on commodity hardware — OT teams manage the overlay without engaging IT

Reach every device — down to the constrained edge

The same fabric extends to the IoT fleet. Front a group of devices with a lightweight tunneler, or embed the SDK to give a single constrained device its own cryptographic identity. Telemetry flows outbound-only, devices stay invisible to inbound scans, every endpoint is isolated by default, and remote sites keep running whether or not the cloud is reachable.

  • Embedded SDK or lightweight tunneler — no traditional agent required on constrained devices
  • Each device authenticates by identity, not IP address or network location
  • Outbound-only telemetry and updates — devices stay invisible to inbound scans
  • Default-deny isolates every endpoint, so one compromised device can’t reach the others
  • Remote lifecycle management for ML models at the edge — machine vision, predictive maintenance, digital twins
  • Works across cellular, edge, air-gapped, and roaming deployments where IP allowlists break down

One identity model and one policy engine span IT, OT, and IoT — from a data-center workload to a controller on the plant floor to a sensor on a cellular link. The fleet is governed the same way regardless of where or how each device connects.

“NetFoundry helped us scale faster, safer, and more cost-effectively — eliminating VPN and NAT dependencies.”

Rodrigo Bernardinelli, CEO — Digibee

Just-in-time access to one machine — not the plant

Replace vendor VPNs and jump servers with identity-based, just-in-time access. Each OEM or integrator identity reaches only the specific equipment it’s authorized to service, every session is recorded, and no standing inbound path is left open between visits — no truck roll required.

  • No VPNs or jump servers to deploy, manage, or troubleshoot for vendor access
  • No open firewall ports or IP allowlists on plant networks
  • Just-in-time, least-privilege access to a single machine — granted, then revoked
  • Full per-identity audit trail of every vendor connection and maintenance session
  • Remote diagnostics and maintenance without a truck roll
  • One consistent governance model across every OEM, regardless of their network

Instead of maintaining per-vendor VPN configurations or firewall exceptions, each OEM identity gets a certificate-based connection to only the equipment it services — time-bound, fully audited, and centrally managed through NetFoundry’s identity-based policy engine.

How it works

First Segment Live in a Day

Identity-first connectivity deploys on a crawl-walk-run path — no network redesign, no agent on a controller, no production interruption. The same model that ships embedded in Siemens SINEC Secure Connect is light enough to stand up yourself, starting with a single line or cell.

1 day to a first segment live in production
Minutes to onboard a new device or asset
Zero maintenance windows required
1. Install the tunneler: drop it in front of the asset or embed the SDK — nothing on the controller.
2. It dials out: the asset reaches the fabric outbound-only. No inbound ports, no firewall ticket.
3. You set a policy: grant least-privilege access by identity. Done — the segment is live.
1. Deploy in front of assets — no agent, no network changes

Drop a lightweight tunneler in front of legacy SCADA, PLC, or HMI assets, or embed the SDK in a constrained device. Nothing is installed on brittle controllers, and no VLANs, firewall rules, or existing network infrastructure change. Run it on-premises or fully air-gapped on commodity hardware, and start with a single line or cell.

2. Go dark: outbound-only, no inbound ports

Each asset dials out to the fabric. With no listening ports exposed, the plant network becomes invisible to internet scans and there is no VPN endpoint to attack. Connectivity is added without enlarging the attack surface and without interfering with real-time control.

3. Authenticate by identity, then connect

Mutual authentication with X.509 certificates establishes an encrypted conduit only after identity and policy are verified. No network access is granted by default — zero trust from the connection layer up.
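
What this step means on the wire, as an added example (not NetFoundry’s or OpenZiti’s code, Go standard library only): a throwaway fabric CA issues certificates to an edge and to one tunneler identity; the edge requires and verifies a client certificate on every handshake, so a caller with no certificate, or one presenting the enrolled name on a certificate from a different issuer, never gets a conduit. The identity names (fabric-ca, fabric-edge, plc-line1-tunneler, rogue-ca), the loopback edge and the “conduit-open” acknowledgement are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// ident is an enrolled identity: its certificate and private key (all names here are hypothetical).
type ident struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // serial numbers for the throwaway certificates minted below

// issue mints a short-lived P-256 certificate for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *ident) ident {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = &ident{tmpl, key} // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return ident{must(x509.ParseCertificate(der)), key}
}

// edgeLoop plays the fabric edge: a conduit is acknowledged only after the mutual TLS handshake
// has verified the caller's certificate against the fabric CA; an unverified caller gets only the alert.
func edgeLoop(ln net.Listener) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		tc := conn.(*tls.Conn)
		if tc.Handshake() == nil { // only a caller the fabric CA vouches for gets past this check
			fmt.Fprintf(tc, "conduit-open identity=%s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
		tc.Close()
	}
}

// dial plays a device dialing out to the edge; caller is nil for an unenrolled device.
// It returns the edge's acknowledgement, or "" when no conduit was opened.
func dial(addr string, trust *x509.CertPool, caller *ident) string {
	cfg := &tls.Config{RootCAs: trust, ServerName: "fabric-edge", MinVersion: tls.VersionTLS13}
	if caller != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{caller.cert.Raw}, PrivateKey: caller.key}}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return ""
	}
	defer conn.Close()
	reply, _ := io.ReadAll(conn) // a rejected handshake surfaces here as a TLS alert and an empty reply
	return string(reply)
}

// Demo stands up a throwaway fabric CA and edge on loopback and tries three callers: an enrolled
// tunneler, a caller with no certificate, and a caller presenting the enrolled name under an untrusted CA.
func Demo() (enrolled, noCert, wrongCA string) {
	ca := issue("fabric-ca", true, nil)
	edge := issue("fabric-edge", false, &ca)
	plc := issue("plc-line1-tunneler", false, &ca)
	rogueCA := issue("rogue-ca", true, nil)
	forged := issue("plc-line1-tunneler", false, &rogueCA) // right name, wrong issuer
	trust := x509.NewCertPool()
	trust.AddCert(ca.cert)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{edge.cert.Raw}, PrivateKey: edge.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no verified identity, no handshake
		ClientCAs:    trust,                          // only the fabric CA vouches for identities
		MinVersion:   tls.VersionTLS13,
	}))
	defer ln.Close()
	go edgeLoop(ln)
	addr := ln.Addr().String()
	return dial(addr, trust, &plc), dial(addr, trust, nil), dial(addr, trust, &forged)
}

func main() {
	enrolled, noCert, wrongCA := Demo()
	fmt.Printf("enrolled: %q\nno certificate: %q\nuntrusted issuer: %q\n", enrolled, noCert, wrongCA)
}
```

The point to take from the third caller is that the name on the certificate is irrelevant: what admits an identity is a chain to the CA the edge trusts, which is why enrollment (issuing that certificate) and not an IP allowlist is the control.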

4. Enforce least privilege and contain the blast radius

Access is defined by identity, device, and service — not IP address. Identity-based, application-layer conduits enforce zone-and-conduit boundaries between IT and OT and between machines, so a compromise in IT or one device in the fleet has nowhere to spread.
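
A worked model of this policy step and of the just-in-time vendor access described earlier (under “Just-in-time access to one machine”), added here as an example rather than the product’s own policy engine: identities and services carry role attributes, a policy grants Dial or Bind between role selectors, and a role can be granted with an expiry so a vendor’s reach lapses on its own. The selector syntax (#role, @name, #all) follows OpenZiti’s policy conventions, but the evaluator is a simplified stand-in, and every identity, service, role and timestamp is constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Identity is anything that dials or hosts a service: a tunneler, an SDK device, a vendor user.
// Roles maps each role attribute to its expiry; the zero time means the role never expires.
type Identity struct {
	Name  string
	Roles map[string]time.Time
}

// Service is one conduit endpoint (for example Modbus/TCP on one PLC) tagged with role attributes.
type Service struct {
	Name  string
	Roles []string
}

// Policy permits one action between selectors: "#role" matches a role attribute,
// "@name" matches one identity or service by name, "#all" matches everything.
type Policy struct {
	Name, Action                string // Action is "Dial" (consume) or "Bind" (host)
	IdentityRoles, ServiceRoles []string
}

// Fabric is the policy store; nothing is reachable unless a policy says so.
type Fabric struct {
	Identities map[string]*Identity
	Services   map[string]*Service
	Policies   []Policy
}

func (id *Identity) matches(sel string, now time.Time) bool {
	switch {
	case sel == "#all":
		return true
	case strings.HasPrefix(sel, "@"):
		return id.Name == sel[1:]
	case strings.HasPrefix(sel, "#"):
		exp, ok := id.Roles[sel[1:]]
		return ok && (exp.IsZero() || now.Before(exp)) // a lapsed role no longer matches
	}
	return false
}

func (s *Service) matches(sel string) bool {
	if sel == "#all" || sel == "@"+s.Name {
		return true
	}
	for _, r := range s.Roles {
		if sel == "#"+r {
			return true
		}
	}
	return false
}

// Allowed is default-deny: true only if some policy for this action selects both the
// identity (by name or by a role still valid at now) and the service.
func (f *Fabric) Allowed(action, identity, service string, now time.Time) bool {
	id, svc := f.Identities[identity], f.Services[service]
	if id == nil || svc == nil {
		return false
	}
	for _, p := range f.Policies {
		idHit, svcHit := false, false
		for _, sel := range p.IdentityRoles {
			idHit = idHit || id.matches(sel, now)
		}
		for _, sel := range p.ServiceRoles {
			svcHit = svcHit || svc.matches(sel)
		}
		if p.Action == action && idHit && svcHit {
			return true
		}
	}
	return false
}

// Reachable lists every service the identity may dial at now: the blast radius of that identity.
func (f *Fabric) Reachable(identity string, now time.Time) []string {
	out := []string{}
	for name := range f.Services {
		if f.Allowed("Dial", identity, name, now) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// GrantUntil gives an identity a role that lapses at until: just-in-time access that
// revokes itself, with no firewall or infrastructure change on either side.
func (f *Fabric) GrantUntil(identity, role string, until time.Time) {
	f.Identities[identity].Roles[role] = until
}

// Demo builds a constructed two-line plant plus an OEM technician and reports who can dial what.
func Demo() map[string][]string {
	f := &Fabric{
		Identities: map[string]*Identity{
			"plc-line1-tunneler": {Name: "plc-line1-tunneler", Roles: map[string]time.Time{"line1-host": {}}},
			"scada-server":       {Name: "scada-server", Roles: map[string]time.Time{"scada": {}}},
			"oem-tech":           {Name: "oem-tech", Roles: map[string]time.Time{}},
		},
		Services: map[string]*Service{
			"plc-line1-modbus": {Name: "plc-line1-modbus", Roles: []string{"plc", "line1"}},
			"plc-line2-modbus": {Name: "plc-line2-modbus", Roles: []string{"plc", "line2"}},
			"historian":        {Name: "historian", Roles: []string{"it"}},
		},
		Policies: []Policy{
			{"line1-hosting", "Bind", []string{"#line1-host"}, []string{"#line1"}},
			{"scada-polls-plcs", "Dial", []string{"#scada"}, []string{"#plc"}},
			{"oem-services-line1", "Dial", []string{"#oem-line1"}, []string{"#line1"}},
		},
	}
	start := time.Date(2025, 1, 6, 8, 0, 0, 0, time.UTC) // constructed maintenance window start
	f.GrantUntil("oem-tech", "oem-line1", start.Add(2*time.Hour))
	return map[string][]string{
		"oem-tech during window": f.Reachable("oem-tech", start.Add(time.Hour)),
		"oem-tech after window":  f.Reachable("oem-tech", start.Add(3*time.Hour)),
		"scada-server":           f.Reachable("scada-server", start),
		"plc-line1-tunneler":     f.Reachable("plc-line1-tunneler", start), // hosts line 1, dials nothing
	}
}

func main() {
	for who, services := range Demo() {
		fmt.Printf("%-24s -> %v\n", who, services)
	}
}
```

Two things the model makes visible: the tunneler that hosts the line-1 PLC holds a Bind grant only, so compromising it yields no Dial path to the rest of the plant; and the technician’s reach is a single service during the window and nothing after it, without any rule being deleted.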

5. Keep running if the cloud link drops

Local enforcement does not depend on a live connection to the cloud. Plant-to-plant and on-site connectivity continues through an outage, so production keeps moving even when the WAN does not — protecting uptime, safety, and process reliability.

6. Govern centrally and prove compliance

Centralized policy management and immutable logs support investigation, change control, and audit across every site, device, and vendor — mapping directly to IEC 62443, NIS2, NERC/CIP, and the EU Cyber Resilience Act in one consistent framework.

No internet? No problem. Deploy fully air-gapped.

The entire fabric runs on-premises or in a completely air-gapped environment, on commodity hardware you already own — no proprietary appliance to procure, no vendor-hosted cloud to get signed off, and no internet dependency to satisfy a security review. OT teams stand it up and manage it themselves, without a corporate IT project in the critical path.

And what you never have to do

  • No firewall change-control board
  • No VLAN or network redesign
  • No agent certified onto a brittle controller
  • No inbound ports opened or NAT rules
  • No maintenance window or production downtime
  • No truck roll to a remote site

Light enough to embed: the same identity-first connectivity ships built into Siemens SINEC Secure Connect — proof the fabric is engineered to deploy inside industrial infrastructure, not bolted on around it.

Reduce exploitation risk

You Can’t Patch the Legacy HMI. You Don’t Have to Expose It Either.

Operational technology can’t be patched at will, and disclosed ICS vulnerabilities keep rising while purpose-built OT malware like INDUSTROYER.V2 and PIPEDREAM targets the plant floor. NetFoundry doesn’t ask you to fix every flaw — it removes the path an attacker would use to reach it.


Nothing to scan, nothing to hit

Most remote exploits need a reachable listening port. Outbound-only connectivity exposes no inbound port to scan, fingerprint, or send a malicious packet to, so across the fabric the asset is invisible to every unauthorized identity. One caveat a practitioner should keep in mind: a tunneler that fronts a legacy controller does not close the controller's own listening ports on its local segment, so that segment still has to be kept small and restricted for the protection to hold.


A compensating control for what you can’t patch

The vulnerability stays present, but it stops being reachable. Wrapping a legacy controller or an HMI on an unsupported operating system in a zero-trust bubble is a recognized compensating control under IEC 62443 (the standard's own term is compensating countermeasure), language you can take straight to an auditor for the assets you can’t remediate or take offline.


Even if one asset falls, it goes nowhere

Assume an asset is exploited anyway. Identity-based, least-privilege segmentation means the attacker can’t pivot — the blast radius is one machine, not the plant. Exploitation becomes worthless when there is no lateral path to anything else of value.

The result is a measurable drop in exploitability without a single patch, a maintenance window, or an agent on a brittle device — reachability removed, lateral movement contained, and the evidence to prove it.

Ecosystem and standards

The Enforcement Layer Beneath Your CPS Security Stack

Cyber-physical systems protection platforms discover, classify, and detect. NetFoundry enforces — delivering the segmentation and secure connectivity those platforms recommend, and integrating with the discovery, detection, and OEM ecosystem you already run.

Embedded with Siemens

Shipping inside Siemens SINEC Secure Connect

NetFoundry’s identity-first connectivity is embedded directly in Siemens network devices as Siemens SINEC Secure Connect — bringing outbound-only, zero-trust connectivity to industrial infrastructure through one of the world’s largest automation OEMs. It is proof that the fabric is built to be embedded and white-labeled by the vendors your plant already trusts.

  • Zero-trust connectivity native to Siemens network hardware
  • Outbound-only, no inbound ports, no separate agent
  • Embeddable and white-labeled through the OpenZiti SDKs

Complements the platforms, integrates with the stack

NetFoundry is not another discovery or detection tool — it is the connectivity and segmentation layer beneath them. It takes the assets your CPS protection platform finds and enforces least-privilege, identity-based access to them, while feeding session and policy data back into the tools your SOC already uses.

  • Enforces the segmentation that discovery and detection platforms recommend
  • Streams visibility and session data to your SIEM or Elastic stack, or via API
  • Partners with OEMs and integrators across the industrial ecosystem

Built for regulated industrial environments

NetFoundry maps directly to the zone-and-conduit, least-privilege, and audit requirements that OT environments are measured against — one model, one set of evidence, across every site.

IEC 62443, NIS2, NERC/CIP, EU CRA, SOCI, NIST 800-171, DORA, SOC 2 Type II, FIPS, FedRAMP
Key benefits

What You Get with Identity-First OT & IoT Connectivity


Contained blast radius

Identity-based, application-layer segmentation enforces zone-and-conduit boundaries between IT and OT and between machines, so a foothold in IT — or one compromised device — has nowhere to spread onto the plant floor.


No agent on legacy endpoints

A lightweight tunneler fronts brittle controllers without touching them; an embedded SDK covers constrained devices. Even an HMI on an unsupported operating system runs inside a zero-trust bubble — nothing installed on assets you can’t patch.


Assets dark to the internet

Outbound-only connectivity means no inbound ports and no VPN endpoint to attack. OT and IoT assets are invisible to internet scans — reachable only by verified identities, without interfering with operations.


On-prem or fully air-gapped

Run the entire fabric on-premises or in an air-gapped environment on commodity hardware — no proprietary appliances, and no dependency on a vendor-hosted cloud. OT teams manage the overlay without engaging corporate IT.

Keeps running through outages

Local enforcement doesn’t depend on a live cloud link. On-site and plant-to-plant connectivity continues if the WAN drops, protecting uptime, worker safety, and process reliability when it matters most.


One fabric, no tool sprawl

A single platform spans IT, OT, IoT, and embedded devices — segmentation, convergence, and vendor access in one model. It replaces the patchwork of vendor-specific and DIY point tools with one consistent overlay.

FAQ

OT & IoT Connectivity Questions

What is NetFoundry OT & IoT connectivity?
NetFoundry is an identity-first connectivity and segmentation platform for operational technology (OT) and IoT environments. It connects plants, devices, and vendors through an outbound-only overlay that opens no inbound ports and puts no agent on legacy controllers, so OT and IoT assets stay reachable for authorized identities while remaining invisible to the internet. The same fabric spans IT, OT, IoT, and embedded devices and deploys on-premises or fully air-gapped.
How does NetFoundry protect legacy OT assets that can’t be patched?
NetFoundry protects unpatchable OT assets by removing the path an attacker would use to reach them rather than requiring a patch. A lightweight tunneler sits in front of a legacy controller or an HMI running an unsupported operating system, so the asset connects outbound-only with no inbound ports and no software installed on the device itself. The vulnerability remains present but becomes unreachable to unauthorized identities, which serves as a recognized IEC 62443 compensating control for assets that cannot be patched or taken offline.
Does NetFoundry require opening inbound firewall ports or a VPN into the plant?
NetFoundry requires no inbound firewall ports and no VPN into the plant. Every connection is outbound-only: each asset dials out to the overlay, so there is no listening port to scan and no VPN endpoint to attack. This eliminates the standing entry points that VPNs and jump servers create, and lets new connectivity be added without firewall rule changes, VLAN redesigns, or maintenance windows.
How does NetFoundry help meet IEC 62443 and NIS2 requirements?
NetFoundry maps directly to IEC 62443 and NIS2 by enforcing identity-based, zone-and-conduit segmentation with least-privilege access and immutable audit logs. It supports IEC 62443 requirements for identification and authentication, authorization, boundary protection, and audit, and provides a recognized compensating control for unpatchable assets. Centralized policy and logging produce the evidence auditors expect, and the same model also aligns to NERC/CIP and the EU Cyber Resilience Act.
Can NetFoundry be deployed on-premises or in an air-gapped environment?
NetFoundry runs fully on-premises or in a completely air-gapped environment on commodity hardware you already own. There is no proprietary appliance to procure and no dependency on a vendor-hosted cloud, so it satisfies OT security reviews that prohibit outside connectivity. Local enforcement continues even if the WAN or cloud link drops, so plant-to-plant and on-site connectivity keeps running and production is protected during an outage.
How does NetFoundry stop lateral movement between IT and OT?
NetFoundry stops lateral movement by enforcing default-deny, identity-based segmentation between IT and OT and between individual machines. Access is granted by verified identity to a specific service rather than by IP address or network location, so a compromise in IT or a single infected device has no authorized path to spread onto the plant floor. Even if one asset is exploited, the blast radius is contained to that asset because no lateral path exists to anything else.
How does NetFoundry secure remote vendor and OEM access to equipment?
NetFoundry gives each vendor or OEM identity just-in-time, least-privilege access to only the specific equipment it is authorized to service, with no VPN and no open inbound ports. Every session is authenticated by identity and fully recorded for audit, and access is granted and revoked without firewall or infrastructure changes. This replaces broad VPN tunnels and jump servers with a door to one machine rather than the whole plant, and enables remote diagnostics without a truck roll.
How does NetFoundry connect constrained IoT devices at fleet scale?
NetFoundry connects IoT fleets by giving each device its own cryptographic identity through an embeddable SDK or a lightweight tunneler, with no traditional agent, no public IP, and no per-device firewall rules. Devices communicate outbound-only, so they stay invisible to inbound scans, and each endpoint is isolated by default so one compromised device cannot reach the others. The same identity model works across cellular, edge, air-gapped, and roaming deployments, and NetFoundry’s connectivity ships embedded in Siemens SINEC Secure Connect as proof it is built to scale inside industrial products.
Get started

Keep One Breach From Ever Reaching the Plant Floor

See how NetFoundry contains lateral movement, protects the assets you can’t patch, and keeps production running — with no agent on legacy controllers, no inbound ports, and on-premises or air-gapped deployment aligned to IEC 62443 and NIS2.