Securing Branch and OT Environments with Agentless Segmentation

March 10, 2026 | 1:00 PM EDT | Past event

Ransomware groups targeted industrial sectors at unprecedented scale in 2025, disrupting operations at more than 3,300 organizations and exposing the operational and safety risks of unsegmented branch and OT networks.

Key takeaways

  • The number of ransomware groups targeting industrial organizations rose 49% year-over-year in 2025. Attackers exploited weak internal boundaries to pivot from IT into OT, often through VPN appliances or the virtualization layer, causing loss of control and extended downtime without ever touching a PLC.
  • Legacy OT devices and resource-constrained branch endpoints cannot run endpoint agents, so agentless, network-based enforcement is the practical way to apply microsegmentation and block lateral movement without risking performance or compatibility problems.
  • Regulatory pressure such as NIS2 in Europe and evolving zero trust mandates collides with OT realities: segmentation must weigh security gains against operational continuity and must not disrupt safety-critical processes.

Rising OT Exposure

Industrial organizations faced a sharp escalation in threats during 2025, as ransomware groups expanded their focus beyond IT to include operational technology environments. Dragos tracked 119 ransomware groups active against industrial organizations, a 49% increase from 2024, affecting more than 3,300 organizations globally. Manufacturing bore the brunt, accounting for over two-thirds of victims. Many incidents originated in IT but rapidly spread to OT-adjacent systems, such as SCADA-supporting servers or the VMware ESXi hosts running them, resulting in loss of visibility, denial of control, and multi-day outages even when no field device was directly manipulated.

This convergence of IT and OT networks, accelerated by greater connectivity and remote access needs, has turned flat or poorly segmented architectures into high-risk liabilities. Once inside via compromised credentials or vendor tunnels, attackers use built-in or widely deployed administrative tools such as RDP and PsExec to move laterally, exploiting the absence of strong internal controls. Perimeter defenses do nothing against traffic that never crosses the perimeter, which is why the shift toward zero trust principles emphasizes continuous verification and least-privilege access inside the network.

Agentless segmentation has gained prominence because many OT systems—legacy PLCs, SCADA components, and IoT devices in branches—cannot support endpoint agents without voiding warranties, degrading performance, or introducing instability. Network-based enforcement allows isolation of production lines, endpoints, and zones without software installation, limiting breach blast radius in environments where uptime is non-negotiable.

Yet tensions persist. Segmentation demonstrably reduces lateral movement and aids compliance with standards like IEC 62443 and NIS2, but implementing it in OT requires passive, non-disruptive methods (observe and model traffic first, then enforce) so that control commands are never interrupted. Organizations with mature visibility and segmentation contained ransomware incidents far faster, in some cases averaging five days versus a 42-day average elsewhere, which shows the payoff; many organizations still underestimate how far OT ransomware reaches, treating affected systems as ordinary IT endpoints.
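The zone-and-conduit model behind network-based segmentation, and the monitor-first rollout the paragraph above calls for, can be sketched in code. The following is an added example, not code from the event or from any vendor product. The zone address ranges, the allowed conduits, the flow-record format and the sample flows are all constructed for the example; the lateral-movement port list (RDP, SMB for PsExec, WinRM) reflects the tools named earlier on the page. The point it makes is that in "monitor" mode the policy only reports what it would block, so it can run against live traffic without interrupting control commands, and the same policy object is switched to "enforce" once the violation list contains nothing legitimate.

```python
"""Zone/conduit segmentation policy evaluated over flow records (added example).

Zones and conduits follow the IEC 62443 pattern: traffic inside a zone is
permitted; traffic between zones is permitted only over an explicitly
declared conduit. Everything here is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical zone layout (assumed address ranges, not from the page).
ZONES = {
    "it_corp":   ip_network("10.10.0.0/16"),     # office workstations
    "it_dmz":    ip_network("10.20.0.0/24"),      # IT/OT DMZ (jump hosts, relays)
    "ot_super":  ip_network("172.16.10.0/24"),    # SCADA servers, HMIs, historian
    "ot_cell_a": ip_network("172.16.20.0/24"),    # PLCs on production line A
    "ot_cell_b": ip_network("172.16.21.0/24"),    # PLCs on production line B
}

# Allowed conduits: (src_zone, dst_zone) -> permitted (proto, dst_port) pairs.
# IT reaches OT only through the DMZ, and only the supervisory zone talks to cells.
CONDUITS = {
    ("it_corp", "it_dmz"):     {("tcp", 443)},
    ("it_dmz", "ot_super"):    {("tcp", 443)},
    ("ot_super", "ot_cell_a"): {("tcp", 502), ("tcp", 44818)},  # Modbus/TCP, EtherNet/IP
    ("ot_super", "ot_cell_b"): {("tcp", 502), ("tcp", 44818)},
}

# Services attackers typically use to pivot once inside (PsExec rides on SMB/445).
LATERAL_PORTS = {
    ("tcp", 3389): "RDP",
    ("tcp", 445): "SMB/PsExec",
    ("tcp", 5985): "WinRM",
    ("tcp", 5986): "WinRM",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    flow: Flow
    permitted: bool
    reason: str
    lateral: bool  # destination service is a known lateral-movement tool port


def zone_of(ip: str) -> Optional[str]:
    """Return the zone name containing ip, or None for an unclassified host."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'key=value' flow record, e.g. from a NetFlow/firewall export."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def evaluate(flow: Flow) -> Verdict:
    """Apply the zone/conduit policy to one flow and explain the decision."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    service = (flow.proto, flow.dport)
    lateral = service in LATERAL_PORTS
    if src_zone is None or dst_zone is None:
        # Unknown hosts are the first thing a passive rollout should surface.
        return Verdict(flow, False, "unclassified host (no zone assigned)", lateral)
    if src_zone == dst_zone:
        return Verdict(flow, True, f"intra-zone {src_zone}", lateral)
    if service in CONDUITS.get((src_zone, dst_zone), set()):
        return Verdict(flow, True, f"conduit {src_zone}->{dst_zone}", lateral)
    reason = f"no conduit {src_zone}->{dst_zone} for {flow.proto}/{flow.dport}"
    if lateral:
        reason += f" ({LATERAL_PORTS[service]} lateral-movement port)"
    return Verdict(flow, False, reason, lateral)


def apply_policy(lines: List[str], mode: str = "monitor") -> dict:
    """Evaluate flow records. 'monitor' only reports would-be blocks (safe to run
    against live OT traffic); 'enforce' returns the flows to drop."""
    verdicts = [evaluate(parse_flow(line)) for line in lines]
    violations = [v for v in verdicts if not v.permitted]
    return {
        "mode": mode,
        "total": len(verdicts),
        "violations": violations,
        "blocked": violations if mode == "enforce" else [],
        "lateral_cross_zone": [v for v in violations if v.lateral],
    }


# Constructed sample flows: three legitimate paths, an IT workstation hitting the
# SCADA server over RDP and SMB, and a cell-to-cell Modbus session with no conduit.
SAMPLE_FLOWS = [
    "src=10.10.5.7 dst=10.20.0.10 proto=tcp dport=443",
    "src=10.20.0.10 dst=172.16.10.4 proto=tcp dport=443",
    "src=172.16.10.4 dst=172.16.20.31 proto=tcp dport=502",
    "src=10.10.5.7 dst=172.16.10.4 proto=tcp dport=3389",
    "src=10.10.5.7 dst=172.16.10.4 proto=tcp dport=445",
    "src=172.16.20.31 dst=172.16.21.40 proto=tcp dport=502",
    "src=172.16.10.4 dst=172.16.10.9 proto=tcp dport=3389",
]

if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        result = apply_policy(SAMPLE_FLOWS, mode=mode)
        print(f"[{mode}] {result['total']} flows, {len(result['violations'])} violations, "
              f"{len(result['blocked'])} blocked, "
              f"{len(result['lateral_cross_zone'])} cross-zone lateral-movement attempts")
        for v in result["violations"]:
            print(f"  {v.flow.src} -> {v.flow.dst} {v.flow.proto}/{v.flow.dport}: {v.reason}")
```

Two design points carry over to real deployments. First, intra-zone RDP (the last sample flow) is permitted by this policy yet still carries the lateral flag, which is the case microsegmentation within a zone exists to address; the flag is what lets a monitor-mode run surface it before tightening the policy. Second, an unclassified host is treated as a violation rather than silently allowed, because a device nobody has placed in a zone is exactly the kind of forgotten asset that ransomware pivots through.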

Geopolitical factors compound the urgency, with new threat groups like Kamacite and Sylvanite mapping access paths and handing off footholds for deeper intrusions, often tied to regional conflicts or supply-chain targeting.
