Can Zero Trust cut OT downtime without disrupting production SLAs? Industrial sites run fragile stacks: Modbus, BACnet, OPC-UA, Profinet. They also include headless and air-gapped devices, strict compliance, and tight budgets.
For IoT/OT Zero Trust, agent-based solutions install endpoint software to collect deep telemetry and enforce policies. Network-based solutions infer device behavior from traffic and gateways. Agent-based suits granular control and full protocol support; network-based fits headless or legacy devices.
The comparison below covers latency, CPU/RAM, bandwidth, protocol parsing limits, TCO, migration runbooks, and SIEM/SOAR patterns. Expect mapped recommendations for procurement, pilots, and migration runbooks.
Comparative quick
The following table compares measurable criteria across enforcement models so decision makers can choose by clear metrics.
| Criterion |
Agent-based |
Network DPI/Gateway |
Hybrid (Sidecar + DPI) |
| Protocol parsing (score 0-5) |
4–5 (full function codes) |
2–4 (drops with TLS or tunneling) |
4 (sidecars cover gaps) |
| Enforcement granularity |
Process/file/command level |
Flow/port/session level |
Command level at gateways |
| Device install rate required |
>95% device agentable for full coverage |
0% install required |
Sidecars on 60–90% of non-agentable devices |
| Avg CPU delta on constrained devices |
1–7% CPU; 5–50 MB RAM |
N/A on device; gateway uses 10–40% CPU |
Sidecar adds 2–5% CPU; gateway 5–10% CPU |
| Added latency (per hop) |
0.2–6 ms at host agent |
1–10 ms for DPI/gateway |
0.5–6 ms combined |
| Feasible for headless devices |
No, unless vendor agent exists |
Yes, via passive taps or gateways |
Yes, preferred for mixed fleets |
| 3-yr TCO estimate (relative) |
High initial, medium OPEX |
Medium initial, lower OPEX |
Medium initial, medium OPEX |
Decision flow
Step 1: Measure agentability and device types.
Step 2: Run a 4–8 week pilot for parsing and latency.
Step 3: Pick agent, network, or hybrid based on thresholds.
Key numbers
95% agentable
7% CPU limit
This section gives concrete pilots and procurement gates.
Agent-based enforcement
Agent-based enforcement installs software on each device to collect telemetry. Agents enforce policies locally and offer device attestation. They work when network visibility is incomplete.
When to choose agents
Agents fit when devices can host software and when controls must act on commands. Choose agents if more than 95% of devices are agentable. Also choose agents when latency budgets tolerate per-host processing.
Real advantages and measurable gains
Agents supply the richest telemetry for forensics and SIEM correlation. Agents cut mean time to detect when paired with device identities. Expect agent CPU impact between 1% and 7% on constrained hosts.
This step validates agent overhead under load.
Limitations and common mistakes
Assuming agents cause zero operational risk is a frequent error. Deploying agents without stress testing caused CPU spikes and PLC timeouts in two industrial sites.
Agents cannot cover headless PLCs, serial-only devices, or vendor-locked appliances. Where devices cannot run an agent, use external collectors and protocol translation.
Passive fingerprinting (MAC/OUI, TCP/IP heuristics, timing patterns) with periodic active polling from a hardened gateway gives attribution and endpoint telemetry without installing software. Serial-to-Ethernet bridges and protocol gateways can mirror or proxy control traffic into a DPI or sidecar. Sidecars near PLC clusters or at I/O concentrators offer attestation and command inspection without touching devices.
For immutable devices use read-only mirroring plus out-of-band write-controls in gateways with human approvals.
Operational constraints like latency sensitivity on cyclic I/O, retransmission on serial links, and vendor safety certifications must be validated in lab tests that emulate jitter and packet loss. Proxies and gateways can change timing and error behavior more than lightweight host agents.
Network-based enforcement
Network-based enforcement inspects traffic with DPI, passive taps, or gateways to infer device behavior. This model requires no device software and suits headless or legacy equipment. Parsing fidelity varies widely across vendors.
When network enforcement works well
Use network enforcement where device modification is impossible or not allowed. Network tools work for broad segmentation and flow policy enforcement. They scale without device changes and reduce initial installation windows.
Parsing limits for OT protocols
Network DPI often decodes OPC-UA and Profinet when cleartext is present. Decoding drops for Modbus and BACnet when TLS or tunneling exists. Expect parsing to vary between 40% and 90% depending on tooling and encryption.
Operational blind spots and errors
Believing agentless equals full visibility is a common mistake. Passive monitoring misses encapsulated or out-of-band management traffic. Network enforcement cannot block command semantics inside encrypted sessions without termination or sidecar translation.
Deep protocol-specific analysis matters because each industrial protocol has unique parsing challenges. For example, Modbus TCP exposes function codes and register addresses that DPI can decode when traffic is cleartext. Modbus RTU over serial or vendor tunnels becomes invisible to network DPI without a protocol proxy.
BACnet/IP uses broadcast discovery and fragmentation that can inflate false positives unless DPI reassembles NPDU packets and understands object types. OPC-UA runs on TCP/4840 or HTTPS/TLS; native cleartext allows semantic inspection, while secure channels need gateway termination or sidecar translation.
Profinet mixes real-time I/O frames with RTP messages. Effective parsing requires link-layer awareness and often vendor certification for inline insertion. Including per-protocol notes reduces ambiguity for procurement and pilot design and sets measurable parsing targets per protocol.
Hybrid: sidecars, gateways and fallbacks
Hybrid architectures combine host agents, sidecars, and network gateways to cover parsing and enforcement gaps. Hybrids aim to reach protocol-aware control for most assets. They preserve non-intrusive coverage for legacy devices.
Sidecar and gateway patterns
Place sidecars near PLC clusters to perform attestation and command inspection. Use in-line gateways for protocol translation and enforcement when host agents are not feasible. One-way diodes enable telemetry export from air-gapped segments without control risk.
When hybrid is decisive
Hybrid is decisive when more than 10% of devices are headless or vendor-locked. Hybrids reduce blind spots and provide fallback enforcement. An anonymous midwestern power plant used sidecars and covered 87% of legacy endpoints with under 3 ms added latency.
Hybrid constraints and cost drivers
Gateways add hardware and integration tasks and require vendor certification for inline insertion. Plan maintenance windows and rollback paths, since physical insertion can affect cycle timing. Expect gateway hardware costs to dominate initial capital expenses.
Air-gapped reference architectures must balance strict one-way data flow with the need to inspect telemetry in a SOC.
- A common pattern is a local OT collection zone where agents, sidecars, and DPI gateways capture telemetry and store short-term packet buffers.
- A data diode or one-way transfer appliance moves sanitized indicators to a DMZ collector that feeds SIEM via batched, signed transfers.
- For command-level enforcement inside the cell, place inline protocol proxies or certified gateways that implement read/write gating with human escalation.
- For SIEM integration, use a pull model on the DMZ or a hardened jump server that exports compressed, time-bounded logs. This avoids persistent inbound channels into the cell.
Sizing examples: full packet capture of a 1 Gbps OT trunk (about 10 TB per month) can be reduced by local DPI retention policies and event extraction. Plan local buffer retention that covers the maximum vendor safety review window, commonly two to six weeks. Ensure offline attestation workflows (signed firmware hashes, periodic operator checkpoints) are documented to preserve safety and forensic value.
This guidance supports procurement and pilot RFPs.
How to choose by situation
Choose architecture by five measurable inputs: percent agentable devices, allowed latency, protocol mix, maintenance windows, and compliance requirements. Map each input to quantitative thresholds for trial acceptance. This method creates a defensible procurement requirement set.
Record percent agentable devices, percent encrypted east-west traffic, allowed added latency in ms, maintenance window hours per month, and regulatory constraints. Use these inputs to score agent, network, and hybrid suitability.
Thresholds and go/no-go rules
If agents can be installed on more than 95% of devices and agent CPU stays below 7%, prefer agents for command enforcement. If headless devices exceed 10% or air gaps exist, prefer hybrid or gateway-first approaches. If 99th-percentile latency increases beyond the site’s control-loop SLA, pause enforcement changes and investigate.
Specify control-loop latency per device class in procurement so vendor latency claims are judged against the actual SLA. Vendor claims for DPI or gateways often show 1–10 ms under load; judge those claims against the real SLA.
The evidence points to a short pilot for nearly every site: a 4–8 week scoped assessment validates coverage and performance before production enforcement.
What no one tells you about OT ZT
Network tools frequently miss critical command semantics when OT protocols run over TLS or vendor tunnels. Gateways and sidecars are often required to reconstruct function codes. This reality changes expected coverage statistics from vendor claims.
Hidden integration work
Mapping device identity to operational roles demands inventory enrichment and manual validation. Automatic discovery alone misses serial-connected assets and custom vendor stacks. Expect two to six weeks of manual asset reconciliation for medium-sized plants.
Vendor and safety cycles
Vendors often require certifications for inline changes to controllers and HMIs. Safety review cycles can add four to twelve weeks to projects. Attempting real-time enforcement without vendor signoff has caused outages in documented cases.
A practical benchmark: full packet capture of a 1 Gbps OT segment consumes roughly 10 TB per month, and a DPI gateway under peak load can add 1–10 ms of latency per hop. Use these numbers to size storage and latency SLAs in pilot RFPs.
Measure agent overhead and DPI impact before wide rollout. Capture CPU, RAM, added latency, capture bandwidth, and false positive rates over a minimum 30-day baseline. These measurements determine safe enforcement thresholds and rollback triggers.
Benchmarks to collect
Collect agent idle and operational CPU and memory usage and periodic telemetry spikes over 30 days. Measure 99th-percentile latency for control loops before and after gateway insertion. Track false positives and tune thresholds to keep FP under 5%.
SIEM and SOAR integration
Ingest agent telemetry, DPI session metadata, and asset attributes into the SIEM normalized schema. Create SOAR playbooks that isolate devices via NAC, segmentation gateway, or API-driven firewall rules. Require vendors to demonstrate similar reductions during the pilot.
In one documented integration, automated triage workflows reduced manual alert handling by about 60%. Reduction rates vary by environment, rule quality, and SIEM tuning. Include this as an illustrative result and require vendors to show comparable results during the pilot.
This section lists measurable metrics for vendor claims.
Migration runbook: week‑by‑week
A controlled migration follows four stages: asset inventory, pilot in monitor mode, progressive enforcement, and full production. Each stage has measurable gates and rollback criteria. Following this runbook aims to minimize unplanned downtime.
Week 0–2: inventory and classification
Perform inventory with protocol mapping and agentability tags. Classify devices by timing SLA, protocol, and vendor safety constraints. Define pilot cell and concrete KPIs for latency and false positives.
Week 3–8: pilot and tuning
Deploy sidecars or agents in monitor mode on pilot assets and gateways on selected segments. Tune detection rules until false positives drop below 5% and latency stays within SLA. Validate operator acceptance across two maintenance windows.
Week 9–16: staged enforcement
Enable graduated enforcement policies and maintain immediate rollback images. Use human approvals for any policy that blocks control commands. Escalate only after two weeks of stable telemetry and operator sign-off.
Rollback and maintenance
Define rollback triggers: 99th-percentile latency increase greater than 2 ms, control I/O errors above 0.1%, or operator-reported failures within 24 hours. Maintain vendor-approved rollback images and rehearsed restore steps during planned downtime.
Synthesis and recommended architecture
For most industrial sites, a hybrid architecture provides the best balance of visibility, enforcement, and operational risk. Hybrids allow function-level enforcement where agents are possible and protocol-aware gateways where agents are not. Map pilot metrics to procurement requirements and require vendors to validate latency and parsing claims under expected load.
Short checklist for procurement
Require vendors to disclose per-protocol parsing success rates, agent CPU and RAM footprints, and expected added latency. Include mandatory 4–8 week pilots with production traffic and operator acceptance gates. Require integration points for SIEM ingestion and SOAR actioning.
The legal and standards landscape supports Zero Trust adoption in OT. NIST SP 800-207 (2020) defines the Zero Trust model. Executive Order 14028 (2021) and the CISA Zero Trust Maturity Model (2021) provide federal guidance for phased adoption. See NIST guidance for architecture references NIST SP 800-207.
Teams preparing an RFP or pilot should request a scoped pilot assessment of four to eight weeks to validate coverage, latency, and protocol parsing under production conditions.
Frequently asked questions
Is agent-based zero trust viable for constrained devices?
Agent-based is viable when agents consume under 7% CPU and under 50 MB RAM on constrained devices. If those limits are exceeded, use sidecars or gateways for control-plane enforcement.
Can network DPI parse Modbus, BACnet, OPC-UA and other OT protocols?
Parsing success varies widely by protocol and encryption status, from about 40% to 90% in field tests. Encrypted sessions and proprietary encapsulation reduce parsing fidelity.
Agents provide rich event detail and file and command context, while network tools supply session metadata and flow records. Combine both feeds into the SIEM and normalize to a shared schema for effective automated playbooks.
What is the typical pilot duration to validate an OT Zero Trust deployment?
A scoped pilot should run between four and eight weeks with production traffic. The pilot must validate protocol parsing, false positive rate, latency, and operator approval across at least two maintenance windows.
When should a pure network approach be avoided?
Avoid pure network enforcement when more than 10% of assets are headless and when command-level enforcement is required for safety. If command semantics must be blocked, agents or sidecars are necessary.
How should compliance influence the choice?
Choose the model that most directly demonstrates required controls and auditability for your regulatory framework; require vendors to map their features to specific compliance requirements and to validate compliance evidence during the pilot.