Can agentless Zero Trust cut OT/ICS downtime and cost without adding operational risk? Yes. Agentless Zero Trust can work when devices block agents, uptime limits exist, or third parties own equipment.
Is agentless viable for your OT/ICS?
Viability rests on observable protocol metadata and on the lack of mandatory host enforcement. A practical threshold is that at least 70% of assets must be observable on the network before relying on agentless controls.
Who benefits from an agentless approach
Sites with large fleets of read‑only or vendor‑managed devices gain immediate value. These include water treatment, substations, and some manufacturing cells. Agentless cuts on‑device change and vendor coordination time.
This applies when master‑client relationships stay stable and session context exists on the wire. Many legacy RTUs and PLCs meet that need for Modbus, DNP3 and OPC UA.
The most common error at this point is assuming agentless equals full host control without testing for proprietary extensions.
A common field case is supplier‑owned PLCs that prohibit agents; this forces passive monitoring only and requires contractual changes to allow control enforcement.
Minimum telemetry thresholds to require
Require at least 70% protocol decode coverage of critical assets before enforcement. If coverage is lower, run policy simulation for 30 days. Measure session context completeness and device identifier accuracy.
If decode coverage reaches 95% for a segment, proceed to limited enforcement. If not, plan host telemetry or vendor integration to close the gap.
Visibility & control matrix by protocol
A protocol matrix listing observable and enforceable capabilities clarifies tradeoffs fast. For each protocol include flow visibility, packet decode, session context, host telemetry, active control, and typical latency impact.
Create the matrix before procurement and require vendors to show measured coverage. The data requirement often separates vendors who decode packets from those who only tag flows.
The error many teams make is buying on promises rather than measured decode coverage.
Suggested matrix columns and semantics
List columns as: Protocol | Network flow | Packet decode | Session context | Host telemetry | Active control | Latency impact | Notes. Populate flags and numeric latency ranges. This makes vendor claims testable.
Example rows for critical protocols
Protocols differ materially. Modbus often exposes function codes but lacks host telemetry. OPC UA often supports session context and mutual TLS.
| Protocol |
Agentless Visibility |
Agentless Control |
Agent‑based Control |
Typical Latency Impact |
| Modbus (TCP/RTU) |
Packet decode yes. Function codes visible. No host metrics. |
Limited. Inline policy enforcement needed for write blocking. |
Full control including remediation and process checks. |
Passive: less than 0.1 ms. Inline policy adds 0.5 to 10 ms median. Deep packet modify can raise median to 5 to 50+ ms. |
| DNP3 |
Good session context for master polls. No host telemetry. |
Partial. Most effective with master whitelists. |
Full enforcement via host or agent‑assisted PDP. |
Passive: less than 0.1 ms. Inline: 1 to 30 ms. |
| OPC UA |
Session decode and TLS context often available. |
Strong when mutual TLS and user identity exist. |
Strong host enforcement and user MFA. |
Passive: less than 0.2 ms. Inline: 0.5 to 10 ms. |
| IEC 61850 / MMS |
High semantic content. Timing is critical. |
Constrained. Avoid inline in critical loops. |
Preferred for safety systems with host agents. |
Passive: less than 0.2 ms. Inline: 5 to 50+ ms. |
A clear, neutral comparison between agentless and agent‑based Zero Trust clarifies tradeoffs. Agentless excels at rapid discovery, network telemetry, protocol decode coverage and non‑intrusive enforcement where session context and function codes exist. Agent‑based approaches give richer host telemetry, endpoint attestations, local remediation and forensic artefacts that agentless cannot reliably provide.
In practice a hybrid posture often appears: agentless for broad visibility and microsegmentation. Agents cover signed attestations, kernel enforcement and direct remediation.
Measured latency and throughput impact
Passive, tap‑based sensors usually add negligible median latency. Inline proxies or packet modify appliances add measurable delay. The difference decides whether a segment is enforcement‑ready.
Measure median, jitter and 99th percentile latency for each control loop. Control loops often fail if latency rises by more than 10% or by more than 5 ms absolute. Define those thresholds with operations before enforcement.
Run tests at expected message rates and sizes and include retransmit effects. The lab number will not match the field. Always validate in the production topology.
Benchmarks to run in your topology
Test PLC to RTU loops, SCADA master polls, and HMI to PLC transactions. Capture baseline median, 95th and 99th percentile latency across duty cycles. Run each test for at least 24 hours to cover scheduled operations.
Rollback thresholds tied to latency
Set rollback triggers such as median latency increase over 10% or 5 ms absolute. Also trigger rollback for packet loss above baseline plus 0.1% or increased retransmits that cause control errors. Automate bypass for inline devices.
Measured latency ranges by deployment mode
Passive (tap)
median less than 0.1 ms
Inline (passive policy)
median 0.5 to 10 ms
Inline (active modify)
median 5 to 50 ms
Measure each bar in your control topology before enforcement.
True TCO and ROI for agentless deployments
Real TCO goes beyond license fees and appliances. Field commissioning, test windows, third‑party coordination, and ongoing SOC/OT staffing usually add 30 to 70 percent to procurement. Measure those costs explicitly.
Typical payback ranges between 12 and 36 months when incident reduction and operational savings are realistic. Savings come from fewer manual audits, faster detection, and reduced incident impact. Use those drivers in financial models and recalculate after a 90‑day pilot.
The legal and procurement effort often surprises engineering teams. Allocate contract amendment effort and vendor negotiation time as discrete line items. Forrester and vendor case studies have shown this trend over time.
TCO line items to include
Include software licenses, per‑site sensors, engineering commissioning hours, scheduled test windows, contractual changes, SOC/OT monitoring FTEs, and rollback contingency funds. Count these in the first procurement cycle.
Drivers include MTTR reduction, fewer compliance fines, and avoided unplanned downtime. Recompute payback after a 90‑day pilot. An explicit worked cost scenario helps turn percentages into budgets. A mid‑sized site with 200 ICS devices, one SCADA master and one control LAN might see first‑year costs like: platform license $50,000; passive sensors $15,000; commissioning 400 hours at $150/hr equals $60,000; SOC/OT 0.5 FTE $40,000; testing and contingency $20,000; subtotal $185,000. A 40 percent field premium raises first‑year TCO to about $259,000.
If annual avoided downtime and incident costs average $150,000 and MTTR improves 40 percent, annual benefit equals about $60,000. Simple payback is about four to five years. If a single avoided outage saves $250,000, payback compresses to one to two years.
Stepwise pilot & rollback playbook
A staged pilot cuts operational risk and shows where agents are required. Follow phases: discovery, simulation, canary enforcement, and scale‑out with clear gates for each phase. Each phase has numeric acceptance criteria.
The most common error is skipping the simulation phase and enabling enforcement too soon. Skipping simulation raises false positives and risks disruptive alarms. Phase gates protect operations and provide measurable decision points.
Define rollback criteria numerically and automate bypass where possible. Typical rollback triggers include latency increases above 10 percent or 5 ms absolute, false positive volumes above thresholds, or process alarms up more than 15 percent. Restore baseline in a defined MTTR window, typically two hours for bypass restoration.
Phase gates and acceptance tests
Phase 1: passive discovery for at least 30 days. Phase 2: policy modeling and simulation for 30 days. Phase 3: canary enforcement on non‑SIS segments for 60 days. Phase 4: scale to critical segments with operations signoff.
Concrete rollback criteria and timelines
Rollback if median latency rises over 10 percent or over 5 ms. Rollback if false positives exceed one per device per day. Rollback if process alarms increase by more than 15 percent.
Protocol segmentation templates
Segmentation policies must be explicit and minimal. Whitelist master addresses, permit specific function codes, and enforce strict rate limits. Concrete templates cut misconfiguration risk and unexpected process impact.
This works well in theory, but in practice teams often under‑test function code restrictions and break vendor diagnostics. Test each policy in simulation mode for at least 30 days to validate behavior.
Policy templates should be integrated into change control and emergency procedures. Keep policies auditable and versioned.
Modbus policy template with function
text
Policy: Modbus_RW_Production
Allow: SCADA_master_IPs -> PLC_IPs
Permit function codes: 3 (Read Holding Registers), 4 (Read Input Registers), 16 (Write Multiple Registers)
Block: diagnostic and device‑config function codes (e.g., 8, 43)
Rate limit: max 10 requests/sec per session
Logging: all write attempts and blocked function codes
OPC UA and DNP3 policy snippets
text
Policy: OPCUA_Control
Require mutual TLS and specific endpoint CN
Whitelist methods: Read, Browse, Subscribe, Write for approved session users
Session timeout: 60s
Rate limit: per‑endpoint limits as tested
Policy: DNP3_Master
Allow only master IPs to poll class 0/1/2 as required
Disallow unsolicited where not used
Enforce master whitelists and message rate ceilings
Compliance mapping: NIST, IEC, CISA, NERC
Agentless capabilities map to many network and segmentation controls in standards. NIST SP 800‑207 (2020) and NIST SP 800‑82 provide architectural and ICS guidance. For certain regulatory controls the network layer often needs complementary identity and host attestations.
Map network enforcement to NIST SP 800‑207 controls for least privilege and microsegmentation. Map asset inventory and zone definitions to ISA/IEC 62443 zones and conduits. CISA published its Zero Trust Maturity Model, and it guides identity, device and network layers.
If rules require endpoint remediation, agentless alone will not suffice. For example, some NERC CIP controls expect host telemetry or remote remediation capabilities. Neglecting this gap creates audit risk and failed compliance checks.
Direct mappings to NIST and IEC
Map segmentation and PDP/PEP behavior to NIST SP 800‑207 controls for least privilege. Map asset inventory and zone definitions to ISA/IEC 62443 requirements for zones and conduits. Use the CISA maturity model as an operational guide.
Gaps that need host or process controls
Agentless lacks reliable endpoint integrity attestations and some forensic artefacts. Where regulation demands host‑level remediation or signed attestations, agents or vendor APIs become mandatory. Neglecting this gap causes audit failures.
Avoid agentless‑first when host‑level controls are mandatory, when endpoint remediation is required, when device owners prohibit agents, or when control loops cannot tolerate added latency. In these cases, combine agentless monitoring with host agents or vendor integrations and document contractual obligations with third parties.
Consider a pilot limited to non‑SIS segments with explicit rollback triggers before any broad enforcement. This balances risk and progress and reduces the chance of operational disruption.
Map agentless capabilities directly to common regulatory expectations to remove ambiguity. CISA’s Zero Trust Maturity Model emphasizes layered identity, device and network controls. Network tools can satisfy the network layer and aid asset inventory, but they rarely provide signed device attestations or full host forensic logs.
NERC audiences should note that network segmentation, flow logging and detection of anomalous SCADA master behavior are supportable agentlessly. Controls that require endpoint remediation evidence, patch proof or signed file records usually demand host agents or vendor attestations.
IEC 62443 focuses on zones and conduits. Agentless microsegmentation maps well to conduit enforcement and monitoring. Achieving higher security levels often requires host integrity measures and local enforcement.
Synthesis and recommended next steps
Agentless Zero Trust is worth it when network telemetry covers most assets and when agent install is impractical. It saves time and reduces vendor coordination. Still, it gives less host control and may leave visibility gaps.
Run a 90‑day pilot with clear gates and a 30‑ to 60‑day simulation phase. Include latency tests, decode coverage metrics, and compliance checks. Require vendors to show measured decode and a simulation mode.
Prefer a hybrid posture: agentless for broad discovery and segmentation, agents where signed attestations or remediation are mandatory. Budget a 30 to 70 percent field premium and set procurement acceptance criteria that include measured decode and rollout rollback plans.
Frequently asked questions
What is agentless Zero Trust for OT/ICS?
Agentless Zero Trust enforces network and protocol controls without installing host software. It uses packet decode, flow logs and protocol context to make access decisions. It trades host telemetry for low deploy cost and low device impact.
How reliable is agentless detection for Modbus and DNP3?
Detection is reliable when packet decode covers session context and function codes. Require at least 70 percent decode coverage for critical assets before enforcement. If coverage is below 70 percent, run a 30‑day simulation.
Can agentless meet NERC or IEC audit requirements?
Agentless can meet many network and segmentation requirements. It cannot supply endpoint remediation proof and signed attestations. Where audits demand those items, agents or vendor attestations become mandatory.
How long should a pilot run?
A recommended pilot runs 90 days with phased gates. Phase 1 is 30 days of passive discovery. Phase 2 is 30 days of simulation. Phase 3 is 60 days of canary enforcement on non‑SIS segments.
What latency tests are required before enforcement?
Measure median, 95th and 99th percentile latency, jitter, and packet loss under real message rates. Run tests at least 24 hours per duty cycle and repeat in production topology.
When should the team choose agents over agentless?
Choose agents when endpoint remediation, kernel enforcement, or signed attestations are required. Also choose agents when control loop latency cannot tolerate inline enforcement delays.
Final checklist and procurement guardrails
Require vendors to demo measured protocol decode and to run a 90‑day simulation mode. Include a protocol matrix, latency benchmarks, pilot gates, and rollback triggers in contracts. Budget field commissioning and vendor change orders as explicit line items.
The NIST SP 800‑207 publication provides architecture guidance and should map to your policy design. See NIST SP 800‑207 (2020) for reference: NIST SP 800-207 (2020).
If readiness and visibility checks pass, start a hybrid pilot focused on non‑SIS segments. Use measured gates and numeric rollback criteria before wide enforcement.