
Firewall


A firewall is a network security device that filters traffic between segments based on a rule set. Rules operate on the 5-tuple: source IP, destination IP, source port, destination port, and protocol. Stateful firewalls track session state; next-generation firewalls add application identification. Both are standard components of IT perimeter defense.

Why firewalls fail in OT

Port-level filtering collapses in industrial environments. Four reasons:

Function-code blindness. A Modbus TCP session on port 502 carries function code 03 (read holding registers) and function code 06 (write single register) in the same MBAP framing; only one byte in the PDU differs. A port-level or stateful firewall never looks at that byte, and application identification that stops at "this is Modbus" does not either. An engineer's diagnostic read and a command that changes a valve setpoint are identical at the port level, so restricting port 502 to an allowlist of source IPs still admits every write those sources send.

Flat networks inside the zone. A firewall at the IT/OT boundary provides a perimeter. Inside the OT zone, the network is typically flat — every host can reach every other host. A compromised HMI can pivot to any PLC on the segment because there is nothing between them.

Inline operational risk. OT change control rarely permits inline devices that can drop packets, reboot for firmware updates, or fail under load. Most manufacturers prohibit inline deployments during production. A firewall that must sit in the traffic path is a deployment that never gets scheduled.

Identity-free rules. Firewall rules bind to IPs. IPs drift as devices get replaced, DHCP renews, or segments re-IP. A rule set written in 2020 against IPs from 2020 is a rule set that has been wrong for years.

What OT environments need instead

The pattern that replaces port-level firewalls in modern OT security is proxy-based enforcement with three properties:

  1. Protocol-aware filtering. The enforcement point decodes Modbus, DNP3, EtherNet/IP, and OPC UA at the command level, allowing reads while blocking writes, or restricting writes to specific register ranges. This needs a decoder per protocol, and an OPC UA session that is signed and encrypted end to end can only be inspected by a proxy that terminates the secure channel.
  2. Identity-bound rules. Policies bind to authenticated users or device identities, not IP addresses. Rules survive device replacement and re-IP events.
  3. Non-inline deployment. The enforcement point connects to the network without sitting in the production traffic path, so powering it off restores prior network behavior. The corollary is that it filters only traffic steered through it, so the design has to close the direct path to the asset (the micro-DMZ role below) or that path stays unfiltered.

This is the role of a micro-DMZ, a protocol-filtering proxy, or a zero-trust overlay. The firewall still exists at the enterprise perimeter. The OT enforcement point sits deeper, closer to the asset, and understands the protocol.
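The following Python is an added example, not code from this page or from Trout. It parses a Modbus TCP request, shows that a 5-tuple rule returns the same verdict for a read and a write on port 502 (the function-code blindness described above), and then applies an identity-bound, protocol-aware policy that allows reads, permits writes only inside a register range, and denies everything else (properties 1 and 2 above). The frames, IP addresses, identity names, register ranges and policy tables are constructed for illustration.

```python
"""Added example: 5-tuple filtering versus protocol-aware, identity-bound
filtering of Modbus TCP. Frames, addresses, identities and policy tables
below are constructed for illustration, not captured from a real network."""
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# Public Modbus function codes used here.
FC_READ_HOLDING = 0x03    # read holding registers
FC_WRITE_SINGLE = 0x06    # write single register
FC_WRITE_MULTIPLE = 0x10  # write multiple registers


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int  # registers touched (always 1 for FC 06)


def build_request(tid: int, unit: int, fc: int, start: int,
                  qty: int = 1, value: int = 0) -> bytes:
    """Build a constructed Modbus TCP request: MBAP header + PDU."""
    if fc == FC_READ_HOLDING:
        pdu = struct.pack(">BHH", fc, start, qty)
    elif fc == FC_WRITE_SINGLE:
        pdu = struct.pack(">BHH", fc, start, value)
    elif fc == FC_WRITE_MULTIPLE:
        pdu = struct.pack(">BHHB", fc, start, qty, 2 * qty)
        pdu += struct.pack(">%dH" % qty, *([value] * qty))
    else:
        raise ValueError("unsupported function code 0x%02x" % fc)
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the PDU of an FC 03/06/16 request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, data = frame[7], frame[8:]
    if fc == FC_READ_HOLDING:
        start, qty = struct.unpack(">HH", data[:4])
    elif fc == FC_WRITE_SINGLE:
        start, _value = struct.unpack(">HH", data[:4])
        qty = 1
    elif fc == FC_WRITE_MULTIPLE:
        start, qty, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * qty or len(data) != 5 + byte_count:
            raise ValueError("FC 16 byte count does not match quantity")
    else:
        raise ValueError("function code 0x%02x not handled in this example" % fc)
    return ModbusRequest(tid, unit, fc, start, qty)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


# Hypothetical port-level rule: two engineering hosts may reach the PLC on TCP/502.
PORT_RULES = [
    {"src": {"10.0.10.20", "10.0.10.21"}, "dst": "10.0.20.5", "dport": 502, "proto": "tcp"},
]


def port_level_decision(flow: Flow) -> str:
    """What a 5-tuple firewall sees: it never looks past the TCP header."""
    for r in PORT_RULES:
        if (flow.src_ip in r["src"] and flow.dst_ip == r["dst"]
                and flow.dst_port == r["dport"] and flow.proto == r["proto"]):
            return "allow"
    return "deny"


# Hypothetical policy keyed on an authenticated identity, not an IP address.
# write_ranges lists inclusive holding-register ranges the identity may write.
PROTOCOL_POLICY: Dict[str, Dict] = {
    "hmi-operator": {"read": True, "write_ranges": [(100, 110)]},
    "diag-tool": {"read": True, "write_ranges": []},
}


def protocol_decision(identity: str, req: ModbusRequest) -> str:
    """Allow reads; allow writes only inside the identity's register ranges."""
    policy = PROTOCOL_POLICY.get(identity)
    if policy is None:
        return "deny: unknown identity"
    if req.function_code == FC_READ_HOLDING:
        return "allow" if policy["read"] else "deny: reads not permitted"
    if req.function_code in (FC_WRITE_SINGLE, FC_WRITE_MULTIPLE):
        last = req.start_address + req.quantity - 1
        # The whole written span must fit inside one permitted range.
        if any(lo <= req.start_address and last <= hi for lo, hi in policy["write_ranges"]):
            return "allow"
        return "deny: write to registers %d-%d outside permitted ranges" % (req.start_address, last)
    return "deny: function code 0x%02x not permitted" % req.function_code


def compare(identity: str, flow: Flow, frame: bytes) -> Tuple[int, str, str]:
    """Return (function code, port-level verdict, protocol-aware verdict)."""
    req = parse_modbus_tcp(frame)
    return req.function_code, port_level_decision(flow), protocol_decision(identity, req)


if __name__ == "__main__":
    flow = Flow("10.0.10.21", "10.0.20.5", 49152, 502, "tcp")
    frames = [
        build_request(1, 1, FC_READ_HOLDING, 100, qty=8),              # diagnostic read
        build_request(2, 1, FC_WRITE_SINGLE, 105, value=1500),         # setpoint write
        build_request(3, 1, FC_WRITE_MULTIPLE, 108, qty=4, value=0),   # spills past 110
    ]
    for ident in ("diag-tool", "hmi-operator"):
        for f in frames:
            print(ident, compare(ident, flow, f))
```

All three frames come from an allowlisted source on TCP/502, so the port-level rule allows all of them. The protocol-aware policy allows the read for both identities, denies every write from the read-only diagnostic tool, allows the operator's single-register write at 105, and denies the multi-register write that starts inside the permitted range but spills past register 110.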

Compliance context

NIST SP 800-171 Rev 2 control 3.13.6 requires denying network communications traffic by default and allowing it by exception. IEC 62443 zones and conduits require explicit definitions of the flows permitted between zones. CMMC Level 2 inherits the 800-171 requirement. A port-level firewall can satisfy all three in IT environments. In OT environments, where the same port carries both reads and writes, a port-level allow rule admits the write traffic it was meant to exclude, so none of the three is satisfied in substance by port-level filtering alone.

Access Gate connection

Access Gate provides the OT enforcement point that replaces the role a firewall cannot fill — protocol-aware, identity-bound, non-inline, deployed as a micro-DMZ around individual assets. See Industrial DMZ Design Patterns.