Deny-by-default is the network enforcement posture in which all traffic is blocked unless a specific rule allows it. It is the inverse of the allow-by-default posture that characterizes most greenfield OT networks — where any host on the segment can reach any other host unless something has been explicitly blocked.
Why deny-by-default matters in OT
OT networks are historically flat. A PLC on the shop floor accepts connections from any host on the segment. Measurement stations, conveyor controllers, and test rigs have no firewall, no allowlist, and no connection filter. When the integrator wired the plant, the default posture was "make it work" — and the network inherited an implicit allow-everything rule.
This posture fails every modern compliance framework. NIST SP 800-171 Rev 2 control 3.13.6 requires denying network communications by default and allowing by exception. IEC 62443 zones and conduits require explicit flow definitions between zones. CMMC Level 2 inherits the 800-171 requirement. None of these can be satisfied by a network that lets anything talk to anything.
What deny-by-default looks like in practice
Three properties:
- Every flow has an explicit rule. If no rule matches, traffic drops. The flow table is finite and auditable.
- Rules bind to identity, not IP. A rule says "engineering workstation accounts can reach PLC-01 on Modbus function code 03," not "192.168.10.5 can reach 192.168.20.12 on port 502." IP-based rules age into misconfiguration; identity-based rules age into policy.
- Denials are logged. Dropped traffic produces an audit event. This gives the SOC a signal when something attempts a flow that shouldn't exist.
The operational cost
Deny-by-default is harder to deploy than allow-by-default because it forces the network owner to enumerate every legitimate flow. In a 15-year-old brownfield facility, nobody remembers all the flows. This is where passive asset discovery becomes a prerequisite: build a baseline of actual communication patterns, convert the observed patterns to explicit rules, then flip the posture.
Deploying deny-by-default without a baseline is how production incidents happen. Deploying it with a baseline produces a clean policy that reflects what the plant actually does.
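The three properties above (explicit finite rule set, identity-bound rules, logged denials) and the baseline-to-rules procedure, as a small added example in Python. It is not Access Gate's code; the flow model (principal, asset, protocol, function code), the observation-count threshold and the sample baseline are all constructed for illustration.

```python
"""Deny-by-default flow policy for an OT segment (added example, not Access Gate code).
A flow is (principal, asset, protocol, function). Observed baseline flows are
converted into an explicit allow set; anything that does not match an allow
rule is dropped and recorded as an audit event. All values below are constructed."""
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Flow:
    principal: str   # identity the rule binds to (an account or role, not an IP)
    asset: str       # target asset, e.g. "PLC-01"
    protocol: str    # e.g. "modbus"
    function: int    # Modbus function code, e.g. 3 = Read Holding Registers


# Constructed sample baseline from passive discovery: (flow, times observed)
BASELINE = [
    (Flow("eng-workstation", "PLC-01", "modbus", 3), 412),
    (Flow("eng-workstation", "PLC-01", "modbus", 16), 9),
    (Flow("historian", "PLC-01", "modbus", 3), 1880),
    (Flow("historian", "PLC-02", "modbus", 3), 1790),
    (Flow("test-rig", "PLC-02", "modbus", 6), 1),   # seen once; review before allowing
]


def baseline_to_rules(baseline, min_count=2):
    """Turn observed flows into a finite, auditable allow set.
    Flows seen fewer than min_count times are left out so a single stray
    connection in the capture window does not silently become policy."""
    return frozenset(flow for flow, seen in baseline if seen >= min_count)


class DenyByDefaultPolicy:
    def __init__(self, allow_rules):
        self.allow = allow_rules
        self.audit_log = []   # one event per denied flow, for the SOC

    def evaluate(self, flow):
        """Allow only on an explicit rule match; otherwise drop and log."""
        if flow in self.allow:
            return "ALLOW"
        self.audit_log.append({"action": "DENY", **asdict(flow)})
        return "DENY"


if __name__ == "__main__":
    policy = DenyByDefaultPolicy(baseline_to_rules(BASELINE))
    print(policy.evaluate(Flow("eng-workstation", "PLC-01", "modbus", 3)))   # ALLOW
    print(policy.evaluate(Flow("eng-workstation", "PLC-02", "modbus", 16)))  # DENY
    print(policy.audit_log[-1])
```

Lowering `min_count` to 1 would admit the one-off test-rig write into policy, which is the kind of flow the text says should be reviewed rather than baselined blindly.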
Related terms
- Zero Trust Architecture
- Zero Trust in OT
- Network Segmentation
- Passive Asset Discovery (OT)
- Micro-DMZ
Access Gate connection
Access Gate enforces deny-by-default at the identity layer — every flow is explicitly allowed by policy, every denial is logged, and the baseline rule set is derived from passive discovery of the production network before enforcement begins. See Zero Trust Access Control for OT.

