At the SANS Winter Cyber Solutions Fest 2026: Utilities and Critical Infrastructure event, runZero CEO HD Moore’s presentation proposed a simple but uncomfortable premise: the air gap is dead, and the illusion of segmentation is very much alive.

Attackers exploit edge device zero-days, abuse forgotten cellular backup links, and pivot through multi-homed systems that quietly route around every control you've deployed. The tools most teams rely on, including passive monitoring, vulnerability scanners, and OEM software, consistently miss the exposure paths that matter most.

In his presentation, Segmentation Theater, HD breaks down how to address these gaps. Below, we’ve highlighted several key failure modes and what you can do about them. 

The thing protecting your OT environment is also the thing attackers walk through first

Firewalls are the load-bearing wall of OT segmentation. They show up at every Purdue level, and they work…right up until they don't. Mandiant looked back at a full year of OT incident response and found that roughly 30% of those incidents started with initial access through a perimeter security device. Palo Alto, Ivanti, Fortinet, the products we've spent years deploying to protect these environments, were the top three compromised entry points. The attackers aren't looking for some exotic OT-specific exploit. They're using a Fortinet zero-day and walking right in.

The structural problem here is that when you deploy a single firewall vendor from your enterprise zone all the way down to Level 2, you haven't built defense in depth; you've built a single control that spans everything. An authentication bypass at the top collapses the whole stack. Layering vendors helps, but it doesn't solve the underlying issue, which is that firewalls have become both the most critical and the most attacked component in OT networks. They need to be treated like assets you actively monitor, not infrastructure you set and forget.

Your devices are routing between zones you're trying to keep separate

A device that has two network connections, a wired OT segment and guest Wi-Fi for example, can route traffic between them without a single packet ever touching your firewall. No alert. No log entry. Just quiet, invisible bridging.

We did research on how many devices have IP forwarding enabled by default and the honest answer is: most of them, including printers, smart TVs, and ESP32-based IoT hardware. We had a harder time finding devices that didn't have it on than ones that did. The situation gets worse when developers install tools like Docker on workstations that sit on OT-adjacent segments. Docker enables IP forwarding across all interfaces as a side effect of its virtual networking. The developer doesn't know they've just turned their workstation into a multi-interface router. Nobody told them that was a firewall configuration problem they now own.

At scale, these unintended connections compound fast. In a network of 30 devices the path graph is already messy. In an enterprise with thousands of employees and dozens of OT sites, you've effectively got one big hairball where any point can reach any other in a hop or two.
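The bridging described above is easier to reason about as a graph: every network segment is a node, and every multi-homed host with forwarding enabled is an edge between the segments its interfaces sit on. The script below is an added example, not runZero's code or tooling; it runs over a constructed inventory (the host names, segment names and forwarding flags are all invented) and reports which hosts bridge segments without being sanctioned routers, how far a foothold in one segment can reach, and how many forwarding hops separate two segments that the diagram says are isolated.

```python
"""Map the cross-zone paths that multi-homed, forwarding-enabled hosts create.

Added illustration, not runZero code. The inventory is constructed; it models a
device export of the kind an asset inventory would produce (host, the segment
each interface is attached to, whether kernel IP forwarding is on).
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    zones: tuple              # one entry per interface: the segment it is attached to
    ip_forward: bool          # net.ipv4.ip_forward / net.ipv6.conf.all.forwarding state
    sanctioned: bool = False  # True only for devices that are supposed to route


# Constructed inventory mirroring the cases in the text: a workstation where
# Docker switched forwarding on, a printer shipped with it on, a dual-homed HMI.
HOSTS = [
    Host("fw-core", ("enterprise", "corp-lan"), ip_forward=True, sanctioned=True),
    Host("dev-ws-07", ("ot-level3", "guest-wifi"), ip_forward=True),  # Docker side effect
    Host("printer-2f", ("corp-lan", "ot-level3"), ip_forward=True),   # vendor default
    Host("hmi-01", ("ot-level2", "ot-level3"), ip_forward=True),
    Host("historian", ("ot-level3",), ip_forward=False),
    Host("plc-01", ("ot-level2",), ip_forward=False),
]


def unsanctioned_bridges(hosts):
    """Hosts that forward packets between segments without any firewall seeing them."""
    return [h.name for h in hosts
            if h.ip_forward and len(set(h.zones)) > 1 and not h.sanctioned]


def build_zone_graph(hosts, sanctioned_only=False):
    """Undirected graph over segments: an edge wherever a forwarding host touches both."""
    graph = {}
    for h in hosts:
        for z in h.zones:
            graph.setdefault(z, set())
        if not h.ip_forward or (sanctioned_only and not h.sanctioned):
            continue
        for a in h.zones:
            for b in h.zones:
                if a != b:
                    graph[a].add(b)
    return graph


def hops_between(graph, src, dst):
    """Fewest forwarding hosts a packet crosses from src to dst; None if isolated."""
    if src == dst:
        return 0
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        zone, dist = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt == dst:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def reachable_zones(graph, src):
    """Every segment reachable from src: the blast radius of a foothold there."""
    seen, queue = {src}, deque([src])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {src}


if __name__ == "__main__":
    actual = build_zone_graph(HOSTS)
    intended = build_zone_graph(HOSTS, sanctioned_only=True)
    print("unsanctioned bridges:", unsanctioned_bridges(HOSTS))
    for zone in ("guest-wifi", "enterprise"):
        print(f"{zone}: intended reach {sorted(reachable_zones(intended, zone))}, "
              f"actual reach {sorted(reachable_zones(actual, zone))}, "
              f"hops to ot-level2 = {hops_between(actual, zone, 'ot-level2')}")
```

With the sanctioned-only graph, guest Wi-Fi reaches nothing and the enterprise zone never reaches Level 2; with the real forwarding state, guest Wi-Fi is two hops from the PLC segment and the enterprise zone three. Feeding a real inventory in is the only change needed: the forwarding flag comes from sysctl on Linux hosts, and from vendor defaults or an active query for embedded devices.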

The least-secure thing on your network is often the thing managing everything else

Serial console servers, KVM-over-IP switches, and IPMI interfaces are everywhere in OT environments. They exist because you need a way to get remote access to hardware that can't otherwise be managed remotely. They're also consistently the worst-secured devices in the building. Across MOXA, Digi, Pi KVM, SuperMicro IPMI, runZero has found unauthenticated session access, insecure proprietary protocols, and hardcoded credentials. These are consumer-grade bugs sitting directly in front of hardened industrial equipment.

SuperMicro IPMI is a good example of how slowly this problem moves. California passed a law requiring device manufacturers to ship with unique passwords instead of hardcoded defaults. SuperMicro now ships with a password derived from your device serial number. Progress. They also still ship with IPMI and RAKP enabled by default, which is enough for an attacker to dump and crack credentials remotely without any exploitation at all. The attacker doesn't need to go after your hardened server. They go after the KVM attached to its serial port, and they're in.

IPv6 is already on your network & you're probably not watching it

A quick count on a modern laptop turns up 28 active network interfaces, the majority of them IPv6. This is normal. What's not normal is that most teams are only writing firewall rules for IPv4. A device with solid IPv4 filtering and no equivalent IPv6 rules may be exposing databases, fileshares, and credential stores to anyone on the same subnet through its IPv6 address, an address nobody is scanning for, and that doesn't show up in any normal monitoring.

Recently, a customer using runZero was flagged for having a device with a public IP. The customer looked at it and said that was impossible: they knew every public IP on their network. It was a packet capture server that was supposed to be completely internal. It had a global IPv6 address assigned by the upstream ISP router that nobody had ever noticed. The device was globally reachable in a way the customer had no visibility into whatsoever. This is not an unusual story. Shodan has indexed over 200 million IPv6 addresses, partly by running NTP servers that quietly log the source address of anything that syncs to them. Your OT devices might already be in there.
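Both halves of this section, the unnoticed global IPv6 address and the IPv4-only firewall rules, can be checked on a Linux host from two command outputs. The script below is an added example, not runZero's code; it parses constructed samples of `ip -o -6 addr` output and of `iptables-save` / `ip6tables-save` dumps (the addresses, prefixes and rules are invented), lists the interfaces holding an internet-routable IPv6 address, and reports where the IPv6 table is weaker than the IPv4 table for inbound traffic.

```python
"""Audit a Linux host for IPv6 exposure that IPv4-only firewall rules leave open.

Added illustration, not runZero's code. The `ip -o -6 addr` listing and the
iptables-save / ip6tables-save dumps below are constructed samples; on a real
host, feed in the live command output instead.
"""
import ipaddress
import re

# Constructed, abbreviated `ip -o -6 addr` output. 2001:db8::/32 is the
# documentation prefix and stands in here for a real ISP-delegated prefix.
IP6_ADDR_OUTPUT = """\
1: lo    inet6 ::1/128 scope host
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
2: eth0    inet6 2001:db8:4f00:1::1a/64 scope global dynamic
3: docker0    inet6 fd42:c0ff:ee00::1/64 scope global
"""

# Constructed: the IPv4 table restricts SSH, SMB and PostgreSQL to management
# hosts and drops everything else by default ...
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.20.0.0/24 -j ACCEPT
-A INPUT -p tcp --dport 445 -s 10.20.0.0/24 -j ACCEPT
-A INPUT -p tcp --dport 5432 -s 10.20.0.10/32 -j ACCEPT
COMMIT
"""

# ... while the IPv6 table was never written beyond the distribution defaults.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses: not internet-routable
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+(\w+)")
POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)")
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*?)\s+-j\s+(\w+)")


def globally_routable_ipv6(ip_output):
    """(iface, address) pairs the internet could route to.

    Scope 'global' alone is not enough: ULA prefixes also report scope global,
    so they are filtered explicitly. IPv6Address.is_global is avoided because
    it also rejects the 2001:db8::/32 documentation prefix used in the sample.
    """
    found = []
    for line in ip_output.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        iface, raw, scope = m.groups()
        addr = ipaddress.IPv6Address(raw)
        if scope != "global" or addr.is_link_local or addr.is_loopback or addr in ULA:
            continue
        found.append((iface, raw))
    return found


def parse_save(text):
    """Parse iptables-save format into chain default policies and a list of rules."""
    policies, rules = {}, []
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            policies[m.group(1)] = m.group(2)
        elif m := RULE_RE.match(line):
            chain, match, target = m.groups()
            proto = re.search(r"-p\s+(\w+)", match)
            dport = re.search(r"--dport\s+(\d+)", match)
            src = re.search(r"-s\s+(\S+)", match)
            rules.append({"chain": chain, "target": target,
                          "proto": proto.group(1) if proto else None,
                          "dport": int(dport.group(1)) if dport else None,
                          "src": src.group(1) if src else None})
    return policies, rules


def ipv6_parity_findings(v4_text, v6_text):
    """Where the IPv6 table is weaker than the IPv4 table for inbound traffic."""
    v4_pol, v4_rules = parse_save(v4_text)
    v6_pol, v6_rules = parse_save(v6_text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if v4_pol.get(chain) in ("DROP", "REJECT") and v6_pol.get(chain) == "ACCEPT":
            findings.append(("policy", chain, v4_pol[chain], "ACCEPT"))
    v6_ports = {(r["proto"], r["dport"]) for r in v6_rules if r["dport"]}
    for r in v4_rules:
        # source-restricted over IPv4 but with no IPv6 rule for the same port at all
        if (r["chain"] == "INPUT" and r["dport"] and r["src"]
                and (r["proto"], r["dport"]) not in v6_ports):
            findings.append(("port", r["proto"], r["dport"]))
    return findings


if __name__ == "__main__":
    print("internet-routable IPv6:", globally_routable_ipv6(IP6_ADDR_OUTPUT))
    for finding in ipv6_parity_findings(IPTABLES_SAVE, IP6TABLES_SAVE):
        print("finding:", finding)
```

On the sample data the audit reports one routable address on eth0 (the link-local, loopback and Docker ULA addresses are ignored), a default-ACCEPT INPUT and FORWARD policy for IPv6 where IPv4 drops, and three services whose source restriction exists only in the IPv4 table. The same check belongs in configuration management for every host that has both address families, which is effectively all of them.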

So what can you do? It goes beyond monitoring

Passive monitoring alone won't catch any of this. Span port captures don't see traffic that bypasses your choke points. They don't find multi-homed devices. They don't surface link-local IPv6 paths. Vulnerability scanners will tell you whether your firmware is out of date, but they won't tell you whether your network is bridged in ways it shouldn't be.

This is the problem runZero was built to solve. We use safe, active scanning designed specifically for fragile OT environments to query devices and have them report back everything: all interfaces, all IP addresses, IPv4 and IPv6, secondary NICs, VPN adapters, cellular connections. We cross-reference internal fingerprints against our internet-wide scan data so you can find out if something internal is externally reachable without having to start from the internet side. We find the bridges, the unexpected management interfaces, the IPv6 exposure, the out-of-band hardware that's been forgotten in a rack somewhere.

The point isn't that these problems are unfixable. It's that you can't fix what you can't see. The first step is knowing what's actually on your network, not the diagram version, the real one.


Written by runZero Team

Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!
