Protocol isolation is an access control model designed to prevent direct protocol-level connectivity between a remote user and an operational technology asset. Instead of extending network access to a user or device, protocol isolation mediates interaction at the protocol boundary and delivers access through an isolated session.
What protocol isolation isolates is protocol execution itself. Native OT access protocols such as RDP, SSH, VNC, and web-based management interfaces are terminated at a controlled gateway and are never exposed beyond their intended security zone.
This distinction matters in OT environments because most OT security incidents do not depend on novel exploits. They depend on legitimate protocols being reachable from places they were never meant to be reachable. When protocols are exposed across zones, they become vectors for lateral movement, credential misuse, and unintended command execution.
Protocol isolation ensures that a user interacts with a session, not a host, subnet, or protocol stack.
Key takeaway: Protocol isolation isolates protocol execution from user connectivity, eliminating direct protocol exposure rather than relying on network trust or endpoint posture.
Traditional remote access relies on tunneling technologies that create a persistent network path between a remote device and internal systems. Once a tunnel is established, any protocol reachable within that scope becomes reachable from the remote endpoint.
In IT environments, this risk may be mitigated with endpoint controls, frequent patching, and dynamic segmentation. In OT environments, those mitigations are constrained by deterministic communication requirements, legacy platforms, safety certifications, and limited tolerance for change.
When a tunnel exists in an OT environment:
The core failure is not authentication. The failure is protocol reachability. Once a protocol is reachable, it can be misused in ways that identity controls alone cannot prevent.
Protocol isolation removes the tunnel entirely. There is no routable path between the user device and the OT network.
Key takeaway: Network-based access fails in OT because it exposes protocols; protocol isolation succeeds by removing protocol reachability altogether.
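The reachability difference described above can be made concrete by evaluating both designs as first-match firewall policies. The block below is an added example written for this page, not Xona code; the address ranges (a remote-user pool, an OT DMZ holding the gateway, an OT zone holding the assets) and the port list are constructed. The VPN policy is what a tunnel into the OT zone amounts to; the isolation policy is what a protocol-isolation deployment asks the zone boundary to enforce.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (not from the page):
#   10.200.0.0/24  remote-user address pool (VPN client pool or user LAN)
#   10.50.1.10     protocol-isolation gateway in the OT DMZ (10.50.1.0/24)
#   10.50.0.0/24   OT zone holding HMIs, engineering workstations and PLCs
NATIVE_PORTS = {22: "ssh", 502: "modbus/tcp", 3389: "rdp", 5900: "vnc"}

# Rules are (src_net, dst_net, dst_port or None for any port, action);
# first match wins and anything unmatched is denied.
VPN_POLICY = [
    # A tunnel extends the network: once up, every port in scope is reachable.
    ("10.200.0.0/24", "10.50.0.0/16", None, "allow"),
]

ISOLATION_POLICY = [
    # Users reach only the gateway, and only over HTTPS.
    ("10.200.0.0/24", "10.50.1.10/32", 443, "allow"),
    # The gateway alone originates native-protocol sessions into the OT zone.
    ("10.50.1.10/32", "10.50.0.0/24", 3389, "allow"),
    ("10.50.1.10/32", "10.50.0.0/24", 22, "allow"),
    ("10.50.1.10/32", "10.50.0.0/24", 5900, "allow"),
]


def evaluate(policy, src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a single TCP flow under a first-match policy."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, rule_port, action in policy:
        if s in ip_network(src_net) and d in ip_network(dst_net) and rule_port in (None, port):
            return action
    return "deny"


def reachable_native_ports(policy, src: str, dst: str) -> set:
    """Native OT protocol ports on dst that src can reach directly under the policy."""
    return {p for p in NATIVE_PORTS if evaluate(policy, src, dst, p) == "allow"}


def exposure_report(policy, user: str, assets: list) -> dict:
    """Map each asset to the protocol names a user device can reach on it directly.

    An empty list for every asset is the property protocol isolation is meant
    to provide: no protocol path from the user device into the OT zone."""
    return {a: sorted(NATIVE_PORTS[p] for p in reachable_native_ports(policy, user, a))
            for a in assets}


if __name__ == "__main__":
    user, assets = "10.200.0.7", ["10.50.0.21", "10.50.0.30"]
    print("vpn:      ", exposure_report(VPN_POLICY, user, assets))
    print("isolation:", exposure_report(ISOLATION_POLICY, user, assets))
    print("gateway -> hmi rdp:", evaluate(ISOLATION_POLICY, "10.50.1.10", "10.50.0.21", 3389))
```

Under the VPN policy the user device reaches every native port on every asset, including Modbus/TCP on the PLC, without any authentication failure along the way. Under the isolation policy the same device reaches nothing but TCP 443 on the gateway. The corollary is worth checking in a real deployment: the gateway-to-OT rules should list only the ports and destinations the gateway actually brokers, because the gateway is now the one host with a protocol path into the zone.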
| Feature | Traditional VPN | Protocol Isolation (Xona) |
| --- | --- | --- |
| Connection type | Network-layer tunnel | Session-level mediation |
| Trust model | Relies on endpoint trust | Zero Trust (no endpoint trust required) |
| User experience | Requires client/agent installation | 100% agentless (browser-based) |
| Security risk | Allows lateral movement | Blocks lateral movement via protocol break |
| Credential safety | Credentials handled by the user | Credential injection (user never sees the password) |
| Audit detail | Connection logs only | Full session video recording and keystroke logging |
Protocol isolation prevents protocol abuse by terminating and re-originating sessions at a controlled boundary, rather than forwarding protocol traffic end to end.
When a user initiates access, the inbound connection is terminated at the isolation gateway using HTTPS or TLS. The gateway then establishes a separate, localized session to the target OT asset using the required native protocol. At no point does the user device communicate directly with the OT asset or participate in protocol negotiation.
Only the rendered output of the session is delivered to the user, typically as a visual stream. User inputs such as keystrokes and mouse movements are transmitted as controlled interaction events, not as protocol packets.
Because protocol traffic never crosses the boundary, exploit payloads cannot be delivered to the asset as protocol traffic, the user device cannot scan or fingerprint the asset, and command channels cannot be repurposed. Even if a user device is compromised, there is no protocol path available to exploit. What remains exposed is the session itself: a compromised device can still drive the rendered session with whatever rights that session carries, so session authorization, session recording, and hardening of the gateway, which now holds the only protocol path to the asset, remain necessary controls.
Key takeaway: Protocol isolation breaks the attack chain by separating protocol execution from user connectivity and preventing protocol traffic from crossing security boundaries.
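The data path described in this section, modelled in plain Python as an added example (not Xona code). The user-channel message format (small JSON interaction events), the screen geometry, and the simulated asset are constructed for illustration; a real gateway would speak RDP, SSH or VNC to the asset and stream pixels back. What the model shows is the boundary check: only validated keystroke and pointer events are applied to the native session the gateway holds, and anything else on the user channel, including raw protocol bytes, is dropped at the gateway and never reaches the asset.

```python
import json
from dataclasses import dataclass, field

NAMED_KEYS = {"Enter", "Tab", "Backspace", "Escape"}
SCREEN_W, SCREEN_H = 1920, 1080  # assumed rendered-frame geometry


@dataclass
class SimulatedAsset:
    """Stand-in for the OT host on the far side of the gateway's native session."""
    name: str
    protocol: str
    line: str = ""
    history: list = field(default_factory=list)

    def key(self, key: str) -> None:
        if key == "Enter":
            self.history.append(self.line)
            self.line = ""
        elif key == "Backspace":
            self.line = self.line[:-1]
        elif len(key) == 1:
            self.line += key  # Tab and Escape are accepted but do nothing here

    def render(self) -> str:
        return "\n".join(self.history + [f"{self.name}> {self.line}"])


@dataclass
class IsolatedSession:
    user: str
    asset: SimulatedAsset
    rejected: list = field(default_factory=list)  # payloads dropped at the boundary


def parse_event(payload: bytes):
    """Return a normalised interaction event, or None if the payload is not one.

    Only a JSON object of type 'key' (one printable character or a named key)
    or 'pointer' (on-screen coordinates) passes. Raw protocol bytes, malformed
    JSON and strings smuggled inside a key event all fail here."""
    try:
        event = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(event, dict):
        return None
    if event.get("type") == "key":
        key = event.get("key")
        if isinstance(key, str) and (key in NAMED_KEYS or (len(key) == 1 and key.isprintable())):
            return {"type": "key", "key": key}
    elif event.get("type") == "pointer":
        x, y = event.get("x"), event.get("y")
        if isinstance(x, int) and isinstance(y, int) and 0 <= x < SCREEN_W and 0 <= y < SCREEN_H:
            return {"type": "pointer", "x": x, "y": y}
    return None


class ProtocolBreakGateway:
    def __init__(self) -> None:
        self.sessions: dict = {}

    def open_session(self, session_id: str, user: str, asset: str, protocol: str) -> None:
        # The gateway, not the user device, holds the native-protocol connection.
        self.sessions[session_id] = IsolatedSession(user, SimulatedAsset(asset, protocol))

    def handle_user_message(self, session_id: str, payload: bytes) -> bool:
        """Apply one user-channel message; True if accepted, False if dropped."""
        sess = self.sessions[session_id]
        event = parse_event(payload)
        if event is None:
            sess.rejected.append(payload)
            return False
        if event["type"] == "key":
            sess.asset.key(event["key"])
        return True

    def frame_for_user(self, session_id: str) -> str:
        """Only rendered output travels back toward the user device."""
        return self.sessions[session_id].asset.render()


def demo() -> dict:
    """Constructed traffic: one legitimate command, then four things a
    compromised user device might push across the channel."""
    gw = ProtocolBreakGateway()
    gw.open_session("s1", "alice", "hmi-01", "ssh")
    legit = [json.dumps({"type": "key", "key": c}).encode() for c in "uptime"]
    legit.append(b'{"type": "key", "key": "Enter"}')
    hostile = [
        b"SSH-2.0-OpenSSH_9.6\r\n",                  # raw SSH banner
        bytes.fromhex("0300002b26e00000000000"),     # TPKT/X.224 prefix of an RDP connection request
        b'{"type": "raw", "bytes": "..."}',           # JSON, but not a permitted event type
        b'{"type": "key", "key": "rm -rf /"}',       # a string smuggled into a key event
    ]
    accepted = sum(gw.handle_user_message("s1", m) for m in legit + hostile)
    sess = gw.sessions["s1"]
    return {"accepted": accepted, "rejected": len(sess.rejected), "frame": gw.frame_for_user("s1")}
```

The point of the `parse_event` allowlist is that the user channel has no way to express a protocol message at all: the SSH banner and the RDP connection request are not rejected by a signature, they simply are not events. Note what the model does not prevent: the seven legitimate keystrokes ran a command on the asset, because that is what the session is for. Which commands a session may run is a question for authorization and recording, not for the protocol break.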
Where Is Protocol Isolation Enforced in a Real OT Architecture?
Protocol isolation is enforced at architectural boundaries where access must cross zones with different trust, ownership, or operational responsibility.
Common enforcement points include:
These locations are chosen because they represent trust transitions. At these transitions, exposing protocols creates disproportionate risk.
Because protocol isolation is enforced at the gateway, it does not require changes to PLCs, controllers, or legacy operating systems.
Key takeaway: Protocol isolation is most effective when enforced at zone boundaries where protocol exposure would otherwise occur.
Identity verification is necessary, but insufficient, for securing OT access. Identity systems determine who is allowed to connect. They do not control how access is exercised once authentication succeeds.
In OT environments, credentials are often shared, reused, or embedded into workflows. Even when MFA is present, authenticated users may still have broad protocol access that exceeds their operational need.
Protocol isolation addresses this gap through credential injection. After a user is verified through existing identity providers and MFA systems, the isolation gateway retrieves the required credentials from a secure vault and injects them directly into the isolated session.
The user never sees, handles, or stores the credentials. Credentials cannot be reused outside the session, and a stolen password alone cannot grant access, because the asset is reachable only from the gateway and the gateway only presents credentials inside a session it has authorized. Access becomes bound to identity, session, and asset context.
Key takeaway: Identity verifies users; protocol isolation controls how authenticated access is exercised.
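The credential-injection flow in this section, modelled as an added example that is not Xona code. The vault contents, the entitlement map (standing in for group claims from the identity provider), the gateway address and the simulated asset are all constructed; a real deployment would read from a secrets manager and authenticate with the native protocol. The model makes the three properties above checkable: the response to the user carries a session handle but no secret, the audit trail records who used which account on which asset without recording the secret, and a vault secret copied to a user device is useless because the asset accepts sessions only from the gateway.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

GATEWAY_ADDR = "10.50.1.10"  # assumed gateway address; assets accept sessions only from here

# Constructed vault contents: asset -> (service account, secret). Readable by the gateway only.
VAULT = {
    "hmi-01": ("svc_hmi_ops", "Hm1-0p3r4t0r-s3cret"),
    "eng-ws-02": ("svc_eng", "Eng1n33r1ng-s3cret"),
}

# Constructed entitlements, as they would arrive from the identity provider's group claims.
ENTITLEMENTS = {"alice": {"hmi-01"}, "bob": {"eng-ws-02"}}


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class SimulatedAsset:
    """Stand-in for an OT host. It verifies the credential the gateway presents and,
    modelling the conduit firewall rules, accepts sessions only from the gateway."""
    name: str
    account: str
    password_hash: str
    allowed_sources: set

    def login(self, account: str, password: str, source: str) -> bool:
        if source not in self.allowed_sources:
            return False
        return account == self.account and hmac.compare_digest(sha256(password), self.password_hash)


@dataclass
class SessionBroker:
    assets: dict
    audit: list = field(default_factory=list)

    def open_session(self, user: str, mfa_verified: bool, asset_name: str) -> dict:
        """Verify identity and entitlement, then log in with a vaulted credential.
        The returned dict is what the user channel receives: a handle, never a secret."""
        if not mfa_verified or asset_name not in ENTITLEMENTS.get(user, set()):
            self.audit.append({"user": user, "asset": asset_name, "result": "denied"})
            raise PermissionError(f"{user} is not entitled to {asset_name}")
        account, password = VAULT[asset_name]
        handle = secrets.token_urlsafe(24)
        ok = self.assets[asset_name].login(account, password, source=GATEWAY_ADDR)
        self.audit.append({"user": user, "asset": asset_name, "account": account,
                           "session": handle, "result": "opened" if ok else "login_failed"})
        if not ok:
            raise RuntimeError(f"gateway could not authenticate to {asset_name}")
        return {"session": handle, "asset": asset_name, "account": account}


def contains_vault_secret(obj) -> bool:
    """True if any vaulted secret appears anywhere in a JSON-serialisable structure."""
    text = json.dumps(obj)
    return any(secret in text for _, secret in VAULT.values())


def demo() -> dict:
    assets = {name: SimulatedAsset(name, acct, sha256(pw), {GATEWAY_ADDR})
              for name, (acct, pw) in VAULT.items()}
    broker = SessionBroker(assets)
    response = broker.open_session("alice", True, "hmi-01")
    # A vault secret copied to the user's laptop (10.200.0.7) is useless on its own.
    stolen_ok = assets["hmi-01"].login("svc_hmi_ops", "Hm1-0p3r4t0r-s3cret", source="10.200.0.7")
    try:
        broker.open_session("alice", True, "eng-ws-02")  # not in alice's entitlements
        cross_asset_ok = True
    except PermissionError:
        cross_asset_ok = False
    return {
        "response_has_secret": contains_vault_secret(response),
        "audit_has_secret": contains_vault_secret(broker.audit),
        "stolen_secret_works": stolen_ok,
        "cross_asset_allowed": cross_asset_ok,
        "audit_entries": len(broker.audit),
    }
```

Two design points carry over to real deployments. The audit record keeps the service account name next to the human identity, so a shared OT account stops hiding who used it. And the "stolen secret is useless" property is only true while the conduit rules really do restrict the asset to the gateway; if a second path into the zone exists, the vaulted secret protects nothing.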
Protocol isolation reduces risk by constraining protocol behavior rather than relying on endpoint trust or network segmentation.
By mediating sessions and removing protocol reachability, organizations can:
These risks persist even when users are authenticated. Protocol isolation operates after identity verification to control how access is used.
Key takeaway: Risk reduction comes from limiting protocol exposure, not from increasing authentication strength alone.
IEC 62443 defines requirements for controlling communication between security zones using secure conduits. Protocol isolation provides a technical enforcement mechanism that aligns with these requirements.
Relevant foundational requirements include:
Protocol isolation supports compliance efforts by enabling enforcement and visibility. It does not assert compliance by default or replace governance processes.
Key takeaway: Protocol isolation enables enforceable controls that align with IEC 62443 without relying on compliance assumptions.
| Standard | Requirement | How Isolation Satisfies It |
| --- | --- | --- |
| IEC 62443 FR 5 | Restricted data flow (zone and conduit segmentation) | Protocol break: no raw protocol traffic crosses the conduit; only the gateway originates native-protocol sessions into the zone. |
| IEC 62443 FR 2 | Use control | Credential injection and per-session authorization: only entitled identities reach assets, and the account used is recorded per session. |
| NERC CIP-005 R2 | Interactive Remote Access | The gateway acts as the Intermediate System, so the remote device never directly accesses the asset, with MFA and session logging enforced at the gateway. |
OT environments impose constraints that limit the use of endpoint-based security controls. Protocol isolation is designed to operate within these constraints.
Key characteristics include:
Because isolation occurs outside the OT asset, it does not interfere with certifications, safety logic, or operational stability.
Key takeaway: Protocol isolation is operationally viable because it avoids endpoint modification and unpredictable behavior.
Protocol isolation is often confused with adjacent controls because these technologies are frequently layered together.
Network segmentation restricts paths but still exposes protocols within reachable zones. Traditional application proxies forward protocol traffic. Identity systems verify users. Protocol isolation differs by terminating protocol sessions and controlling protocol execution after authentication.
Confusion arises because these controls address different layers of the access problem.
Key takeaway: Protocol isolation is distinct because it controls protocol execution, not just access paths or identities.
Protocol isolation mediates protocol execution rather than extending network reachability. Removing direct protocol exposure reduces lateral movement, credential misuse, and malware propagation. Isolation is enforced at architectural trust boundaries such as industrial DMZs and secure conduits. Credential injection removes passwords from human workflows and binds access to session context. Agentless deployment allows adoption without modifying OT assets or operations. Protocol isolation aligns with IEC 62443 principles through enforceable technical controls.
Protocol isolation replaces VPN-based remote access for interactive OT access. It does not replace site-to-site networking where persistent connectivity is operationally required.
No. Protocol isolation is enforced at the gateway and does not require agents, software installation, or configuration changes on OT assets.
Yes. Protocol isolation is commonly used to provide controlled vendor and OEM access without exposing internal networks or protocols.
Because only session rendering data is transmitted, latency is typically predictable and suitable for interactive use in OT environments.
The compromise is contained to the isolated session. Protocol access, lateral movement, and direct command channels are not exposed. An attacker on that device can still act through the rendered session with the rights of that session, which is why session authorization and recording matter even when the device itself is untrusted.
File transfers are handled through managed workflows at the gateway, where files can be inspected, controlled, and released into the session.
Yes. Protocol isolation integrates with existing identity providers and MFA tools and applies OT-specific enforcement after authentication.
Protocol isolation supports enforcement, visibility, and auditability aligned with these frameworks but does not assert compliance by default.
An access control model that mediates protocol execution by terminating sessions at a gateway and delivering interaction through isolated sessions.
Enforcement of protocol behavior at a boundary separating user devices from OT assets.
Delivery of session output as visual data rather than raw protocol traffic.
Automated insertion of credentials into an isolated session without exposing them to the user.
A monitored communication path between security zones as defined by IEC 62443.
Remote access that requires no software installation on source or destination systems.