When Uptime Is Non-Negotiable: Rethinking Zero Trust for OT Environments

Feb 23, 2026

Clint Huffaker

Written by

Clint Huffaker

Clint Huffaker started his career on the customer side, managing enterprise networking and security before moving into presales and architecture. Those early lessons gave him a deep appreciation for what customers do every day — balance innovation, risk, and business pressure. Today, as Director of Product Marketing for Security at Akamai, Clint leads initiatives around Akamai Guardicore Segmentation and Zero Trust. 

For years, critical infrastructure operators have been forced to choose between uptime and robust cybersecurity protection. Traditional controls, such as firewalls, either slow systems down or cannot be deployed at all in fragile OT environments. By integrating Akamai Guardicore Segmentation with NVIDIA BlueField DPUs, Zero Trust enforcement moves directly into the infrastructure itself, delivering hardware-isolated, hardware-accelerated, line-rate protection for un-agentable and mission-critical systems without sacrificing performance.

The systems that cannot fail

It is 2:17 AM in a regional power operations center. An engineer notices abnormal traffic between two supervisory systems that rarely communicate. Within seconds, a controller responsible for load balancing begins issuing unexpected commands.

Nothing crashes. Nothing explodes. But something is wrong.

In many OT environments, that moment determines whether the incident remains contained or cascades across substations, production lines, or water treatment processes.

This isn’t theoretical. Check Point Research reported that U.S. utilities experienced nearly a 70% increase in cyberthreats in 2024 compared with the previous year. KnowBe4 observed a 30% rise in threats on critical national infrastructure during the same period. The U.S. Department of Homeland Security has warned that threats to energy, transportation, and other essential sectors are expected to intensify into 2025.

Leaders are not facing a distant possibility. They’re facing a sustained campaign.

And yet, many of the systems that matter most still rely on trust assumptions that were designed decades ago.

Why traditional OT security models struggle

Operational technology environments were engineered for reliability and deterministic behavior, not for adaptive cyber defense. Many run legacy operating systems. Some cannot be patched without recertification. Others cannot tolerate even small changes in latency.

Security teams know that lateral movement is how real damage occurs. Once an adversary gains initial access, the ability to pivot between systems determines the scope of impact.

In enterprise IT, agent-based microsegmentation has become a powerful way to enforce least-privilege access and contain that spread. When deployed correctly, it delivers granular visibility and high performance.

But OT introduces a different constraint. In some cases, installing an agent is not safe. In others, it is not allowed. In still others, it’s simply not possible.

That creates a dangerous gap. The systems that control physical processes are often protected at the perimeter while remaining broadly permissive internally.

Executives should pause here and ask themselves a simple question:

If an adversary gained a foothold inside your OT network tonight, how far could they move before something stopped them?

If the honest answer is “farther than I am comfortable with,” then the architecture needs to change.

The regulatory and insurance pressure is real

Security in critical infrastructure is no longer just a technical discussion. It is a board-level and regulatory issue.

In the United States, utilities and other critical operators face increasing mandates around segmentation, monitoring, and incident response. Federal guidance and sector-specific regulations are tightening expectations around resilience, not just detection.

Cyber insurers are also recalibrating their models. Underwriters are scrutinizing segmentation practices, access controls, and containment capabilities before issuing or renewing policies. Premiums reflect not just whether an organization can detect an incident, but whether it can limit blast radius.

Executives should be asking:

  • Can we demonstrate that a compromised controller cannot laterally access high-value systems?

  • Can we prove that east-west traffic is governed by least privilege?

  • Can we show that enforcement survives even if a host is compromised?

If the answer to any of those is uncertain, it is not just a technical risk. It is a financial and regulatory exposure.

Moving enforcement into the infrastructure

The integration of Akamai Guardicore Segmentation with NVIDIA BlueField DPUs reflects a different architectural mindset.

Instead of depending solely on host-based enforcement, segmentation policy enforcement can be offloaded to a hardware-isolated Data Processing Unit (DPU) embedded in the data path. BlueField operates independently of the host operating system and CPU. Policies translated into hardware flow rules are enforced at line rate in silicon.

In this model, NVIDIA BlueField provides the real-time telemetry and enforcement point at the infrastructure layer, while Akamai Guardicore Segmentation provides the centralized visibility, policy modeling, and policy management that governs how segmentation is defined and applied across the environment.

Telemetry is collected directly by BlueField without requiring any host-based software, ensuring that visibility is achieved with zero impact on fragile OT systems. That telemetry is then surfaced through Akamai Guardicore Segmentation’s platform, where security teams can map application dependencies, define least-privilege policies, and manage segmentation consistently across both IT and OT domains.

If a server is compromised, the enforcement logic running on the DPU remains intact. From the host perspective, no additional software is required.

Enforcement itself is executed directly by BlueField at the infrastructure level, based on the policies defined and orchestrated through Akamai Guardicore Segmentation. This separation of control plane and enforcement point ensures that even if a workload is breached, policy cannot be altered by an adversary operating on the host.

This matters deeply in OT environments. For systems that cannot tolerate agents or performance overhead, protection becomes infrastructure-embedded rather than workload-installed.

It is important to be clear. Agent-based microsegmentation remains a high-performance and proven model across IT, modern cloud environments, and the data center. The BlueField integration does not replace that strength. It extends segmentation into the domains where agents cannot safely operate.

The integration brings together BlueField’s hardware-isolated telemetry and enforcement with Akamai Guardicore Segmentation’s policy intelligence and centralized control plane.

The result is consistent, scalable visibility, policy, and containment across both IT and OT, without forcing fragile systems to carry the burden.

Containment at machine speed

Modern adversaries automate reconnaissance and lateral movement. They do not wait for change windows. They do not respect operational sensitivities.

When segmentation enforcement happens in the data path, traffic is evaluated as it enters and exits each node. Unauthorized connections are blocked before they propagate. Compromised systems can be isolated in real time, limiting blast radius.

In architectures aligned with the Purdue Model, trust boundaries between enterprise systems, DMZ layers, supervisory controls, and process-level devices can be reinforced without modifying the equipment itself.

This shifts the conversation from threat detection after the fact to containment by design.

Leaders should be asking:

Are we architected to detect compromise, or are we architected to survive it?

Those are not the same thing.

The next generation of critical infrastructure security

The long-standing belief that stronger security inevitably slows critical systems has shaped decisions for decades. That belief no longer holds.

Security does not need to compete with uptime. It can be embedded into the infrastructure itself.

As OT and IT converge and AI-driven solutions accelerate both innovation and AI workloads, Zero Trust security must evolve beyond software overlays. It must be hardware-aware, resilient to host compromise, and capable of enforcing least privilege at network speed.

The organizations that lead in the next decade, including those building AI infrastructure and AI Factories, will not be those that simply deploy more monitoring tools. They will be those that redesign their architecture to contain failure by default.

The real question for executive leaders is not whether threats will continue to escalate. They will.

The real question is this:

When the inevitable breach occurs inside your OT environment, will your architecture absorb the impact, or will it amplify it?

The answer will not be found in policy documents. It will be found in the infrastructure decisions you make today.
