What is Network Access Control (NAC)?
Network Access Control (NAC) is a security solution that determines which devices are allowed to access the network, based on predefined rules, authentication and device posture. NAC prevents unauthorised or non-compliant systems from connecting to critical OT or IT networks.
In OT environments, NAC is essential for keeping unauthorised laptops, rogue devices or infected equipment out of industrial networks, without endangering availability.
What does NAC do?
- Identifies who or what is attempting to connect
- Verifies that the device complies with policy (e.g. antivirus active, firmware up to date)
- Authorises based on RBAC, MAC address, certificate or device profile
- Assigns access to a specific VLAN or blocks access if non-compliant
- Monitors devices throughout the entire session (post-connection check)
NAC in an OT context
| Function | Application in industrial networks |
|---|---|
| MAC authentication | Only pre-registered OT devices may connect |
| 802.1X integration | Authentication of laptops or mobile engineers via certificates |
| VLAN assignment | Unknown devices placed into an isolated "quarantine" VLAN |
| Guest access control | Temporary network access for suppliers with logging |
| Profiler functionality | Recognition of PLCs, SCADA, IoT devices via fingerprinting |
Why NAC matters in OT
| Risk without NAC | Consequence |
|---|---|
| Uncontrolled access | Rogue devices and laptops with malware can connect freely |
| Shadow IT | Devices are added without official oversight |
| Malware spread | No quarantine measures available for unknown systems |
| Compliance issues | Failure to meet IEC 62443, NIS2 or ISO 27001 requirements |
NAC is a core component of Zero Trust Architecture for OT environments.
Integration with other systems
| System | Integration example |
|---|---|
| SIEM | Logging of NAC events and access requests |
| Asset Inventory | Automatic registration of new devices via the NAC profiler |
| Firewall | Dynamic rules based on NAC status or access policy |
| Switch / 802.1X | Port-based access control with fallback to MAC authentication |
Best practices
| Measure | Why it matters |
|---|---|
| Start in a low-impact mode | Observe behaviour first without blocking traffic |
| Use MAC whitelisting in OT | Because not all OT devices support 802.1X |
| Design based on risk profiles | E.g. suppliers, engineering laptops, fixed equipment |
| Combine with physical access control | Prevent unwanted access to switch ports |
| Integrate with anomaly detection | Take automated action on suspicious behaviour |
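As an added illustration (not code from the original page or from any NAC product), the following Python models the decision flow described in the sections above: 802.1X with a posture check first, fallback to MAC whitelisting cross-checked against the profiler fingerprint, an isolated quarantine VLAN for everything else, and a low-impact monitor mode that only logs instead of moving devices. The MAC addresses, VLAN numbers and profile names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data, not taken from any real deployment: pre-registered OT MAC
# addresses mapped to the device type the NAC profiler is expected to fingerprint,
# plus the VLAN numbering used by this example.
OT_WHITELIST = {"00:1a:2b:3c:4d:5e": "PLC", "00:1a:2b:3c:4d:5f": "HMI"}
VLAN_OT, VLAN_ENGINEERING, VLAN_GUEST, VLAN_QUARANTINE = 100, 200, 300, 999

@dataclass
class Device:
    mac: str
    profile: str              # profiler fingerprint result, e.g. "PLC" or "Windows"
    cert_valid: bool = False  # 802.1X (EAP-TLS) authentication succeeded
    posture_ok: bool = True   # e.g. antivirus active, firmware up to date
    is_guest: bool = False    # temporary supplier access request

@dataclass
class Decision:
    vlan: int
    action: str               # "allow" or "quarantine"
    reason: str

def evaluate(dev: Device) -> Decision:
    """802.1X first, fallback to MAC authentication, everything else quarantined."""
    if dev.cert_valid:
        if not dev.posture_ok:
            return Decision(VLAN_QUARANTINE, "quarantine", "802.1X ok, posture check failed")
        vlan = VLAN_GUEST if dev.is_guest else VLAN_ENGINEERING
        return Decision(vlan, "allow", "802.1X certificate accepted")
    expected = OT_WHITELIST.get(dev.mac.lower())
    if expected is None:
        return Decision(VLAN_QUARANTINE, "quarantine", "unknown MAC and no certificate")
    if expected != dev.profile:
        # Registered MAC but the fingerprint disagrees: treat as a possible spoofed address
        return Decision(VLAN_QUARANTINE, "quarantine",
                        f"MAC registered as {expected} but fingerprinted as {dev.profile}")
    return Decision(VLAN_OT, "allow", "MAC whitelist match, profile confirmed")

def admit(dev: Device, port_vlan: int, enforce: bool, log: list) -> int:
    """Apply the decision. In low-impact (monitor) mode the device keeps the switch
    port's VLAN and the decision is only logged (e.g. forwarded to the SIEM)."""
    d = evaluate(dev)
    assigned = d.vlan if enforce else port_vlan
    mode = "ENFORCE" if enforce else "MONITOR"
    log.append(f"{mode} mac={dev.mac} decision={d.action} vlan={assigned} reason='{d.reason}'")
    return assigned
```

Run `admit(...)` with `enforce=False` during the observation phase and review the MONITOR log lines before switching to enforcement.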
In summary
Network Access Control (NAC) is the digital gatekeeper of your industrial network. It provides control over who or what may connect, under which conditions and with which rights, making it a must for secure and compliant OT networks.
