
Why Patching Alone Won’t Save You: A Guide to 6 Segmentation Challenges in IoT-Heavy Environments (And How to Overcome Them)

"Why Patching Alone Won't Save You: A Guide to 6 Segmentation Challenges in IoT-Heavy Environments" is a 2025 Ordr guide for security teams in healthcare, manufacturing, retail, and similar industries where large numbers of devices simply can't be patched or taken offline. It makes the case that segmentation — not patching — is the realistic first line of defense for IoT/OT environments, then walks through the six specific challenges that cause segmentation projects to stall.

What you'll learn

  • Patching can't keep pace with IoT reality. With 40,009 CVEs released in 2024 (a 39% increase), and many devices unable to be patched due to vendor dependencies, operational constraints, or outdated systems, segmentation is the only practical way to reduce exposure on devices you can't fix.
  • Visibility is necessary but not sufficient. Knowing what's on your network doesn't reduce risk — you have to connect that discovery to enforcement tools (NAC, firewalls, ACLs) with full device context to actually segment anything safely.
  • Unclear ownership kills momentum. IoT devices fall between facilities, biomed, IT, and security teams with different priorities and budgets. Without shared success metrics and cross-functional alignment, segmentation initiatives stall before they start.
  • Start small or don't start at all. Analysis paralysis and scope creep are the top reasons projects fail. Isolating one targeted group of high-risk, unpatchable devices — like legacy imaging systems or HVAC controllers — builds confidence, demonstrates value, and creates the organizational momentum to expand.


Frequently asked questions

Why can't we just patch everything and skip segmentation?
Many IoT, medical, and OT devices need vendor coordination or government re-approval before they can be patched, or can't go offline without disrupting operations, which makes patching slow or impossible. Segmentation protects those devices in the meantime, and permanently for legacy systems that will never be patchable.

What does "good" visibility actually look like for IoT devices?
More than an IP or MAC address: you need device type, function, owner, location, and behavioral communication patterns. Without that context, enforcing a segmentation policy risks blocking critical workflows and creates the hesitation that keeps teams stuck.

How do you get clinical or OT teams on board?
Run a small pilot on a specific, non-critical device group first. Demonstrating that segmentation can reduce risk without disrupting operations turns skeptical operational teams into advocates — as seen at Emplify Health, where early wins made clinical and networking teams "eager to segment more devices."

Is automation required for segmentation to scale?
In practice, yes. Manual policy writing for thousands of diverse devices is too slow and error-prone. Policy simulation and automated enforcement — grounded in device profiles and behavioral data — are what make segmentation feasible at scale without constant disruption risk.

This resource is published by ORDR, the connected asset security company. ORDR delivers AI-powered visibility, risk assessment, and automated protection for IoT, OT, and IoMT devices across healthcare, manufacturing, government, and financial environments.