Cool Vendors in Cyber-Physical Systems Security 2025

18 September 2025 - ID G00839283 - 13 min read
By Katell Thielemann
The journey from network-centric OT security, based on firewalls, DMZs, and data diodes, to an asset- and context-centric cyber-physical systems security discipline is moving beyond visibility, prevention, and a reactive model. This research highlights five innovative vendors that are leading the way.

Overview


Key Findings

  • The field of CPS security is evolving from a network-centric, reactive model focused on firewalls and prevention to a more mature discipline centered on proactive defense, asset-centric protection, and rapid recovery. This shift acknowledges that breaches are inevitable and prioritizes business continuity and resilience.
  • The increasing interconnectedness of CPS environments has broadened the attack surface beyond internal systems to include third-party vendors and remote operators. Secure remote access, granular access control, and supply chain visibility are critical components of a comprehensive security strategy.
  • A new generation of CPS security solutions is moving beyond visibility to tackle long-standing challenges by offering specialized capabilities such as air-gapped backups for instant recovery, automated endpoint configuration remediation, AI-enabled supply chain risk management, and microsegmentation using existing infrastructure.

Recommendations

  • Emphasize resilience and recovery: Prevention is necessary but no longer sufficient. As the threat landscape continues to move closer into CPS environments, cybersecurity leaders should prioritize investment in capabilities that enable rapid recovery and business continuity to minimize the operational and financial impact of a successful cyberattack.
  • Extend third-party risk management (TPRM) and configuration baselines management to CPS: To understand and reduce the attack surface, cybersecurity leaders should extend their security efforts beyond internal assets to the supply chain. This involves using data-driven platforms to assess vendor risk and leveraging automated tools to continuously monitor and remediate misconfigurations on endpoints, which are a leading cause of vulnerabilities.
  • Architect for CPS security beyond the DMZ: To mitigate risks from remote access and lateral movement, cybersecurity leaders should deploy solutions that enforce granular, least-privilege access policies for all users, workloads, and devices. This includes leveraging technologies for microsegmentation and secure remote access that isolate sessions and control communication pathways.

Analysis


This research does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new and innovative vendors, products and services. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

What You Need to Know

The landscape of cyber-physical systems (CPS) security solutions is rapidly evolving, driven by the increasing sophistication of threats and the critical nature of the infrastructure and production environments they protect. This, in turn, has led to an increase in regulatory requirements in a variety of jurisdictions, countries, and verticals. As organizations grapple with securing these increasingly interconnected systems, the discipline of CPS security is moving toward a more mature, proactive, and resilient posture.
Gartner defines CPS as engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans).
CPS are unique in that they are managed digitally but interact with the physical world. They are often interchangeably referred to as industrial control systems (ICS), supervisory control and data acquisition (SCADA), operational technology (OT), Internet of Things (IoT), Industrial Internet of Things (IIoT), Industrie 4.0, building management systems (BMS), engineering technology (ET), or polyfunctional robots.
The journey of OT security from a nascent concern relying mainly on firewalls, DMZs, and data diodes to CPS security as a mature discipline is characterized by a shifting approach. It has evolved from prevention and reactive firefighting to proactive defense, from isolated silos to aligned security strategies, and from basic network-centric protections to asset-centric advanced resilience (see Figure 1).
Figure 1: The Evolution of OT Security to Cyber-Physical Systems Security
A continuum showing the evolution of what used to be an "air gapped" network security approach to OT security in the past, to an asset and context centric CPS security discipline today and in the future
The vendors in this note collectively support this evolution by tackling longstanding challenges and introducing innovative, sophisticated capabilities beyond those of CPS Protection Platforms.
  • Moving from “knowing” to “doing” with segmentation and configuration management: A mature security program begins with a clear understanding of all assets and the ability to control their interactions. Historically, CPS environments suffered from a critical lack of visibility and cumbersome, static segmentation. Although CPS protection platforms offer increasingly detailed CPS asset pedigree and topology information that open the door to many additional security controls, most do not (yet) offer remediation and resilience capabilities.
  • Implementing robust access control: As CPS environments become more connected, secure access, especially for remote operators and third-party vendors, and granular control of who accesses what become critical.
  • Building resilience and focusing on rapid recovery: Despite the best preventative measures, breaches can occur. A mature CPS security discipline prioritizes rapid recovery and business continuity to minimize operational impact.
  • Securing the supply chain and enhancing collaboration: The interconnected nature of CPS means that vulnerabilities can enter through the supply chain. A mature security program extends its reach beyond internal assets to encompass third-party risks.
Enhancing CPS protection platform capabilities via APIs from these cool vendors allows for an integrated approach that elevates CPS security from a collection of disparate tools to a unified, proactive, and resilient discipline. It provides security and risk management leaders with additional tools needed to protect production environments and critical infrastructure in an increasingly complex threat landscape.

Salvador Technologies

Analysis by Katell Thielemann
Why Cool:
By providing air-gapped, immutable backups and specializing in the resolution of ransomware, wiper attacks, and physical damage, Salvador Tech focuses on helping critical CPS return to operations. The emphasis on instant recovery and independent cyber recovery units addresses a paramount concern: minimizing downtime and financial losses in the face of a successful attack. This shifts the focus from preventing to intelligently recovering, which is vital for critical infrastructure. Capabilities include:
  • A unified control panel for monitoring and managing all sites and stations, simplifying oversight. It is designed for a range of skill levels.
  • Operational continuity views aligned with corporate risk policies and recovery time objective (RTO) requirements, providing transparent backup status.
  • Workstation recovery that supports legacy CPS operating systems and functions independently of the network with immutable, bootable backups.
  • Advanced backup software to create air-gapped system duplicates of the OS, data, drivers, and configurations, making them inaccessible to attackers.
Challenges:
  • Integration Complexity: Although designed for ease of use, integrating with highly complex or legacy OT infrastructure still requires careful planning.
  • Cost Management: As with any specialized security solution, the initial investment and ongoing maintenance costs must be evaluated.
  • Organizational Adoption: Ensuring all personnel are adequately trained and adopting the new system effectively can be a hurdle.
  • Scalability in Large Environments: Scalability considerations are important for extensive and geographically diverse CPS operations.
Who Should Care:
Cybersecurity leaders in charge of:
  • Ensuring business continuity and enhancing operational resilience: Addresses the critical need for minimizing operational downtime and financial impact from cyberattacks by enabling recovery from a wide array of cyber incidents and physical disruptions.
  • Strengthening compliance and risk posture: This supports adherence to several regulatory requirements, such as NIS2, NERC-CIP, and FDA.
  • Providing robust protection against advanced threats: Offers advanced measures like air-gapping and APT malware protection, crucial for defending against sophisticated and targeted attacks.

Dispel

Analysis by Katell Thielemann
Why Cool:
Dispel offers tailored secure remote access and data streaming options, including clientless browser connect for quick access, virtual desktop for high-security needs, and local application for legacy systems and specialized tools. It automates workflows such as just-in-time (JIT) access, multifactor authentication (MFA), identity and access management (IAM) without impacting the Active Directory (AD) infrastructure, password vaulting, and automated patching. It centralizes and secures connections, effectively replacing less secure methods like traditional jump servers. Capabilities include:
  • Extensive protocol compatibility: Supports over 65,000 TCP- or IP-based protocols, including SSH, RDP, VNC, and various proprietary protocols to enable broad compatibility across diverse industrial setups.
  • Built-in compliance support: Out-of-the-box inheritance for major industry standards like NIS2, NIST 800-53, IEC 62443, and NERC CIP, significantly simplifying audit processes.
  • Threat management capabilities through intelligence sharing, monitoring, identification, and remediation.
  • Incorporates advanced security measures such as end-to-end encryption, microsegmented pathways, session isolation, screen recording, password vaulting, and comprehensive audit logging.
  • The ability to deploy a “gold image” in the virtual remote desktop means that organizations can offer a regular “look and feel” to remote employees instead of a specific environment.
Challenges:
  • Integration with highly specialized CPS environments: Integrating with bespoke or unique legacy CPS still requires custom configurations and careful planning.
  • Initial product configuration complexity: Setting up granular access policies, integrating with existing IAM solutions, and configuring specific protocol support across a large and complex enterprise is no easy feat.
  • Performance impact assessment: Ensuring that the security measures and data streaming capabilities do not negatively impact the performance or real-time operations of sensitive CPS processes requires careful validation.
Who Should Care:
Cybersecurity leaders in charge of:
  • Enhancing remote access security posture: Addresses the critical risk of remote access to CPS environments, a primary concern given its growing status as an attack vector.
  • Streamlining compliance and audit preparedness: Integrated support for key industry compliance standards reduces the burden of regulatory adherence and simplifies audit processes.
  • Improving visibility, control, and response: Granular visibility and control over all remote sessions and access activities help with incident response, proactive threat hunting, and overall risk management.

Elisity

San Jose, California, U.S. (elisity.com/platform)
Analysis by Katell Thielemann
Why Cool:
Elisity’s network segmentation policy engine allows security teams to rapidly create, simulate, and apply granular security policies. By transforming existing switching infrastructure into policy enforcement nodes, Elisity enables microsegmentation that automates least-privilege access for users, workloads, and devices, thereby reducing over-privileged accounts and lateral movement risk. This capability helps control communication pathways, contain breaches, and significantly reduce network complexity. Capabilities include:
  • Automated least privilege access enforcement for users, workloads, and devices reduces overprivileged accounts and hinders lateral movement, which are critical for securing CPS.
  • Reduced network complexity: Achieved by leveraging existing infrastructure and simplifying policy enforcement, while potentially lowering firewall licensing costs.
  • Agentless and nondisruptive: The Elisity platform requires no agents, new hardware, or re-IPing projects, respecting the sensitive and highly available nature of CPS environments.
  • Integrates with existing security tech stacks via APIs, aggregating data from all available sources to enable more flexible and dynamic security policies.
  • Builds an identity graph from native observations and integrated systems to inform segmentation decisions, so access is determined by who and what a user, workload, or device is, rather than where it sits in the network.
Challenges:
  • Policy management at scale: For very large and diverse CPS environments, managing an extensive number of granular dynamic policies, even with simulation tools, could become complex.
  • Dependency on existing infrastructure: The effectiveness and advanced features of the platform rely on the capabilities and configuration of the existing switching infrastructure.
  • Organizational change and training: Implementing a new approach to network segmentation and policy enforcement requires significant change management and training for security and network operations teams.
  • Potential for misconfiguration: Despite simulation features, complex policy changes in live operational environments always carry a risk of unintended consequences if not meticulously planned and executed in partnership with production engineers.
Who Should Care:
Cybersecurity leaders in charge of:
  • Proactive risk reduction and attack surface minimization: Automating least privilege and preventing lateral movement directly mitigates key attack vectors.
  • Improving compliance and audit readiness: Enhanced visibility and automated, enforceable policies contribute directly to demonstrating compliance with various industry regulations and simplifying audit processes.
  • Minimizing operational disruption: The agentless and nondisruptive deployment model is paramount for highly sensitive CPS operations where downtime is unacceptable.

Remedio (formerly Gytpol)

Tel Aviv, Israel (remedio.io/product)
Analysis by Katell Thielemann
Why Cool:
Remedio (formerly Gytpol) focuses on automated device configuration security to harden Windows and Linux in CPS environments. Misconfigurations, including running unnecessary programs, excessive privileges, or problematic default settings, are a leading cause of vulnerabilities in diverse CPS environments. By detecting and remediating these flaws, Remedio supports security best practices and compliance standards, further reducing the attack surface and reinforcing the segmented environment. This moves CPS security beyond merely identifying assets to ensuring their secure baseline configuration and controlled interaction. Capabilities include:
  • Ability to centrally manage remediations and revert as needed with instant rollback.
  • Centralized control for diverse environments: Provides a unified platform for visibility and control over a wide array of endpoints, including Windows, Linux, Mac workstations, servers, VDIs, Active Directory, and cloud instances.
  • Integration with CPS protection platforms such as Forescout, Claroty, CrowdStrike, and Armis.
Challenges:
  • Initial baseline definition: The initial effort to establish and fine-tune security baselines for a highly specific and complex CPS environment often requires significant upfront work and expertise.
  • Potential for unintended operational impact: Although designed for zero disruption with rollback features, any automated change in sensitive CPS environments necessitates rigorous testing and validation to prevent unforeseen operational impacts.
  • Depth of coverage for proprietary CPS: While it covers common operating systems, the depth of its configuration security for highly proprietary industrial control systems or specialized CPS protocols might require further investigation.
  • Building trust in AI automation: Organizations, particularly in critical infrastructure, will need complete transparency and explainability before starting to build any confidence in AI autonomous recommendations and automated remediation actions for production environments.
Who Should Care:
Cybersecurity leaders in charge of:
  • Proactively managing misconfigurations.
  • Streamlining compliance with various industry standards and regulations (e.g., NIST, CIS, STIG), as well as user-defined frameworks.
  • Supporting hybrid IT/CPS environments: Its compatibility with both modern and legacy operating systems, and integration with common IT management tools, makes it helpful across IT and CPS networks.
  • Patch and vulnerability management.

Fortress Information Security

Orlando, Florida, U.S. (fortressinfosec.com/fortress-platform)
Analysis by Katell Thielemann
Why Cool:
Fortress Information Security’s AI-enabled supply chain defense platform provides vendor and assessment intelligence, for example, through software bills of materials (SBOMs) and hardware bills of materials (HBOMs). It also facilitates enhanced collaboration among industry partners, for example, through the North American Energy Software Assurance Database (NAESAD). Fortress helps to streamline third-party risk management, moving beyond vendor questionnaires to data-driven risk management. Capabilities include:
  • Vendor and assessment intelligence: This leverages data exchanges (like A2V) to provide access to vendor and assessment intelligence, enabling informed decision making regarding supply chain risks.
  • AI-enabled risk mitigation to monitor vendor ecosystems and products, flagging risks and streamlining their remediation for more effective risk management.
Challenges:
  • Data integration complexity: While it features data exchanges, integrating and normalizing SBOMs, HBOMs, and other security data from a potentially vast and diverse supply chain can still be a complex undertaking.
  • Reliance on AI accuracy and tuning: The platform’s effectiveness heavily relies on the accuracy and continuous learning capabilities of its AI models, which may require ongoing validation and fine-tuning to suit specific environments.
  • Adoption of collaboration mechanisms: The full benefits of industry collaboration, such as through NAESAD, are realized only with widespread adoption and active participation from industry partners, which can be challenging to achieve. NAESAD only supports North American energy companies.
  • Vendor onboarding and data ingestion: The initial process of onboarding all relevant vendors and ensuring their security data is accurately ingested and maintained within the platform could be resource-intensive.
  • Customization for unique CPS environments: While comprehensive, highly unique or very specialized CPS environments might require specific customization or fine-tuning to fully use the platform’s capabilities.
Who Should Care:
Cybersecurity leaders in charge of:
  • Addressing critical supply chain risk and moving beyond risk identification to active mitigation.
  • Enhancing third-party visibility and due diligence by tracking intelligence on vendors and their assets.
  • Threat management, which can leverage industrywide collaboration and intelligence sharing capabilities.

Where Are They Now?

Network Perception

Chicago, Illinois, U.S. (network-perception.com)
Analysis by Katell Thielemann
Profiled in Cool Vendors in CPS Security 2024
Why Cool Then:
Network Perception’s NP-View platform provides network topology/mapping diagrams, firewall ruleset information, network segmentation assessments, network access modeling, device configuration information, and exportable network topology simulation models to support critical path analysis. It provides this in a passive, offline manner, requiring no agents or modification to existing network hardware or configurations. The inference engine shows what traffic is possible based on current configurations, and not just traffic that can be observed. The platform is designed for ease of use to provide value for technical and nontechnical users alike.
Where They Are Now:
Network Perception was acquired by Dragos Inc. on 1 October 2024.
Who Should Care:
Cybersecurity leaders in charge of:
  • Asset discovery and network visibility who need a view of connected assets and to verify the segmentation of their environment without initially having to make large investments in sensor-based solutions.

Evidence