Market Guide for CPS Secure Remote Access

3 February 2026 - ID G00840975 - 26 min read
By Katell Thielemann, Wam Voster, and 1 more
As remote operations become the norm, organizations are pivoting from “secure connectivity” to “secure operations” with fit-for-purpose cyber-physical systems secure remote access products. This note provides an overview of trends and representative vendors in this fast-growing market.

Overview


Key Findings

  • Cybersecurity leaders are discovering that “shadow access” is a critical blind spot: undocumented remote connections that bypass corporate firewalls permeate CPS environments, and remote access has become a new operational reality.
  • Attackers are increasingly targeting weak or vulnerable legacy remote access, such as VPNs and jump boxes, to gain access to CPS environments, which requires organizations to adopt purpose-built CPS remote access to mitigate the risk.
  • Deploying multiple remote access products from different vendors to reach cyber-physical system (CPS) assets introduces significant management and integration complexity, due to diverse configurations, varying encryption protocols and inconsistent session-log schemas, and thereby increases security risk.
  • Organizations are pivoting from “secure connectivity” to “secure operations.” This shift is driven by the operational necessity of managing complex, distributed environments; by innovators bringing to market products steeped in CPS environment knowledge; and by the reality that traditional IT-centric tools lack the contextual granularity required for mission-critical safety.

Recommendations

  • Audit for “shadow access” immediately; do not assume your current inventory of remote connections is complete. Actively deploy tools such as CPS protection platforms that can discover unmanaged OEM, contractor and employee connections, and integrate those connections into a centralized governance framework (with policies for OEMs, contractors and employees alike) to close backdoors.
  • Replace general-purpose VPNs and avoid extending IT-centric PAM tools into CPS environments without validation. Instead, prioritize platforms that offer deep protocol inspection to block unauthorized changes at the packet level and that align with the safety-critical nature of CPS operations.
  • Standardize all CPS remote access through a single, centrally managed hardware/software gateway in the DMZ or at lower levels. Terminate protocols and sessions at this gateway so that remote users never communicate directly with protected CPS assets, such as programmable logic controllers (PLCs), human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems.
  • Choose products that enhance secure and safe operations and that address production engineers’ needs, over products that focus solely on cybersecurity-related access management: mandate agentless architectures for legacy assets; enable “over-the-shoulder” supervision so that local operators can watch third-party vendors in real time and retain a “kill switch” to terminate a connection instantly if safety is compromised; and eliminate standing privileges by adopting just-in-time (JIT) access. Avoid products that require inbound connections to be enabled.

Strategic Planning Assumption


By 2029, the percentage of attacks on CPS using remote access vectors will grow from negligible numbers to over 20%.

Market Definition


Gartner defines the cyber-physical systems (CPS) secure remote access products market as products that enable employees, contractors or original equipment manufacturers (OEMs) to safely and securely operate, maintain or update CPS remotely. These products provide a robust mechanism to verify remote users’ authenticity and authorization, enforce granular access policies for both users and systems, ensure secure communications, and track the integrity of user actions. Organizations can deploy these products in cloud, on-premises or in a hybrid environment.
Traditional remote access methods (VPNs, jump boxes) and emerging IT-centric approaches such as remote privileged access management (RPAM) lack the granularity and contextual knowledge needed for production or mission-critical environments. CPS secure remote access solutions address these limitations with specialized features, including agentless access, reliable operation in high-latency or intermittently connected environments, and granular access to specific devices (often using proprietary networking protocols) instead of broad network access.
The core use case for deploying CPS Secure Remote Access solutions is to enable secure and safe operations. This use case is also referred to as CPS secure remote operations.
Inappropriate or malicious access to CPS can result in severe real-world consequences, including safety hazards, environmental damage and operational failure. CPS secure remote access products reduce these risks by preventing the abuse of remote connections, preserving the integrity, safety and security of the systems, and restricting even verified users to only the specific device or application needed for their tasks (or even to specific tasks).
The CPS secure remote access solutions market exists because of:
  • Safety considerations: Some CPS operate in harsh environments or handle hazardous materials, making remote management preferable to physical presence for protecting human health and the environment.
  • Contractual obligations: OEMs often mandate remote access in sales contracts to support service-level agreements (SLAs), as maintaining on-site support teams around the clock at every location is impractical. These OEMs must also ensure that their employees have access only to authorized systems.
  • Geographically dispersed setups: In verticals such as utilities, substations may be located across the country, making hands-on maintenance impossible.
  • Cost/productivity pressures: Organizations seek to optimize labor resources and minimize travel expenses by supporting multiple operational environments remotely, which is essential for cost control and productivity.
  • Competitive pressures: The drive to automate and enhance output quality and quantity makes remote asset management a key differentiator in the market.
  • Production uptime and equipment maintenance/upgrades: The ability to keep production and mission-critical environments up and running without disruption is a key factor in remaining competitive.
  • Skilled labor pressures: The global scarcity and high cost of production engineers and industrial maintenance professionals often necessitate remote operations.
  • Training of new engineers and maintainers: To counter the lack of skilled labor, organizations increasingly rely on virtual training for new engineers and maintainers, using CPS secure remote access solutions to support these efforts.

Mandatory Features

Mandatory features for CPS secure remote access solutions include:
  • Authentication and validation: Authenticate and validate every user, device, asset and connection before granting access.
  • Approval workflow: Allow remote access only after prior approval from appropriate stakeholders through a specific workflow.
  • Password vaulting: Enable access to locked devices without directly sharing passwords.
  • Granular access controls based on least privilege: Define precise access policies that specify what users can access (e.g., specific devices, applications and data), when they can access it (time-based access) and under what conditions.
  • Support for third-party access: Facilitate secure access for external vendors, contractors and employees.
  • Time-sensitive features: Permit connections only during predefined times, for specific durations, and/or automatically time out/suspend sessions that remain idle for too long.
  • Comprehensive monitoring, logging and auditing: Track, log, and record sessions in real time; audit user activities and connections to provide visibility, accountability and a complete audit trail for compliance and security management. Enable production engineers to monitor and terminate sessions as needed.
  • Regulatory compliance support: Help organizations meet various industry standards and regulatory mandates or frameworks, such as IEC 62443, NIST SP 800-82 Rev. 3, NIS2, NERC CIP, NIST CSF or ISO 27001.
  • Identity and access management (IAM) integration: Manage user identities and access by including or integrating with existing identity providers (e.g., Microsoft Entra ID (formerly Azure Active Directory), Okta and Ping Identity) to strengthen security and centralize control.
  • Multifactor authentication (MFA): Require more than one authentication method to verify user identity.
  • Agentless access: Provide access without installing software on CPS assets or remote endpoints, simplifying deployment and minimizing disruption.
  • Gateway termination and inspection: Terminate all CPS protocol sessions, for example, Modbus, DNP3 and Open Platform Communications Unified Architecture (OPC UA), at a secure gateway to enable deep packet inspection and enforce security policies.
  • Compatibility with diverse environments: Connect to any CPS (such as PLCs, HMIs, SCADA or DCS) and support native protocols for existing industrial machines.
  • Flexible deployment models: Offer on-premises, cloud or a hybrid model to meet operational needs.

Common Features

Common features include:
  • Secure file transfer with malware scanning
  • Enhanced MFA features, such as biometric validation, dynamic context-based or continuous adaptive MFA and single sign-on (SSO) proxy functionality that supports Department of Defense (DOD) Common Access Cards (CACs).
  • Tamper-proof audit logs stored in write-once, read-many (WORM) repositories or hardware-security-module-backed systems, with log integrity checks to ensure authenticity.
  • OEM and vendor account isolation through separate vaults and policies for third-party or service-provider accounts, with limited scope and time-bound access.
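The tamper-proof audit log item above names the property but not a mechanism. The following added example, which is not code from the original page or from any vendor listed in it, shows one software construction that delivers it: each session record carries an HMAC over the previous record's tag and its own canonical body, so an edit, reorder or deletion in the middle of the log breaks the chain, and a head tag published out of band (for example, written to the WORM store or signed by the HSM) exposes truncation of the tail. The key, session events and asset names are constructed for the demonstration.

```python
"""Tamper-evident, hash-chained session audit log (constructed example)."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = bytes(32)  # chain anchor for the first record


def _canonical(event: dict) -> bytes:
    """Stable serialization so the same event always produces the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class AuditChain:
    """Append-only log; every record is bound to its predecessor by an HMAC."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: List[dict] = []
        self._head = GENESIS

    def append(self, event: dict) -> dict:
        tag = hmac.new(self._key, self._head + _canonical(event), hashlib.sha256).digest()
        record = {"seq": len(self.records), "prev": self._head.hex(),
                  "event": event, "tag": tag.hex()}
        self.records.append(record)
        self._head = tag
        return record

    def head(self) -> str:
        """Value to publish out of band after each write (WORM store, HSM-signed)."""
        return self._head.hex()


def verify_chain(records: List[dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index): index of the first bad record, or len(records) if all verify."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev.hex():
            return False, i  # reordered, inserted or deleted in the middle
        expected = hmac.new(key, prev + _canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return False, i  # body or tag edited
        prev = bytes.fromhex(rec["tag"])
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(records)  # every record verifies, but the tail was cut off
    return True, len(records)


KEY = b"constructed-demo-key-store-in-an-hsm-in-production"  # assumption: demo only


def demo() -> dict:
    """Constructed session events for one OEM maintenance session on a PLC."""
    chain = AuditChain(KEY)
    chain.append({"user": "oem.tech", "asset": "plc-07", "action": "session_start"})
    chain.append({"user": "oem.tech", "asset": "plc-07", "action": "modbus_read", "fc": 3})
    chain.append({"user": "oem.tech", "asset": "plc-07", "action": "session_end"})
    head = chain.head()

    tampered = [dict(r, event=dict(r["event"])) for r in chain.records]
    tampered[1]["event"]["action"] = "modbus_write"  # an insider rewrites history

    return {
        "intact": verify_chain(chain.records, KEY, head),          # (True, 3)
        "edited": verify_chain(tampered, KEY, head),               # (False, 1)
        "truncated": verify_chain(chain.records[:2], KEY, head),   # (False, 2)
        "truncated_no_head": verify_chain(chain.records[:2], KEY),  # (True, 2)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

The last result is the caveat a practitioner should take away: a hash chain alone cannot tell a complete log from one whose newest records were deleted, which is why the head tag must live somewhere the log writer cannot overwrite.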

Market Description


Use cases are evolving, as the market matures to solve specific operational pain points rather than just “remote access”:
  • Third-party/OEM support (the “vendor” problem): This is the primary use case. Organizations must provide OEMs (like Siemens or Honeywell) access to support SLAs without granting them full network access. Solutions must enforce just-in-time (JIT) provisioning, where access is granted only for a specific maintenance window and revoked immediately after. Organizations also want to corral the multitude of products each OEM wants to push upon them.
  • The “remote operator” and workforce flexibility: Driven by the global shortage of skilled industrial labor, organizations are using these tools to allow senior engineers to manage multiple physical sites remotely. This requires high-fidelity, low-latency connections that support complex engineering software.
  • Safety supervision and training: Unlike IT remote access, CPS remote access often requires a live mirror of the session. A local operator watches the remote vendor’s actions in real time (session shadowing) and retains a “kill switch” to terminate the session instantly if safety is compromised. The same capability is used to train new staff virtually.
  • Secure file transfer: Moving firmware updates or patch files into an isolated OT zone without introducing malware. Solutions are increasingly embedding malware scanning into the file transfer workflow as a core capability.

Market Direction


The market for CPS secure remote access is poised to undergo a pivotal shift from ad hoc connectivity — often reliant on risky VPNs, unmanaged jump servers, or simple remote control products like TeamViewer — toward customized, protocol-aware platforms. Cybersecurity leaders must expect accelerated adoption driven not just by security mandates, but by the operational necessity of managing complex, distributed industrial environments.
Adoption will accelerate as organizations recognize that traditional IT-centric remote access tools lack the context required for mission-critical operations. The market is moving beyond “secure connectivity” toward “secure operations.” This growth is catalyzed by the reality that legacy VPNs provide broad network access that is increasingly exploited, and the business needs for more remote operations.
The capabilities gaining the most traction are those designed around CPS operational realities:
  • Protocol-level granularity: Solutions that go beyond network segmentation to parse native industrial protocols (e.g., Modbus, Profinet, CIP) are winning. Buyers prefer tools that can distinguish between a “read-only” diagnostic command and a “write” command to a PLC, blocking unauthorized changes at the packet level.
  • Session management and shadowing: Technologies offering real-time supervision — where a production engineer can “shadow” a session and terminate it instantly if safety is compromised — are becoming standard requirements. This “over-the-shoulder” capability is critical for maintaining safety in production environments.
  • Agentless architecture: Because installing software agents on legacy PLCs or RTUs is often impossible or operationally risky, agentless products that function via gateways or proxies are seeing the highest adoption rates. Likewise, agents on the remote operator’s endpoint are both a security and an administrative burden and should be avoided.
  • Just-in-time (JIT) provisioning: There is a strong move toward ephemeral access, where privileges are granted only for a specific maintenance window and revoked immediately after, eliminating the risk of standing privileges.
Market trends:
  • Competition: The market is both bifurcating and consolidating. We expect intensified competition between pure-play CPS security vendors (e.g., Claroty, Xage, Cyolo, Dispel) and traditional IT PAM vendors (e.g., BeyondTrust, Wallix) attempting to pivot into CPS security. M&A activity is likely to increase as vendors seek to consolidate remote access with broader asset discovery and threat detection platforms.
  • Buyers’ needs and behaviors: Buying centers are shifting and often unclear. While IT security often holds the budget, operations and engineering teams are increasingly acting as the “veto vote.” Buyers are demanding products that support hybrid deployments (on-premises for data residency/uptime and cloud for scalability) and tools that can operate in denied, disrupted, intermittent and limited (DDIL) environments. A major behavioral change is the focus on “shadow access” discovery: identifying and securing undocumented connections that currently bypass corporate firewalls.
  • External forces: Regulatory pressure is a primary external driver. Compliance with standards such as NERC CIP, IEC 62443, and the NIS2 directive is forcing organizations to implement strict audit trails and session recording, capabilities that legacy VPNs cannot provide efficiently. Furthermore, the operational need to leverage scarce talent across multiple physical sites is forcing organizations to normalize remote access as a standard operating procedure rather than an emergency exception.

Market Analysis


The market is in a state of rapid evolution and fragmentation as IT-centric privileged access management (PAM) vendors, zero trust network access (ZTNA) providers, and pure-play CPS security startups all jockey for position.
The market is moving away from broad, network-level connectivity with VPNs toward granular, identity-centric, protocol-aware, device-level access. It is evolving across the following macro-trends:
  • Moving away from “jump server” architecture: Historical reliance on VPNs and jump servers is proving increasingly insecure and operationally complex. A key trend is the move toward agentless, reverse-proxy architectures that do not require installing software on fragile legacy CPS assets (like PLCs or RTUs) or rearchitecting firewalls.
  • Discovery of “shadow access”: A major emerging segment involves “access discovery.” Organizations are realizing that undocumented remote connections (often installed by OEMs or employees in the absence of policies and governance) permeate their field sites. Vendors are increasingly bundling access capabilities with asset discovery to inventory these “shadow” connections before securing them.
  • Protocol-level granularity: The market is bifurcating between products that offer generic network tunneling (IT-centric PAM) and those that offer deep packet inspection (DPI) of industrial protocols. Leading products can now parse commands (e.g., Modbus “write” vs. “read”) to enforce safety, preventing remote users from issuing dangerous instructions.
  • Strategic consolidation: We observe a trend of partnerships and M&A activity. CPS protection platforms (like Claroty and Armis) are integrating secure access to offer a unified “assess and protect” dashboard, while traditional IT vendors (like BeyondTrust and Zscaler) are adapting their platforms to support industrial protocols and “just-in-time” access models.
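The mandatory “gateway termination and inspection” and “time-sensitive” features, the “protocol-level granularity” and “just-in-time provisioning” capabilities in Market Direction, and the Modbus “write” vs. “read” distinction above all describe the same enforcement point. The following added example, which is not code from the original page or from any vendor listed in it, shows what that enforcement point does at the packet level: the gateway terminates Modbus/TCP, rejects requests outside the session’s approved JIT window or outside its asset scope, and classifies each Modbus function code as read or write before deciding whether to forward it. The session records, user name, unit IDs and frames are constructed for the demonstration; the function-code meanings are those of the public Modbus application protocol specification.

```python
"""Protocol-aware session authorization for a CPS remote access gateway (constructed example)."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Tuple

# Public Modbus function codes, grouped by whether they can change device state.
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17, 20}      # coils, inputs, registers, status, file record read
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}  # single/multiple writes, file write, mask write, read/write
DIAGNOSTICS = 8                               # sub-function decides: echo vs. state change


@dataclass(frozen=True)
class Session:
    user: str
    unit_ids: FrozenSet[int]   # Modbus unit IDs the approval covers
    write_allowed: bool        # False for a "read-only diagnostic" approval
    not_before: datetime       # JIT window start (UTC)
    not_after: datetime        # JIT window end (UTC)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def build_frame(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    length = 1 + 1 + len(data)  # unit id + function code + data
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + bytes([function]) + data


def parse_frame(frame: bytes) -> Tuple[int, int, bytes]:
    """Return (unit_id, function, data) or raise ValueError on a malformed ADU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol identifier must be 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return unit_id, frame[7], frame[8:]


def classify(function: int, data: bytes) -> str:
    """Map a function code (and, for diagnostics, its sub-function) to read/write/unknown."""
    if function in READ_FUNCTIONS:
        return "read"
    if function in WRITE_FUNCTIONS:
        return "write"
    if function == DIAGNOSTICS:
        # Sub-function 0 only echoes the query; others (e.g. 1 = restart
        # communications, 10 = clear counters) alter the device.
        sub = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
        return "read" if sub == 0 else "write"
    return "unknown"  # vendor-specific or reserved: deny by default


def authorize(session: Session, frame: bytes, now: datetime) -> Decision:
    """Decide whether the gateway forwards this request on behalf of the session."""
    if not session.not_before <= now <= session.not_after:
        return Decision(False, "outside approved maintenance window")
    try:
        unit_id, function, data = parse_frame(frame)
    except ValueError as exc:
        return Decision(False, f"malformed frame: {exc}")
    if unit_id not in session.unit_ids:
        return Decision(False, f"unit {unit_id} not in session scope")
    kind = classify(function, data)
    if kind == "read":
        return Decision(True, f"read function {function}")
    if kind == "write" and session.write_allowed:
        return Decision(True, f"write function {function} permitted by approval")
    return Decision(False, f"{kind} function {function} denied for this session")


# Constructed approvals and frames (not captured traffic).
WINDOW_START = datetime(2026, 2, 3, 8, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 2, 3, 10, 0, tzinfo=timezone.utc)
DIAGNOSTIC = Session("oem.tech", frozenset({1}), False, WINDOW_START, WINDOW_END)
MAINTENANCE = Session("oem.tech", frozenset({1}), True, WINDOW_START, WINDOW_END)
IN_WINDOW = datetime(2026, 2, 3, 9, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2026, 2, 3, 11, 0, tzinfo=timezone.utc)

READ_HOLDING = build_frame(1, 1, 3, struct.pack(">HH", 0, 10))      # read 10 registers from 0
WRITE_SINGLE = build_frame(2, 1, 6, struct.pack(">HH", 1, 0x0100))  # write register 1
RESTART_COMMS = build_frame(3, 1, 8, struct.pack(">HH", 1, 0))      # diagnostics sub-function 1
WRONG_UNIT = build_frame(4, 7, 3, struct.pack(">HH", 0, 1))         # unit 7 is out of scope

if __name__ == "__main__":
    for name, sess, frame, when in [
        ("diag read", DIAGNOSTIC, READ_HOLDING, IN_WINDOW),
        ("diag write", DIAGNOSTIC, WRITE_SINGLE, IN_WINDOW),
        ("diag restart", DIAGNOSTIC, RESTART_COMMS, IN_WINDOW),
        ("maint write", MAINTENANCE, WRITE_SINGLE, IN_WINDOW),
        ("maint late", MAINTENANCE, WRITE_SINGLE, AFTER_WINDOW),
    ]:
        d = authorize(sess, frame, when)
        print(f"{name:13s} allowed={d.allowed} ({d.reason})")
```

Two design choices matter here. Unknown and vendor-specific function codes are denied rather than passed through, because a gateway that forwards what it cannot parse is back to being a tunnel. And the diagnostics function is not treated as read-only merely because its name sounds harmless: sub-function 1 restarts the controller’s communications, which on a running line is a write in every sense that matters to safety.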

Representative Vendors


The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Vendor Selection

The CPS secure remote access market is supported by a great variety of vendors with distinct technological lineages, providing buyers with options based on platform breadth, physical safety, and innovation.
  • IT-heritage SASE vendors leverage cloud-native architectures, extending their enterprise-grade zero trust network access strategies (ZTNA) onto the plant floor.
  • IT-heritage PAM vendors approach the market by adapting mature credential vaulting and session recording engines to meet industrial compliance needs.
  • CPS-native and asset-centric vendors build access upon asset visibility capabilities in their CPS protection platforms, linking connectivity policies to the risk posture of CPS assets.
  • Connectivity and hardware specialists, born from the machine-builder (OEM) requirement for simplicity, offer “plug-and-play” hardware and software ecosystems designed for non-IT personnel, or come from a “physics-based” niche, utilizing hardware-enforced unidirectional gateways to air-gap critical assets from external threats.
  • Innovators and architectural disruptors are redefining the perimeter itself by utilizing moving target defense (MTD) to continuously cycle infrastructure, employ “network cloaking” to render assets invisible, rely on decentralized mesh architectures for resilience in disrupted environments, emphasize a “trustless” architecture that keeps identities on-premises, or focus on eliminating static keys entirely.

Representative Vendors in the CPS Secure Remote Access Solutions Market

Company Name | Year Founded | HQ Location | Product Name
Armis | 2016 | San Francisco, CA, USA | see vendor profile
BeyondTrust | 2003 | Atlanta, GA, USA | see vendor profile
BlastWave | 2017 | Palo Alto, CA, USA | see vendor profile
Claroty | 2015 | New York, NY, USA | see vendor profile
Cyolo Security | 2019 | Tel Aviv, Israel | see vendor profile
Dispel | 2015 | New York, NY, USA | see vendor profile
Palo Alto Networks | 2005 | Santa Clara, CA, USA | see vendor profile
Secomea A/S | 2008 | Copenhagen, Denmark | see vendor profile
SSH Communications Security | 1995 | Helsinki, Finland | see vendor profile
Tosi | 2011 | Oulu, Finland | see vendor profile
WALLIX | 2003 | Paris, France | see vendor profile
Waterfall Security Solutions | 2007 | Rosh Ha’ayin, Israel | see vendor profile
Xage Security | 2017 | Palo Alto, CA, USA | see vendor profile
Xona Systems Inc. | 2017 | Hanover, MD, USA | see vendor profile
Zscaler, Inc. | 2007 | San Jose, CA, USA | see vendor profile
Source: Gartner (February 2026)

Vendor Profiles


Armis

Armis Centrix™ Secure Remote Access (SRA) is an agentless product integrated into the company’s broader Cyber Exposure Management platform. The product became part of the Armis portfolio with its acquisition of OTORIO, and leverages the Armis asset inventory to inform access policies based on device risk and behavior. The architecture creates encrypted tunnels for specific industrial protocols without requiring VPN clients, jump servers or firewall rule changes. Operational features include “over-the-shoulder” full session monitoring, which allows internal staff to supervise active sessions and terminate them if necessary. The product supports just-in-time (JIT) access, approval workflows and granular access controls to enforce least privilege. Deployment models include cloud-managed, on-premises and hybrid configurations. In December 2025, ServiceNow announced its intention to acquire Armis. Any impact on its position in this market is unknown at this stage.

BeyondTrust

BeyondTrust supports CPS secure remote access through its Privileged Remote Access (PRA) and Password Safe products. The platform manages privileged identities and eliminates standing access rights via a just-in-time (JIT) model. Technical capabilities include credential injection (a form of vaulting that lets users log in without seeing passwords), automated credential rotation, and session management/recording. The architecture supports agentless access to sensitive assets and facilitates a network segmentation strategy without requiring traditional VPNs. While its heritage is in IT, the platform aligns with the Purdue Model to maintain network separation and supports various deployment models, including cloud, on-premises and hybrid. Recent updates include per-session multifactor authentication (MFA) and enhanced protocol tunneling capabilities.

BlastWave

BlastWave’s flagship product, BlastShield, utilizes a “Network Cloaking” architecture designed to make CPS assets invisible to external scans and unauthorized users. The product replaces traditional VPNs and firewalls with a software-defined perimeter (SDP) that enforces microsegmentation. A primary technical differentiator is its authentication mechanism: BlastShield requires phishing-resistant, biometric multifactor authentication (MFA) and does not rely on passwords but uses a mobile phone’s facial or fingerprint biometric identification. The platform creates a “black hole” defense (peer to peer SDP overlay) where devices do not respond to pings until the user is authenticated. BlastShield supports cloud, on-premises, and hybrid deployments. BlastAccess, a new offering, provides secure remote desktop access with session recording.

Claroty

Claroty xDome Secure Access is a CPS-specific product designed to operate in latency-conscious and low-bandwidth environments common in industrial settings. The product facilitates access for third-party vendors, partners and internal employees without requiring agents on the endpoint assets. Technical features include granular role-based access control (RBAC), “over-the-shoulder” session monitoring, and the ability to kill sessions instantly. The product integrates with Claroty’s xDome platform to utilize asset inventory data for policy enforcement. It supports on-premises and SaaS deployment models. The platform is built to support compliance with standards such as IEC 62443 and NERC-CIP through automated logging and audit trails.

Cyolo Security

Cyolo PRO (Privileged Remote Operations) operates on a “trustless” architecture where Cyolo Security does not store customer data, encryption keys, or passwords; these remain within the customer’s environment. The platform is designed for mass onboarding of third-party users and supports legacy applications (e.g., unpatched HMIs) without requiring infrastructure upgrades. Technical capabilities include real-time session recording, supervision, and identity verification that integrates with existing IdPs like Azure AD or Okta. Cyolo supports “agentless” connectivity for the end-user, facilitating access via a browser or lightweight client. The company offers flexible deployment options, including on-premises, private cloud, and air-gapped configurations.

Dispel

Dispel’s Zero Trust Engine utilizes a Moving Target Defense (MTD) approach that continuously rotates infrastructure components, such as IP addresses, to reduce the attack surface. The product provides a Tiered Connection Suite that includes Browser Connect, local application access, and disposable, non-persistent virtual desktops for vendor access; these environments are created on demand and destroyed after each session, preventing malware persistence. Dispel’s Wicket industrial gateways are deployed at the edge to manage connections from the DMZ without altering underlying CPS network configurations. The platform supports several compliance frameworks, including IEC 62443 and NIST SP 800-53. Dispel sells its product both directly and via channel partners, and it is also white-labeled by OEMs such as ABB and Mitsubishi Electric. Dispel offers cloud, on-premises and hybrid deployment models.

Palo Alto Networks

Palo Alto Networks’ CPS secure remote access product is offered through its Prisma Access and Next-Generation Firewall (NGFW) platforms. It supports VPN and browser-based access (Prisma Browser), least-privilege policy, just-in-time access and session recording. The product uses “App-ID” technology to inspect traffic at Layer 7 rather than simply tunneling packets, which allows the system to validate the applications and commands used. The platform integrates threat prevention capabilities such as sandboxing, intrusion prevention, URL filtering and DNS security to detect and block malware and traffic attempting to compromise the connection; these can be used to support secure file transfers into CPS environments. Palo Alto Networks offers cloud, on-premises and hybrid deployment models. In July 2025, Palo Alto Networks announced its intention to acquire CyberArk. Any impact on its position in this market is unknown at this stage.

Secomea A/S

Secomea’s remote access product comprises SiteManager gateways (hardware or software), LinkManager (the access client technicians use to connect), GateManager (the central M2M server that brokers the encrypted connection) and the Secomea Prime cloud platform. The product targets the CPS environments of global manufacturers for maintenance and diagnostics, and Secomea also embeds it into industrial equipment. Technical features include a purpose-built relay protocol that avoids the need for open inbound firewall ports and supports compliance with IEC 62443. The platform enables granular access to specific industrial components (e.g., PLCs, HMIs) while preventing access to the broader factory network. It includes session logging and audit trails. The product is primarily cloud-based or hybrid, facilitating rapid deployment for distributed field assets.

SSH Communications Security

SSH’s PrivX OT provides identity-based access to industrial systems without exposing passwords or creating standing privileges. It eliminates static credentials through a keyless and passwordless authentication model, and provides CPS access through centralized policies, strong authentication and just-in-time authorization, with support for native industrial protocols. PrivX OT brokers credentials transparently, eliminating the risks associated with shared accounts and hard-coded secrets common in OT environments. Sessions are encrypted, audited and time-limited, and the vendor states that connections are quantum-safe.

Tosi

Tosi (formerly Tosibox) offers a proprietary connectivity product involving physical or software “Tosi Gateways” (at the asset), physical “Tosi Keys” and software “Tosi Clients” (for the user) that automatically establish a secure VPN tunnel. A recent addition to the platform is “Tosi Insight” (advanced network traffic analytics), which provides CPS-specific traffic monitoring and anomaly detection. The architecture uses a point-to-point, AES-256 end-to-end encrypted VPN connection, minimizing third-party cloud data transit. Deployment is designed to be automated, without requiring advanced IT configuration. The product supports hybrid and cloud deployment of central components via “Tosi Hub,” but relies on physical or virtual “Tosi Gateways” for connectivity at remote sites. The entire platform is managed through “Tosi Control,” a cloud-based console.

WALLIX

While it is primarily an IT privileged access management (PAM) vendor, WALLIX also provides secure remote access with “PAM4OT,” a product emphasizing PAM adapted to industrial constraints. A core feature is “Universal Tunneling,” which encapsulates legacy industrial protocols within SSH or HTTPS tunnels to enable secure remote connection through a single port. The product includes session management, real-time monitoring and recording capabilities. The platform is certified by ANSSI (the French National Cybersecurity Agency). WALLIX supports cloud, on-premises and hybrid deployment models.

Waterfall Security Solutions

Waterfall’s new HERA (Hardware Enforced Remote Access) offering uses Unidirectional Gateways (data diodes) to physically prevent inbound network attacks. The system replicates the screen of the industrial asset to the remote user; only keyboard and mouse commands are sent back through a strictly controlled hardware interface, so remote access is possible without exposing the asset to inbound network connections. This “physics-based” approach ensures that no network packets can flow from the external user to the CPS network. HERA supports session recording, real-time moderation (allowing admins to terminate sessions), Trusted Platform Module (TPM)-based and software multifactor authentication (MFA), as well as multisite management. The product is deployed on-premises with physical hardware.

Xage Security

Xage Security employs a mesh “Fabric” architecture with a “no single point to hack” structure, which is designed to operate in “Denied, Disrupted, Intermittent, and Limited” (DDIL) environments. This allows the product to function without reliance on a centralized connection, making it suitable for infrastructure that requires continuous operation such as pipelines or energy grids. The platform offers identity-based access control to CPS assets, zero trust tunneling with multi-hop session termination for layered environments, network segmentation, and multi-party secure data exchange, which protects data transfer alongside access. Xage supports granular policy enforcement down to the asset level and provides privileged access management capabilities. Xage Security offers deployment models including cloud, on-premises, and hybrid.

Xona Systems

Xona Systems secures CPS access using distributed Critical System Gateways (CSG), centrally managed by Xona Central Manager (XCM), with Centralizer providing cross-deployment visibility and scalable governance. The clientless, browser-based architecture isolates critical assets through protocol isolation, eliminating direct network exposure and supporting legacy industrial systems without requiring VDI, jump servers, or network reconfiguration. The platform is optimized for low-bandwidth industrial operations; session control, video recording, MFA, and granular policy enforcement enable secure third-party and remote access aligned with IEC 62443 and NERC CIP requirements. Xona unifies governance for both remote and local access with Just-in-Time policies and centralized visibility. Deployment options include cloud, on-premises, hybrid, and air-gapped environments.

Zscaler

Zscaler provides access to CPS environments via its cloud-native “Zero Trust Exchange” platform. The product, Zscaler Private Access (ZPA), connects users directly to applications or assets rather than to the network, effectively making the underlying infrastructure invisible to the user. It enables third-party access through browser-based interfaces without requiring software agents on the vendor’s device. Key features include privileged remote access, app-to-user segmentation, and integration with the broader Zscaler security stack for threat inspection. It is available as SaaS, and ZPA Private Service Edges offer an on-premises, single-tenant broker option. Customer-deployed App Connectors are required with both options to secure remote access to CPS.

Market Recommendations


  • Audit for “shadow access” immediately: Do not assume your current inventory of remote connections is complete; “shadow access” is a critical blind spot where undocumented connections — often installed by OEMs to meet service-level agreements (SLAs) or by employees avoiding friction — bypass corporate firewalls. Actively deploy tools such as external attack surface management or CPS protection platforms capable of discovering these unmanaged connections, and integrate them into a centralized governance framework to close backdoors. This is operationally critical because managing a “multitude of products” pushed by different OEMs introduces inconsistent session-log schemas and varying encryption protocols, making incident response nearly impossible. With attacks leveraging CPS remote access vectors projected to grow, organizations must pivot to vendors that bundle access capabilities with asset discovery, so that these “shadow” pathways are inventoried before they are secured.
  • Replace VPNs, and extend IT-centric tools only with caution: Replace general-purpose VPNs and avoid extending IT-centric PAM tools into CPS environments without rigorous validation, as these traditional methods offer broad network access that lacks the contextual granularity required for mission-critical safety. Organizations must pivot from simple “secure connectivity” to “secure operations.” Prioritize platforms that offer deep protocol inspection to block unauthorized changes at the packet level. These products must be capable of parsing native industrial protocols (e.g., Modbus, Profinet, CIP) to distinguish between safe “read-only” diagnostic commands and dangerous “write” commands to PLCs. This level of granularity is essential to prevent the abuse of remote connections that can lead to severe real-world consequences, including environmental damage and operational failure, which legacy jump servers and VPNs cannot effectively mitigate.
  • Pay close attention to architecture decisions: Implement protocol and session termination at a centralized hardware or software gateway in the DMZ or lower levels to prevent direct network communication with protected CPS assets, such as PLCs, HMIs, and SCADA systems. By utilizing an agentless, reverse-proxy architecture, organizations can eliminate the operational risk of installing software on fragile legacy endpoints while ensuring that external users never establish a direct connection to the OT network. This gateway must support protocol-level granularity, capable of performing deep packet inspection (DPI) on native industrial protocols (e.g., Modbus, PROFINET, CIP) to enforce safety by distinguishing between harmless “read-only” diagnostics and potentially hazardous “write” commands.
  • Choose solutions that enhance secure and safe operations: Put production engineers’ operational needs ahead of products that focus solely on cybersecurity-related access management: mandate agentless architectures for legacy assets; enable “over-the-shoulder” supervision so that local operators can watch third-party vendors in real time and retain a “kill switch” to terminate connections instantly if safety is compromised; and eliminate standing privileges by adopting Just-in-Time (JIT) access. Avoid products that require inbound connections to be enabled.
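The second and third recommendations both turn on one capability: a gateway that terminates the industrial protocol and decides, per command, whether a remote session may forward it. The following is an added example, not code from the Gartner note or from any vendor listed above. It parses Modbus/TCP frames (MBAP header plus PDU, per the public Modbus specification), classifies the function code as read-only or write, rejects malformed or off-spec frames instead of forwarding them to a possibly fragile PLC, and emits one consistently shaped session-log record per decision. The role model (`SessionPolicy`, `allow_write`) and all sample frames are constructed for illustration and are assumptions, not captured traffic or any product’s data model.

```python
# Added example: Modbus/TCP read-vs-write policy check at a remote access gateway.
# Not from the Gartner note or any vendor; policy model and frames are assumptions.
import struct
from dataclasses import dataclass

# Public function codes from the Modbus Application Protocol specification.
READ_ONLY_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    7: "Read Exception Status",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",  # it writes, so it is treated as a write
}
# Spec maximum quantities for the block-read functions.
MAX_READ_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125}


class MalformedFrame(ValueError):
    """Raised when the MBAP header or PDU does not match the wire format."""


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


@dataclass
class SessionPolicy:
    """Per-session entitlement decided at connection time (assumed model)."""
    role: str
    allow_write: bool


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU; reject anything off-spec."""
    if len(frame) < 8:
        raise MalformedFrame("shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise MalformedFrame(f"protocol id {protocol_id} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise MalformedFrame(f"length field {length} != {len(frame) - 6} bytes present")
    return ModbusRequest(transaction_id, unit_id, frame[7], frame[8:])


def classify(request: ModbusRequest) -> str:
    if request.function_code in READ_ONLY_FUNCTIONS:
        return "read"
    if request.function_code in WRITE_FUNCTIONS:
        return "write"
    return "unknown"  # e.g. Diagnostics (8): not allowlisted, denied by default


def decide(frame: bytes, policy: SessionPolicy) -> dict:
    """Return one session-log record with a verdict; default is deny."""
    record = {"role": policy.role, "verdict": "deny", "function": None, "reason": ""}
    try:
        request = parse_modbus_tcp(frame)
    except MalformedFrame as exc:
        record["reason"] = f"malformed frame: {exc}"
        return record
    fc = request.function_code
    record["unit_id"] = request.unit_id
    record["transaction_id"] = request.transaction_id
    record["function"] = READ_ONLY_FUNCTIONS.get(fc) or WRITE_FUNCTIONS.get(fc) or f"fc {fc}"
    kind = classify(request)
    if kind == "read":
        if fc in MAX_READ_QUANTITY:
            if len(request.data) != 4:
                record["reason"] = "read PDU must carry start address and quantity"
                return record
            _start, quantity = struct.unpack(">HH", request.data)
            if not 1 <= quantity <= MAX_READ_QUANTITY[fc]:
                record["reason"] = f"quantity {quantity} outside 1..{MAX_READ_QUANTITY[fc]}"
                return record
        record["verdict"], record["reason"] = "allow", "read-only diagnostic command"
    elif kind == "write" and policy.allow_write:
        record["verdict"], record["reason"] = "allow", "write permitted for this session"
    elif kind == "write":
        record["reason"] = "write command not permitted for role"
    else:
        record["reason"] = "function code not allowlisted"
    return record


# Constructed sample frames (not captured traffic): MBAP header, then PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")    # read 10 registers from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00FF")    # write 0x00FF to register 16
WRITE_MULTI = bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0001 0002")
TRUNCATED = bytes.fromhex("0004 0000 0006 01 06 0010")            # length says 6, only 4 follow
OVERSIZED_READ = bytes.fromhex("0005 0000 0006 01 03 0000 00C8")  # 200 registers > 125 limit
DIAGNOSTICS = bytes.fromhex("0006 0000 0006 01 08 0001 0000")     # fc 8 is not allowlisted

if __name__ == "__main__":
    diag = SessionPolicy("diagnostic", allow_write=False)
    for name in ("READ_HOLDING", "WRITE_SINGLE", "WRITE_MULTI", "TRUNCATED",
                 "OVERSIZED_READ", "DIAGNOSTICS"):
        print(name, decide(globals()[name], diag))
    print("WRITE_SINGLE/maintenance", decide(WRITE_SINGLE, SessionPolicy("maintenance", True)))
```

Under the `diagnostic` role only the well-formed register read is forwarded; every write, the truncated frame, the oversized read and the non-allowlisted Diagnostics request are denied and logged in the same record shape. Granting `allow_write` to a `maintenance` session is the Just-in-Time step: the entitlement is attached to one session rather than standing on the account, and the log record still names the exact function that was permitted.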

Note 1: Gartner’s Initial Market Coverage


This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market and market dynamics.