1. Summary
The convergence of operational technology (OT) and information technology (IT) brings both benefits and risks. Industrial plants and systems are designed for long service lives, and retrofitting so-called brownfield plants carries major security risks in the digital transformation. Connecting these legacy facilities to large numbers of new devices, sensors, measuring stations, manufacturing robots, and plants that run predominantly proprietary software and protocols is difficult to secure and exposes existing assets to a variety of new threats. As data is increasingly processed in on-premises and cloud environments, perimeters are blurring, and vulnerabilities that were previously negligible can now be exploited for an attack.
Industries such as manufacturing, logistics, energy and utilities, automotive, healthcare, and agriculture are becoming highly vulnerable to cyberattacks and, with that, an attractive target for cybercriminals. Outages or production downtime caused by compromised software, data, or communication channels cause major economic and material damage. Attacks on critical infrastructure (such as energy and water supply, transportation, healthcare, and telecommunications) threaten public safety.
The number of open ports in industrial internet of things (IIoT) environments is alarming. So is the prevalence of outdated firmware and code libraries, unrestricted access rights, and weak authentication based on shared or default passwords. Visibility is therefore the most important tool in the fight for effective security: you can only protect what you know about. Security solutions should be implemented as an additional, preferably transparent, layer.
A now-common approach is to prohibit everything first and allow exceptions based on a combination of rule sets, predefined roles, specific device characteristics, and other guidelines. The network's behavior is monitored and re-evaluated continuously so that changes in the behavior of people, hosts, machines, or network devices are detected at an early stage. This makes it harder for attackers to exploit unknown vulnerabilities in so-called zero-day attacks. With next-generation firewall technology it also becomes possible to apply a more granular zero trust approach (including at layer 7), which restricts network access to just the industrial protocols and applications needed for business use, protects against insiders, and reduces the number of exposed ports. The prerequisite for comprehensive network security is an initial inventory of all users, devices, applications, processes, and services, together with their privileges, and documentation of all access paths and accounts for users, administrators, and external parties. After the initial recording, the inventory becomes part of security management as an ongoing process.
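As an added illustration of the default-deny approach described above (example code written for this page, not from the report or any vendor it covers), the following Python sketch evaluates constructed OT flow records against an allowlist keyed on device role, destination port, protocol and Modbus/TCP function code, denies anything not covered, and separately flags flows whose communication relationship never appeared during a learning window. The inventory, the policy rules, the addresses and the flow records are all constructed sample data; only the Modbus function codes come from the public protocol specification.

```python
"""Default-deny allowlist for OT flows with layer-7 (Modbus/TCP) awareness.

Added example for this page, not code from the report or any vendor in it.
Inventory, policy rules, addresses and flow records are constructed samples.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Modbus/TCP function codes from the public protocol specification.
MODBUS_READ_FCS = frozenset({1, 2, 3, 4})       # read coils / inputs / registers
MODBUS_WRITE_FCS = frozenset({5, 6, 15, 16})    # write coils / registers
MODBUS_DIAG_FCS = frozenset({8})                # diagnostics (sub-functions can reset a device)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str                 # "modbus", "ssh", "https", ...
    fc: Optional[int] = None   # Modbus function code when proto == "modbus"


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    dport: int
    proto: str
    fcs: FrozenSet[int] = frozenset()   # empty: any function code


# Constructed inventory: address -> role. Anything not listed is denied outright.
INVENTORY = {
    "10.0.10.5": "hmi",
    "10.0.10.6": "engineering-ws",
    "10.0.20.11": "plc",
    "10.0.20.12": "plc",
}

# Constructed policy: only the industrial traffic the process needs.
# The HMI may read and write; the engineering workstation is read-only.
POLICY = [
    Rule("hmi", "plc", 502, "modbus", MODBUS_READ_FCS | MODBUS_WRITE_FCS),
    Rule("engineering-ws", "plc", 502, "modbus", MODBUS_READ_FCS),
]


def evaluate(flow: Flow, inventory=INVENTORY, policy=POLICY) -> Tuple[str, str]:
    """Return (verdict, reason). Anything not explicitly allowed is denied."""
    src_role = inventory.get(flow.src)
    dst_role = inventory.get(flow.dst)
    if src_role is None or dst_role is None:
        unknown = flow.src if src_role is None else flow.dst
        return "deny", f"unknown device {unknown}"
    for rule in policy:
        if (rule.src_role, rule.dst_role, rule.dport, rule.proto) != (
            src_role, dst_role, flow.dport, flow.proto
        ):
            continue
        if rule.fcs and flow.fc not in rule.fcs:
            return "deny", f"{src_role} may not use Modbus FC {flow.fc} on {dst_role}"
        return "allow", f"{src_role} -> {dst_role} {flow.proto}/{flow.dport}"
    return "deny", f"no rule for {src_role} -> {dst_role} {flow.proto}/{flow.dport}"


def audit(flows: List[Flow], inventory=INVENTORY, policy=POLICY) -> List[Tuple[str, str]]:
    """Evaluate a batch of flows in order."""
    return [evaluate(f, inventory, policy) for f in flows]


def baseline_deviations(learning: List[Flow], observed: List[Flow]) -> List[Flow]:
    """Flows whose (src, dst, proto, fc) relationship never appeared while learning.

    OT traffic is highly repetitive, so an allowed-but-new relationship still
    deserves an alert: it may be a misconfiguration or an attacker who stays
    inside the policy.
    """
    seen = {(f.src, f.dst, f.proto, f.fc) for f in learning}
    return [f for f in observed if (f.src, f.dst, f.proto, f.fc) not in seen]


# Constructed flow records (e.g. parsed from a mirror-port capture).
SAMPLE_FLOWS = [
    Flow("10.0.10.5", "10.0.20.11", 502, "modbus", fc=3),    # HMI reads registers
    Flow("10.0.10.5", "10.0.20.11", 502, "modbus", fc=16),   # HMI writes registers
    Flow("10.0.10.6", "10.0.20.12", 502, "modbus", fc=6),    # engineering WS writes: read-only role
    Flow("10.0.10.6", "10.0.20.12", 502, "modbus", fc=8),    # diagnostics: never allowed here
    Flow("10.0.10.5", "10.0.20.12", 22, "ssh"),              # SSH to a PLC: no rule
    Flow("10.0.30.99", "10.0.20.11", 502, "modbus", fc=3),   # talker missing from inventory
]

if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{verdict:5s} {flow.src} -> {flow.dst}: {reason}")
    for flow in baseline_deviations(SAMPLE_FLOWS[:2], SAMPLE_FLOWS):
        print(f"new   {flow.src} -> {flow.dst} {flow.proto} fc={flow.fc}")
```

The two checks deliberately stay separate: the policy answers "is this permitted at all", while the baseline answers "have we seen this relationship before". A device missing from the inventory is denied before any rule is consulted, which is the practical consequence of the inventory-first principle stated above.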
Compatibility with existing solutions matters, and not only for reasons of investment protection. IIoT security solution providers must cover not just the IT part of the network but also OT devices, protocols, and services. OT already has its own monitoring and security information and event management (SIEM) applications, so integration with the IT side, with its firewalls and its various security orchestration, automation, and response (SOAR) solutions, must also be ensured. Furthermore, IIoT security solutions should be able to verify compliance with standards in both IP and industrial networks. For details, please see the report “Key Criteria for Evaluating Industrial IoT (IIoT) Security Solutions.”
In conclusion, we find that full protection of complex and often hybrid industrial IoT landscapes cannot be achieved with a single product. It requires a comprehensive portfolio and multilayered security approaches, and the greatest possible protection is reached only with both vendor and technology redundancy. Nevertheless, the main focus of this report is on maximum visibility and threat detection in IIoT environments.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.
2. Market Categories and Deployment Types
For a better understanding of the market and vendor positioning (Table 1), we assess how well solutions for IIoT security are positioned to serve specific market segments.
- Small-to-medium business (SMB): In this category we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises, where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
- Large enterprise: Here offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category will have a strong focus on flexibility, performance, data services, and features that improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.
- Manufacturers: Some IIoT solution providers work directly with vendors of industrial equipment and manufacturing machinery. This makes life easier for users, because the security of the equipment is monitored and guaranteed by the equipment vendor. It also limits choice, however, and increases complexity if additional, separate solutions are installed later. The approach is nevertheless ideal for smaller companies or less security-savvy users.
- Managed or cloud service providers (MSP/CSP)/system integrators (SI): Some solutions mandate the involvement of service or integration partners. This requirement increases supply chain complexity and can easily lead to finger pointing. Nevertheless, for many users, being able to rely on existing expertise and knowledge is a good way to go. Especially in production plants, the focus is often more on safety than IT security.
- Industries: Different industries have different requirements, and so some suppliers have specialized in specific areas of application. It is particularly important in critical infrastructure (CRITIS) environments to pay attention to appropriate expertise and suitable certifications.
In addition, we recognize several deployment models for solutions in this report:
- Physical appliance (on-premises): This is the most traditional form, where the manufacturer supplies hardware pre-installed with its software.
- Public cloud service (SaaS): These solutions are available only in the cloud and are typically designed, deployed, and managed by the service provider; sometimes availability is limited to one or a few specific cloud providers. The advantage of this type of solution is its simplicity and its integration with other services offered by the same cloud provider (functions, for example). The same property is often a disadvantage, since services from other third-party providers are not supported.
- Software/virtual machines: Here we include virtual machine images as well as cloud images and ready-to-deploy containers. In our expert opinion, virtualization and cloud computing will completely replace classic appliances in the short term. In the long term, it will even come down to pure SaaS or platform offerings.
Table 1. Vendor Positioning
The first five columns are market segments; the last three are deployment models. Ratings in the source are rendered as icons, keyed to the legend below the table.

| Vendor | SMB | Large Enterprises | Manufacturers | MSP/CSP/SI | Industries | Physical Appliance (On-Premises) | Public-Cloud Service (SaaS) | Software/Virtual Machine |
|---|---|---|---|---|---|---|---|---|
| Armis | | | | | | | | |
| Claroty | | | | | | | | |
| Darktrace | | | | | | | | |
| Dragos | | | | | | | | |
| Microsoft | | | | | | | | |
| Nozomi Networks | | | | | | | | |
| OTORIO | | | | | | | | |
| Palo Alto Networks | | | | | | | | |
| Rhebo | | | | | | | | |
| SCADAfence | | | | | | | | |
| Shield IoT | | | | | | | | |
| Tenable.OT | | | | | | | | |
| Trend Micro | | | | | | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
3. Key Criteria Comparison
Building on the findings from the GigaOm report, “Key Criteria for Evaluating Industrial IoT (IIoT) Security Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.
Table 2. Key Criteria Comparison
Ratings in the source are rendered as icons, keyed to the legend below the table.

| Vendor | Deep Packet Inspection | Vulnerability Assessment | Supports Longer Lifecycles | Interoperability | Analytics | Microsegmentation | Automation |
|---|---|---|---|---|---|---|---|
| Armis | | | | | | | |
| Claroty | | | | | | | |
| Darktrace | | | | | | | |
| Dragos | | | | | | | |
| Microsoft | | | | | | | |
| Nozomi Networks | | | | | | | |
| OTORIO | | | | | | | |
| Palo Alto Networks | | | | | | | |
| Rhebo | | | | | | | |
| SCADAfence | | | | | | | |
| Shield IoT | | | | | | | |
| Tenable.OT | | | | | | | |
| Trend Micro | | | | | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Table 3. Evaluation Metrics Comparison
Ratings in the source are rendered as icons, keyed to the legend below the table.

| Vendor | Licenses in Use | Scalability | TCO & ROI | Usability | SLA | Documentation & Onboarding | Implementation |
|---|---|---|---|---|---|---|---|
| Armis | | | | | | | |
| Claroty | | | | | | | |
| Darktrace | | | | | | | |
| Dragos | | | | | | | |
| Microsoft | | | | | | | |
| Nozomi Networks | | | | | | | |
| OTORIO | | | | | | | |
| Palo Alto Networks | | | | | | | |
| Rhebo | | | | | | | |
| SCADAfence | | | | | | | |
| Shield IoT | | | | | | | |
| Tenable.OT | | | | | | | |
| Trend Micro | | | | | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Almost all of the vendors listed in the report rank similarly in protection against zero-day attacks, vulnerability assessment, and the fields of artificial intelligence (AI) and analytics. This shows that all vendors have recognized the importance of these areas of functionality. At the same time, however, there are major differences in the areas of zero-trust network access (ZTNA) and microsegmentation, as well as in the use of graphs and interoperability (integrations) (Table 4).
Table 4. IIoT Security Capabilities Comparison
Ratings in the source are rendered as icons, keyed to the legend below the table.

| Vendor | Real-Time Monitoring | Zero-Trust Network Access | Graphs |
|---|---|---|---|
| Armis | | | |
| Claroty | | | |
| Darktrace | | | |
| Dragos | | | |
| Microsoft | | | |
| Nozomi Networks | | | |
| OTORIO | | | |
| Palo Alto Networks | | | |
| Rhebo | | | |
| SCADAfence | | | |
| Shield IoT | | | |
| Tenable.OT | | | |
| Trend Micro | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
On a positive note, we noticed that all vendors are focusing increasingly on behavioral analytics and machine learning (ML). A ZTNA architecture, which builds on behavioral analysis alongside a role- and rights-based access model, can largely substitute for conventional network segmentation. In addition, we looked at each vendor's support for long product life cycles and its ability to provide real-time analytics; fortunately, most of the companies we looked at offer the latter.
In many cases, however, users still require additional solutions from other manufacturers, increasing complexity. Only a few vendors offer deep packet inspection (DPI) and more extensive next-generation firewall functionality in their portfolios or roadmaps. We don’t see this directly as a disadvantage. Vendor and technology redundancies increase enterprise resilience. Also, a best-of-breed approach is not wrong for an optimal security level. Many enterprise users already leverage extended detection and response (XDR), SIEM, and/or network firewall solutions, making the ability to integrate IIoT security solutions into existing IT services landscapes all the more important.
Technologically, modern offerings differ only marginally. The continuous expansion and further development of solutions is happening so quickly that users have to evaluate very carefully which provider best suits their requirements. Companies that use only one type of control, and perhaps a classic SIEM, do not need 100 or more integrations; here, attention should be paid to OT expertise instead. Companies with no IT staff of their own, or only a small team, should prefer SaaS offerings or at least look for vendors with a large service network and extensive service level agreements. For some, telephone support on working days may be enough, while others already rely on ChatOps or at least need a ServiceNow connection. Usability, clean and lightweight user interfaces (GUIs), and a high degree of automation help organizations avoid configuration and other errors. There are major differences in quality and performance, especially when it comes to service level agreements (SLAs), expertise, and onboarding.
Those planning for the long term should pay attention to cloud capability and the technology used. Graphs offer dynamic, deep insights into network events and visualize hidden communication relationships as well. Digital twins not only allow breach and attack simulations or predictions but are also suitable for vulnerability assessments, diagnosis, and troubleshooting.
By combining the information provided in the tables above, users can develop a better understanding of the technical solutions available on the market. This helps users not only to ask the right questions in the evaluation process but also to select the appropriate solution. The single, perfect, one-size-fits-all solution does not exist; not least because every business case is unique.
4. GigaOm Radar
This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for IIoT Security Solutions
As you can see in the Radar chart in Figure 1, we did not consider vendors that concentrate exclusively on device security or access control. Some of the solutions we looked at do have that in their portfolio. This is reflected in their positioning as Platform providers. Moreover, with this Radar report, we wanted to focus on IIoT security solution offerings that are already top players in the market, have a reputation among users, or are promising new vendors. As a result, more than half of the solutions considered qualified as Leaders or were well on their way to becoming one.
The solutions of two newer market participants stand out. Both Nozomi Networks and OTORIO impress with innovative technology and a well-thought-out approach. Of the vendors in the Leader circle, only SCADAfence keeps up with them.
All the other providers are engaged in product or platform enhancement. Among the vendors in the upper half of the Radar, we currently see little innovation. Sometimes, the existing IT solutions are supplemented by an OT part and enriched with AI. In the case of Rhebo and Darktrace, we had the impression that while the existing platform is continuously being developed, little innovation is being added.
Of course, products and platforms also need time to establish themselves and mature. We therefore see Dragos as a promising candidate on the way to becoming an innovative platform provider in the mid-term. We consider Tenable a new player following its acquisition of Indegy; its trajectory in this market remains to be seen. During our research for this report, new solutions were emerging on the horizon, including IoTsTrust from Red Alert Labs and solutions from Ondeso and Sequitur Labs. Darktrace, Claroty, and Palo Alto Networks seem to have lost momentum.
With a few exceptions, all the solutions we’re looking at are positioned more as Platforms than Feature-Play products. Trend Micro’s position stems from our impression that its IIoT security solution does not fit in very well with the rest of its portfolio. In this regard, Microsoft in particular provides objective value. Rhebo occupies a unique position in this Radar. Although we have placed it in the top left quadrant, this provider should not be underestimated and is a valuable addition to existing OT security platforms. Rhebo combines both worlds like no other with its technologically high-quality core. It’s only because Rhebo focuses exclusively on its core business and tends to rely on joint ventures or strategic partners that we see it more in the left half of the Radar.
In addition to hard facts such as the number of integrations and technology used, subjective impressions of the platform as well as reviews from users also influenced our evaluation of the individual providers.
In terms of new purchases, vendors in the lower right quadrant are more future-proof and promise a fast or effective ROI. Nevertheless, we see a lot of potential for every individual vendor appearing in this Radar report. The market is in a rapid state of motion, not least due to the progressing digitalization of the industry and the increasing interconnectedness of devices.
Emerging technologies such as digital twinning are on the radar of several vendors. Here, too, we expect more from the individual market participants in the short term. Almost all of them have some catching up to do in automation as a basis for autonomous factories. Providers who entered the field of IIoT later have a clear advantage here, as you can see from the example of OTORIO. Nozomi Networks is another unique case; it’s listed as a strategic partner by other IIoT security solution providers. For example, Tempered, which specializes in microsegmentation and secure remote access, relies on Nozomi Networks for threat detection.
Additionally, we expect more acquisitions soon. Tenable’s acquisition of Indegy was just the beginning of more consolidation and a prelude to the exits we expect to see.
Inside the GigaOm Radar
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
5. Vendor Insights
Armis
Founded in 2015, Armis is one of the newer players in the IIoT security market. The vendor ranks high on our vulnerability assessment and analytics key criteria, specializing in identifying vulnerable or compromised devices in OT networks and offering impressive analytical capabilities. Continuous behavioral analysis detects new and unknown threats early. Customers receive clear instructions for action and help in finding a strategy. Customers especially praise the handling of unmanaged devices. However, we see the potential for improvement in asset discovery and inventory.
Armis is a cloud-based SaaS platform. The modern GUI impresses with structure and minimalism. Information is easy to grasp and clearly presented. The visual language of the menu may not be as intuitive for new customers. Documentation and onboarding are exemplary, and it received a high score for this evaluation metric.
The vendor excels in identifying new and sophisticated attack scenarios. Compliance is ensured by integrating relevant frameworks such as NIST or MITRE ATT&CK for ICS, among others. Playbooks provide clear instructions for fixing vulnerabilities and dealing with unmanaged devices.
Armis does not segment itself. It needs integration in existing infrastructure. Armis can generate automated segmentation policies based on the attributes and contextual behavior of devices on the network. These policies, such as blocking a connection or quarantining a device, are enforced as they integrate with existing infrastructure components such as NAC, switches, or firewalls.
That said, Armis has significant room for improvement in integrations, which contributes to its low score for the interoperability key criterion. The only supported firewalls are those from Cisco, Palo Alto Networks, and Check Point. Since the Armis platform is a passive solution that depends on other components for enforcement, this is a clear disadvantage. Additionally, the vendor's website does not list any integrations or adapters for network access control, making it difficult for prospective customers to evaluate the vendor in these areas.
Armis has a strong focus on healthcare, manufacturing, and the public sector. From our point of view, the product complements existing IoT security solutions. Interested parties should definitely take a look at the list of integrations and do a proof of concept (PoC).
Strengths: Armis excels in vulnerability assessment and threat detection.
Challenges: Armis is a passive solution that requires additional third-party security solutions for enforcement, yet its integrations need improvement.
Claroty (The Claroty Platform)
Founded in 2015, Claroty’s list of investors includes well-known industry giants such as BMW i Ventures, LG, Schneider Electric, Rockwell Automation, and Siemens.
The Claroty Platform rests on two fundamental solutions: Continuous Threat Detection (CTD) and Secure Remote Access (SRA). CTD collects asset information and related data, analyzes it, and detects vulnerabilities, attacks, and the like; new assets are meant to be detected automatically. Detection runs on-premises, and the enriched data can be passed to an external SIEM. With CTD.live, Claroty also offers its own SaaS platform, and there are new possibilities for segmentation (virtual zones). In combination with CTD.live, SRA offers secure access to industrial networks for tasks such as remote maintenance and remote auditing, or, in conjunction with Claroty CTD, remote incident response.
Claroty Edge is a self-contained executable that can run on any Windows machine to detect devices and services in its network neighborhood. The depth and scope of the information collected is impressive: identified weaknesses are analyzed and rated, and administrators are given instructions for fixing them. Claroty Edge is a positive addition to the company's portfolio, although it falls short of its promise of a “zero infrastructure” approach. Claroty promises that users won't have to install anything, but this is not entirely true, because code must be executed on a device inside the network to discover its neighbors. In particularly restrictive environments this will not be possible, and running additional code introduces its own security risk. That may not be tragic in smart services or consumer IoT, but in OT we consider it a risk worth weighing.
With its own research team, Claroty continuously evaluates potential vulnerabilities and attack vectors, thus improving the quality of its own products and the security of the industrial assets within its customers’ environments. With Claroty Edge, newcomers in particular get a simple product that delivers an overview of their assets and potential attack surfaces.
In customer reviews, users report that assets were not recognized or not recognized correctly during asset discovery and inventory. Claroty received a low score for the SLA evaluation metric. Users see the potential for improvement in both the quality and response times of the provider. On the other hand, the solution has impressive integrations, as many modern low/no-code platforms are represented.
Claroty does have noteworthy strength in securing remote connectivity; however, that’s not covered in this report. But this is particularly important for remote maintenance access to facilities and devices in the OT, which always pose a particularly high risk.
Strengths: Claroty’s strengths are its risk assessment and securing of remote access, especially for external parties.
Challenges: Claroty has struggled especially in inventory, usability, documentation, and support capabilities.
Darktrace (Industrial Immune System/Cyber AI Analyst/Antigena)
Founded in 2013, Darktrace belongs to the group of established players. The company is headquartered in Cambridge, U.K., and listed on the London Stock Exchange. Darktrace was one of the first providers to recognize the potential of AI for IT and network security, launching its Industrial Immune System in 2014. The solution consists of three closely interlinked modules:
- Industrial Immune System detects attacks.
- Antigena executes autonomous responses to attacks and threats.
- Cyber AI Analyst is the foundation for investigation and reporting.
Industrial Immune System is well developed and robust. In reviews, customers praise the solution’s excellent inventory results. The continuous enhancement of the platform takes into account changes in the threat landscape in a timely manner. In terms of stability, threat detection, and risk and vulnerability assessment, customers can expect a highly reliable product. Vulnerability management, in particular, is among the most trustworthy of the solutions we looked at. This is reflected in its high score for this key criterion.
Darktrace's AI uses behavioral analytics and deep learning to detect deviations from learned normal behavior. Behavior is detected and classified automatically by the ML algorithm, so even small anomalies surface, which makes the platform highly accurate. Based on many years of deployments across a wide range of industries, Darktrace has a sizeable, heterogeneous pool of information on a wide range of devices and services.
In complex systems, the sheer number of alarms and messages can lead to confusion. Antigena’s intelligent autonomous response platform continuously scans the entire network on-premises and in public-cloud environments, including SaaS platforms, for deviations or vulnerabilities. When deviations occur, Darktrace can automatically trigger actions. Available actions include quarantining suspicious network objects for further investigation and analysis, disrupting data flows, disabling compromised devices (shutdown mode), deleting malicious code, or removing malware before it causes any damage.
The high quality of the platform’s analytics capabilities is the basis for Antigena’s ability to respond autonomously to attacks or threats. Automation reduces complexity, which in turn improves usability and user experience (UX). Enterprises can respond to threats earlier and faster, avoiding errors and increasing their resilience and security. Usability is better than in other products available on the market, which is reflected in its high score for this evaluation metric.
However, Darktrace has no firewall functions or access management capabilities of its own. Consequently, its platform can only supplement existing SSA or firewall solutions and cannot serve as a standalone system, which makes the ability to integrate into existing IT service landscapes all the more important. Darktrace has fewer integrations than the Leaders do, so its interoperability is limited, although it integrates natively with Palo Alto Networks, Cisco, Fortinet, Juniper Networks, and Check Point. Like many other solutions, Darktrace does not analyze data streams inline in real time. This mode of operation introduces a delay in the response chain, even if a small one.
Darktrace is among the first vendors to use graphs to visualize communication relationships, contributing to its high score for usability. Graphs can be used to detect and map network connections at a depth that no other technology currently offers.
Darktrace’s recent acquisition of Cybersprint adds global attack surface mapping capabilities to its platform, and together with its capability for internal attack path modeling, attack chains can be traced end-to-end. Darktrace does not use digital twinning technology.
Darktrace has its origins in the corporate environment, so it is positioned as a Challenger on the edge of becoming a leader in this space. It’s recognized as a renowned vendor in many areas of IT security and a trusted partner for industrial companies.
Strengths: Darktrace has great experience in leveraging AI and ML techniques. The solution is robust and reliable. The inventory is one of the best IIoT security solutions we considered. The platform offers very good and reliable vulnerability management and provides excellent usability.
Challenges: Darktrace has no firewall functionality and depends on third-party providers. Evaluation and analysis don’t take place inline, and therefore, not in real time. The delay—even if only marginal—can nevertheless give attackers a valuable head start. In terms of interoperability, Darktrace is in the middle of the field.
Dragos
Founded in 2016, Dragos is among the newer players in this space. The vendor received impressive funding of more than $350 million. Its investors include BlackRock, Koch Disruptive Technologies, and Hewlett Packard Enterprise (HPE).
Dragos scored high on the vulnerability assessment key criterion for its ability to reliably discover and visualize assets, track communication relationships in OT networks, and manage vulnerabilities. Continuous behavioral analysis detects threats at an early stage of the cyber kill chain. Insights from the company's own threat intelligence team continuously update indicators of compromise (IoCs) and TTPs and add and refine vulnerability data. Frameworks such as MITRE ATT&CK for ICS help rank and prioritize threats and vulnerabilities. The platform provides concrete guidance for action and curated playbooks to eliminate vulnerabilities or reduce the attack surface, and Dragos offers alternative mitigations where, for example, patches or updates are not possible or not desired.
Dragos excels with its simple implementation and ranks high on the interoperability key criteria. The platform offers an impressive number of integrations and supports a wide range of industry standards, applications, and protocols. The visualization of the network and its participants is one of the best solutions we considered, contributing to a high score for the usability evaluation metric.
The management interface is clean, and information is easy to acquire, but user experience has room for improvement as operating the system is not always intuitive. A split view makes it possible to work in two views in parallel. However, depending on the view chosen, the menu wanders from the left to the right to the middle and can complicate navigation.
Dragos scored high on the SLA evaluation metric, offering comprehensive support and service levels, including expert services such as OT security assessments, risk management analysis, threat hunting, and incident response (either through retainers or upon request). The platform is available as a hardware appliance, a virtual machine, or in the cloud. Customers can operate it themselves, or choose the OT Watch managed service for expert monitoring, vulnerability management, triage, and incident investigation.
The most notable feature of the Dragos platform is its playbooks. Users not only receive straightforward, explicit instructions, but the vendor always offers alternative solutions as well. All playbooks are manually curated. This is especially useful in OT environments, where patches or configuration changes are not always possible or wanted. This functionality primarily increases security and reduces the burden on operations teams, but it also improves usability and increases ROI.
As a passive solution, the platform relies on third-party offerings for enforcement. That said, the range of integrations is quite impressive. Strategic partnerships like the one with Juniper Networks make the solution highly attractive. It should be noted, however, that Dragos requires port mirroring for traffic analysis in its platform. Users should check beforehand whether their network infrastructure can handle port mirroring or whether new switches and routers must be purchased. Port mirroring (SPAN) also has a practical limit: when the mirrored traffic exceeds the capacity of the monitor port, switches silently drop mirrored packets, so a sensor can miss exactly the bursts that matter; a network TAP avoids this but is an additional purchase.
Neighborhood Keeper is a free opt-in solution for Dragos platform customers. It allows participating companies to anonymously provide and retrieve data for global and cross-industry threat intelligence. We already know of this approach from IT security solutions. Large providers of cloud-based IT security solutions have been using their global knowledge of vulnerabilities and threats in conjunction with AI-based predictive analytics as an advantage for their customers for some time.
Strengths: Dragos excels in the areas of asset discovery and inventory, threat detection, and vulnerability management. Action instructions and playbooks are notable features. Despite needing some UX improvements, the split view is a very useful feature.
Challenges: Dragos offers a passive solution. Customers need third-party products for network security and firewall functionality. Traffic needs to be mirrored for monitoring and analysis. The GUI is not always intuitive, and the wandering menu can confuse.
Microsoft Defender for IoT
Microsoft has one of the most comprehensive portfolios among the vendors in this report. Defender for IoT complements the vendor’s broad range of IT services and solutions and is ideal for anyone who likes to have everything from a single source. Defender for IoT integrates perfectly into the company’s own portfolio. However, the solution received a low score for integration with third-party platforms. The vendor offers alarm information forwarding and utilizes ClearPass for network access control and policy management. The detailed, high-quality manual is worth mentioning here and is also reflected in the scoring.
Microsoft Defender for IoT can be deployed on-premises or via the cloud. This makes it extremely scalable—receiving a high score for this evaluation metric—flexible, powerful, and highly performant. Users praise its ease of use. Microsoft also offers valuable resources for documentation and onboarding. Simple licensing models at moderate prices make the solution a contender for SMBs. With its global footprint and vast partner network, Microsoft Defender for IoT would be a good fit for those without in-house IT expertise.
Assets and traffic are monitored in real time, and the solution received a high score for this evaluation metric. The solution stands out in inventory but remains in the middle of the field in recognition of industrial protocols and standards. More than 130 protocols are supported, including vendor-specific IoT protocols and open standards such as IEC, ISO, and OPC. Nevertheless, some important industrial automation communication protocols are missing, making it less suitable for brownfield environments. Additional protocols can be supported via the Horizon SDK; however, using development kits or programming interfaces requires a high level of technical expertise. As a result, vulnerability management and threat detection are not as good as with OT-focused vendors that support these protocols natively. Microsoft provides all essential security components, including behavioral analysis, firewall, secure user and access management, microsegmentation, SOAR/XDR, and so on. With its cloud-based AI and ML power, Microsoft provides fast, high-quality analyses. OT-specific SOAR playbooks enable less experienced operators of IIoT infrastructure to automate remediation of OT threats.
For prospective buyers wary of “vendor lock-in,” Microsoft is the vendor with the highest lock-in potential. As tempting as the “everything from a single source” approach may be, dependence on just one provider is also dangerous. This applies both economically and, above all, technologically.
Microsoft Defender for IoT did not receive a high score for the microsegmentation key criterion. It also received a low score for the DPI key criterion, and users report deficiencies in this area. Defender for IoT combines layer 7 DPI with finite state machine (FSM) modeling, in which each protocol session is tracked against a model of its legitimate states and transitions rather than matched against signatures alone. This is a different approach than traditional DPI. Given the ever-evolving threat landscape, it can be used, for example, to detect fileless malware, which leaves no file for a signature to match. The technology came primarily from the acquisition of CyberX, a startup focused on IoT and network security for large industrial enterprises.
Microsoft is one of two vendors in this report that has already integrated digital twins into its solutions.
Strengths: Microsoft’s strengths are the discovery of assets and inventory. SMBs benefit from simple subscription models. Microsoft provides a strong global partner network and outstanding support and onboarding capabilities. Microsoft Defender for IoT fits seamlessly into the software giant’s product portfolio and is a useful addition to its other security and business products.
Challenges: The solution is not well suited for brownfield industrial plants or critical infrastructure. Threat and vulnerability detection for OT can be improved. The level of protection for proprietary industrial landscapes and the number of integrations are lower than comparable IIoT security solutions.
Nozomi Networks (Guardian/Vantage)
Nozomi Networks was founded in 2013 and is privately held, with its headquarters in San Francisco. Nozomi Networks focuses on building automation, critical infrastructure (electric utilities, gas, and oil), government agencies, manufacturing, healthcare, and transportation and logistics. Nozomi Networks has become a strategic partner of major suppliers such as Tempered (a market leader in ZTNA for critical infrastructure), to add network visibility and threat detection capabilities, and OTORIO (a provider of SIEM and SOAR solutions for OT networks), to correlate asset data and events for early detection of security incidents.
The platform includes the Vantage and Guardian modules as well as its Central Management Console. Like other market competitors, the company operates its own lab with its own cyberthreat intelligence and asset intelligence services. Data is collected via smart polling and remote collectors. The solution consists of hardware and software and can be transparently inserted into existing networks at the switching layer (layer 2). The costs for hardware and software are separate. This makes the solution more flexible for changing requirements.
The solution received a high score for the documentation and onboarding evaluation metric. Nozomi Networks is one of the few providers that offer extensive video tutorials and live training in addition to detailed documentation.
The graphical user interface is very well thought out and clean, and the user experience (UX) is among the best of the platforms evaluated for this Radar. Nevertheless, it did not receive the highest score for usability because users report difficulties with integration using standard APIs and tools. This is somewhat offset by customer support, which is one of the best-rated by the community.
The solution has been designed especially for OT and ICS landscapes. It provides excellent threat detection and response, vulnerability assessment, and risk management for OT assets, including those deployed in IT environments, and users report fewer false positives than with other solutions they have assessed. The solution detects threats independently and integrates with all major legacy IoT monitoring and SIEM solutions, leading to a good score for the interoperability key criterion. Integrated user and access management is not part of the functionality but is compensated for by integrations and strategic partnerships.
With deep packet inspection, compromised files and malicious applications can be recognized. AI is at the heart of Nozomi Networks’ solution. The asset inventory is continuously updated based on the traffic. New network objects can be recognized in detail and processed automatically. The Nozomi Networks platform does a good job detecting and correctly assigning devices in inventory.
Nozomi Networks offers the option to add threat intelligence as a service. This option gives users regular updates with enriched data on the current threat landscape. In combination with the continuous behavioral analysis of network participants and flows, threats can be detected quickly and responded to. Behavioral analysis also makes it possible to detect zero-day attacks, since a deviation from the learned baseline is flagged whether or not a signature exists. The solution consists of hardware, software, and optional cloud-based SaaS components.
Strengths: The platform impresses with its clear GUI and user guidance. The decoupling of costs for hardware and licenses for the software allows an optimal mix between CapEx and OpEx, and offers sufficient flexibility for a balanced ROI. Nozomi Networks is among the few providers that use DPI. The inventory is more complete and accurate than those offered by other vendors.
Challenges: Nozomi Networks has no user or access management capabilities and depends on third-party providers.
OTORIO RAM2
Founded in 2017, OTORIO is also a newer entrant to the market. The Israeli company focuses on OT/IT security for ICS. With risk assessment monitoring and management (RAM2) from OTORIO, customers get a SOAR platform and a digital IT/OT twin created with the information from various operational and security systems. This step makes OTORIO one of two vendors in this report to actively use digital twinning for better cybersecurity, and the vendor received the highest score available for this emerging technology. Among other things, digital twins can be used for predictive analytics or to simulate cyberattacks and evaluate risks to business continuity.
The solution also scored high for the interoperability key criterion, supporting a REST API and a wide range of protocols and industry standards and integrating with a large number of IT and legacy OT security solutions—including those of competitors—as well as with industrial systems.
OTORIO’s platform continuously monitors and assesses an industrial organization’s attack surface and threat landscape. OTORIO uses deep packet inspection primarily for asset identification, which is reflected in the lower scoring. Nevertheless, RAM2 can identify malicious patterns reliably by using proprietary plug-ins and engines for collection and analysis of data, as well as by collecting data from security and industrial systems in the OT network. It raises alarms about suspicious activities and proposes clear, concrete, and understandable instructions with actions and playbooks for different stakeholders to mitigate risk and protect against potential attacks. The platform integrates with existing firewall solutions such as Fortinet’s FortiGate. By correlating information from FortiGate’s syslogs with data and events from multiple security and industrial systems, such as DCS, and historical data, it provides suggestions for configuration changes, updates, or segmentation improvements.
OTORIO’s RAM2 platform includes industry-specific asset inventory and lifecycle management and automatically analyzes and prioritizes cyber risks. OTORIO has its own threat intelligence and incident response expert teams and performs penetration testing, threat hunting, or individual training as needed. With the platform, audits are possible against current frameworks and industry standards (such as IEC 62443, NERC CIP, NIST SP 800-82, or the NIST CSF).
With its insights and capabilities, the platform is an important building block in OT and SASE architectures. RAM2’s advanced AI and high level of automation can be a key to the self-driving (autonomous) factory.
All of this is reflected in good to high scores across the key criteria and evaluation metrics. Its overall impression, technology sophistication, and feature set make OTORIO an Outperformer.
OTORIO’s platform is available as either an appliance, software on a virtual machine, or as a deployment on a customer’s, partner’s, or OTORIO’s cloud. OTORIO specifically addresses critical infrastructure industries (such as water treatment, electricity, oil, and gas), industrial machine manufacturers, MSSPs, pharmaceutical companies, automotive and manufacturing facilities, and the food and beverage industry.
Strengths: It is one of a few vendors that combines both OT and IT security in one platform. With RAM2’s behavioral analysis, deviations from standards and permitted behavior are detected immediately. Users receive clear instructions on how to manage and mitigate risks to increase the security of their operational environment.
Challenges: OTORIO provides just a basic deep packet inspection.
Palo Alto Networks IoT Security
Founded in 2005, Palo Alto Networks is one of the more established and mature vendors reviewed in this report. The vendor is widely credited with inventing the next-generation firewall, a firewall based on a single-pass engine and protocol decoders. Decoders identify applications and protocols much more reliably than the port- and IP-based filters of traditional gateway firewalls. Compared to conventional, modular approaches, a single-pass engine simplifies administration and management while increasing throughput. This underlying technology delivers a high detection rate for standards-based, vendor-specific, and even proprietary industrial applications and protocols, and it became the foundation of many modern IIoT security solutions.
Palo Alto Networks IoT Security delivers ML-powered device visibility, threat prevention, and zero-trust enforcement in a single platform. OT App-ID and OT threat detection protect IoT devices and monitor ICS device communication in OT environments.
Palo Alto Networks IoT Security scored high on the usability evaluation metric, providing tidy, clear dashboards and an intuitive GUI. Users can see at a glance the level of risk posed by an IoT device or application. Documentation and onboarding of new users are excellent, leading to a high score for this evaluation metric as well.
The vendor offers a wide variety of integrations, both with other IT security solutions (NAC, SIEM, SOAR, XDR, ITSM) and with solutions from other OT-focused vulnerability assessment vendors such as Tenable.
Palo Alto Networks placed an early bet on the power of big data. Companies can have their traffic analyzed centrally by Palo Alto Networks, enabling the company to detect active and new attacks at a very early stage and warn and protect other customers accordingly. A comprehensive database also helps to identify vulnerabilities earlier and more reliably. This is reflected in a high score for threat detection. Users benefit from better protection against zero-day attacks. Customer reviews praise the solution for detection rates in threat detection and inventory.
Palo Alto Networks also made an early investment in continuous behavioral analytics, and its behavioral analytics technology is correspondingly mature. Continuous comparison against allowed applications, protocols, and behaviors, along with allow lists in other areas, also protects against unknown threats (zero-day protection). The vendor received a high score for the analytics key criterion and for its implementation of zero-trust mechanisms (IIoT security capabilities—Table 4).
Palo Alto Networks’ platform can be used as a stand-alone product or as a complement to existing IT services landscapes. In addition to physical appliances, virtual machines or Kubernetes containers are also offered. Panorama is the central management platform. Prisma Access gives users secure service access.
Overall, Palo Alto Networks now offers an impressive range of security solutions for on-premises, edge, or cloud computing. All modules integrate well into the overall portfolio. Palo Alto Networks also enables IIoT SOC automation and playbooks by integrating its XSOAR technology with the IoT security platform.
Strengths: Palo Alto Networks’ solutions are reliable and offer a high level of protection even against unknown attack scenarios. Palo Alto Networks combines OT and IT with its many years of experience. Data analysis is extremely performant and accurate.
Challenges: Palo Alto Networks comes from IT and has yet to prove itself in the OT space. Its technology and the ability to run both as a cloud service and on premises certainly helps.
Rhebo Industrial Protector
The German company Rhebo was founded in 2014 and was among the first vendors to use behavioral analysis and allow lists to actively protect IIoT environments from unknown (zero-day) attacks. The founders of Rhebo were experts in IT network security who understood the special requirements of operational technology as well as the processes and needs of the IT professionals who often manage OT security systems.
The core of Rhebo Industrial Protector solution includes protocol and application decoders that allow a signature to be created for any application or protocol, no matter how unique.
Rhebo Industrial Protector is a passive solution specially designed for OT and IIoT network security and is one of the few offering deep packet inspection. Behavioral analysis and anomaly detection form the basis for zero trust network access and microsegmentation. With Rhebo IoT Device Protector, it is also possible to isolate a device by blocking its communication link to prevent it from infecting other IoT devices in the fleet. Furthermore, many existing SIEM and monitoring solutions are supported, so Rhebo Industrial Protector can be integrated into legacy IT or OT landscapes and thereby protect existing investments. Rhebo offers extensive support for automation platforms, including Bosch ctrlX and Wago. A RESTful API is provided for further integrations.
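The two ideas that recur in these vendor descriptions, a protocol decoder combined with a finite state machine that tracks each session (as described for Microsoft Defender for IoT above) and a learned allow list of who may talk to whom with which operations (the behavioral-analysis approach described for Rhebo), fit together in a few dozen lines. The following is an added example written for this page; it is not code from any of the vendors discussed. It decodes Modbus/TCP, a protocol common in exactly the brownfield environments the report is concerned with, tracks request/response state per transaction, and learns a baseline of (client, server, unit, function code) tuples before switching to detection. The host addresses, the polling pattern, and all frames are constructed for the example.

```python
"""Added example (not vendor code): a Modbus/TCP decoder feeding a per-session
finite state machine and a learned allow list of (client, server, unit, function).
Hosts, frames and the baseline below are constructed for the example."""
import struct
from collections import defaultdict

MODBUS_PROTO_ID = 0            # the MBAP protocol identifier is always 0 for Modbus
FUNCTION_NAMES = {1: "read_coils", 3: "read_holding_registers",
                  5: "write_single_coil", 6: "write_single_register",
                  16: "write_multiple_registers"}


def decode_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus PDU; raise ValueError on malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != MODBUS_PROTO_ID:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:           # length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": frame[8:]}


def build_frame(tid: int, unit: int, fc: int, data: bytes = b"") -> bytes:
    """Encode a Modbus/TCP frame (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, MODBUS_PROTO_ID, len(pdu) + 1, unit) + pdu


class ModbusMonitor:
    """Passive monitor: learns who talks to whom with which function codes,
    then flags deviations from that baseline and protocol state violations."""

    def __init__(self):
        self.learning = True
        self.baseline = defaultdict(set)   # (client, server, unit) -> {function codes}
        self.outstanding = {}              # (client, server, tid) -> fc awaiting a response
        self.alerts = []

    def freeze_baseline(self):
        self.learning = False

    def observe(self, src: str, dst: str, frame: bytes, from_client: bool):
        try:
            msg = decode_modbus_tcp(frame)
        except ValueError as err:
            self.alerts.append(("malformed", src, dst, str(err)))
            return
        client, server = (src, dst) if from_client else (dst, src)
        key = (client, server, msg["tid"])
        if from_client:
            # FSM: IDLE -> REQUEST_SENT; a second request on an open tid is a violation
            if key in self.outstanding:
                self.alerts.append(("duplicate_request", client, server, msg["tid"]))
            self.outstanding[key] = msg["fc"]
            self._check_baseline(client, server, msg["unit"], msg["fc"])
        else:
            # FSM: REQUEST_SENT -> IDLE; a response with no open request is a violation
            expected = self.outstanding.pop(key, None)
            if expected is None:
                self.alerts.append(("unsolicited_response", server, client, msg["tid"]))
            elif expected != msg["fc"]:
                self.alerts.append(("function_code_mismatch", server, client, msg["tid"]))
            if msg["exception"]:
                self.alerts.append(("exception_response", server, client, msg["data"][:1].hex()))

    def _check_baseline(self, client, server, unit, fc):
        allowed = self.baseline[(client, server, unit)]
        if self.learning:
            allowed.add(fc)
        elif fc not in allowed:
            self.alerts.append(("not_in_baseline", client, server,
                                FUNCTION_NAMES.get(fc, f"fc{fc}")))


def run_demo():
    """Constructed traffic: a learning window, then one normal poll and three deviations."""
    mon = ModbusMonitor()
    hmi, plc = "10.0.0.5", "10.0.0.20"                      # hypothetical hosts
    # learning: the HMI polls holding registers and coils on unit 1
    mon.observe(hmi, plc, build_frame(1, 1, 3, b"\x00\x00\x00\x0a"), True)
    mon.observe(plc, hmi, build_frame(1, 1, 3, b"\x14" + b"\x00" * 20), False)
    mon.observe(hmi, plc, build_frame(2, 1, 1, b"\x00\x00\x00\x08"), True)
    mon.observe(plc, hmi, build_frame(2, 1, 1, b"\x01\x00"), False)
    mon.freeze_baseline()
    # detection: the known poll is silent ...
    mon.observe(hmi, plc, build_frame(3, 1, 3, b"\x00\x00\x00\x0a"), True)
    mon.observe(plc, hmi, build_frame(3, 1, 3, b"\x14" + b"\x00" * 20), False)
    # ... a register write from a host never seen before is not
    mon.observe("10.0.0.99", plc, build_frame(1, 1, 6, b"\x00\x10\x00\xff"), True)
    # ... nor is a response that no request is waiting for
    mon.observe(plc, hmi, build_frame(77, 1, 3, b"\x02\x00\x00"), False)
    # ... nor a frame whose MBAP protocol id is not Modbus
    bad = build_frame(4, 1, 3, b"\x00\x00\x00\x01")
    bad = bad[:2] + b"\x00\x01" + bad[4:]
    mon.observe(hmi, plc, bad, True)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two design points carry over to real deployments. The baseline is keyed on the unit identifier as well as the address pair, because a gateway can front several field devices behind one IP and a write to the wrong unit is the kind of thing an allow list must catch. And the FSM is what turns a passive sensor into something more than a signature matcher: the unsolicited response and the malformed header are flagged without any prior knowledge of an attack, which is the zero-day argument the vendor descriptions make. A production sensor would additionally reassemble the TCP stream, time out stale outstanding requests, and rate-limit alerts.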
The solution is available as a physical or virtual appliance, cloud image, or even as a cloud service. This makes the solution particularly scalable—receiving a good score for this evaluation metric—flexible, and universally deployable. The company also takes part in community efforts such as ctrlX developR Challenge. Rhebo provides optional additional IIoT device protection and so belongs to the more comprehensive group of solution offerings.
Its next-generation OT intrusion and threat detection secures distributed connected critical assets, such as facilities for the production of renewable energy (like wind turbines and solar panels) as well as for energy distribution or automated manufacturing. This is also reflected in the key criteria rating: Rhebo scores high on support for long lifecycles and, more importantly, interoperability.
Sensor applications integrate smoothly with Rhebo Industrial Protector to monitor and detect anomalies in IACS in real time and take immediate action. It can prevent malfunctions on the field bus level or detect an attack very early, such as at the reconnaissance or lateral movement phases in the Cyber Kill Chain or MITRE ATT&CK framework. Important industry standards such as IEC 61850 and IEC 62443, as well as the advanced metering infrastructure (AMI), are supported. These factors contribute to its high score for the implementation evaluation metric.
With the identification and analysis of all active components in industrial control networks, detailed risk maps of all assets can be created. Rhebo thus makes an important contribution to ensuring a plant’s uptime and security.
The management interface is clean and well-organized. Information in the dashboard stands out visually and can be captured at first glance.
Since February 2021, the company has been part of the Swiss corporation Landis+Gyr, a leading energy management solutions provider. The company focuses on direct business. Nonetheless, Rhebo has established strong partnerships with managed service providers (MSPs) and system integrators, as well as vendors of OT components. Furthermore, Rhebo offers a Managed Detection and Response Service for companies running their OT monitoring and anomaly detection solution.
Strengths: Rhebo has a strong focus on critical infrastructure. It fully supports the industry’s IEC standards and advanced metering infrastructure (AMI). Rhebo offers a flexible REST API to integrate its anomaly detection services into new and/or customized environments easily. Furthermore, Rhebo Sensors integrate in Bosch ctrlX and Wago automation platforms as well as the IBM QRadar SIEM system easily.
Challenges: The disadvantages include the lack of native integration with IT automation platforms and the regional focus on Europe. The range of industries covered is limited.
SCADAfence
SCADAfence was founded in 2014 in New York and is another one of the more established providers of OT security. The OT veteran continuously develops its platform with strong coverage across several key criteria and evaluation metrics.
SCADAfence Platform is a non-intrusive solution. It’s available as software, virtual machine, or cloud service; however, the company also offers an appliance on request. The standout feature is its dynamic baseline technology, which uses ML techniques for fast behavioral analysis. This technology enables reliable discovery of assets, applications, and protocols, which is reflected in a high score for the analytics and automation key criteria.
The optional SCADAfence Governance Portal gives users the ability to test their systems against regulatory or compliance frameworks. The resulting report can be used for audits or as the basis for a catalog of actions to improve the security level.
SCADAfence’s platform is highly scalable and covers a wide range of industry applications and protocols. Customer reviews praise the user interface as intuitive. Our overall impression confirms this.
The vendor received a high score for the vulnerability assessment key criteria. It reliably detects threats and vulnerabilities in real time. The analysis of extensive data and the correlation of events minimize false positives.
SCADAfence also received a high score for the documentation and onboarding evaluation metric. It’s one of the few providers that offer live training in addition to manual and video tutorials. Users regularly praise the quality of the documentation and training in independent reviews.
One aspect of SCADAfence’s platform that is exceptionally noteworthy is its deep packet inspection, leading to a high score for this key criterion. Typically, vendors meet increasing performance requirements with more and bigger hardware. Using technology to get more out of existing hardware and improve the performance-per-appliance ratio is much less common. SCADAfence uses hardware acceleration for high-performance DPI in real time at wire speed. This innovation makes SCADAfence a powerful and efficient platform, and its high scores across several key criteria and evaluation metrics indicate a high ROI for prospective customers.
SCADAfence offers relatively few integrations and has no active firewall capabilities of its own. In particular, integrations with OT legacy systems are lacking. The strategic partnerships with the most widespread firewall solutions are a plus.
Strengths: SCADAfence is a robust platform. Dynamic baseline technology based on ML ensures a high degree of accuracy in behavioral analysis. DPI at wire speed sets it apart from other providers. Customers regularly praise its reliability in the detection of attacks and threats. The intuitive GUI is often mentioned by users.
Challenges: SCADAfence has no firewall functionality and depends on third-party providers. It has fewer integrations than other platforms.
Shield IoT
Founded in 2017, Shield IoT is one of the newer entrants. The Israeli company specializes in the security of IT/OT gateways and edge devices. The industry focus is on the energy sector (smart grids), logistics and transport, and private 5G networks.
The AI-powered platform uses real-time behavioral analytics to detect threats, compromised assets, or malicious code. With anomaly detection, even the slightest deviations from permitted behavior, industry standards, and recognized frameworks are flagged. This approach also protects the infrastructure against new and unknown attacks (zero days) as well as sophisticated attack scenarios. With its own firewall functionality, the platform is one of the few active solutions.
We could not find any evidence of microsegmentation capability or the use of deep packet inspection. There is also room for improvement in the number of integrations and in the documentation and onboarding of new customers.
Shield IoT has developed mathematical methods to efficiently evaluate large amounts of data. This capability makes the platform extremely attractive for landscapes with many devices. Shield IoT uses coresets for this purpose: a coreset is a small, weighted subset of the collected data on which an analysis produces approximately the same result as on the full dataset, so the platform works with a data extract instead of the total amount of information collected. This makes the solution highly scalable and performant without compromising reliability.
Without interfering with the existing infrastructure, the solution monitors and analyzes data in real time. Threats and attacks are detected successfully.
The platform makes a user-friendly impression with a clean and intuitive user interface. Another benefit is the combination of network and device security.
Shield IoT’s solution is available as software-only or as a cloud-based service. Primary target customers are service providers, IoT operators, and integrators of complex networks.
The use of coreset-AI is indeed a quantum leap in analyzing large amounts of data. So far, we have not noticed any other provider that takes this or a similar approach. This technology saves valuable bandwidth in industrial networks. Above all, it reduces storage space requirements and allows reliable data analysis even at less performant endpoints at the edge.
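To make the coreset idea concrete, here is an added example, written for this page and not Shield IoT's method, of the lightweight coreset construction for k-means of Bachem, Lucic and Krause (KDD 2018). Each point is sampled with a probability that is half uniform and half proportional to its squared distance from the data mean, and carries an importance weight of 1/(m·q(x)); the weighted k-means cost on the sample is then an unbiased estimate of the cost on the full data. The three-cluster dataset, the sample size, and the candidate center sets are constructed for the example.

```python
"""Added example (not vendor code): lightweight coreset for k-means cost estimation,
after Bachem, Lucic and Krause (2018). Data and parameters are constructed."""
import random


def squared_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans_cost(points, centers, weights=None):
    """Sum over points of w_i * min_c ||x_i - c||^2; weights default to 1."""
    total = 0.0
    for i, p in enumerate(points):
        w = 1.0 if weights is None else weights[i]
        total += w * min(squared_dist(p, c) for c in centers)
    return total


def lightweight_coreset(points, m, rng):
    """Return (sample, weights): m points drawn i.i.d. with sensitivity-based
    probabilities q(x) = 1/(2n) + d(x, mean)^2 / (2 * sum d^2), weighted 1/(m q(x))."""
    n = len(points)
    dim = len(points[0])
    mean = [sum(p[j] for p in points) / n for j in range(dim)]
    d2 = [squared_dist(p, mean) for p in points]
    total_d2 = sum(d2)
    if total_d2 == 0.0:                       # degenerate input: all points identical
        q = [1.0 / n] * n
    else:
        q = [0.5 / n + 0.5 * d / total_d2 for d in d2]
    idx = rng.choices(range(n), weights=q, k=m)
    sample = [points[i] for i in idx]
    weights = [1.0 / (m * q[i]) for i in idx]
    return sample, weights


def make_clusters(rng, n_per_cluster=2000):
    """Constructed data: three Gaussian blobs standing in for three device classes."""
    centers = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
    pts = [(cx + rng.gauss(0, 1), cy + rng.gauss(0, 1))
           for cx, cy in centers for _ in range(n_per_cluster)]
    return pts, centers


def run_demo(seed=7, m=800):
    """Compare the k-means cost of two candidate center sets on the full data
    and on a coreset of m weighted points."""
    rng = random.Random(seed)
    points, true_centers = make_clusters(rng)
    single_center = [(10.0 / 3, 10.0 / 3)]   # one center at the global mean: a poor fit
    sample, weights = lightweight_coreset(points, m, rng)
    full = kmeans_cost(points, true_centers)
    approx = kmeans_cost(sample, true_centers, weights)
    return {
        "n": len(points),
        "m": len(sample),
        "full_cost": full,
        "coreset_cost": approx,
        "rel_error": abs(approx - full) / full,
        "weight_sum": sum(weights),
        "full_cost_single": kmeans_cost(points, single_center),
        "coreset_cost_single": kmeans_cost(sample, single_center, weights),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"n={r['n']} m={r['m']} full={r['full_cost']:.0f} "
          f"coreset={r['coreset_cost']:.0f} rel_error={r['rel_error']:.3f}")
```

The weights are the whole point: a plain uniform subsample would under-represent outlying points, which dominate the cost of any clustering, and the importance weights correct that bias so the sample can be seven or eight times smaller than the data while still ranking candidate models the same way. That is what lets the analysis run on storage- and bandwidth-constrained edge nodes, as the text describes, and why the guarantee holds for the whole family of models rather than one pre-chosen answer.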
Strengths: The solution is characterized by extremely high scalability and performance. Monitoring and analysis take place in real time.
Challenges: As a new supplier in the market with new technological approaches, the platform must prove itself.
Tenable.OT
Tenable was founded in 2002; however, we consider it a New Entrant because of its acquisition of Indegy in late 2019. With that acquisition, Tenable—previously a leader in vulnerability management with its Nessus software—effectively started from scratch in OT. Indegy, with its protection of industrial control systems (ICS) against external and internal cyberattacks and operator errors, was one of the market leaders in network visibility. The combined platform is called Tenable.OT. It reliably detects common industrial applications and protocols, changes to firmware or configurations, and the manipulation of an ICS. This makes for a powerful platform for IIoT security. Customers tout the classification and prioritization of identified vulnerabilities.
The platform is a passive solution and does not offer deep packet inspection. It relies on third-party solutions to implement policies or execute actions to secure vulnerable or compromised network objects. A high number of integrations compensates for this. In fact, at approximately 100 available integrations, Tenable offers the most integrations of the vendors reviewed in this report. This contributed to a high score on interoperability.
Inventory and threat detection scored less well. In customer reviews, inventory management is rated poorly. The lack of filter options, for example, is mentioned by customers.
There is also room for improvement in onboarding new customers and in documentation. For example, we could not find evidence of live training or webinars, and customers report difficulties with implementation and integrations. However, Tenable.OT offers one of the largest partner networks for this purpose, and customers should take advantage of it. The involvement of specialized partners can also contribute to a higher level of security.
Tenable ranks high on the usability evaluation metric. Its GUI and dashboards are clean and well structured. Different priorities are color-coded and visible at first glance. Only the demarcation between medium and high risks is a bit pale and could perhaps have been unified. The asset map is also very clear and represents communication relationships well. However, the color codes yellow and green are very similar here as well and the map could have been made more eye-catching.
The product is available as software, virtual machine, or as a cloud-based SaaS platform. Target industry sectors include automotive, healthcare, and finance but also critical infrastructure. With support for various standards and frameworks (including NERC CIP, FISMA, HIPAA, CyberScope, NIST), the platform also assists with compliance requirements.
Strengths: Tenable.OT bridges the gap between IT and OT. The solution excels in vulnerability management and network visibility. Network maps and the GUI are appealing and clear. The massive number of available integrations simplifies the embedding into existing IT security landscapes.
Challenges: Identifying less common protocols and assets is a challenge, as are documentation and onboarding. Tenable.OT does not do deep packet inspection and does not offer appliances. Like other passive solutions, it needs additional security solutions such as firewalls and network segmenters.
Trend Micro Smart Factory
Trend Micro focuses on threat visibility and extended detection and response (XDR). Founded in 1988, the software company is one of the leading providers of anti-virus and anti-malware for enterprises. With acquisitions such as TippingPoint in 2015, the company continuously expands its portfolio. Trend Micro recently entered the IIoT field. That’s why we see it as a New Entrant.
Trend Micro’s portfolio combines behavioral analysis, user and access management, firewalls, and intrusion prevention in a unified interface. The GUI is well structured; nevertheless, it seems less intuitive, and the entire platform does not seem to be built from one piece. Thus, the vendor received an average score for the usability evaluation metric. It’s also why we see Trend Micro more in the Feature-Play area in the Radar chart (Figure 1).
Trend Micro’s own lab is noteworthy. Its experience in IT security and threat research gives the vendor a certain edge in threat detection, provided Trend Micro manages to look beyond its IT horizons.
Due to the newness of the solution, there’s not much data about the quality of the analyses. Users occasionally report an increase in false positives. The detection rate of legacy OT applications and protocols may also be lower than with comparable IIoT security solutions. This is attributable both to the company’s previous focus and to the fact that Trend Micro has less experience in this area than the industry’s original players. For these reasons, Trend Micro received an average score in most key criteria.
The highest score was given for the vulnerability and risk management key criterion. Customers frequently praise its comprehensive vulnerability scanning capabilities. Trend Micro’s virtual patching functionality offers vulnerability protection of legacy systems that otherwise wouldn’t allow patching, or systems with end-of-support (EoS) operating systems.
The solution is available as software, virtual machine, or cloud platform. This is good for scalability and makes it widely applicable. However, there’s significant room for improvement in integrations with third-party solutions.
Overall, Trend Micro tends to play in the midfield in all areas and brings little innovation. The focus seems to be more on IT and endpoint security. This is undoubtedly due to the strategy of growing through acquisition. We put it on our Radar report primarily because of the potential we see. With other clever acquisitions or joint ventures and a well-thought-out strategy, Trend Micro can become a serious player.
In any case, it is a useful complement to other solutions that increases the level of protection with technology and vendor redundancy. Primary use cases include OT-IT network bridges for smart factories, and SMBs. SMBs in particular are likely to benefit from Trend Micro’s extensive portfolio.
Strengths: Trend Micro is a leader in detecting viruses and malware in corporate networks and devices. With TippingPoint, it also has a solid solution for intrusion prevention.
Challenges: The solution is cloud-based and traffic needs to be rerouted to be analyzed. This may be an exclusion criterion for many businesses. The detection rate of classic OT applications and protocols might be less accurate than for pure IIoT security solution providers.
6. Analyst’s Take
Industrial plants have long been operated as closed systems. New technology, optimized supply chains, and joint ventures have led to a high degree of interconnectedness and the opening up of these systems. Security increasingly became an issue in the industry. With the integration of IT and OT, the attack surface of industrial plants increased massively. From a business perspective, it is not the cost of acquiring an IIoT security solution that should play the main role in decision making, but rather the cost of a production stoppage caused by a cyberattack. Technical managers in industrial plants, meanwhile, should familiarize themselves with the new threats and no longer focus solely on safety aspects.
All the vendors we considered for this Radar offer a sufficiently high level of protection against current, known, and unknown (zero-day) threats. All providers also scored well to very well in the vulnerability analysis.
The main differences are in integrations, interoperability, scope, quality of support, and, above all, onboarding. Buyers should ensure that a manufacturer offers sufficient training options or even installation services. System integrators or managed service providers often provide the latter. This aspect is still a weak point with many vendors and is just being built up or expanded.
There are also differences in the licensing models. Quite often, the number of devices is the basis for pricing. This model only scales to a limited extent and can quickly become a cost trap. Providers like Dragos rely on billing based on the amount of data. This is more calculable in the industrial environment and scales better.
It’s noteworthy that all solutions rely on AI and ML. There are differences in the algorithms and integration. Pay attention to whether AI forms the core of a solution. For example, Darktrace, Rhebo, Microsoft, and Palo Alto Networks have the longest track record in the field. In contrast, younger vendors such as OTORIO and Nozomi Networks benefit from the latest insights and frameworks. Therefore, it’s always important to consider other factors as well. For example, one important aspect is whether a vendor comes from the IT or OT world. Which legacy solutions are supported? Which OT protocols and services are recognized? Which industry standards are taken into account? There are few solutions that support everything.
For first-time buyers, we recommend innovative solutions that leverage future technologies and support OT as well as IT standards, applications, and protocols, and ensure a high level of integration capability. With automated security and compliance risk assessment, OT and IT security, and machine-lifecycle management, as well as global attack surface mapping for industrial organizations, OTORIO is the lone Outperformer and pioneer among the vendors we looked at. The platform is a future-proof investment for all industrial companies that cannot afford downtime and value secure supply chains and resilient production facilities. Another provider that takes a similar approach is Nozomi Networks. Nozomi Networks will be a good choice for companies that prefer to rely on longer-established providers. Microsoft is suitable for distributed organizations that already rely on the software giant’s cloud services in other areas. For critical infrastructure, it’s worth taking a look at Rhebo.
In the case of new purchases, it should be determined whether existing security solutions should be supplemented or replaced. For add-ons, passive solutions are completely sufficient. However, if existing services are to be replaced or even consolidated, it’s worth looking at the functional scope and deployment model. Future-proof investment also means paying attention to the solution’s underlying technology and whether emerging technology is already being used. In our Radar, these providers are in the bottom two (Innovation) quadrants and among the Fast Movers and Outperformers.
Great care must be taken with marketing messages. OT security providers, in particular, are just discovering the power of marketing and outdoing each other with superlative terminology like unique, best, world’s only, unsurpassed, and so on. These statements usually originate from the tunnel vision of the supplier and do not represent the whole truth. There are always at least two providers that are similar or even surpass each other, or one that will do better tomorrow.
7. About Kerstin Mende-Stief
Kerstin is a technology enthusiast and has been rooted in the ICT world for over 20 years. She has been writing about technology since 2012 – mostly for others – and speaks at events about the opportunities and challenges of smart grids, the origins of cloud computing at Bletchley Park in 1943, or open source. From time to time she (co-)organizes technology events, such as in-house fairs and community events, and has even cooked for more than 200 angels at a CCC camp.
The increasing convergence of IT-services suits her very well. The all-rounder cannot and will not commit herself to just one area. She started her career with a developer of terminal emulation software. In 1999, she switched to the telco scene and in 2009 to high security. Together with other thought leaders, she worked on a reference architecture for an open cloud infrastructure in the 2010s. In between, storage crossed her path every now and then. Her firm conviction is that true convergence can only happen in silicon. In the meantime, she is looking at other technology approaches.
Together with her husband and soulmate Wolfgang, she hosted her first own event in 2019. This dream burst relatively quickly in the flood of digital events during the pandemic that followed in 2020. In response, she initiated her own online magazine.
Kerstin likes Seymour Cray mainframes and large networks and is obsessed with next-generation firewalls. She is a cocktail mixer, beer lover, and the house electrician, and lives with her husband, a cat, and a tomcat in the wasteland just outside the German-Austrian border. Someday she will emigrate to Eastern Europe, perhaps Bohemia or the Balkans.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
9. Copyright
© Knowingly, Inc. 2022. "GigaOm Radar for Industrial IoT Security" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.