
Xage Security Recognized in the 2026 Gartner® Market Guide for CPS Secure Remote Access

February 18, 2026

As remote operations become the operational norm across industrial and critical infrastructure sectors, organizations are rethinking how they secure cyber-physical systems (CPS), often encompassing Operational Technology (OT) and Industrial Control Systems (ICS). In its February 2026 Market Guide for CPS Secure Remote Access, Gartner® highlights the accelerating shift from simple “secure connectivity” toward purpose-built platforms designed for secure operations.

Xage Security is proud to be included among the Representative Vendors in this rapidly evolving market. The report outlines key trends reshaping industrial remote access—from shadow access discovery to protocol-aware enforcement—and underscores the need for architectures purpose-built for CPS environments.

Below are several key findings from the report, along with our perspective.

Key Findings (and Commentary)

Gartner Finding: “Shadow Access” Is a Critical Blind Spot

“Cybersecurity leaders are discovering that ‘shadow access’ is a critical blind spot: undocumented remote connections that bypass corporate firewalls permeate CPS environments, and remote access has become a new operational reality.”

The Xage Take:

Undocumented remote connections—often deployed by OEMs or employees—are pervasive across CPS environments and frequently bypass corporate firewalls. These unmanaged access paths create serious operational risk, increasing the likelihood of costly breaches, safety incidents, and compliance failures.

Shadow access is not just a cybersecurity concern; it is an operational governance problem. In distributed environments such as pipelines, utilities, and manufacturing facilities, unmanaged connections create dangerous blind spots that undermine safety, resilience, and regulatory compliance. When an incident occurs, organizations often lack clear accountability or forensic visibility into who accessed what, particularly in environments where shared credentials are still in use.

The Xage Fabric enables centralized, identity-based policy enforcement across distributed assets while maintaining local autonomy and resilience. By consolidating access control, eliminating unmanaged tunnels, and replacing shared credentials with cryptographically secure identities, organizations can restore visibility, enforce least privilege, and regain operational control without disrupting critical operations.

Gartner Finding: VPNs and IT-Centric Tools Lack CPS Context

“Attackers are increasingly attacking weak or vulnerable legacy remote access such as VPN and jump boxes to gain access to CPS environments, requiring organizations to adopt purpose-built CPS remote access to mitigate risks.”

The Xage Take:

Traditional VPNs were not designed with a security-first mindset, and jump servers were later introduced as compensating controls to help mitigate the risks inherent in broad network access. Together, they were never architected for the safety, resilience, and precision required in mission-critical industrial systems. They provide expansive, network-level connectivity but lack the contextual granularity necessary to securely manage CPS environments. Industrial operations demand enforcement at the identity, asset, and protocol level to ensure that access is tightly scoped, continuously verified, and aligned with operational safety requirements.

VPNs continue to make headlines due to architectural weaknesses, exposed attack surfaces, and credential-based compromises. Gartner is right to recommend that enterprises move away from these legacy approaches.

Xage delivers identity-based, Zero Trust access to CPS assets with granular policy controls enforced down to the individual asset. Instead of exposing networks, access is explicitly defined, continuously verified, and tightly scoped to the task at hand.

The Xage Fabric enforces multi-hop access with session termination and protocol breaks at every layer of the network architecture. Each hop requires re-verification of identity and policy before access is permitted to proceed, preventing direct, end-to-end network exposure and eliminating implicit trust between zones. This architecture ensures that connections are inspected, segmented, and controlled at every stage, dramatically reducing lateral movement risk.

Built on a distributed mesh architecture with no single point of failure, the Xage Fabric is secure by design and engineered for resilience, including quantum-resistant cryptography to help future-proof critical infrastructure.

Gartner Finding:

“Deploying multiple remote access products from different vendors for accessing cyber-physical system (CPS) assets introduces significant complexity in the management and integration of these products. This is due to diverse configurations, varying encryption protocols and inconsistent session-log schemas, thereby increasing security risks.”

The Xage Take:

Fragmentation is a hidden risk multiplier in CPS environments. When organizations deploy multiple remote access tools across plants, substations, or field sites, they inherit inconsistent policies, incompatible encryption standards, and siloed audit logs. This complexity makes centralized governance extremely difficult and slows incident response when every second matters.

Xage eliminates this fragmentation by unifying remote access under a single, identity-centric control plane that spans CPS, IT, and even emerging AI environments. Policies are centrally defined and governed, but enforcement is distributed across the Xage Fabric, creating a highly available architecture with no single bottleneck or point of failure. This approach combines consistent, centralized management and visibility with resilient, local policy enforcement at each site.

By consolidating access into a single, distributed architecture, organizations simplify compliance, reduce operational overhead, strengthen availability, and close the gaps that attackers exploit—without sacrificing uptime or operational continuity.

Gartner Finding:

“Organizations are pivoting from ‘secure connectivity’ to ‘secure operations.’ This shift is driven by the operational necessity of managing complex, distributed environments, products innovators are bringing to market steeped in CPS environment knowledge, and the reality that traditional IT-centric tools lack the contextual granularity required for mission-critical safety.”

The Xage Take:

Secure connectivity is no longer enough. Industrial organizations need platforms designed for how operations actually run—across geographically dispersed sites, legacy equipment, low-bandwidth links, and safety-critical workflows. Security must enable uptime, workforce flexibility, and third-party collaboration without introducing new risk.

Many OT assets were never designed with modern access controls. PLCs, RTUs, and other field devices often lack native authentication mechanisms, rely on insecure protocols, or cannot support credential-based access management at all. This creates a fundamental security gap in mission-critical environments.

Xage was purpose-built for secure operations. Our distributed mesh architecture enforces identity-based, Zero Trust access at the asset level, even when the underlying device lacks credentials or uses insecure, legacy protocols. By abstracting access control into the Fabric, Xage enables granular, policy-driven enforcement to individual assets such as PLCs and RTUs without requiring agents or modifications to fragile systems. Combined with segmentation, continuous verification, and resilient distributed enforcement, Xage enables organizations to securely operate, maintain, and scale their CPS environments without compromising safety, availability, or performance.

Secure Remote Access for Secure Operations

The future of CPS security belongs to architectures built for operations—identity-centric, protocol-aware, and resilient by design. If your organization is still relying on legacy VPNs, unmanaged OEM connections, or fragmented access tools, now is the time to pivot from “secure connectivity” to secure operations.

Request a meeting with our team of experts to learn how Xage Fabric enables resilient, Zero Trust secure remote access for CPS environments.

Gartner Disclaimer

Gartner, Market Guide for CPS Secure Remote Access, Katell Thielemann, Wam Voster, Sumit Rajput, 3 February 2026.

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.

Gartner is a trademark of Gartner, Inc., and/or its affiliates.