The Vendor Sprawl Problem Every OT Security Manager Recognizes
Count the products managing connectivity between your IT and OT environments. Not just the ones you bought – the ones that are actually running. The VPN concentrator that handles remote access. The jump server for RDP to SCADA workstations. The SMB proxy for firmware updates and configuration backups. The data diode for historian replication. The point TCP connectors for vendor-specific applications. The separate session recording tool – if you have one at all.
That is typically 4–6 products from 3–5 different vendors. Each with its own management console, its own firmware update cycle, its own log format, its own vendor support channel, and its own attack surface.
Dragos tracked 119 ransomware groups targeting industrial organizations in 2025 – a 64% increase from 2024. These groups did not attack data diodes or exploit obscure OT protocols. They authenticated into VPN portals with stolen credentials, then used RDP and SMB to move laterally toward SCADA systems. Claroty found that 82% of verified OT intrusions used internet-facing remote access tools as the initial entry point. The SANS 2025 ICS/OT survey found that 40% of OT security incidents caused operational disruption.
The attackers are not targeting your most sophisticated security tool. They are targeting the gaps between your tools – the seam between the VPN and the jump server, the handoff between the file gateway and the access control, the blind spot where one vendor’s logs end and another’s begin.
The solution to consolidate OT security vendors is not to buy better individual products. It is to replace the multi-vendor stack with a single platform that handles all OT connectivity types – interactive access, file sharing, session recording, and network segmentation – through one architecture, one policy engine, one audit trail.
What Exactly Is in Your OT Security Vendor Stack?
Before consolidating, OT security managers need a complete inventory of what is actually deployed. The documented inventory is almost always incomplete – legacy infrastructure accumulates over years, and undocumented connections are the norm.
The Typical Multi-Vendor OT Stack
| Vendor/Product | Connectivity Type | Why You Bought It | What It Creates |
|---|---|---|---|
| VPN vendor (Cisco, Fortinet, Palo Alto, Ivanti) | Employee + vendor remote access to OT | Engineers and vendors need to reach SCADA workstations | Internet-facing attack surface; network-level access; primary ransomware entry vector |
| Jump server (Windows Server, CyberArk) | RDP/SSH to OT workstations and servers | VPN lands on jump server; RDP from there to targets | Lateral movement pathway; shared credentials; limited session visibility |
| File gateway vendor (various SMB proxies, MFT products) | Firmware updates, config backups, vendor deliverables | Files must flow bidirectionally between IT and OT | Separate logs; no identity integration; no CDR scanning |
| Data diode vendor (Waterfall, Owl Cyber Defense, OPSWAT) | Historian replication, syslog forwarding | One-way data transfer from OT to enterprise | Excellent at its function – but cannot handle any bidirectional connectivity |
| Point connector vendor (embedded in vendor equipment) | Specific application integrations | Vendor application requires bidirectional TCP | Undocumented; invisible to SOC; unmanaged; no policy enforcement |
| Session recording vendor (CyberArk, BeyondTrust, Wallix) | Video capture of admin sessions | Compliance or forensic requirement | Separate procurement; separate logs; covers only sessions that route through it |
The hidden layer: Run a 14-day network flow analysis at each IT/OT boundary. Most OT security managers discover 30–50% more active connections than documented – persistent SSH sessions that were “temporary,” direct database links, embedded vendor tunnels in PLC programming software.
What Vendor Sprawl Actually Costs
The product licenses are the visible cost. The operational cost is larger:
| Cost Category | Per-Site Annual Cost (4–6 Vendors) |
|---|---|
| Product licenses and maintenance | $70K–$180K |
| SIEM integration labor (4–6 log formats) | 40–80 hours initial + ongoing tuning |
| Incident response coordination (3–5 vendor escalation paths) | Hours per incident vs. minutes with unified platform |
| Firmware patching for internet-facing components | Critical priority – VPN CVEs actively exploited |
| Integration labor (keeping products working together) | 0.3–0.5 FTE |
| Procurement/contract administration (3–5 contracts) | 20–40 hours/year |
| Training (3–5 different product interfaces) | 5–10 days/year per operator |
And the security cost is largest of all: Dragos reported 42 days average dwell time for ransomware in OT environments in 2025. Fragmented visibility – where the IR team must correlate logs from 4–6 systems in different formats – is a primary contributor to that dwell time.
What Does the Consolidated Platform Replace?
The consolidation is not “replace everything with one magic product.” It is architecturally specific: replace the supplementary products that grew around the data diode, retain the diode only where regulation requires it, and unify all other connectivity through a single reverse-access architecture.
Product-by-Product Replacement
| What Gets Eliminated | What Replaces It | Architectural Change |
|---|---|---|
| VPN concentrator | Access Gateway (DMZ) + Access Controller (OT zone) – zero inbound ports | Internet-facing VPN replaced by outbound-only tunnel from OT; firewall goes to deny-all inbound |
| Jump server | Per-workstation RDP access through reverse-access tunnel | Network-level RDP replaced by application-level per-workstation access with MFA and session recording |
| SMB proxy / file gateway | Integrated SMB Proxy with Kerberos/NTLM, SMB Signing, encryption, CDR scanning | Standalone file gateway replaced by platform-integrated file sharing with identity attribution and malware scanning |
| Point TCP connectors | Zero Trust Application Access for all TCP applications through the same tunnel | Undocumented point connections replaced by policy-enforced, identity-attributed application access |
| Separate session recording tool | Built-in session recording (video + keystroke) for all session types | Separate product eliminated; recording integrated into every session automatically |
| Legacy MFA appliance | Built-in per-session MFA (FIDO2, PIV/CAC, authenticator app) | VPN-level MFA replaced by per-session MFA with device posture verification |
What stays: The data diode – for flows where regulation mandates physical unidirectional enforcement (nuclear under RG 5.71, IEC 62443 SL4). For non-regulated one-way flows, the platform’s outbound-only architecture provides equivalent security with identity-based access control and unified audit.
truePass Gravity delivers this consolidation through a three-layer architecture: Layer 1 (Reverse Access) provides the zero-inbound-port foundation. Layer 2 (SMB Proxy with CDR) handles all file exchange. Layer 3 (Zero Trust Application Access) provides per-session RDP, SSH, and HTTP with MFA and recording. All three layers share one policy engine, one audit trail, and one management console.
How to Execute the Consolidation: Phase by Phase
Phase 1: Inventory and Infrastructure (Weeks 1–4)
Week 1–2: Complete the real inventory.
Not the documented inventory – the actual inventory. Export every firewall rule permitting traffic between IT and OT. Run the 14-day flow analysis. Map every user and service account with cross-boundary access. Document every vendor remote access mechanism, including embedded tunnels. Record firmware versions of every gateway component.
Week 3–4: Deploy the platform infrastructure.
Deploy the Access Controller inside the OT network (IDMZ or SCADA zone). Deploy the Access Gateway in the DMZ. Establish the outbound TLS tunnel. Integrate with the organization’s identity provider. Configure MFA. Test 3–5 sessions to non-production OT resources. Validate the complete path without touching production traffic.
Rollback criteria: If the outbound tunnel requires any inbound firewall rule – stop. The truePass platform must operate with zero inbound ports or the consolidation does not proceed.
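As an added illustration of the inventory step (weeks 1–2) and the hidden-layer flow check described in the inventory section, not code from the original page or from the truePass product: this Python script reconciles a 14-day flow export against the documented connection inventory and reports every boundary-crossing flow that matches no documented rule, flagging the ones that are persistent or originate outside both zones. The flow records, the documented inventory, the IT/OT address ranges and the 10-day persistence threshold are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample: a 14-day flow export from an IT/OT boundary (not real data).
FLOWS_CSV = """src,dst,proto,dport,days_seen
10.10.5.23,172.16.20.11,tcp,3389,14
10.10.5.23,172.16.20.12,tcp,3389,9
10.10.8.40,172.16.30.5,tcp,22,14
172.16.40.2,10.10.9.9,tcp,1433,12
10.10.7.7,172.16.20.11,tcp,445,3
203.0.113.9,172.16.50.3,tcp,8443,14
10.10.5.50,10.10.5.51,tcp,80,14
"""
# Constructed "documented" inventory: (src network, dst network, proto, port, label).
DOCUMENTED = [
    ("10.10.5.0/24", "172.16.20.0/24", "tcp", 3389, "jump server RDP to SCADA workstations"),
    ("10.10.7.0/24", "172.16.20.0/24", "tcp", 445, "file gateway SMB"),
]
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # assumed enterprise range
OT_NETS = [ipaddress.ip_network("172.16.0.0/16")]  # assumed OT range
PERSISTENT_DAYS = 10  # assumed threshold: a "temporary" session seen 10+ of 14 days

def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def crosses_boundary(src, dst):
    """True when exactly one endpoint is in OT; the other is IT or external."""
    return in_nets(src, OT_NETS) != in_nets(dst, OT_NETS)

def is_documented(flow):
    """Match a flow against the approved inventory by network, protocol and port."""
    for src_net, dst_net, proto, port, _label in DOCUMENTED:
        if (flow["proto"] == proto and int(flow["dport"]) == port
                and in_nets(flow["src"], [ipaddress.ip_network(src_net)])
                and in_nets(flow["dst"], [ipaddress.ip_network(dst_net)])):
            return True
    return False

def find_undocumented(flows_csv=FLOWS_CSV):
    """Boundary-crossing flows with no documented rule, with persistence and origin flagged."""
    findings = []
    for flow in csv.DictReader(io.StringIO(flows_csv)):
        if not crosses_boundary(flow["src"], flow["dst"]) or is_documented(flow):
            continue  # intra-zone traffic and approved paths are not findings
        findings.append({
            "flow": f'{flow["src"]} -> {flow["dst"]} {flow["proto"]}/{flow["dport"]}',
            "persistent": int(flow["days_seen"]) >= PERSISTENT_DAYS,
            "external_source": not in_nets(flow["src"], IT_NETS + OT_NETS),
        })
    return findings
```

Calling `find_undocumented()` on the constructed sample returns three findings: a persistent SSH session, an OT-to-IT database link, and a tunnel from an external source, while the two documented paths and the intra-IT flow are not reported.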
Phase 2: Replace VPN + Jump Server (Weeks 5–8)
This is the highest-impact phase because it removes the two components with the largest attack surface – the internet-facing VPN and the lateral-movement-enabling jump server.
Migrate employee and vendor interactive sessions (RDP, SSH, HTTP) from the VPN + jump server path to the platform. Each session now requires named identity + MFA + device posture check + per-workstation policy + session recording.
Decommission: Remove VPN inbound firewall rules. Decommission VPN concentrator. Remove jump server. Run external scan – verify zero discoverable services.
Vendor count change: From 4–6 to 2–4 (VPN vendor and session recording vendor eliminated).
Phase 3: Replace File Gateway (Weeks 9–16)
Migrate bidirectional file sharing from the standalone SMB proxy to the platform’s integrated SMB Proxy with CDR scanning. Run in parallel for 4 weeks to validate compatibility, performance, and CDR scanning across all OT file types.
Decommission: Remove standalone file gateway once all transfers are validated on the platform.
Vendor count change: From 2–4 to 1–2.
Phase 4: Replace TCP Connectors + Hardening (Weeks 17–24)
Identify and migrate point TCP connectors. This phase always uncovers undocumented connections that were invisible to the security team. Evaluate diode-handled flows – retain for regulated, migrate to platform for non-regulated. Set all OT zone firewalls to deny-all inbound. Run external scan. Complete compliance documentation.
Final vendor count: 1 (platform) + diode vendor if retained for regulated flows = 1–2 vendors total.
For OT security managers following a structured migration playbook, the entire consolidation completes in 6 months.
What Are the Measurable Outcomes?
OT security managers must justify the consolidation with numbers that operations leadership and the CISO understand. These are not theoretical projections – they are the documented outcomes of replacing a multi-vendor OT security stack with a single platform.
| Metric | Before (4–6 Vendors) | After (1–2 Vendors) | Change |
|---|---|---|---|
| Products at IT/OT boundary | 4–6 | 1–2 | -70% |
| Vendor contracts | 3–5 | 1–2 | -70% |
| Inbound firewall ports to OT | 3–8 | 0 | -100% |
| Management consoles | 4–6 | 1 | -80% |
| Log formats for SIEM | 4–6 | 1 (Syslog) | -80% |
| Session attribution | 40–60% (shared credentials, no recording) | 95%+ (named identity, MFA, full recording) | +40pts |
| Mean investigation time per OT session | 3–6 hours | < 15 minutes | -95% |
| Internet-facing components | 1–2 (VPN, SSL gateway) | 0 | -100% |
| External scan: discoverable OT services | 2–5 | 0 | -100% |
| Annual cost (licenses + maintenance + integration) | $100K–$260K per site | $40K–$80K per site | -60–70% |
What Are the Top Concerns OT Security Managers Raise?
“My SCADA vendor requires direct RDP access”
They require RDP access to the workstation – not an inbound port on your firewall. The reverse-access architecture delivers a standard RDP session to the vendor through an outbound tunnel. The vendor sees the same RDP experience. Your firewall stays at deny-all inbound.
“We cannot tolerate additional latency on SCADA operations”
The TLS tunnel adds 2–8 milliseconds depending on the network path. For HMI interaction, historian queries, and diagnostic operations, this is imperceptible. Control loops run locally on the PLC and are not affected by the remote access architecture.
“Our OT team does not have bandwidth to learn a new platform”
One platform is easier to learn than six. The consolidation reduces training from 5–10 days across multiple vendor interfaces to a single training program on one console. OT operators report that the per-workstation access model is simpler than the VPN + jump server + RDP chain they currently navigate.
“What if the single platform goes down?”
The platform operates on-premises with HA (high availability) deployment options. The Access Controller and Gateway can be deployed in active-active or active-passive configurations. Legacy infrastructure configurations are archived for 90-day rollback during migration. And the data diode – if retained for regulated flows – continues independently.
“We already invested in these products”
Sunk cost. The question is not what you paid for the VPN concentrator – it is what you are paying annually in licenses, maintenance, integration labor, and security risk to keep 4–6 products running. The annual operational cost of the multi-vendor stack exceeds the annual cost of the consolidated platform in most OT environments.
How Does Vendor Consolidation Map to IEC 62443?
OT security managers operating under IEC 62443 can map vendor consolidation directly to Foundational Requirements:
| IEC 62443 FR | Multi-Vendor Stack | Consolidated Platform |
|---|---|---|
| FR1 – Identification & Authentication | VPN authenticates at login only; jump server may use shared credentials; file gateway has separate identity system | Per-session MFA with named accounts for every connection type; single identity system across all connectivity |
| FR2 – Use Control | VPN grants network access; per-resource policies split across multiple products | Application-level access to specific workstations; unified policy engine governs all connectivity types |
| FR3 – System Integrity | Session recording separate (if exists); file scanning in standalone gateway | Session recording built-in for all sessions; CDR scanning integrated into file sharing |
| FR4 – Data Confidentiality | Encryption varies by product; SMB shares may transit unencrypted | TLS 1.2/1.3 for all tunnels; AES-256 for stored files; SMB Signing enforced |
| FR5 – Restricted Data Flow | Firewall rules with inbound exceptions; multiple data paths | Zero inbound ports; all data flows through single platform with policy enforcement |
| FR6 – Timely Response | 4–6 log sources in different formats; hours to correlate | Single audit trail; per-session recording; investigation in minutes |
| FR7 – Resource Availability | VPN and jump server are internet-facing DDoS targets | No internet-facing components in OT zone; zero discoverable services |
The multi-vendor stack partially addresses FR1 (VPN authentication) and FR5 (firewall rules). The consolidated platform addresses all seven FRs through a single architecture. For OT environments pursuing SL2 or SL3 certification, this difference is significant – auditors evaluate the completeness of FR coverage, not the number of products deployed.
Frequently Asked Questions
How long does it take to consolidate OT security vendors?
The four-phase consolidation completes in approximately 6 months. Phase 1 (inventory + infrastructure deployment) takes 4 weeks. Phase 2 (VPN and jump server replacement – the highest-impact phase) completes in weeks 5–8. Phase 3 (file sharing migration) runs weeks 9–16 with 4 weeks of parallel operation. Phase 4 (TCP connectors, diode evaluation, and hardening) finishes by week 24. Simpler environments can compress to 4 months; complex multi-site environments may extend to 9 months.
Can we consolidate if some OT systems are air-gapped?
Truly air-gapped systems (zero network connectivity) are outside the scope of connectivity consolidation – they have no connectivity to consolidate. The consolidation targets systems that claim to be air-gapped but in practice have VPN tunnels, jump servers, vendor remote access, or file sharing mechanisms bridging the gap. In the SANS 2025 ICS/OT survey, the majority of organizations with OT security incidents had some form of IT/OT connectivity in place.
Does consolidation affect PLC programming workflows?
PLCs are not accessed directly through the platform. Engineers access PLC programming software (Siemens TIA Portal, Rockwell Studio 5000, etc.) through RDP sessions to engineering workstations – and the platform provides that RDP session. The PLC programming workflow is unchanged from the engineer’s perspective. What changes is how they reach the workstation: through a per-session authenticated tunnel instead of VPN + jump server.
What about sites that already use Claroty or Dragos for OT monitoring?
OT monitoring platforms (Claroty, Dragos, Nozomi) provide asset visibility and threat detection – they do not provide cross-boundary connectivity. They complement the consolidated platform; they do not conflict with it. The platform handles how users and data cross boundaries. The monitoring platform watches what happens inside the OT network. The consolidated platform’s unified Syslog feed integrates alongside the Claroty/Dragos/Nozomi SIEM feeds, providing richer context for alerts.
What is the ROI timeline?
Most OT environments see positive ROI within 12 months. The annual savings in product licenses, maintenance, and integration labor ($70K–$180K per site) offset the platform deployment cost. The harder-to-quantify savings – faster incident investigation, eliminated VPN patching urgency, reduced compliance documentation effort – accelerate ROI further. For multi-site organizations, the per-site savings multiply while the platform management cost stays relatively flat.
Conclusion
The vendor sprawl in OT security stacks is not the result of poor planning – it is the result of solving one connectivity problem at a time. The VPN came first (for remote access). The jump server came next (for RDP). The file gateway followed (for firmware updates). The data diode addressed one-way flows. Point connectors filled remaining gaps. Each made sense individually. Together, they create an unmanageable, fragmented, expensive stack that attackers consistently exploit at the seams.
To consolidate OT security vendors, OT security managers need a platform that replaces the VPN, jump server, file gateway, TCP connectors, session recording tool, and legacy MFA appliance with a single architecture – while retaining the data diode only where regulation mandates it.
The consolidation sequence is clear: inventory first, VPN and jump server next (highest risk), file gateway after that (highest operational sensitivity), TCP connectors and hardening last. Measure at every phase. Decommission legacy products only after their replacements are validated.
Fewer vendors. Fewer consoles. Fewer log formats. Fewer contracts. Fewer attack surfaces. Zero inbound ports. One audit trail. One platform. That is what OT security vendor consolidation looks like – and it starts with an honest inventory of what is actually running at your IT/OT boundary today.