Eclypsium was recently named as a Sample Vendor in the Gartner® Hype Cycle™ for CPS Security, 2026 in the category of CPS Supply Chain Security.
We view this recognition as further evidence that organizations are expanding how they think about cyber-physical systems security. CPS risk is not limited to industrial controllers, sensors, OT protocols, or production networks. Modern CPS environments depend on a broad set of supporting infrastructure, including network devices, edge systems, remote access appliances, embedded firmware, supplier-provided components, and other hardware that traditional security tools often cannot fully validate.
In many cases, that infrastructure serves as the control plane that connects and supports physical operations. As the Hype Cycle states:
“CPS underpin safety-critical operations where cyber compromise can trigger physical, environmental and human harm. Supply chain weaknesses, such as counterfeit hardware, insecure firmware, hardcoded credentials and uncontrolled remote access, are individually dangerous and collectively create systemic risks. These and other exposures bypass perimeter defenses and persist across decades-long life cycles. CPS supply chain security is therefore foundational to operational resilience and integrity.”
CPS supply chain security is an operational resilience issue
Cyber-physical systems connect digital processes to physical outcomes. They support manufacturing operations, energy systems, water utilities, transportation networks, healthcare environments, smart buildings, and other systems where disruption can affect both operations and safety.
In these environments, supply chain security extends beyond procurement reviews, supplier questionnaires, and compliance assessments. CPS environments rely on hardware, firmware, software, services, and third-party components that often remain deployed for years. Vulnerabilities, misconfigurations, counterfeit components, unauthorized modifications, or insecure remote access paths can introduce risk that persists long after deployment.
The challenge is compounded by increasing connectivity. Systems that were once isolated now connect to enterprise networks, cloud platforms, remote support workflows, wireless infrastructure, and external supplier ecosystems. These connections improve operational efficiency and visibility, but they also expand the attack surface.
For security teams, the implication is straightforward: CPS supply chain security must be treated as a lifecycle discipline. Organizations need to understand what they acquire, verify what is deployed, monitor changes over time, and detect drift from approved device and firmware baselines.
Network infrastructure is part of the CPS attack surface
CPS environments depend heavily on network infrastructure. Routers, switches, firewalls, VPNs, wireless controllers, remote access systems, and edge devices provide the pathways that connect physical operations to users, vendors, applications, and data.
These devices occupy positions of trust. They route traffic, enforce segmentation policies, broker remote access, and connect IT, OT, cloud, and third-party environments. When compromised, they can provide attackers with persistence, visibility into communications, opportunities to manipulate traffic, and access to operational systems.
They are also among the most difficult assets to validate. Traditional endpoint security tools are designed for managed operating systems and applications, not firmware-centric infrastructure devices. Many network devices rely on specialized firmware and embedded operating environments that do not support standard EDR agents. Vulnerability scanners may identify exposed services or known CVEs, but they often cannot verify firmware integrity, inspect low-level components, or determine whether a device has been modified below the OS.
As a result, the infrastructure that supports CPS operations may also be the infrastructure security teams have the least visibility into.
Moving from supplier trust to infrastructure verification
Organizations have historically relied on assumptions of trust: trust that devices are authentic, trust that firmware is legitimate, trust that updates are valid, trust that configurations remain secure, and trust that suppliers maintain effective controls.
Those assumptions increasingly require verification.
CPS supply chain security depends on evidence. Security teams need to identify the devices operating in their environments, understand the hardware and firmware components those devices contain, verify firmware against known-good versions, monitor for unauthorized modifications, detect vulnerable or outdated components, and prioritize remediation based on operational exposure.
Organizations need a way to verify the infrastructure that supports modern enterprises and CPS environments.
Eclypsium provides visibility into hardware and firmware components across network devices, servers, endpoints, and other infrastructure systems that traditional security tools often cannot inspect directly. The platform helps teams establish known-good baselines, verify firmware integrity, detect drift, identify vulnerable or misconfigured components, and investigate signs of tampering or compromise below the OS. By validating underlying infrastructure rather than relying solely on version strings or OS-level signals, security teams gain evidence they can use to assess exposure and prioritize remediation.
For CPS environments, these capabilities matter because infrastructure compromise can have operational consequences. A compromised network device is more than an IT issue. It may provide access to production systems. A vulnerable remote access appliance can expose critical operational environments. An unauthorized firmware modification can undermine the trust assumptions that segmentation, monitoring, and incident response depend upon.
CPS security depends on infrastructure trust
Effective CPS security programs require visibility into industrial assets, operational processes, communications protocols, and safety requirements. They also require confidence in the infrastructure those systems depend on.
That means being able to answer questions such as:
- What network and infrastructure devices support CPS operations?
- What firmware and hardware components are running on those devices?
- Do those components match approved and known-good baselines?
- Are any components vulnerable, outdated, or modified?
- Have device configurations drifted from approved standards?
- Are unnecessary services, interfaces, or radios enabled?
- Can device integrity be verified after procurement, after updates, and during ongoing operations?
Conventional IT and OT security tools often struggle to answer these questions because they lack visibility into the hardware and firmware layers. Addressing them requires the ability to inspect and validate infrastructure below the OS, where attackers increasingly seek persistence and evasion.
Recognition in a broader security shift
We believe Eclypsium’s inclusion as a Sample Vendor in Gartner’s Hype Cycle for CPS Security, 2026 reflects growing attention to a challenge many organizations are already confronting.
Cyber-physical systems depend on infrastructure that is distributed, supplier-driven, firmware-heavy, and often difficult to assess using traditional security tooling. Verifying the integrity of that infrastructure, from network devices and embedded firmware to hardware components and configuration state, is becoming a foundational part of operational resilience.
Protecting CPS environments is not only about securing the physical process. It also requires validating the infrastructure that connects, manages, updates, and supports those processes.
As organizations continue to connect operational environments with enterprise systems, cloud services, AI infrastructure, and remote support ecosystems, infrastructure verification becomes increasingly important. Security teams need the ability to verify what is deployed, detect unauthorized changes, monitor device and firmware posture, and prioritize remediation based on actual exposure.
Eclypsium was built to address that challenge by helping organizations establish trust in the hardware and firmware foundations of their infrastructure, from edge systems and network devices to servers and other critical assets that support CPS operations.
Assess Infrastructure Trust Across Your Environment
Discover how Eclypsium helps security teams verify firmware integrity, detect unauthorized modifications, identify vulnerable components, and establish trusted baselines across network devices, servers, endpoints, and other critical infrastructure.
Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.
GARTNER and HYPE CYCLE are trademarks of Gartner, Inc. and/or its affiliates.
Frequently Asked Questions
CPS supply chain security focuses on validating the hardware, firmware, software, services, and third-party components that support cyber-physical systems. This includes not only industrial assets, but also the network devices, remote access systems, edge infrastructure, and embedded firmware that connect and manage physical operations.
Cyber-physical systems depend on infrastructure that routes traffic, enforces segmentation, enables remote access, and connects operational environments to enterprise systems, cloud services, and suppliers. If that infrastructure is compromised, attackers may gain persistence, visibility, or access to systems that affect physical operations.
Many traditional IT and OT security tools focus on operating systems, applications, network traffic, or known vulnerabilities. They often cannot verify firmware integrity, inspect hardware-level components, or detect unauthorized modifications below the OS, where infrastructure compromise can persist.
Firmware verification helps security teams determine whether device firmware matches known-good versions, whether components are vulnerable or outdated, and whether unauthorized changes have occurred. This gives teams evidence they can use to validate device and firmware posture across critical infrastructure.
Organizations should identify the network and infrastructure devices that support CPS operations, validate hardware and firmware components, establish known-good baselines, monitor configuration drift, detect vulnerable components, and prioritize remediation based on operational exposure.
Eclypsium helps organizations verify infrastructure trust across network devices, servers, endpoints, and other critical assets. The platform provides hardware-level visibility, validates firmware integrity, detects unauthorized modifications, identifies vulnerable components, and helps teams monitor drift from approved baselines over time.
