Only 34% of industrial organizations use ICS/OT-specific tools to prepare for cyber incidents - yet the environments they protect control power generation, water treatment, and critical manufacturing processes where a single unpatched vulnerability can cascade into a physical event. That gap between threat reality and operational readiness is precisely the problem OPSWAT and Emerson now target with a significantly expanded collaboration.
The two companies have announced a global strategic reseller agreement1global strategic reseller agreement under which Emerson will integrate OPSWAT's operational technology (OT) patch management capabilities into its Ovation Automation Platform - a control system deployed at more than 800 sites globally across the power generation and water treatment sectors. The deal extends a partnership built over six years and formalizes a cross-vendor approach to securing heterogeneous industrial control environments.
From Removable Media to Full OT Security Stack: A Six-Year Arc
The OPSWAT-Emerson relationship did not emerge from a single commercial decision. Emerson and OPSWAT have been working together for at least 6 years, with the relationship beginning with a need for removable media scanning. That initial use case - securing the physical interface between contractor laptops and DeltaV distributed control systems (DCS) - proved the template for deeper integration.
In June 2023, the collaboration was formally elevated when OPSWAT's NetWall and MetaDefender Kiosk products were accepted into Emerson's DeltaV Alliance Program2OPSWAT's NetWall and MetaDefender Kiosk products were accepted into Emerson's DeltaV Alliance Program. OPSWAT's NetWall Optical Diode and Security Gateways provide real-time access to OT data and enable secure data transfer to OT environments while defending against network-borne threats, while MetaDefender Kiosk addressed the persistent threat of malware introduction via portable media - a vector that remains relevant given that 33% of ICS/OT professionals identified internet-accessible and removable devices as initial attack vectors in 2025.
By May 2025, Emerson's own Zero Trust architecture white paper for DeltaV systems cited OPSWAT as a key Alliance Member with data diode technology extending to the DeltaV Edge environment - signaling that the vendor relationship had matured into a co-engineered architecture reference. The new Ovation reseller agreement represents the next logical expansion: applying the multi-layer security model validated in the DeltaV environment to Emerson's separate control platform serving power and water utilities.
What the New Agreement Adds
The reseller agreement specifically integrates MetaDefender Endpoint and My OPSWAT Central Management (on-premises) as components of Emerson's cybersecurity package for energy and water customers. These tools add:
- Centralized OT patch management - automating the detection, cataloging, and deployment of software updates across endpoints in the Ovation environment
- Unified governance layer - a single management console for monitoring asset patch status, compliance posture, and remediation workflows across distributed plant sites
- Cross-platform telemetry - bridging visibility between DeltaV and Ovation environments and IT-adjacent systems
The Multi-Vendor Problem in OT Security
This collaboration's significance extends beyond a single product integration. It addresses a structural challenge that has long plagued industrial cybersecurity programs: the fragmentation of security tools across vendor ecosystems.
Most medium-to-large industrial enterprises operate control environments spanning multiple automation vendors, each with distinct security toolsets, update mechanisms, and monitoring schemas. The result is a patchwork of siloed security products that struggle to share telemetry, align on threat classifications, or coordinate remediation. Security operations teams bear the burden of reconciling alerts from incompatible systems - friction that directly degrades mean time to detect and respond.
The OPSWAT-Emerson model seeks to address this by:
- Standardizing the patch management workflow across control system environments through validated, Emerson-approved update processes
- Normalizing asset inventory data so that plant security teams, IT teams, and OT engineers operate from a shared, current view of endpoint state
- Aligning with established standards - OPSWAT's MetaDefender Bilateral Security Gateway, for instance, has achieved IEC 62443 certification3IEC 62443 certification, supporting compliance-oriented deployments in regulated sectors
This approach also reduces a secondary risk: uncoordinated vendor updates. When multiple independent security vendors push updates simultaneously into the same OT environment without a coordinated test-and-release process, the update cycle itself can introduce instability or conflict vectors. A jointly managed security stack anchored by Emerson's patch validation process mitigates that risk.
Capability Comparison: Before and After the Expanded Agreement
| Capability | Fragmented Multi-Vendor Baseline | OPSWAT-Emerson Integrated Model |
|---|---|---|
| OT Patch Management | Manual, vendor-specific workflows; limited cross-system visibility | Centralized via My OPSWAT Central Management; integrated into Ovation platform |
| Removable Media Security | Managed separately from control system workflows | MetaDefender Kiosk vetted and embedded in DeltaV Alliance Program |
| Network Security / Data Transfer | Siloed perimeter tools; limited OT-specific gateway validation | OPSWAT NetWall validated for DeltaV; optical diode technology for DeltaV Edge |
| Asset Visibility | Fragmented across vendor dashboards | Unified telemetry and inventory targeting IT/OT boundaries |
| Compliance Reporting | Time-intensive manual audits per system | Standardized patch-status and alert schemas across platforms |
| Zero Trust Readiness | Defense-in-depth without cross-vendor verification model | OPSWAT solutions referenced in Emerson's formal Zero Trust architecture framework |
Regulatory and Insurance Implications
Operators in the energy and water sectors face intensifying compliance scrutiny. Frameworks including IEC 62443, NERC CIP, and sector-specific guidance from the Cybersecurity and Infrastructure Security Agency (CISA) increasingly require demonstrable, documented security controls - not aspirational policies.
A standardized, verifiable security stack offers concrete advantages in this environment. Automated patch-status reporting reduces the manual audit burden during compliance cycles. Documented asset inventories satisfy audit requirements for asset management controls. Standardized alert schemas improve cross-team coordination, enabling security operations, IT, and facility engineering teams to work from consistent data during incident response.
Industry observers note that regulators and insurers are watching developments like the OPSWAT-Emerson collaboration closely. Verifiable, standardized security stacks are beginning to emerge as prerequisites for certain critical infrastructure contracts and insurance coverage tiers - a dynamic that gives this class of cross-vendor partnership direct commercial relevance beyond the security engineering community.
Emerson is not alone in pursuing this model. In December 2025, Emerson and Armexa announced a separate collaboration4Armexa announced a separate collaboration to offer DeltaV customers a unified cybersecurity services provider capable of simplifying vendor management and accelerating project timelines. Together, these moves signal a deliberate strategy to build a cohesive, auditable security ecosystem around Emerson's automation platforms rather than leaving customers to assemble disparate tools independently.
Implementation Challenges Operators Should Anticipate
No multi-vendor security integration deploys without friction. The OPSWAT-Emerson collaboration faces several structural challenges that operators and architects should factor into planning:
Legacy device compatibility. Many OT environments include controllers, HMIs, and networking gear that predate modern security agent architectures. Deploying endpoint-based patch management tools in environments with unsupported operating systems - a reality across much of the installed base - requires compensating controls and careful segmentation to avoid creating new exposure.
Data privacy harmonization. Emerson's Ovation platform operates globally across jurisdictions with divergent data sovereignty requirements. Unified telemetry collection and centralized management introduce cross-border data flow considerations that must be addressed in multi-regional deployments.
Update coordination risk. Coordinating cross-vendor updates carries risk if staging and rollback procedures are not rigorously validated. Operators should require vendor-validated test procedures before deploying joint update cycles to production environments.
IT/OT skills gap. Only 9% of professionals dedicate 100% of their time to ICS/OT security, leaving most organizations reliant on shared resources across IT and OT disciplines. Realizing the full value of a standardized security stack requires personnel who can operate tools across both domains - a workforce constraint the broader industry continues to grapple with.
The Blueprint Question: Can This Scale?
The deeper significance of the OPSWAT-Emerson agreement may lie in what it implies for the broader OT security vendor landscape. Industrial environments are inherently multi-vendor - a single facility might operate Emerson DeltaV for process control, a separate vendor's SCADA for substation automation, and a third party's historian for data aggregation. No single security vendor secures the entire surface.
Cross-vendor security collaborations that establish shared data models, standardized alert taxonomies, and jointly validated update processes could materially reduce the integration complexity that currently keeps OT security programs fragmented. The question is whether this model can extend beyond bilateral arrangements to become a genuine industry standard.
OPSWAT's data diode business grew by triple digits in 2025, and its MetaDefender Bilateral Security Gateway has achieved IEC 62443 certification - indicators that the underlying technology portfolio is gaining traction in regulated industrial environments. Combined with Emerson's deep installed base in power generation and process industries, the collaboration carries the scale necessary to influence broader industry practice.
For now, the immediate deliverable is concrete: energy and water operators running Emerson Ovation gain a validated, centrally managed patch management capability built for OT realities rather than adapted from IT tooling. As Robert Yeager, President of Emerson's Power and Water business, stated: "Our customers need cybersecurity solutions purpose-built for operational technology - not adapted from IT."
That distinction - purpose-built versus adapted - is increasingly the differentiator separating defensible OT security programs from those that merely satisfy compliance checkboxes.
Key Takeaways for Operations and Security Leaders
- The OPSWAT-Emerson partnership has expanded from removable media security to a full OT security stack, now covering patch management, network security gateways, removable media controls, and zero trust architecture alignment across DeltaV and Ovation platforms.
- The new global reseller agreement targets Emerson's Ovation Automation Platform, integrating MetaDefender Endpoint and My OPSWAT Central Management for energy and water sector operators.
- Centralized OT patch management directly addresses one of the sector's most persistent compliance and risk challenges - unpatched vulnerabilities that expose industrial control systems to increasingly capable threat actors.
- The model has regulatory and insurance relevance, with standardized, verifiable security stacks gaining traction as prerequisites for critical infrastructure contracts and coverage.
- Implementation requires careful planning around legacy device compatibility, data privacy obligations, and coordinated update validation before production deployment.
- This collaboration may serve as a template for broader cross-vendor OT security standardization - a direction Emerson appears to be actively pursuing through parallel cybersecurity services partnerships.
For operations leaders evaluating OT security investments, the expanding OPSWAT-Emerson ecosystem warrants attention - not only as a procurement option, but as an indicator of where cross-vendor security architecture in critical infrastructure is heading. For deeper context on the threat environment driving these investments, see coverage of systemic OT security gaps in 2026 and the shift toward intelligence-driven OT security programs.
Frequently Asked Questions
What is the scope of the new OPSWAT-Emerson global reseller agreement? Under the agreement, Emerson integrates OPSWAT's OT patch management capabilities - specifically MetaDefender Endpoint and My OPSWAT Central Management (on-premises) - into its Ovation Automation Platform. Emerson will resell these capabilities to energy and water sector customers, building on existing coverage for DeltaV environments.
How does this agreement differ from the existing DeltaV Alliance relationship? The original DeltaV Alliance relationship, formalized in June 2023, covered OPSWAT NetWall Security Gateways and MetaDefender Kiosk for removable media scanning within DeltaV DCS environments. The new reseller agreement extends the collaboration to Emerson's separate Ovation Automation Platform and adds a full OT patch management layer - representing a significant expansion in both product scope and target sector.
Why is OT patch management particularly difficult for critical infrastructure operators? OT environments typically run long-lifecycle systems where downtime for patching can disrupt physical processes, safety systems, or energy production. Many sites lack centralized visibility across vendors, and applying IT-style patching cadences risks operational instability. Unpatched vulnerabilities remain a leading attack vector in ICS/OT incidents.
What are the main implementation risks operators should anticipate? Key challenges include reconciling legacy OT devices that may lack agent support, managing data privacy requirements across multi-regional deployments, and ensuring that cross-vendor update cycles do not introduce new risk vectors. Operators should stage deployments in test environments and follow Emerson's patch validation processes before rolling out to production control networks.
Does the collaboration align with IEC 62443 and other regulatory frameworks? OPSWAT's MetaDefender Bilateral Security Gateway has achieved IEC 62443 certification, and the centralized patch management and asset inventory capabilities directly support audit requirements under frameworks including IEC 62443 and NERC CIP. The Emerson Patch Management Service also tests and approves Microsoft Windows OS security updates monthly for DeltaV environments.
