
The Mitsubishi purchase of Nozomi Networks: what could go wrong

Sept. 22, 2025
A control system vendor like Mitsubishi buying a cybersecurity monitoring system may limit support to that cybersecurity vendor’s existing systems

The technical issues associated with Mitsubishi’s $1 billion buyout of Nozomi Networks are relevant to other operational technology (OT) network monitoring suppliers like Claroty, Armis and Dragos. OT network monitoring is a necessary, but not sufficient, part of control system cybersecurity. Nozomi is known for its OT network monitoring product, a behavior-based asset inventory and anomalous message detection solution that leverages passive and active scanning, behavioral analytics and signature methods.

Control system ownership

Around 2008, Wurldtech developed the Achilles tool to perform robustness testing on control systems. It was generic and was used by many control system vendors. In 2014, GE bought Wurldtech and stated they intended to leave Wurldtech as a wholly owned subsidiary that would create security solutions for GE products while continuing to support other customers. Unfortunately, other control system suppliers stopped using Achilles because it was now a GE product.

In 2020, Microsoft bought CyberX to complement its existing Azure IoT security capabilities. As Microsoft is a partner of, not a competitor to, the control system industry, this was not viewed as a vendor-specific product, and consequently CyberX, as part of Microsoft, is used by multiple control system vendors.

The Nozomi acquisition resembles the Wurldtech acquisition more than it does the CyberX acquisition: Nozomi is an independent cybersecurity vendor, used by multiple control system suppliers, that has been bought by a control system supplier. According to the Mitsubishi announcement:

“Nozomi Networks will be a wholly owned subsidiary, operating independently of Mitsubishi Electric. This acquisition accelerates Nozomi’s industrial cybersecurity innovation while maintaining the company’s heterogeneous approach to supporting customers and partners.”

Mitsubishi’s statements are like those GE made at the time of the Wurldtech purchase. Mitsubishi’s purchase could introduce questions about whether non-Mitsubishi control system vendors will support a Mitsubishi product that is monitoring the other vendors’ control systems.

Achilles was a testing tool that could readily be replaced. Nozomi and other OT network monitoring systems are comprehensive monitoring systems that would not be easy or inexpensive to replace.


OT network monitoring gaps

Nozomi, like the other OT network monitoring vendors, monitors Ethernet packets, as it assumes Level-0 devices (e.g., process sensors, actuators, etc.) are uncompromised, authenticated and correct. The physical characteristics monitored by the Level-0 devices provide critical indications of process and sensor health. However, the data that provide those indications are filtered out before the Ethernet packets are created, so this information is gone before it gets to Nozomi or other OT network monitoring systems. Once this information is gone, it can’t be recreated. As a result, the Level-0 data input to the network monitoring systems is untrusted and can’t provide indications of process or process sensor health.
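The following sketch is an added illustration of that point, not code from the author or from any vendor. It assumes a simple RTU that averages raw samples per scan window and quantizes the result before it is placed in a packet; the signal values, noise levels, thresholds and function names are all constructed for the example.

```python
import random
import statistics

SCAN_WINDOW = 100     # raw samples averaged per reported value (assumed)
REPORT_STEP = 1.0     # resolution of the value put in the packet, % of span (assumed)
MIN_RAW_NOISE = 0.05  # noise floor expected from a live sensor on a real process (assumed)


def raw_signal(noise_amplitude, n, seed, setpoint=50.0):
    """Constructed Level-0 signal: steady process value plus bounded noise."""
    rng = random.Random(seed)
    return [setpoint + rng.uniform(-noise_amplitude, noise_amplitude) for _ in range(n)]


def rtu_report(raw):
    """Average each scan window and quantize: the values that reach the network."""
    out = []
    for i in range(0, len(raw) - SCAN_WINDOW + 1, SCAN_WINDOW):
        mean = statistics.fmean(raw[i:i + SCAN_WINDOW])
        out.append(round(mean / REPORT_STEP) * REPORT_STEP)
    return out


def noise_health(samples):
    """Level-0 style check: a healthy sensor signal is never perfectly quiet."""
    return "ok" if statistics.pstdev(samples) >= MIN_RAW_NOISE else "suspect"


def compare():
    healthy_raw = raw_signal(0.3, 1000, seed=1)    # normal process noise
    degraded_raw = raw_signal(0.01, 1000, seed=2)  # constructed fault: damped sensor
    healthy_net = rtu_report(healthy_raw)
    degraded_net = rtu_report(degraded_raw)
    return {
        # Both sensors produce the same packet contents.
        "network_identical": healthy_net == degraded_net,
        # On the raw signal the check separates the two sensors.
        "raw_verdicts": (noise_health(healthy_raw), noise_health(degraded_raw)),
        # On the network values the same check cannot tell them apart.
        "network_verdicts": (noise_health(healthy_net), noise_health(degraded_net)),
    }


if __name__ == "__main__":
    print(compare())
```

The two sensors differ only in the noise riding on the raw signal, and that difference does not survive the averaging and quantization step, so a monitor that sees only the reported values has nothing left to analyze.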

In an August 2025 joint announcement, Nozomi and Schneider Electric announced they would be including security (not process) sensors embedded in Remote Terminal Units (RTUs). RTUs collect, process, and transmit data from process sensors and actuators in water systems, electric substations, etc., acting as bridges between the field equipment and central control systems. The Nozomi-Schneider announcement incorrectly states this approach will provide Level-0 visibility, saying the sensors extract process variable data directly from the RTUs, enabling visibility into physical processes and device states. However, as mentioned, Nozomi’s network monitoring solution does not address the integrity or authentication of the process sensors, which are the input to the RTUs. This gap has been exploited by Stuxnet and Chinese-made large electric transformers.

On September 13, 2015, Roger Hill wrote a blog entitled “OT Security Meets AI: Blind Spots in the Plant Floor.” As Roger stated, AI (or network monitoring) cannot protect what it cannot see, and in plants, the most important data are often invisible. That means this data won’t be captured by network monitoring.

Moreover, kinetic cyberattacks rely on the network monitoring data being untrusted. These conditions lead to a false sense of security.

Summary

The Nozomi buyout is good news for the OT network security industry. However, it also carries baggage. A control system vendor buying a cybersecurity monitoring system may limit support to that cybersecurity vendor’s existing systems, as well as be a potential impediment to providing new OT monitoring systems to non-Mitsubishi control systems. Independent of the buyout, the generic shortcoming of OT network monitoring systems continues to be the assumption that the untrusted Level-0 input data is valid.

About the Author

Joe Weiss | Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]
