What's Really Connected to Your OT Network? The Complete Guide to Industrial Asset Discovery and Visibility

Industrial security
Team Shieldworkz

Here is a question that should make every plant manager, OT engineer, and CISO uncomfortable: if a threat actor planted a device on your OT network six months ago, would you know about it today?

For most industrial organizations, the answer is no, and that is not a failure of effort or intent. It is a structural problem. Operational technology networks were engineered for uptime, reliability, and decades of continuous service. Cybersecurity visibility was never part of the original design. The result is that today's manufacturing floors, power substations, oil refineries, and water treatment plants are running connected infrastructure that nobody has fully mapped.

That invisible infrastructure is where attacks begin. Not through the firewall. Not through the perimeter defenses your IT team maintains. Through the PLC nobody logged, the vendor remote access node that persisted after a maintenance window, and the HMI installed during a plant expansion that never made it into any register.

This guide walks you through what comprehensive OT asset discovery actually requires, why it is the foundational layer of every industrial cybersecurity program, and what it looks like when it is done right. If you are responsible for the security of industrial assets, this is your starting point.

Before we move forward, don't forget to check out our previous blog post on What "Appropriate Security Measures" Actually Mean Under NIS2 here.

The Blind Spot That Attackers Exploit First

Before you can protect your OT environment, you need to know what is in it. That sounds obvious. In practice, it is one of the hardest problems in industrial security.

Consider what a typical OT environment actually contains:

  • Legacy PLCs running proprietary firmware versions with no documentation from the past decade

  • HMIs added during plant expansions that were never formally logged

  • Sensors communicating over protocols the IT team has never encountered

  • Vendor remote access nodes that persisted long after a maintenance window closed

  • Devices installed by third-party contractors without formal change management

None of these appear on the asset register. All of them are connected to your network. And every undocumented device is a potential entry point.

The most well-documented attacks on industrial infrastructure share a consistent pattern: attackers found and exploited pathways that defenders didn't know existed. They moved laterally through devices that were not on any inventory. They operated inside network segments that were not being monitored.

Your asset register is not your actual network. The gap between them is your attack surface.

Why OT Asset Management Is Nothing Like IT Asset Management

If your organization uses IT asset management tools, you might assume the same approach transfers to operational technology. It does not, and misunderstanding this leads to either ineffective discovery or, worse, production disruptions caused by the discovery tools themselves.

Here is what makes OT fundamentally different:

Protocol Complexity

A single OT network may carry traffic across Modbus TCP, DNP3, EtherNet/IP, PROFINET, IEC 61850, OPC-UA, BACnet, HART, Foundation Fieldbus, and a dozen other protocols simultaneously. Each has its own data structures, timing requirements, and vendor-specific extensions. Most were not designed to handle unexpected traffic.

Active Scanning Can Cause Real Harm

In IT environments, an aggressive network scan is a minor inconvenience. In OT, sending unsolicited packets to legacy PLCs or RTUs can cause them to restart, freeze, or behave unpredictably. A production stoppage in a chemical plant or power facility carries safety consequences, regulatory exposure, and financial costs that can reach millions of dollars per hour. Any discovery approach that does not account for this is a liability.

Asset Lifespans Measured in Decades

It is common to find PLCs and SCADA components in active operation that were commissioned 20, 25, or 30 years ago. They may have no patching history. Their firmware documentation may barely exist. Modern network tools often cannot natively understand how they communicate.

Fragmented Ownership and Documentation

Engineering teams, operations teams, IT teams, and third-party vendors all interact with OT assets. There is rarely a centralized record. Devices get added during maintenance windows and quietly remain on the network after upgrades or decommissioning. In many plants, the real asset register lives in the memory of engineers who have been there for 20 years, knowledge that walks out the door when they retire.

OT Asset Discovery: What a Professional Approach Looks Like

Effective OT asset discovery starts from the network itself, not from documentation. Here is the methodology that works in real industrial environments:

Step 1 - Passive Traffic Monitoring as the Core Mechanism

Rather than sending probe packets into the network, passive monitoring listens to traffic that is already flowing between PLCs, HMIs, SCADA servers, historians, and field devices. It extracts comprehensive asset information from that traffic without injecting a single byte into the operational network.

This is the only safe discovery method for live production environments. It carries zero risk of triggering unexpected device behavior and works continuously in the background without any changes to network configuration.

From passive traffic analysis, you can build a detailed picture of every communicating device:

| Attribute | What Passive Monitoring Captures |
| --- | --- |
| Network identity | IP address, MAC address, hostname |
| Device classification | Vendor, model, device type (PLC, HMI, RTU, etc.) |
| Firmware version | Extracted from protocol payloads |
| Communication relationships | Which devices talk to which |
| Protocol usage | All industrial protocols observed |
| Behavioral patterns | Polling intervals, response timing, data flows |

Step 2 - Deep Protocol Decoding

Recognizing an IP address tells you almost nothing about an OT device. The meaningful information (device identity, firmware version, operational state) is embedded inside industrial protocol payloads. Extracting it requires deep, protocol-specific parsing.

Effective OT discovery requires native decoding across the full range of protocols in active use:

  • Modbus TCP/RTU - the most widely deployed industrial protocol globally

  • DNP3 - predominant in utility and water/wastewater environments

  • EtherNet/IP and CIP - ubiquitous in manufacturing automation

  • PROFINET and PROFIBUS - dominant in European and Siemens environments

  • IEC 61850 - the standard for substation automation

  • IEC 60870-5-101/104 - widely used in energy sector SCADA

  • OPC-UA and OPC-DA - for historian and data aggregation

  • BACnet - building automation increasingly connected to industrial networks

  • HART and Foundation Fieldbus - field instrument communication

Without this depth of decoding, you get a list of IP addresses with vendor tags. That is not an asset inventory. That is a starting point for guessing.

Step 3 - Multi-Layer Asset Fingerprinting

Identifying that a device exists is only the beginning. Classifying it accurately (vendor, model, firmware, role in the process) requires layered analysis:

Layer 1 - Protocol signatures. The specific protocols a device uses, and the nuances of how it implements them, provide strong initial classification signals.

Layer 2 - Traffic behavior analysis. Polling intervals, response timing, and communication patterns distinguish device roles even where protocol-level identification is incomplete.

Layer 3 - Embedded asset metadata. Many industrial protocols carry firmware version strings, hardware revision codes, and serial numbers within normal communications.

Layer 4 - Contextual inference. A device that accepts control commands from an engineering workstation and issues outputs to field devices is almost certainly a PLC, even if identity information is incomplete.
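As an added illustration of Steps 1 to 3 (example code written for this guide, not code from the original post or from the Shieldworkz platform), the Python below builds an inventory purely from captured Modbus TCP frames: it validates the MBAP header, pulls vendor, product and firmware revision strings out of a Read Device Identification response (function 43, MEI type 14), records which hosts talk to which, infers a role from behaviour in the spirit of Layer 4, and lists hosts that the asset register does not know about. The capture, the addresses, the identity strings and the approved-asset set are constructed for the example; treating frames sent to TCP port 502 as client requests is an assumption that holds for standard Modbus TCP deployments.

```python
import struct

READ_DEVICE_ID, MEI_DEVICE_ID = 0x2B, 0x0E  # function 43 / MEI type 14: Read Device Identification
ID_OBJECTS = {0x00: "vendor", 0x01: "product", 0x02: "revision"}  # basic identification objects
WRITE_FUNCTIONS = {5, 6, 15, 16}            # public Modbus write function codes

def new_asset(ip):
    # roles: client/server; functions: codes issued as a client; peers: who it talks to; identity: from payloads
    return {"ip": ip, "roles": set(), "functions": set(), "peers": set(), "identity": {}}

def parse_mbap(frame: bytes):
    # MBAP header: transaction id, protocol id (always 0), length (unit id + PDU), unit id; then the PDU
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    return (unit, frame[7:]) if proto == 0 and length == len(frame) - 6 else None

def parse_device_id(pdu: bytes) -> dict:
    # Response PDU: fc, MEI type, ReadDevId code, conformity, more-follows, next id, count, then (id, len, value)...
    if len(pdu) < 7 or pdu[0] != READ_DEVICE_ID or pdu[1] != MEI_DEVICE_ID:
        return {}
    objects, pos = {}, 7
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu) or pos + 2 + pdu[pos + 1] > len(pdu):
            break  # truncated object: stop rather than guess
        oid, olen = pdu[pos], pdu[pos + 1]
        if oid in ID_OBJECTS:
            objects[ID_OBJECTS[oid]] = pdu[pos + 2:pos + 2 + olen].decode("ascii", "replace")
        pos += 2 + olen
    return objects

def build_inventory(frames) -> dict:
    """Passively build an asset table from (src_ip, dst_ip, dst_port, payload) tuples."""
    assets = {}
    for src, dst, dport, payload in frames:
        parsed = parse_mbap(payload)
        if not parsed or not parsed[1]:
            continue
        pdu = parsed[1]
        is_request = dport == 502  # assumption: frames toward TCP 502 are client requests
        client, server = (src, dst) if is_request else (dst, src)
        c, s = assets.setdefault(client, new_asset(client)), assets.setdefault(server, new_asset(server))
        c["roles"].add("client"); s["roles"].add("server")
        c["peers"].add(server); s["peers"].add(client)
        if is_request:
            c["functions"].add(pdu[0])
        elif pdu[0] == READ_DEVICE_ID:
            s["identity"].update(parse_device_id(pdu))
    return assets

def infer_role(asset: dict) -> str:
    # Contextual inference: does the host accept requests, issue writes, or only read?
    if "server" in asset["roles"]:
        return "controller"
    return "commanding client" if asset["functions"] & WRITE_FUNCTIONS else "polling client"

def unregistered(assets: dict, approved: set) -> list:
    return sorted(ip for ip in assets if ip not in approved)  # on the wire, not on the register

# Constructed capture: an HMI identifies a PLC, then an unknown host writes a register on it.
HMI, PLC, UNKNOWN = "10.1.0.10", "10.1.0.20", "10.1.0.99"
CAPTURE = [
    (HMI, PLC, 502, bytes.fromhex("0002 0000 0005 01 2b 0e 01 00")),      # Read Device Identification
    (PLC, HMI, 49152, bytes.fromhex("0002 0000 0025 01 2b 0e 01 01 00 00 03")
     + b"\x00\x09ExampleCo" + b"\x01\x08PLC-1000" + b"\x02\x06v2.4.1"),   # constructed identity objects
    (UNKNOWN, PLC, 502, bytes.fromhex("0003 0000 0006 01 06 0010 0001")), # write single register
]
```

Feeding real traffic means replacing CAPTURE with frames read from a SPAN-port capture; nothing in the block transmits anything.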

OT Asset Visibility Checklist: What Your Inventory Should Cover

Use this checklist to evaluate the completeness of your current OT asset inventory. If you cannot confidently check most of these, your visibility gap is significant.

Device Inventory Completeness

  • [ ] Every communicating device on the OT network is identified (not just devices on the approved list)

  • [ ] Device type, vendor, and model are documented for all assets

  • [ ] Firmware versions are recorded for PLCs, RTUs, HMIs, and controllers

  • [ ] Network addresses (IP and MAC) are mapped to physical locations

  • [ ] Serial numbers are captured where extractable from protocol communications

  • [ ] Safety instrumented systems and emergency shutdown devices are inventoried separately

Network Topology and Connectivity

  • [ ] A current network topology map exists showing communication flows between assets

  • [ ] Cross-zone connections (OT to IT, OT to cloud, OT to vendor access) are documented

  • [ ] Remote access paths for vendors and contractors are identified and monitored

  • [ ] Wireless devices and access points are included in the inventory

  • [ ] Unexpected device-to-device communications are flagged for review

Vulnerability and Risk Context

  • [ ] Known CVEs are mapped against documented firmware versions for all assets

  • [ ] End-of-life and end-of-support status is recorded for each device

  • [ ] Assets lacking available patches are identified with compensating controls documented

  • [ ] ICS-CERT advisories are cross-referenced against the asset inventory on a regular cycle

Change Detection and Maintenance

  • [ ] A process exists to detect unauthorized devices on the network within hours (not days or weeks)

  • [ ] New devices added during maintenance windows are automatically logged

  • [ ] Firmware changes are detected and recorded

  • [ ] The asset inventory is updated continuously, not just during scheduled audits

  • [ ] Historical asset and topology data is retained for forensic investigation purposes

Third-Party and Vendor Devices

  • [ ] All vendor-installed remote access nodes are identified and monitored

  • [ ] Contractor and integrator devices are tracked during and after maintenance visits

  • [ ] Approved vendor device baselines are defined and deviations generate alerts

What Complete OT Visibility Enables: Four Practical Outcomes

Comprehensive asset discovery is not an end goal. It is the foundation that makes every other security layer work properly.

1. Threat Detection That Actually Works

Behavioral monitoring can only detect anomalies when it knows what normal looks like. A PLC that starts communicating with an unexpected host, a historian polling at unusual intervals, an HMI initiating outbound connections to the internet: these are early indicators of compromise.

But you cannot define normal communication patterns without knowing what devices exist and what they legitimately do. The asset inventory becomes the baseline. Without it, your detection system is generating alerts without context and missing the ones that matter.
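An added example (written for this guide, not code from the original post or from Shieldworkz) of using the inventory as the baseline described here and in the Change Detection checklist items: given two constructed inventory snapshots plus timestamped request observations, it reports new and missing devices, firmware revision changes, new device-to-device conversations, and polling intervals that drift far from the baseline. The snapshot format, the factor-of-three interval threshold and the sample data are assumptions made for the example.

```python
from statistics import median

# Constructed snapshot format: {ip: {"identity": {...}, "peers": {...}}}; poll observations are
# (client_ip, server_ip, timestamp_seconds) tuples, one per request seen on the wire.

def polling_intervals(polls):
    """Median interval between requests for each (client, server) pair with enough samples."""
    stamps = {}
    for client, server, ts in sorted(polls, key=lambda p: p[2]):
        stamps.setdefault((client, server), []).append(ts)
    return {pair: median(b - a for a, b in zip(t, t[1:])) for pair, t in stamps.items() if len(t) >= 3}

def detect_changes(baseline, current, base_polls, cur_polls, ratio=3):
    """Compare the current picture of the network with the baseline; each finding is (kind, subject, detail)."""
    findings, seen_pairs = [], set()
    for ip in sorted(set(current) - set(baseline)):
        findings.append(("new_device", ip, sorted(current[ip]["peers"])))
    for ip in sorted(set(baseline) - set(current)):
        findings.append(("missing_device", ip, None))  # retired, failed or moved: worth a look either way
    for ip in sorted(set(baseline) & set(current)):
        old, new = baseline[ip]["identity"].get("revision"), current[ip]["identity"].get("revision")
        if old and new and old != new:
            findings.append(("firmware_change", ip, (old, new)))
        for peer in sorted(current[ip]["peers"] - baseline[ip]["peers"]):
            pair = tuple(sorted((ip, peer)))
            if pair not in seen_pairs:  # report each new conversation once, not once per side
                seen_pairs.add(pair)
                findings.append(("new_conversation", pair, None))
    ref_iv, cur_iv = polling_intervals(base_polls), polling_intervals(cur_polls)
    for pair, iv in cur_iv.items():
        ref = ref_iv.get(pair)
        if ref and (iv > ref * ratio or iv < ref / ratio):  # e.g. a historian suddenly polling far slower
            findings.append(("polling_interval_change", pair, (ref, iv)))
    return findings

# Constructed data: an HMI, a PLC and a historian on day 1; on day 2 the PLC firmware differs,
# an unlisted laptop is talking to the PLC, and the historian's poll rate has changed.
HMI, PLC, HIST, LAPTOP = "10.1.0.10", "10.1.0.20", "10.1.0.30", "10.1.0.77"
BASELINE = {
    HMI: {"identity": {}, "peers": {PLC}},
    PLC: {"identity": {"vendor": "ExampleCo", "revision": "v2.4.1"}, "peers": {HMI, HIST}},
    HIST: {"identity": {}, "peers": {PLC}},
}
CURRENT = {
    HMI: {"identity": {}, "peers": {PLC}},
    PLC: {"identity": {"vendor": "ExampleCo", "revision": "v2.5.0"}, "peers": {HMI, HIST, LAPTOP}},
    HIST: {"identity": {}, "peers": {PLC}},
    LAPTOP: {"identity": {}, "peers": {PLC}},
}
BASE_POLLS = [(HIST, PLC, t) for t in (0, 10, 20, 30)] + [(HMI, PLC, t) for t in (0, 1, 2, 3)]
CUR_POLLS = [(HIST, PLC, t) for t in (0, 60, 120, 180)] + [(HMI, PLC, t) for t in (0, 1, 2, 3)]
```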

2. Vulnerability Management with Operational Context

With a complete inventory including firmware versions, you can cross-reference against ICS-CERT advisories and CVE databases automatically. When a new vulnerability is disclosed, you immediately know which assets in your environment are affected, not after a manual audit cycle but instantly.

Effective prioritization goes beyond CVSS scores. It requires operational context: how critical is this asset to the process? What network exposure does it have? Is patching feasible given operational constraints? Asset visibility gives you the data to answer those questions.

3. Incident Response in Minutes, Not Days

When a security incident occurs, the first questions are always about scope: what is connected, what was affected, how did the attacker move? Without a comprehensive inventory and topology map, answering these questions takes hours or days, time you do not have when operational systems are at risk.

With a current, accurate asset register and historical network data, incident responders can determine scope in minutes. Forensic reconstruction of attacker movement through the network becomes possible. The difference between a contained incident and an extended production shutdown often comes down to how quickly you can answer these questions.

4. Third-Party and Vendor Access Monitoring

Compromised vendor credentials and vendor-connected systems are a significant entry vector in OT security incidents. Continuous monitoring of vendor-connected devices (tracking when remote access sessions are initiated, what systems they interact with, and whether activities match approved maintenance windows) is an essential control. You cannot manage what you cannot see.

OT Asset Discovery Across Industrial Sectors

The visibility challenge exists across every sector that operates industrial technology, but the specific requirements vary.

| Sector | Primary Protocol Environment | Key Discovery Challenge |
| --- | --- | --- |
| Manufacturing | EtherNet/IP, PROFINET, Modbus | Multi-vendor asset sprawl; IT/OT convergence complexity |
| Oil and Gas | Modbus, DNP3, proprietary SCADA | Geographically distributed RTUs; unmanned facilities |
| Power and Energy | IEC 61850, IEC 60870-5-104, DNP3 | Substation automation; renewable asset integration |
| Chemical / Process | Multiple DCS protocols; SIS-specific | Safety system visibility; high-consequence failure modes |
| Water and Wastewater | DNP3, IEC 60870-5-104, Modbus | Aging infrastructure; distributed treatment sites |

The Compliance Dimension: Asset Visibility Is Now a Regulatory Requirement

For organizations operating in regulated sectors, OT asset visibility is not optional; it is mandatory. The major frameworks are consistent on this point.

IEC 62443 requires asset identification as the foundation of its security program model. Zone and conduit modeling, security level assignment, and risk assessment all depend on a comprehensive asset inventory. IEC 62443-2-1 explicitly mandates asset inventory as part of the security management system.

NERC CIP requires operators to identify and document all applicable cyber assets within the Electronic Security Perimeter. NERC CIP-002-5.1 mandates high and medium impact BES Cyber System identification, and an accurate asset inventory is the prerequisite for that classification. NERC CIP audits routinely examine inventory completeness and accuracy.

NIS2 Directive imposes risk management obligations on operators of essential services that include explicit asset management requirements. Member state implementations are progressively requiring continuous OT asset visibility as part of cybersecurity risk management documentation.

NIST SP 800-82 identifies asset inventory as a foundational security control, embedded in the Identify function of the NIST Cybersecurity Framework. No framework built on CSF principles is satisfied without documented asset visibility.

The pattern is the same across every framework: you cannot demonstrate compliance without demonstrating control over what is connected to your network. Asset visibility is not a feature that supports compliance. It is compliance.

Compliance Coverage Summary

| Framework | Asset Management Requirement | What It Requires |
| --- | --- | --- |
| IEC 62443-2-1 | Mandatory | Maintained asset inventory as part of CSMS |
| NERC CIP-002-5.1 | Mandatory | BES Cyber Asset identification and classification |
| NIS2 Directive | Mandatory | Asset management as part of risk management obligations |
| NIST SP 800-82 | Recommended | Asset inventory as foundational Identify function control |
| ISA/IEC TR 62443-2-3 | Mandatory | Asset inventory prerequisite for patch management |

Deploying OT Asset Discovery Without Operational Disruption

Deployment architecture matters as much as discovery methodology. Here is what a non-disruptive deployment actually requires:

Passive-first, always. The primary discovery mechanism must not send traffic to OT devices. It must observe and analyze existing communications only. This is an architectural principle, not a configuration option.

No agents on OT devices. Installing software on PLCs, HMIs, or SCADA servers is not feasible in most environments and introduces its own risk. Effective OT discovery operates entirely from network-level visibility.

Sensor placement at aggregation points. Hardware sensors can be deployed at network switches with SPAN port configurations, at DMZ boundaries between OT and IT networks, and at other traffic aggregation points. They do not touch the operational devices directly.

Support for air-gapped environments. Some OT environments have strict data sovereignty or connectivity requirements. Effective discovery must be capable of operating in fully air-gapped environments with intelligence updates delivered through secure offline channels.

Continuous, not periodic. The security value of asset visibility is entirely dependent on it being current. A point-in-time inventory that is not updated when a vendor installs a new device next month provides a false sense of security. Monitoring must be continuous.

Five Signs Your OT Asset Visibility Is Inadequate

Review this list honestly against your current environment:

  1. Your asset register was last updated during a scheduled audit cycle. If your inventory reflects where assets were six months ago rather than where they are today, it is not visibility; it is archaeology.

  2. You rely on engineering team memory for asset information. If the most complete picture of your OT network exists in the knowledge of two or three senior engineers, you have a single point of failure that retires, gets promoted, or resigns.

  3. You cannot answer "what is connected right now" without a site visit. If answering a basic connectivity question requires physically checking control panels or consulting with site teams, your visibility is insufficient for security operations.

  4. You don't know every vendor access path into your network. Remote access for ICS vendors is one of the most common attack vectors in OT security incidents. If you cannot enumerate every active and dormant vendor connection, you have an unmanaged risk.

  5. You have never detected an unauthorized device before it was reported to you. If the way unauthorized devices come to your attention is through reports from operations staff or vendor notices rather than automated detection, your network monitoring is not working.

The Risk of Waiting Is Not Hypothetical

The gap between the sophistication of threats targeting industrial infrastructure and the maturity of OT security programs in most organizations is narrowing, but the attacks are accelerating faster than the defenses are maturing.

Threat actors have spent years building ICS-specific capabilities. The regulatory environment is moving quickly, with NIS2, NERC CIP, and IEC 62443 all demanding demonstrable OT security programs with documented asset visibility. Neither of these pressures will diminish.

Every day that connected OT assets remain undiscovered and unmonitored is a day that threat actors can operate in your environment undetected. Every firmware version running a known vulnerability that has not been identified is an open door. Every unauthorized device on the network is a potential foothold.

The question is not whether your organization needs comprehensive OT asset visibility. The question is how long it can operate without it.

Your Key Takeaways

  • OT environments contain undocumented devices that do not appear on any asset register, and attackers exploit this systematically

  • Active scanning in OT can cause production disruptions; passive monitoring is the only safe discovery method

  • A complete OT asset inventory is a mandatory requirement under IEC 62443, NERC CIP, NIS2, and NIST SP 800-82

  • Asset visibility enables threat detection, vulnerability management, incident response, and vendor access control, none of which function effectively without it

  • Continuous, real-time discovery is the only form of visibility that has actual security value

Take the Next Step With Shieldworkz

Shieldworkz works with organizations across manufacturing, energy, oil and gas, chemical processing, and critical infrastructure. Our OT security experts understand the operational constraints, protocol complexity, and regulatory requirements that are specific to industrial environments, and they approach every engagement from an operational perspective, not an IT one.

Ready to find out what is actually connected to your OT network? Schedule a free demo to see the Shieldworkz platform working on real industrial network data, or request our OT Security Risk Assessment and let our experts evaluate your current asset visibility posture and identify gaps.

If your organization is operating OT assets without comprehensive visibility, that conversation is overdue.
