The Visibility Problem
Ask an OT security manager how many devices are on their industrial network, and the typical response reveals a gap: they know how many PLCs were commissioned in the most recent plant upgrade project, but not how many are actually communicating on the network today. They have a spreadsheet of major SCADA components from their system integrator, but it hasn’t been updated since the last expansion. They know there’s a laptop somewhere in the control room that a vendor left during a maintenance visit three years ago.
This is the OT asset inventory problem. It is pervasive, deeply understood by practitioners, and yet remains unsolved at most industrial facilities. Surveys consistently find that between 40% and 70% of OT network devices are not captured in operators’ asset inventories. In facilities that have not deployed dedicated OT network monitoring tools, the true number of unknown devices is often even higher.
The gap exists for structural reasons that are specific to OT environments and not easily resolved by borrowing IT asset management practices.
Why OT Inventory Is Hard
Heterogeneous, Long-Lived Equipment
A typical manufacturing plant or utility substation contains devices from dozens of vendors, purchased across decades, running on diverse communication protocols. A single process area might include 1980s-era PLCs on serial Modbus, 2000s-era RTUs on DNP3, a 2015-era process controller on EtherNet/IP, and a 2023-vintage safety system on IEC 61508. No single tool speaks all these protocols; no single discovery method covers all these vintages.
Unlike IT assets—laptops and servers with 3–5 year refresh cycles—OT devices are engineered for 20–30 year operational lives. A PLC commissioned when Windows XP was current may not have been touched since. Its existence in any inventory is purely a function of whether paper records from its original commissioning survived organizational changes, office moves, and the departure of engineers who installed it.
Active Scanning Is Dangerous
In IT security, active network scanning (Nmap, vulnerability scanners) is a standard practice for asset discovery. In OT environments, it is genuinely dangerous. Many industrial devices—particularly older PLCs, RTUs, and intelligent electronic devices (IEDs)—were never designed to handle unexpected network traffic at scanning rates.
Documented incidents include: Modbus devices that restart or enter fault states when they receive unexpected TCP SYN packets; IEC 61850-speaking IEDs that drop protection functions when flooded with network traffic; serial-to-Ethernet converters whose buffers overflow when scanned, requiring a manual reset. In a nuclear plant, an unscheduled restart of a safety-related controller is not a minor IT incident—it is a reportable event.
This prohibition on active scanning eliminates the most common and mature IT asset discovery methodology entirely.
Vendor Lock-in and Documentation Gaps
System integrators and OEM vendors who build and commission OT systems rarely hand over complete network documentation. Control system commissioning historically focused on operational functionality—does the system control the process correctly?—not on producing detailed network architecture documentation for a security team that didn’t exist at the time.
When operators request as-built network diagrams and device inventories from integrators, they frequently receive outdated documents or partial information. Vendors protecting proprietary system architectures may deliberately limit the documentation they provide. The result is that operators of even recently commissioned systems often lack reliable inventory data.
Unmanaged Devices and Shadow OT
Industrial facilities accumulate network-connected devices outside formal procurement and change management processes. Common examples:
- Vendor laptops and tablets used for PLC programming or calibration that are left connected or reconnect periodically
- Wireless access points installed by maintenance teams for convenience without security review
- Smart sensors and IoT gateways installed as part of energy management or predictive maintenance projects managed by operational rather than IT/OT security teams
- Legacy test equipment with Ethernet ports that got connected to the process network for a one-time test and never disconnected
These devices—“shadow OT”—often run outdated software, have no patch management, and may have default credentials. Because they’re outside formal inventory and change management, they’re often invisible to security teams.
Passive Discovery: The Primary Tool
Given the constraints on active scanning, passive network monitoring is the dominant approach for OT asset discovery. Passive tools analyze traffic on the network without generating any probing traffic—they listen to existing communications and extract device information from observed protocol frames.
How Passive Discovery Works
Industrial protocols are talkative. A Modbus TCP session between a SCADA master and a PLC reveals: the PLC’s IP address, the master’s IP address, the Modbus unit ID (slave address), which function codes are in use, which register addresses are read and written, and the timing of communications. DNP3 traffic reveals source and destination link layer addresses, which data objects are reported, and which control operations are performed.
Beyond protocol-level information, passive tools extract:
- Device identification from traffic patterns: Vendor-specific function codes or protocol extensions that identify the device manufacturer and model (e.g., Siemens S7 PDU types, Rockwell’s EtherNet/IP identity object responses)
- Firmware version information embedded in protocol handshakes or management interfaces (LLDP, CDP, SNMP community responses observed passively)
- Operating system fingerprinting from TCP/IP stack behaviors and HTTP server headers
- Communication relationships: Which devices communicate with which others, at what frequency, and with what data—the communications baseline
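As an added example, not code from the article or from any of the vendors it names: a minimal passive Modbus/TCP request parser in Python that builds the per-device inventory and communications baseline described above from a constructed capture, and then flags writes from any host outside an assumed approved-master list. Every address, unit ID and register value in the sample is constructed for the example.

```python
import struct
from collections import defaultdict
READ_FCS = {1, 2, 3, 4}          # read coils / discrete inputs / holding regs / input regs: address + quantity
WRITE_SINGLE_FCS = {5, 6}        # write single coil / register: address + value
WRITE_MULTI_FCS = {15, 16}       # write multiple coils / registers: address + quantity + data

def parse_modbus_request(payload):
    """Parse one Modbus/TCP request (7-byte MBAP header + PDU); None if malformed or truncated."""
    try:
        _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
        if proto != 0 or length != len(payload) - 6 or len(payload) < 8:  # proto id is 0; length = unit id + PDU
            return None
        fc = payload[7]
        rec = {"unit": unit, "fc": fc}
        if fc in READ_FCS or fc in WRITE_MULTI_FCS:
            start, qty = struct.unpack(">HH", payload[8:12])
            rec["regs"] = (start, start + qty - 1)                  # inclusive address range touched
        elif fc in WRITE_SINGLE_FCS:
            rec["regs"] = (struct.unpack(">H", payload[8:10])[0],) * 2
        return rec
    except struct.error:                                            # header or PDU shorter than required
        return None

def build_inventory(observations):
    """observations: (src_ip, dst_ip, dst_port, tcp_payload) tuples as seen on a SPAN/TAP port. Only
    requests to port 502 are used, so dst is the Modbus server (PLC/RTU) and src the master polling it."""
    inv = defaultdict(lambda: {"units": set(), "fcs": set(), "reads": set(), "writes": set(),
                               "masters": set(), "writers": set()})
    for src, dst, port, payload in observations:
        rec = parse_modbus_request(payload) if port == 502 else None
        if rec is None:
            continue
        dev = inv[dst]
        dev["units"].add(rec["unit"]); dev["fcs"].add(rec["fc"]); dev["masters"].add(src)
        if "regs" in rec and rec["fc"] in READ_FCS:
            dev["reads"].add(rec["regs"])
        elif "regs" in rec:
            dev["writes"].add(rec["regs"]); dev["writers"].add(src)
    return dict(inv)

def unexpected_writers(inventory, approved_masters):
    """Devices written to by a host outside the approved master list: the forgotten vendor laptop case."""
    return {ip: d["writers"] - approved_masters for ip, d in inventory.items() if d["writers"] - approved_masters}
SAMPLE = [   # constructed capture: 10.0.1.10 polls two PLCs; 10.0.3.77 writes one register on the first
    ("10.0.1.10", "10.0.2.21", 502, bytes.fromhex("0001000000060103006b0003")),   # read 3 holding regs at 107
    ("10.0.1.10", "10.0.2.22", 502, bytes.fromhex("000200000006020400000010")),   # read 16 input regs at 0
    ("10.0.3.77", "10.0.2.21", 502, bytes.fromhex("000300000006010600640001")),   # write single register 100
    ("10.0.1.10", "10.0.2.22", 80, b"GET / HTTP/1.1\r\n"),                        # not Modbus: ignored
]
```

A real deployment would feed the observations from a pcap or sensor export and keep timestamps per observation; that is what turns this snapshot into the communications baseline a monitoring platform maintains.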
Commercial Passive Discovery Platforms
Claroty Platform: Deploys as a virtual appliance or hardware sensor with SPAN/TAP access to OT network traffic. Identifies devices through deep protocol inspection across 300+ industrial protocols. Produces an asset inventory with device type, vendor, firmware version (where inferrable), and network connectivity map. Integrates with ServiceNow, Splunk, and most SIEM platforms.
Dragos Platform: Focuses on threat detection and asset visibility jointly. Particularly strong in electric utility protocol support (IEC 61850, DNP3, CIP) and threat intelligence integration. The asset inventory module tracks communication history per device, enabling detection of new or changed communication patterns.
Nozomi Networks Guardian: OT/IoT visibility and threat detection. Supports hybrid passive/active discovery modes where a limited and controlled active interrogation can be selectively applied to specific devices if the operator accepts the risk—useful for filling gaps where passive traffic observation is insufficient.
Microsoft Defender for IoT (formerly CyberX): Agentless passive discovery integrated with Azure Sentinel. Attractive for organizations already in the Microsoft security ecosystem.
Limitations of Passive Discovery
Passive discovery only finds devices that generate network traffic during the observation period. A PLC that communicates once per day at a scheduled polling interval will only appear in inventory after that polling event is observed. A device that communicates only with a specific master that was offline during the monitoring window may not appear at all.
Silent devices—those with network interfaces that are not currently communicating—are invisible to passive discovery. These may include: standby systems, backup controllers, decommissioned equipment that wasn’t physically disconnected, and devices on network segments where no traffic is currently flowing.
Building a Practical Inventory Program
A credible OT asset inventory program requires combining multiple data sources:
- Passive network monitoring as the continuous, primary source of truth for active network devices
- Engineering system exports from SCADA configuration databases, DCS configuration tools, and PLC programming environments—these contain device definitions that may not yet appear on the network
- Active Directory and IT infrastructure inventory for Windows-based OT components (historians, HMIs, engineering workstations)
- Physical walkdowns on a scheduled basis—a human being physically inspecting all OT network cabinet spaces, identifying equipment, and verifying connectivity
- Change management integration—requiring that all new OT device installations generate an inventory update as part of the change request
Critically, the inventory must be maintained, not just built. A one-time discovery project that produces a spreadsheet which then sits untouched for two years does not provide security value. The inventory must be continuously updated through network monitoring and integrated with change management processes so new devices are captured at installation rather than discovered retroactively.
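As an added example, not code from the article, the reconciliation step behind this multi-source program in Python: it merges a constructed engineering export, an Active Directory/CMDB export and the passive sensor's last-seen times, and flags a known device as overdue only after it has been silent for a grace period measured in its own expected polling interval, so a once-a-day RTU (the limitation noted under Limitations of Passive Discovery) is not a false alarm after an hour. All tags, addresses, intervals and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample sources; every tag, address and timestamp here is made up for the example.
ENGINEERING_EXPORT = {            # SCADA/DCS configuration export: ip -> (tag, expected poll interval)
    "10.0.2.21": ("PLC-MIX-01", timedelta(seconds=5)),
    "10.0.2.22": ("PLC-MIX-02", timedelta(seconds=5)),
    "10.0.2.30": ("RTU-SUB-07", timedelta(hours=24)),     # reports once a day
    "10.0.2.40": ("PLC-SPARE", timedelta(seconds=5)),      # standby controller, normally silent
}
IT_INVENTORY = {"10.0.1.10": "SCADA-MASTER-A", "10.0.1.11": "HIST-01"}   # Active Directory / CMDB export
PASSIVE_LAST_SEEN = {             # passive sensor: ip -> last time any frame to or from it was observed
    "10.0.2.21": datetime(2024, 6, 1, 12, 0, 0),
    "10.0.2.22": datetime(2024, 6, 1, 11, 30, 0),          # quiet for 30 min on a 5 s poll
    "10.0.2.30": datetime(2024, 5, 31, 13, 0, 0),          # 23 h ago: normal for a daily reporter
    "10.0.1.10": datetime(2024, 6, 1, 12, 0, 0),
    "10.0.3.77": datetime(2024, 6, 1, 10, 0, 0),           # present in no record at all
}
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, 0)                # time of the reconciliation run

def reconcile(engineering, it_inventory, passive, now, grace=2):
    """Return {ip: (tag, status)} for every address in any source. A device known from engineering
    data is 'overdue' once silent for more than `grace` expected poll intervals."""
    result = {}
    for ip in set(engineering) | set(it_inventory) | set(passive):
        seen = passive.get(ip)
        if ip in engineering:
            tag, interval = engineering[ip]
            if seen is None:
                status = "never_seen"        # standby, decommissioned, or outside the monitoring window
            elif now - seen > grace * interval:
                status = "overdue"           # was communicating, has gone quiet
            else:
                status = "confirmed"
        elif ip in it_inventory:
            tag, status = it_inventory[ip], ("confirmed" if seen else "never_seen")
        else:
            tag, status = None, "unknown"    # on the wire but in no record: shadow OT candidate
        result[ip] = (tag, status)
    return result

def by_status(result):
    """Group addresses by status so each bucket can be routed to its follow-up (walkdown, change ticket)."""
    groups = {}
    for ip, (_, status) in result.items():
        groups.setdefault(status, []).append(ip)
    return {s: sorted(ips) for s, ips in groups.items()}
```

The "unknown" bucket is the shadow OT list and the "never_seen" bucket is the walkdown list; both should be empty after a full maintenance cycle if change management is feeding the inventory.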
The Business Case for Visibility
Operators who resist OT asset inventory investment sometimes frame it as a security overhead that doesn’t improve operational reliability. This framing misses the operational value. An accurate, continuously maintained OT asset inventory directly supports:
- Vulnerability management: You cannot assess or remediate vulnerabilities in devices you don’t know exist. CISA’s Known Exploited Vulnerabilities catalog regularly includes OT device vulnerabilities; operators can only determine exposure if they know what devices they’re running.
- Incident response: When a security incident occurs, responders need an accurate network map to understand what was exposed, what lateral movement paths exist, and which systems need forensic examination. Without an inventory, incident response is significantly slower and less effective.
- Regulatory compliance: NERC CIP (electric utilities), AWIA (water sector), and nuclear regulatory requirements all include asset identification requirements. Audits in these sectors increasingly test the accuracy and completeness of OT asset inventories.
- Maintenance planning: Knowing every device on the network, its firmware version, and its vendor end-of-support status enables proactive maintenance planning before devices become unmanageable liabilities.