What Is Active OT Asset Discovery?
Active OT asset discovery sends controlled queries to network devices to elicit identification responses. For OT environments, active discovery must use OT-safe query types that don't overwhelm legacy devices: read-only protocol queries (Modbus read device identification, EtherNet/IP identity list queries) rather than the TCP SYN probes, service banner grabs, and vulnerability probes that IT scanners use. OT-safe active discovery is available in Tenable OT Security, Nozomi Networks, and Claroty, with scan profiles specifically designed to avoid disrupting production equipment.
Active discovery identifies devices that don't generate sufficient passive traffic to be discovered through traffic analysis alone. Devices that communicate very infrequently, or that use protocols not recognized by the passive sensor's fingerprint library, may be missed by passive-only discovery. A targeted active query to the IP address range of the OT network can surface these silent devices. Active discovery should always be preceded by passive baseline establishment and should be scheduled during maintenance windows for maximum safety in environments with legacy equipment.
What Is Shadow OT and Why Does It Matter?
Shadow OT refers to devices connected to industrial networks without going through the formal OT change management process. Shadow devices enter OT networks through several mechanisms: vendor laptops connected for maintenance and left connected; IoT sensors deployed by facilities management without OT security review; engineering workstations connected for temporary project work; and IT-managed devices (printers, HVAC controllers, cameras) connected to OT network segments for convenience. Each shadow device represents unmonitored attack surface that may lack the security controls applied to formally managed OT equipment.
Claroty's research finding of 27% undocumented device prevalence means that for every 100 OT devices a security team monitors, there are 27 additional devices they don't know about. Those 27 devices are invisible to the monitoring system, excluded from vulnerability management, and unreachable by incident response procedures. In an environment where a single compromised device can serve as a lateral movement pivot to reach critical PLCs or safety systems, each undiscovered device is a potential unmonitored attack path.
Citation Capsule: Industrial organizations have an average 27% more OT-connected devices than their manually maintained asset inventories document, a gap primarily attributable to shadow OT: vendor laptops, IoT sensors, and IT-managed devices entering OT networks outside formal change management processes. This undiscovered device population represents unmonitored attack surface that passive OT asset discovery is specifically designed to surface ([Claroty, 2024](https://claroty.com/team82/research)).
What Information Should an OT Asset Inventory Contain?
A complete OT asset inventory includes more than a device list. Each asset record should contain: device type and manufacturer; model and hardware version; firmware or software version; IP address and MAC address; physical location (building, floor, panel, rack position); network zone and VLAN assignment; communication relationships (which devices it talks to and which protocols it uses); function and criticality (what process does it control and what's the consequence of its failure?); ownership (which operations team is responsible for it?); and patch status (current firmware version vs. available updates, with reason for any gap).
Firmware version is the most security-critical attribute in the asset inventory. Knowing the firmware version enables mapping against known CVEs for each device model, identifying which devices have unpatched vulnerabilities, and prioritizing vulnerability management activity. Without firmware version data, vulnerability management is impossible. OT monitoring platforms extract firmware versions from passive protocol traffic for many device types, eliminating the need for manual firmware audits in environments where passive monitoring is deployed.
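Read Device Identification (Modbus function code 0x2B, MEI type 0x0E) is the read-only query named in the active discovery section above, and the same response objects carry the vendor, product code and revision that a passive sensor extracts from traffic. The following added example, which is not code from the article or from any vendor's platform, builds that request and parses a constructed response into inventory fields; the vendor and product strings in the sample are made up.

```python
import struct

# Object ids in the Basic category of Read Device Identification (FC 0x2B, MEI type 0x0E)
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName"}

def build_read_device_id_request(transaction_id, unit_id=1, read_code=0x01, object_id=0x00):
    """Modbus/TCP frame for a Read Device Identification request. read_code 0x01 asks for
    the Basic objects only; the request reads identification data and writes nothing."""
    pdu = bytes([0x2B, 0x0E, read_code, object_id])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # length = unit id + PDU
    return mbap + pdu

def parse_read_device_id_response(frame):
    """Decode a Read Device Identification response into inventory fields.
    Raises ValueError for Modbus exception responses and malformed frames."""
    if len(frame) < 9:
        raise ValueError("frame shorter than MBAP header plus a minimal PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or length != len(pdu) + 1:
        raise ValueError("MBAP protocol/length mismatch")
    if pdu[0] == 0xAB:                             # 0x2B with the high bit set = exception
        raise ValueError(f"Modbus exception code 0x{pdu[1]:02x}")
    if pdu[0] != 0x2B or pdu[1] != 0x0E or len(pdu) < 7:
        raise ValueError("not a Read Device Identification response")
    record = {"unit_id": unit, "transaction_id": tid,
              "more_follows": pdu[4] == 0xFF, "next_object": pdu[5]}
    pos, count = 7, pdu[6]
    for _ in range(count):                         # objects: id (1), length (1), value (n)
        if pos + 2 > len(pdu) or pos + 2 + pdu[pos + 1] > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        record[OBJECT_NAMES.get(obj_id, f"Object{obj_id:#04x}")] = value
        pos += 2 + obj_len
    return record

def _constructed_sample_response():
    """A constructed Basic-category response (not captured from any real device)."""
    objs = [(0x00, b"ExampleVendor"), (0x01, b"PLC-1000"), (0x02, b"v2.14")]
    body = b"".join(bytes([oid, len(v)]) + v for oid, v in objs)
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body  # conformity 0x01, no more follows
    return struct.pack(">HHHB", 7, 0, len(pdu) + 1, 1) + pdu

SAMPLE_RESPONSE = _constructed_sample_response()
```

The parser is the same whether the response was elicited by an active query or observed on a SPAN port, which is why one routine serves both discovery modes.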
How Do You Maintain an OT Asset Inventory Over Time?
A one-time OT asset discovery exercise produces a point-in-time inventory that quickly becomes outdated as devices are added, removed, and reconfigured. Continuous passive monitoring is the most effective method for maintaining an accurate, current inventory: the monitoring platform automatically adds new devices to the inventory when they first appear on the network, flags devices that disappear from the network (which may indicate decommissioning or unauthorized removal), and updates device attributes when firmware versions or configuration data changes are detected in traffic.
The inventory should be integrated with the OT change management process: every authorized OT change that adds, removes, or modifies a device should trigger an inventory update, and the continuous monitoring alerts for new device appearances should trigger a review to confirm the new device is authorized. Unauthorized device appearance (a device not registered in the change management system appearing on the OT network) should generate an immediate security alert for investigation.
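As an added illustration (not code from the article or from any monitoring platform), the reconciliation logic described in the last two sections, run over constructed sensor observations and a constructed change-management register: it reports devices seen on the wire but never registered, firmware versions that differ from the approved one, and registered devices that have gone silent beyond a threshold.

```python
from datetime import datetime, timedelta

# Constructed change-management register (MAC -> approved firmware). Not real data.
CHANGE_REGISTER = {
    "00:1d:9c:00:00:01": "v2.14",   # PLC, line 1
    "00:1d:9c:00:00:02": "4.2.1",   # HMI, line 1
    "00:1d:9c:00:00:03": "v2.14",   # PLC, line 2 (silent during this window)
}

# Constructed observations as a passive sensor would report them: (mac, firmware, last_seen)
OBSERVATIONS = [
    ("00:1d:9c:00:00:01", "v2.14", "2024-05-01T08:00:00"),
    ("00:1d:9c:00:00:02", "4.3.0", "2024-05-01T08:05:00"),  # differs from approved version
    ("f4:5c:89:aa:bb:cc", None, "2024-05-01T08:10:00"),     # not in register: shadow device
    ("00:1d:9c:00:00:01", "v2.14", "2024-05-01T09:00:00"),  # repeat sighting, later timestamp
]

def reconcile(register, observations, now, silence=timedelta(days=14)):
    """Compare passive observations with the change register and return alerts:
    unauthorized (seen but never registered), firmware_changed (version differs from
    the approved one) and disappeared (registered but silent for longer than `silence`)."""
    latest = {}   # mac -> (firmware, last_seen), keeping only the newest sighting
    for mac, fw, ts in observations:
        ts = datetime.fromisoformat(ts)
        if mac not in latest or ts > latest[mac][1]:
            latest[mac] = (fw, ts)
    alerts = {"unauthorized": [], "firmware_changed": [], "disappeared": []}
    for mac, (fw, ts) in sorted(latest.items()):
        approved = register.get(mac)
        if approved is None:
            alerts["unauthorized"].append(mac)
        elif fw is not None and fw != approved:
            alerts["firmware_changed"].append((mac, approved, fw))
    for mac in sorted(register):
        if mac not in latest or now - latest[mac][1] > silence:
            alerts["disappeared"].append(mac)
    return alerts
```

In practice the silence threshold is set per device class, since a PLC that polls every second and a metering device that reports weekly should not share one timeout.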
Frequently Asked Questions
Can passive OT discovery find all devices?
Passive discovery can identify all devices that communicate during the monitoring period. Devices that are powered on but don't generate network traffic (because they are in standby mode or communicate only periodically) may not appear in a short passive discovery window. Extended passive monitoring periods (4-8 weeks) capture a more complete device population than short-duration exercises. Passive discovery combined with targeted active queries for silent device ranges provides the most complete coverage ([Nozomi Networks, 2024](https://www.nozominetworks.com/ot-iot-security/ot-asset-discovery/)).
What is the difference between asset inventory and asset management?
Asset inventory is the documented list of assets with their attributes (type, location, firmware, owner). Asset management is the ongoing process of maintaining that inventory, managing the lifecycle of assets (procurement, commissioning, maintenance, decommissioning), and ensuring assets are operated within their authorized configuration baselines. OT asset discovery produces the inventory. Asset management processes maintain it over time, integrating discovery data with change management, vulnerability management, and configuration management processes to keep the inventory current and actionable.
Which OT asset discovery platforms are most widely used?
The most widely deployed OT asset discovery platforms in industrial environments are Claroty, Nozomi Networks Guardian, Dragos Platform, Microsoft Defender for IoT, and Tenable OT Security (formerly Indegy). Each provides passive discovery as the default, with varying levels of active discovery capability and OT protocol coverage. Platform selection should be driven by your specific OT protocol environment and integration requirements with existing IT security tools. All major platforms provide asset inventory as a foundation for their monitoring, vulnerability management, and threat detection capabilities.
Conclusion
OT asset discovery is the foundational capability that enables every other OT security function. Vulnerability management requires knowing what assets exist and their firmware versions. Network monitoring requires knowing what normal communication looks like for each device type. Incident response requires knowing the full network topology to make containment decisions. Without a current, accurate asset inventory, all of these functions operate on incomplete information and produce correspondingly incomplete results.
The 27% shadow device gap documented by Claroty means that most industrial operators are making security decisions about an incomplete picture of their own OT environment. Passive OT asset discovery, deployed continuously and integrated with change management, closes that gap and provides the accurate inventory that security decisions require.
