OT asset discovery is the foundation of any effective operational technology (OT) security programme. Without a clear understanding of what OT assets exist, how they communicate, and where risk resides, organisations struggle to manage cyber risk, respond to incidents, or meet regulatory and compliance expectations.
Unlike IT asset discovery, OT asset discovery must be performed in environments where availability, safety, and operational continuity are non-negotiable. OT systems are often legacy, highly sensitive, and were never designed to be scanned or interrogated aggressively.
This creates a fundamental challenge: how do organisations achieve meaningful OT asset visibility without introducing operational risk?
The answer lies in understanding the difference between passive and active OT asset discovery, and knowing when, and how, to use each.
Why OT asset discovery is different from IT asset discovery
OT asset discovery goes far beyond identifying IP-addressable devices. It includes visibility across:
- PLCs, RTUs, and industrial controllers
- HMIs, SCADA systems, and historians
- Safety Instrumented Systems (SIS)
- Industrial network infrastructure
- Vendor-managed and third-party systems
Many OT environments contain assets that are decades old, poorly documented, or shared across teams. Ownership is often split between engineering, operations, IT, and external suppliers. This makes OT asset discovery both essential and sensitive.
Traditional IT asset discovery techniques prioritise completeness and speed. In OT, that mindset can introduce risk.
What is passive OT asset discovery?
Passive OT asset discovery works by observing existing network traffic rather than interacting directly with OT assets. Sensors are typically connected via SPAN ports or network TAPs, allowing tools to monitor communications without sending any traffic into the environment.
This passive approach aligns naturally with OT operational constraints. Because no queries are sent to devices, passive discovery adds no load to controllers and no unexpected traffic to the process network, and it is widely accepted by operations and engineering teams. The one thing to check is the capture point itself: an oversubscribed SPAN session silently drops mirrored frames, leaving gaps in what the sensor sees, which is why a hardware TAP is usually preferred on critical segments.
Passive asset discovery is particularly effective at:
- Identifying actively communicating OT assets
- Understanding industrial protocols in use
- Mapping real communication paths and dependencies
- Establishing behavioural baselines
Perhaps most importantly, passive OT asset discovery shows how the environment actually behaves, not how it is assumed to behave in documentation.
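To make the passive approach concrete, here is an added example (written for this article, not code from Harpoon Consulting or from any discovery product) that folds Modbus/TCP traffic observed at a SPAN port or TAP into an asset list and a communication map. It assumes the capture has already been reduced to (source IP, source port, destination IP, destination port, TCP payload) records; the records below are constructed by hand, as are the addresses. The script never transmits anything, which is the whole point of passive discovery.

```python
"""Passive OT asset discovery over constructed Modbus/TCP traffic.

Added example, not code from the original article or from Harpoon Consulting.
Assumes captured traffic has been reduced to
(src_ip, src_port, dst_ip, dst_port, tcp_payload) records; the sample
records and IP addresses below are constructed for illustration.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502

# Function codes that matter for an inventory: reads reveal pollers,
# writes reveal who is allowed to change process state.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP ADU.

    Returns (transaction_id, unit_id, function_code, is_exception), or None
    if the bytes are not a well-formed Modbus/TCP frame.
    """
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # protocol_id is always 0 for Modbus; length counts unit_id plus the PDU.
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    function_code = payload[7]
    is_exception = bool(function_code & 0x80)
    return transaction_id, unit_id, function_code & 0x7F, is_exception


def build_inventory(records):
    """Fold observed frames into an asset inventory and a communication map."""
    assets = defaultdict(lambda: {"roles": set(), "protocols": set(), "unit_ids": set()})
    edges = defaultdict(set)  # (client_ip, server_ip) -> set of function names
    for src_ip, src_port, dst_ip, dst_port, payload in records:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        _tid, unit_id, fc, is_exception = parsed
        if dst_port == MODBUS_PORT:      # request: source is the client (poller)
            client, server = src_ip, dst_ip
        elif src_port == MODBUS_PORT:    # response: source is the server (PLC)
            client, server = dst_ip, src_ip
        else:
            continue
        assets[client]["roles"].add("modbus-client")
        assets[client]["protocols"].add("modbus/tcp")
        assets[server]["roles"].add("modbus-server")
        assets[server]["protocols"].add("modbus/tcp")
        assets[server]["unit_ids"].add(unit_id)
        name = FUNCTION_NAMES.get(fc, f"FC{fc}")
        if is_exception:
            name += " (exception)"
        edges[(client, server)].add(name)
        if fc in WRITE_FUNCTIONS and not is_exception:
            assets[client]["roles"].add("writer")   # part of the baseline
    return assets, edges


def mbap(tid, unit, pdu):
    """Construct a Modbus/TCP frame for the sample capture."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: an HMI (10.0.10.5) polling two PLCs, an engineering
# workstation (10.0.10.9) writing a setpoint, and one non-Modbus frame.
SAMPLE_RECORDS = [
    ("10.0.10.5", 50001, "10.0.10.21", 502, mbap(1, 1, bytes([3, 0, 0, 0, 10]))),
    ("10.0.10.21", 502, "10.0.10.5", 50001, mbap(1, 1, bytes([3, 20]) + bytes(20))),
    ("10.0.10.5", 50002, "10.0.10.22", 502, mbap(2, 1, bytes([1, 0, 0, 0, 8]))),
    ("10.0.10.22", 502, "10.0.10.5", 50002, mbap(2, 1, bytes([1, 1, 0xA5]))),
    ("10.0.10.9", 50100, "10.0.10.21", 502, mbap(3, 1, bytes([6, 0, 5, 0x03, 0xE8]))),
    ("10.0.10.21", 502, "10.0.10.9", 50100, mbap(3, 1, bytes([6, 0, 5, 0x03, 0xE8]))),
    ("10.0.10.9", 50101, "10.0.10.22", 502, mbap(4, 1, bytes([16, 0, 0, 0, 1, 2, 0, 1]))),
    ("10.0.10.22", 502, "10.0.10.9", 50101, mbap(4, 1, bytes([0x90, 0x01]))),  # exception
    ("10.0.10.40", 44818, "10.0.10.5", 49000, b"\x00\x00"),  # not Modbus, ignored
]

if __name__ == "__main__":
    assets, edges = build_inventory(SAMPLE_RECORDS)
    for ip, info in sorted(assets.items()):
        print(ip, sorted(info["roles"]), sorted(info["protocols"]), sorted(info["unit_ids"]))
    for (client, server), funcs in sorted(edges.items()):
        print(f"{client} -> {server}: {sorted(funcs)}")
```

Two things the output shows that documentation rarely does: which host actually writes to the PLCs (here the engineering workstation, not the HMI), and which writes the PLC rejected. The frame on port 44818 is ignored because only Modbus/TCP is decoded, which is exactly the limitation the next section describes: a passive tool only inventories what it can see and understand.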
Limitations of passive OT asset discovery
It is often stated that passive OT asset discovery cannot provide a complete asset inventory. Technically, this is correct.
Passive discovery only sees assets that communicate during the monitoring period. Standby PLCs, redundant safety systems, or seasonal equipment that stay silent during the observation window will not appear. Certain attributes, such as firmware versions or configuration details, are only recoverable passively when the protocol happens to carry them in normal traffic, so they are often incomplete.
The key point is that passive OT asset discovery is intentionally conservative. It provides high-confidence visibility without introducing risk — a trade-off that is essential in operational environments.
These gaps are not a failure of passive OT asset discovery. They are the result of prioritising operational safety over intrusive techniques.
What is active OT asset discovery?
Active OT asset discovery involves directly querying OT devices to identify their presence, characteristics, or configuration. This may include protocol-aware interrogation of PLCs and HMIs, network-level discovery scans, or targeted techniques to retrieve firmware and version information.
Active asset discovery can uncover:
- Silent or rarely used OT assets
- Devices outside monitored network paths
- Firmware and patch-level detail
- Undocumented or misconfigured systems
This makes active OT asset discovery useful during commissioning, maintenance windows, or focused investigations.
However, active discovery interacts directly with live control systems. Many OT devices were never designed to handle unexpected queries or high request volumes. Limited processing capacity, deterministic timing requirements, and fragile protocol implementations all increase the risk of disruption.
Risks associated with active OT asset discovery
Active OT asset discovery carries higher risk because OT devices are built for availability and deterministic operation, not for resilience to unexpected input. Industrial protocols assume trusted communication and often lack safeguards such as rate limiting or robust error handling.
Unexpected traffic can lead to delayed control cycles, device faults, or safety system responses. In some cases, OEMs explicitly advise against scanning their equipment due to stability or support concerns.
In OT environments, even a small chance of disruption must be weighed carefully. A discovery approach that causes a production outage is rarely acceptable.
The best approach: passive first, targeted active second
Mature OT asset discovery programmes do not rely on a single technique. Instead, they adopt a hybrid, risk-based approach.
Typically, this involves:
- Starting with passive OT asset discovery to build safe, trusted visibility
- Identifying gaps based on risk, compliance, or operational needs
- Applying tightly scoped, operations-approved active discovery only where justified
- Maintaining continuous passive monitoring for long-term visibility
This model delivers meaningful OT asset discovery without compromising operational continuity.
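The following added example (written for this article, not code from Harpoon Consulting) turns the passive-first workflow above into a decision routine, and shows the kind of tightly scoped active query the earlier section on active discovery has in mind when it mentions retrieving firmware and version information. It assumes three constructed inputs: a documented asset register with a risk rating and OEM guidance per device, the set of addresses a passive sensor actually saw, and an operations sign-off flag. The only active technique it prepares is a single Modbus Read Device Identification request (function 0x2B, MEI type 0x0E), which returns vendor, product and revision strings; nothing is transmitted, the request is built and a constructed response is parsed, which is the state a plan should be in before it is reviewed with operations.

```python
"""Passive-first, targeted-active planning for OT asset discovery.

Added example, not code from the original article or from Harpoon Consulting.
All inputs (asset register, observed addresses, sample response) are
constructed for illustration; no traffic is sent.
"""
import struct
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    name: str
    risk: str                  # "high", "medium" or "low" from the site risk assessment
    vendor_allows_query: bool  # OEM guidance on interrogating this device


@dataclass
class ActivePlan:
    targets: list = field(default_factory=list)
    skipped: dict = field(default_factory=dict)
    inter_request_delay_s: float = 5.0  # one query at a time, well spaced
    timeout_s: float = 2.0              # give up rather than retry aggressively


def plan_active_discovery(documented, observed_ips, approved_by_ops):
    """Decide where tightly scoped active discovery is justified.

    Only silent assets (documented but never observed) are considered, and
    only when operations has approved the window, the OEM does not advise
    against queries, and the asset's risk rating justifies the residual risk.
    """
    plan = ActivePlan()
    for asset in documented:
        if asset.ip in observed_ips:
            plan.skipped[asset.ip] = "seen passively; no active query needed"
        elif not approved_by_ops:
            plan.skipped[asset.ip] = "no operations approval for this window"
        elif not asset.vendor_allows_query:
            plan.skipped[asset.ip] = "OEM advises against interrogation"
        elif asset.risk != "high":
            plan.skipped[asset.ip] = "silent but low/medium risk; keep on passive watch"
        else:
            plan.targets.append(asset.ip)
    return plan


def build_read_device_id(transaction_id, unit_id=0xFF):
    """Modbus/TCP ADU for Read Device Identification, basic objects (code 0x01)."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id(adu):
    """Parse a basic-identification response into {object_id: string}.

    Object ids 0, 1, 2 are VendorName, ProductCode, MajorMinorRevision.
    Returns None for an exception response or any other frame.
    """
    if len(adu) < 7 + 7:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        return None
    pdu = adu[7:]
    if pdu[0] != 0x2B or pdu[1] != 0x0E:
        return None  # 0xAB is the exception form of 0x2B
    # pdu[2..6]: read device id code, conformity level, more follows,
    # next object id, number of objects; object list starts at pdu[7]
    num_objects, pos, objects = pdu[6], 7, {}
    for _ in range(num_objects):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        objects[obj_id] = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


def build_read_device_id_response(transaction_id, unit_id, objects):
    """Construct a response for the sample; objects is [(object_id, bytes)]."""
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objects)
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}

# Constructed register and the addresses a passive sensor actually saw.
DOCUMENTED = [
    Asset("10.0.10.21", "PLC-A (line 1)", "high", True),
    Asset("10.0.10.22", "PLC-B (line 2)", "high", True),
    Asset("10.0.10.23", "PLC-A standby", "high", True),
    Asset("10.0.10.30", "SIS logic solver", "high", False),
    Asset("10.0.10.45", "seasonal chiller controller", "low", True),
]
OBSERVED = {"10.0.10.5", "10.0.10.9", "10.0.10.21", "10.0.10.22"}

# Constructed reply as the standby PLC might return it.
SAMPLE_RESPONSE = build_read_device_id_response(
    9, 0xFF, [(0, b"ExampleVendor"), (1, b"PLC-2000"), (2, b"V3.1.4")])

if __name__ == "__main__":
    plan = plan_active_discovery(DOCUMENTED, OBSERVED, approved_by_ops=True)
    print("active targets:", plan.targets)
    for ip, reason in plan.skipped.items():
        print("skip", ip, "-", reason)
    print("request:", build_read_device_id(9).hex())
    ident = parse_read_device_id(SAMPLE_RESPONSE)
    print({OBJECT_NAMES.get(k, k): v for k, v in ident.items()})
```

With the constructed inputs only the standby PLC qualifies for a query: the two live PLCs were already seen passively, the SIS is excluded on OEM advice, and the chiller controller stays on passive watch because its risk rating does not justify touching it. The delay and timeout fields are there to make the "one question per device, well spaced, no retries" discipline explicit in the plan that operations reviews, rather than something left to whoever runs the tool.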
What about regulatory compliance?
It’s true that regulatory frameworks such as NIS2 and IEC 62443 require organisations to understand and manage their OT assets. But they do not mandate intrusive or aggressive asset discovery techniques. Regulators expect risk-based, defensible OT asset discovery that reflects the operational context of industrial environments.
Discovery without disruption
OT asset discovery is not about achieving perfect visibility. It is about achieving sufficient, defensible visibility without disrupting operations.
Passive and active OT asset discovery both have a role to play. The difference between success and failure lies in understanding their trade-offs and applying them with judgment.
At Harpoon Consulting, our OT asset discovery service is carried out as a risk and operations challenge, not a technology deployment exercise. We prioritise approaches that protect production, build trust with operations teams, and provide defensible visibility aligned to business risk. Our approach is vendor-agnostic, passive-first by default, and deliberately cautious with active techniques.
If you’d like to find out more about our OT asset discovery service, why not arrange a free call with the Harpoon team to discuss your environment, your priorities, and the most practical next steps.

