OT asset discovery is only effective if its scope reflects how industrial environments actually operate. Focusing on a narrow set of devices can leave significant gaps in visibility, risk understanding, and operational awareness.
A meaningful OT asset discovery exercise should account for all assets that influence the behaviour, availability, and security of operational systems — not just the most visible control equipment.
The sections below outline the main asset categories that should be included, and why each matters.
Core OT devices
At the centre of any OT environment are the systems that directly monitor and control physical processes. These are typically the first assets people think of, and they form the foundation of any discovery effort.
This category includes:
- Programmable logic controllers (PLCs)
- Human-machine interfaces (HMIs)
- Remote terminal units (RTUs)
- Distributed control system (DCS) controllers
- Safety instrumented systems (SIS), where applicable
For each device, asset discovery should aim to capture more than just its presence. Useful attributes often include vendor, model, firmware version, communication protocols, network location, and functional role in the process.
In real environments, these devices are often deployed in layers or generations, with newer systems added alongside older ones rather than replacing them outright. Capturing this mix is essential for understanding both operational dependencies and potential exposure.
Supporting systems and network infrastructure
OT systems do not operate in isolation. A wide range of supporting components enable communication, data flow, and system coordination. These assets are frequently overlooked, despite playing a critical role in how OT environments function.
Supporting assets typically include:
- Industrial switches and routers
- Firewalls separating zones or cells
- Wireless access points and radios
- Serial-to-Ethernet gateways
- Time servers and domain services used by OT systems
- Engineering workstations and operator PCs
These components often determine how traffic flows through the environment and where boundaries exist — or fail to exist. Asset discovery should identify how these systems are connected, what they communicate with, and whether they are shared with IT networks.
It is common to see network infrastructure installed incrementally over many years, sometimes by different integrators. Without explicit discovery, documentation may no longer reflect the current state of the network.
Legacy and undocumented assets
Legacy systems are a defining characteristic of OT environments. Equipment can remain in service for decades if it continues to perform its function reliably.
This category includes:
- End-of-life PLCs and controllers
- Unsupported operating systems
- Devices with unknown ownership or unclear purpose
- Temporary systems that became permanent
- Assets missing from diagrams or inventories
In many operational environments, undocumented assets are not rare exceptions but an expected condition. They may still communicate actively on the network and interact with critical processes.
Including these assets in discovery is not about immediate remediation. It is about establishing awareness: knowing what exists, where it is, and how it behaves. Without this visibility, risk assessments and change planning are based on incomplete information.
Vendor access and remote connections
Modern OT environments often rely on third-party access for maintenance, support, and monitoring. These connections can be persistent or ad hoc, but both should be included in asset discovery.
Relevant assets and pathways include:
- Remote access gateways and VPNs
- Jump hosts and bastion systems
- Modems and cellular routers
- Vendor-managed monitoring appliances
- Cloud-connected OT platforms
Asset discovery should identify not only the technical components involved, but also how and when access is used. In practice, remote access arrangements have often evolved informally over time, with limited central oversight.
Understanding these connections is essential for building an accurate picture of external dependencies and potential exposure points.
Why IT-only views are incomplete
Traditional IT asset inventories are typically built around endpoints such as laptops, servers, and virtual machines. While useful, this approach does not translate well to OT environments.
Key limitations of IT-only views include:
- Limited visibility into industrial protocols
- Poor identification of embedded or headless devices
- Inability to distinguish between similar-looking control assets
- Lack of context around process roles and dependencies
OT assets often communicate in ways that standard IT tools do not fully interpret. As a result, critical devices may appear as generic network nodes or not be detected at all.
An OT-aware asset discovery approach recognises that operational systems require different techniques, different context, and a broader definition of what constitutes an asset.
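The sketch below is an added example, not part of the original article or any vendor's tooling. It shows the reconciliation described here and in the section on legacy and undocumented assets: passively observed flows are tagged by industrial protocol and compared with the documented inventory. The addresses, the `ExampleCo` records, the OT address range and the port-based heuristic (a host answering on a protocol's default port is treated as a likely controller) are all constructed assumptions.

```python
import ipaddress

# Default TCP ports of common industrial protocols (sites may change defaults).
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
            20000: "DNP3", 44818: "EtherNet/IP"}
# Subset of the per-device attributes the article lists as worth capturing.
REQUIRED = ("vendor", "model", "firmware", "role")

# Constructed sample data: a documented inventory and passively observed flows.
INVENTORY = {
    "10.10.1.10": {"vendor": "ExampleCo", "model": "PLC-A",
                   "firmware": "2.1", "role": "pump control"},
    "10.10.1.20": {"vendor": "ExampleCo", "model": "HMI-B",
                   "firmware": "", "role": "operator HMI"},
}
FLOWS = [  # (source IP, destination IP, destination TCP port)
    ("10.10.1.20", "10.10.1.10", 502),
    ("10.10.1.20", "10.10.1.11", 502),
    ("192.168.5.40", "10.10.1.10", 44818),
    ("10.10.1.20", "10.10.1.5", 443),
]
OT_NET = ipaddress.ip_network("10.10.0.0/16")  # assumed OT address range


def reconcile(flows, inventory, ot_net=OT_NET):
    """Compare passively observed traffic with the documented inventory."""
    serves = {}      # ip -> industrial protocols it answers on
    cross_zone = []  # industrial flows whose client sits outside the OT range
    for src, dst, port in flows:
        serves.setdefault(src, set())
        serves.setdefault(dst, set())
        proto = OT_PORTS.get(port)
        if proto:
            serves[dst].add(proto)
            if ipaddress.ip_address(src) not in ot_net:
                cross_zone.append((src, dst, proto))
    undocumented = sorted(
        (ip for ip in serves
         if ipaddress.ip_address(ip) in ot_net and ip not in inventory),
        key=ipaddress.ip_address)
    missing = {ip: [k for k in REQUIRED if not rec.get(k)]
               for ip, rec in inventory.items()}
    return {
        "likely_controllers": {ip: sorted(p) for ip, p in serves.items() if p},
        "undocumented": undocumented,
        "incomplete_records": {ip: m for ip, m in missing.items() if m},
        "cross_zone": cross_zone,
    }
```

Calling `reconcile(FLOWS, INVENTORY)` on the sample data reports two hosts absent from the inventory, one of them answering Modbus/TCP, plus one record with no firmware version and one EtherNet/IP session originating outside the OT range.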
Defining scope before discovery
Before starting OT asset discovery, it is important to define what “asset” means in the specific operational context. This definition should reflect:
- The technologies in use
- The maturity of existing documentation
- Regulatory or safety considerations
- How the resulting information will be used
A clear scope helps ensure discovery efforts are thorough without being unnecessarily disruptive or unfocused.
