IEC 62443-2-1 / NIST CSF PR.IP-1 IEC 62443

Passive OT asset discovery in place

Demonstrate that the organization has deployed and operates passive network monitoring capabilities that identify and inventory OT assets without active interrogation, and that discovered assets are documented and maintained in an authoritative asset register.

Description

What this control does

Passive OT asset discovery uses network monitoring techniques such as SPAN ports, network taps, or inline sensors to identify industrial control systems, PLCs, HMIs, SCADA devices, and other operational technology assets without transmitting packets to or actively probing those devices. This approach is critical in OT environments, where active scanning can disrupt real-time processes, cause equipment malfunctions, or trigger safety interlocks. The control establishes continuous or scheduled asset inventory updates by analyzing existing network traffic patterns, protocol communications (Modbus, DNP3, OPC, etc.), and device behaviors.

Control objective

What auditing this proves

Demonstrate that the organization has deployed and operates passive network monitoring capabilities that identify and inventory OT assets without active interrogation, and that discovered assets are documented and maintained in an authoritative asset register.

Associated risks

Risks this control addresses

  • Unidentified or shadow OT devices connected to critical networks enable attacker persistence or lateral movement without detection
  • Active scanning tools cause process disruptions, equipment shutdowns, or safety system failures in production environments
  • Rogue or unauthorized industrial devices operate undetected, introducing vulnerabilities or backdoors into operational networks
  • Outdated or incomplete OT asset inventories prevent effective patch management and vulnerability remediation prioritization
  • Lack of visibility into protocol-level communications allows adversaries to manipulate industrial control commands without triggering alerts
  • Unmonitored changes to OT network topology enable attackers to establish covert communication channels or data exfiltration paths
  • Inability to correlate asset configuration drift with operational anomalies delays incident detection and response in ICS environments

Testing procedure

How an auditor verifies this control

  1. Obtain and review the OT network architecture diagram identifying locations of passive monitoring sensors, SPAN ports, or network taps
  2. Request configuration exports from passive discovery tools (e.g., Claroty, Nozomi, Armis) showing monitoring interfaces, protocol decoders enabled, and collection scope
  3. Verify sensor placement covers all OT network segments, VLANs, and zones where industrial devices operate, including DMZs and cell/area zones
  4. Review the current OT asset inventory generated by passive discovery tools, noting device types, protocols, firmware versions, and last-seen timestamps
  5. Select a sample of 10-15 known OT devices from operational zones and confirm their presence, attributes, and communication patterns in the discovery system
  6. Examine logs or reports demonstrating passive discovery events over the past 90 days, including newly detected devices and topology changes
  7. Interview OT security personnel to confirm passive discovery findings are integrated into the CMDB or asset management system and trigger change control workflows
  8. Review alerts or notifications configured for new device detection, unexpected protocol usage, or unauthorized network connections within OT segments

Evidence required

Configuration exports from passive monitoring platforms showing sensor deployment, enabled protocol parsers, and monitored network segments. Current asset inventory reports listing discovered OT devices with attributes (manufacturer, model, firmware, IP/MAC, protocols, last communication). Discovery event logs or dashboards covering the trailing 90 days showing newly detected devices and topology changes.

Pass criteria

Passive discovery sensors are deployed across all in-scope OT network segments, the system has identified devices within the last 30 days, discovered assets are documented in an authoritative inventory with protocol and firmware details, and new device detection triggers documented review processes.

Where this control is tested

Audit programs including this control