Why passive visibility is the only acceptable approach in OT
In IT, a network scan is routine. In a production plant, the same scan can crash a controller or stop a line. This difference is the starting point for almost everything that separates OT security from IT security.
Anyone coming from IT security brings a toolkit proven over decades: active scanners that systematically query a network, probe ports and identify services. In an office network this is harmless. A server that receives an unusual request either answers or ignores it. In the worst case, an entry appears in a log.
In operational technology, different laws apply. Instead of robust servers, there are programmable logic controllers (PLCs) that have run uninterrupted for fifteen years, with firmware that was never designed for unexpected network packets. A single unexpected request can be enough to put such a controller into an undefined state.
The scan that stopped the line
The literature and field reports from OT security are full of incidents where well-intentioned security measures triggered exactly what they were meant to prevent: a production outage. An active scan that accidentally ran into an OT segment; a vulnerability scanner that overwhelmed an old controller with requests; an asset-discovery tool that misinterpreted a protocol and sent a machine into emergency stop.
The insidious part: these incidents arise not from malice or incompetence, but from simply transferring IT methods to an environment where they don't apply. The assumption "a scan can't break anything" is simply wrong in OT.
What passive really means
The answer to this dilemma is a fundamentally different approach: purely passive visibility. Instead of actively querying the network, you only listen. Concretely: via a so-called SPAN port (also called a mirror port), a copy of all network traffic is mirrored to a separate port — and you analyze this copy without ever sending a packet into the network yourself.
The decisive point: a passive solution is non-intrusive. It technically cannot disrupt anything because it technically sends nothing. It is invisible to the plant — and that is precisely what makes it usable in OT in the first place.
What a picture is built from, passively
Astonishingly much can be reconstructed from pure listening:
- Asset inventory: Every device that communicates reveals itself — through IP and MAC address, often also through hostname and protocol idiosyncrasies. This yields a complete register without actively querying a single device.
- Communication relationships: Who talks to whom, how often, in which direction? From this follows the actual network topology — not the one that should be in the wiring diagram, but the one that really exists.
- Protocol and function level: With the right tools, even the industrial protocols themselves can be decoded from the mirrored traffic — for instance whether a read command or a write command is going to a controller.
- Vulnerabilities: If device type and firmware version are identifiable, they can be matched against known vulnerability databases — entirely without an active vulnerability scan.
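The three non-vulnerability items above can be shown concretely. The following is an added example, not code from the original post: it parses a handful of constructed Modbus/TCP frames of the kind a SPAN port would deliver and derives, without ever transmitting, an asset list (IP and MAC per talker), the communication relationships with direction, and the function level (read versus write requests, using the public Modbus function codes). All addresses, the host roles and the "allowed writers" list are assumptions made up for the example.

```python
import struct
from collections import Counter

MODBUS_PORT = 502
# Public Modbus function codes, split by what they do to the controller
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums
    left zero; the passive parser below never validates them)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def modbus_request(tid, unit, func, addr, value_or_count):
    """MBAP header (tid, protocol 0, length 6, unit) + simple PDU (functions 1-6)."""
    return struct.pack("!HHHBBHH", tid, 0, 6, unit, func, addr, value_or_count)


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers from a mirrored frame; None if not TCP/IPv4."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:            # IP protocol field: 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in frame[14 + 12:14 + 16])
    dst_ip = ".".join(str(b) for b in frame[14 + 16:14 + 20])
    t = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4
    return {"src_mac": src_mac.hex(":"), "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port, "payload": frame[t + data_off:]}


def classify_modbus(pkt):
    """Function level: only requests (traffic to port 502) carry the client's intent."""
    p = pkt["payload"]
    if pkt["dst_port"] != MODBUS_PORT or len(p) < 8:
        return None
    _tid, proto_id, _length, unit, func = struct.unpack("!HHHBB", p[:8])
    if proto_id != 0:                 # MBAP protocol identifier is 0 for Modbus
        return None
    kind, name = ("read", READ_FUNCS[func]) if func in READ_FUNCS else \
                 ("write", WRITE_FUNCS[func]) if func in WRITE_FUNCS else \
                 ("other", f"function {func}")
    return {"src_ip": pkt["src_ip"], "dst_ip": pkt["dst_ip"],
            "unit": unit, "func": func, "kind": kind, "name": name}


def analyse(frames, allowed_writers):
    """Build the passive picture: assets, relationships, function level, alerts."""
    assets, flows, ops, alerts = {}, Counter(), [], []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        assets.setdefault(pkt["src_ip"], pkt["src_mac"])      # every talker reveals itself
        flows[(pkt["src_ip"], pkt["dst_ip"], pkt["dst_port"])] += 1   # who -> whom, which service
        op = classify_modbus(pkt)
        if op:
            ops.append(op)
            if op["kind"] == "write" and op["src_ip"] not in allowed_writers:
                alerts.append(f"{op['name']} to {op['dst_ip']} unit {op['unit']} "
                              f"from unexpected source {op['src_ip']}")
    return {"assets": assets, "flows": flows, "ops": ops, "alerts": alerts}


# Constructed sample traffic; hosts, roles and addresses are made up for this example
HMI, PLC, EWS, UNKNOWN = "192.168.10.10", "192.168.10.20", "192.168.10.30", "192.168.10.99"
MACS = {HMI: "00:11:22:00:00:10", PLC: "00:11:22:00:00:20",
        EWS: "00:11:22:00:00:30", UNKNOWN: "00:11:22:00:00:99"}


def sample_frames():
    return [
        build_frame(MACS[HMI], MACS[PLC], HMI, PLC, 40001, MODBUS_PORT,
                    modbus_request(1, 1, 3, 0, 10)),           # HMI polls 10 holding registers
        build_frame(MACS[PLC], MACS[HMI], PLC, HMI, MODBUS_PORT, 40001,
                    struct.pack("!HHHBBB", 1, 0, 23, 1, 3, 20) + bytes(20)),  # PLC reply
        build_frame(MACS[EWS], MACS[PLC], EWS, PLC, 40002, MODBUS_PORT,
                    modbus_request(2, 1, 6, 100, 1)),          # expected engineering write
        build_frame(MACS[UNKNOWN], MACS[PLC], UNKNOWN, PLC, 40003, MODBUS_PORT,
                    modbus_request(3, 1, 6, 100, 0)),          # write from an unknown host
    ]


if __name__ == "__main__":
    result = analyse(sample_frames(), allowed_writers={EWS})
    print("assets:", result["assets"])
    for flow, n in result["flows"].items():
        print("flow:", flow, "x", n)
    for op in result["ops"]:
        print("modbus:", op["src_ip"], "->", op["dst_ip"], op["kind"], op["name"])
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

In a real deployment the input would be the frames read from the SPAN port interface (or a pcap of them) instead of `sample_frames()`; nothing in `analyse` writes to a socket, which is the whole point of the approach. Note that the PLC's reply shows up as a second, reversed relationship in `flows`, so direction and the fact that the PLC is a server on port 502 fall out of pure listening, and the write from the unlisted host is flagged without a single probe having been sent.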
Passive visibility in OT does not deliver a worse picture than active scanning — it delivers the only picture you can take responsibility for without endangering operations.
How far does it get you?
The honest answer: astonishingly far, but not infinitely far. Passive methods see everything that communicates. A device that is attached to the network but currently silent only appears once it speaks. In practice this is rarely a problem, because OT devices almost always communicate cyclically — a PLC that never sends anything barely exists.
For the vast majority of requirements — asset inventory for NIS2, network transparency for a zoning concept per IEC 62443, detection of forbidden communication paths — passive visibility is not only sufficient but the only professional way. Where depth is later missing, you can supplement in a targeted, controlled manner — but the foundation stands, without there ever having been a risk to the plant.
The practical consequence
For me as a consultant, passive visibility is therefore not one feature among many, but a fundamental stance. Every project begins with creating a reliable picture of the production OT — in such a way that the plant notices nothing. Only on this foundation can segmentation, monitoring, compliance and measures be meaningfully discussed.
Anyone who begins in OT with active methods risks squandering the trust of the plant operators before the actual security project even starts. Anyone who begins passively shows from day one that they have understood the rules of OT.