The Visibility Gap in OT: Why You See Less Than You Think

The gap between documented assets and actual assets in industrial environments is not organizational incompetence — it is a structural feature. And threat actors are not constrained by your asset inventory.

Part of the Phase I — Observation series

By Michael E. Ruiz

Every OT security program I have seen begins with some version of the same question: what do we have? And almost universally, the answer that comes back, whether a spreadsheet, a network diagram, or a list from the CMMS, understates the actual environment by a factor that surprises people who have not done this work before. The gap between documented assets and actual assets is not a sign of organizational incompetence. It is a structural feature of how industrial environments are built, operated, and modified over time.

Industrial systems are not deployed the way enterprise IT systems are deployed. There is no provisioning workflow, no CMDB ticket, no standard imaging process. Equipment is installed by contractors, integrated by systems integrators, and handed off to operations teams who are focused on making the process work rather than maintaining a configuration record. When that equipment is modified, through a firmware upgrade, a replaced board, or an additional field device, the change may or may not find its way into the documentation. When that equipment reaches end of life, it may be powered down but remain physically connected, or powered down and physically removed but left in the asset register, or simply forgotten. All three outcomes are common.

The communication topology in OT environments compounds the visibility problem. Industrial protocols are not chatty. A Modbus device responds when polled; it does not announce itself. A PROFIBUS node participates in a scan cycle defined by the master; it does not broadcast its presence to observers. Protocols designed for deterministic control, where the timing and content of every message are defined in advance, have no concept of dynamic discovery. The network visibility tools that work in enterprise environments, where devices use DHCP, respond to ARP, and generate regular traffic to shared services, are not appropriate instruments for environments where devices may communicate exclusively with a single master over a serial bus.
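As an added example (not the author's code, and not a tool the article describes), the following Python parses constructed Modbus/TCP request frames the way a passive monitor would, keying each slave as (IP, unit ID). It shows the two limits the paragraph describes: a slave appears only if the master happens to poll it during the capture window, and serial slaves behind a gateway collapse onto the gateway's single IP. The IP addresses, unit IDs and frames are constructed.

```python
import struct
from collections import defaultdict

MODBUS_PORT = 502  # Modbus/TCP well-known port

def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP ADU."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None  # protocol id must be 0; length counts unit id + PDU
    return {"tid": tid, "unit": unit, "function": payload[7]}

def passive_inventory(packets):
    """Build {(slave_ip, unit_id): {function codes seen}} from captured segments.

    packets: iterable of (src_ip, dst_ip, dst_port, payload). Only requests
    (to port 502) are used; the polled slave is (dst_ip, unit_id).
    """
    seen = defaultdict(set)
    for _src, dst, dport, payload in packets:
        if dport != MODBUS_PORT:
            continue
        adu = parse_mbap(payload)
        if adu is not None:
            seen[(dst, adu["unit"])].add(adu["function"])
    return dict(seen)

def build_request(tid, unit, function, body=b"\x00\x00\x00\x01"):
    """Assemble a request ADU (used only to construct the sample capture)."""
    pdu = bytes([function]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed capture window: master 10.0.0.5 polls serial gateway 10.0.0.20.
# Units 1-3 are polled here; unit 4 sits on the same serial bus but is never
# polled in this window, so it cannot appear in the result.
CAPTURE = [
    ("10.0.0.5", "10.0.0.20", 502, build_request(1, 1, 3)),   # read holding regs
    ("10.0.0.5", "10.0.0.20", 502, build_request(2, 2, 3)),
    ("10.0.0.5", "10.0.0.20", 502, build_request(3, 3, 4)),   # read input regs
    ("10.0.0.5", "10.0.0.20", 502, build_request(4, 1, 16, b"\x00\x00\x00\x01\x02\x00\x05")),
    ("10.0.0.20", "10.0.0.5", 49152, b"\x00\x01\x00\x00\x00\x05\x01\x03\x02\x00\x2a"),  # reply
]

if __name__ == "__main__":
    for (ip, unit), funcs in sorted(passive_inventory(CAPTURE).items()):
        print(f"{ip} unit {unit}: function codes {sorted(funcs)}")
```

Every slave found shares the gateway's IP, so a dashboard that counts IP addresses reports one device where the bus carries at least four.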

Physical access is the remaining piece that most remote monitoring approaches cannot address. Wireless devices, serial-connected sensors, and field instruments connected through marshalling panels may be completely invisible to a network-based monitoring system, not because the monitoring is misconfigured but because those assets do not participate in the networks being monitored. OT environments have historically layered serial, proprietary fieldbus, and Ethernet communications in ways that reflect the vintage of each component rather than a unified network architecture. A visibility program that covers only the Ethernet layer is incomplete in ways that do not show up in dashboard metrics.

Threat actors who conduct reconnaissance in OT environments are not constrained by the asset inventory used by the security team. They can find assets that the asset management program does not know about. They can find communication paths that the network diagram does not show.

The security posture is only as complete as the asset picture, and if that picture is built primarily from passive network monitoring of the Ethernet layer, there are structural gaps that are predictable and exploitable.

Closing the visibility gap requires combining methods that are individually insufficient. Passive network monitoring covers the Ethernet layer and builds a picture of active communication. Targeted active interrogation, carefully scoped to devices and protocols where it is safe, extends coverage to assets that do not generate traffic spontaneously. Physical inspection and engineering documentation review capture the serial and fieldbus layers that network monitoring cannot reach. Integration with the DCS or SCADA historian, which maintains communication with field devices as part of normal operation, can reveal asset data that security tools would never collect independently. None of these alone is adequate. Together, they move the picture from a confident undercount to a defensible approximation.

The practical implication for leadership is that a visibility metric, such as percentage of assets inventoried, is only meaningful if you understand how it was derived. An organization that reports ninety percent asset coverage based on passive Ethernet monitoring is not reporting the same thing as an organization that arrived at ninety percent through a combination of network monitoring, physical inspection, and historian integration. The denominator is different. Knowing what you can see is the beginning of an honest conversation about what you cannot.
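As an added example (not the author's code), here is a small Python reconciliation of the method combination and the denominator point made above: each source contributes its own view of the same plant area, every merged record keeps which sources saw it, and coverage is only reported together with the denominator it was measured against. The source names, tag names and set memberships are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    asset_id: str                     # constructed key: instrument tag or device name
    sources: set = field(default_factory=set)  # evidence sources that saw this asset

def reconcile(sources: dict) -> dict:
    """Union all sources into one record per asset, keeping where each was seen."""
    merged = {}
    for name, ids in sources.items():
        for asset_id in ids:
            merged.setdefault(asset_id, Asset(asset_id)).sources.add(name)
    return merged

def coverage(merged: dict, observed_by: set, denominator: set) -> float:
    """Share of `denominator` seen by at least one source in `observed_by`."""
    covered = {a for a, rec in merged.items()
               if a in denominator and rec.sources & observed_by}
    return len(covered) / len(denominator) if denominator else 0.0

# Constructed data: four views of the same plant area. XV-104 is in the
# engineering register only (the "removed but never de-registered" case).
SOURCES = {
    "passive_ethernet":  {"PLC-01", "PLC-02", "HMI-01", "HIST-01"},
    "engineering_docs":  {"PLC-01", "PLC-02", "HMI-01", "FT-101", "PT-102", "XV-104"},
    "physical_walkdown": {"PLC-01", "PLC-02", "HMI-01", "FT-101", "PT-102", "TT-103", "GW-01"},
    "historian_tags":    {"FT-101", "PT-102", "TT-103"},
}

def report() -> dict:
    merged = reconcile(SOURCES)
    ethernet = {"passive_ethernet"}
    everything = set(merged)
    return {
        # The number usually reported: the Ethernet view measured against itself.
        "ethernet_vs_itself": coverage(merged, ethernet, SOURCES["passive_ethernet"]),
        # The same Ethernet view measured against everything any method found.
        "ethernet_vs_union": coverage(merged, ethernet, everything),
        # All methods combined, same union denominator.
        "all_vs_union": coverage(merged, set(SOURCES), everything),
        # Assets no network sensor could ever have reported.
        "never_on_wire": sorted(a for a, r in merged.items()
                                if "passive_ethernet" not in r.sources),
        # Documented assets that no observation method confirmed: stale records.
        "unconfirmed_documented": sorted(a for a, r in merged.items()
                                         if r.sources == {"engineering_docs"}),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The Ethernet view scores 100% against its own denominator and well under half against the union, which is the difference the paragraph above is describing.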