Webcast recap: see + secure everything in your OT environment


OT environments are notoriously sensitive. Many devices were built for serial lines decades ago and only later adapted to TCP/IP. They tend to be underpowered, rarely updated, and expected to operate for ten to twenty years without interruption. No one wants to bring down a production line or a power grid because of a routine scan.

But ignoring them due to their fragility is a recipe for disaster. These same devices often end up directly exposed to the public internet, whether by design, accident, or slow drift. And while they may not be prime targets for opportunistic botnets, even noisy background internet traffic can be enough to cause outages. Visibility is not optional.

On last week’s webcast, the runZero research team dug into the hard-earned lessons of managing sensitive OT environments, and how our research into protocols like Modbus and DNP3 shapes safer techniques for active discovery and exposure detection. Here’s a recap of what we covered.

What safe discovery looks like

Discovery doesn’t have to be reckless. It’s not about flooding a network and hoping it stays upright. It’s about approaching OT the way you would approach a delicate, mission-critical system that people’s lives and livelihoods depend on:

  • Start with respect. OT protocols like Modbus or DNP3 were never designed for today’s internet. Treating them like REST APIs is asking for trouble. The right way is to use the identification functions they already provide. Politely ask “who are you?” instead of hammering away with random requests. That gets you clarity without chaos.

  • Pace yourself. Imagine walking into a control room. You wouldn’t shout over the operators and flip every switch just to see what happens. The same principle applies here. Safe discovery means rate-limiting scans, tuning probe sets for the environment, and letting devices breathe between requests.

  • Think about the middle. It’s not just the endpoints that matter. Routers, switches, and firewalls in OT networks are often just as brittle. A careless scan that leaves half-open sessions or fills up state tables can cause as much pain as a crashed PLC. Safe discovery closes the loop politely.

  • Avoid the cowboy move. Fuzzing unknown protocols, blasting “Christmas tree” packets with every TCP option set, or running mass scans at pure wire speed doesn’t make you thorough; it makes you reckless. Safe discovery is disciplined: valid traffic only, every time.
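The four points above describe one procedure: ask a device who it is with a function it already supports, space the requests out, and close each session cleanly. The following Python script is an added example written for this recap; it is not runZero's code and does not reflect how their scanner is implemented. It builds the standard Modbus Read Device Identification request (function 0x2B, MEI type 0x0E, basic category) from the Modbus Application Protocol specification, parses the reply, treats an exception reply (the device lacks the function) as a result rather than a reason to try other probes, and paces probes with a minimum interval. Port 502, unit id 0xFF and the three-second timeout are assumed defaults, and the reply bytes are constructed so the parser runs offline; DNP3 is not covered.

```python
"""Polite Modbus/TCP device identification with pacing (added example, not runZero code)."""
import socket
import struct
import time

MODBUS_PORT = 502                       # assumed default Modbus/TCP port
OBJECT_NAMES = {0: "vendor", 1: "product_code", 2: "revision"}  # basic objects per spec


def build_read_device_id(transaction_id: int, unit_id: int = 0xFF) -> bytes:
    """MBAP header + PDU for Read Device Identification, basic category (read code 1)."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])  # function, MEI type, read code, starting object id
    # MBAP: transaction id, protocol id 0, remaining length (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_device_id(frame: bytes) -> dict:
    """Parse a Read Device Identification reply; an exception reply yields {'exception': code}."""
    if len(frame) < 9:
        raise ValueError("frame too short for an MBAP header and a function code")
    _tid, _pid, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    func = pdu[0]
    if func == (0x2B | 0x80):
        # Exception reply (e.g. code 1 = illegal function): the device simply lacks
        # this function. Record that and move on instead of probing with anything else.
        return {"exception": pdu[1]}
    if func != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification reply")
    # pdu[2]=read code, pdu[3]=conformity level, pdu[4]=more follows, pdu[5]=next object id
    count = pdu[6]
    objects, pos = {}, 7
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        objects[OBJECT_NAMES.get(obj_id, f"object_{obj_id}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


class Pacer:
    """Enforce a minimum interval between probes (clock and sleep are injectable for tests)."""

    def __init__(self, interval_s: float, clock=time.monotonic, sleep=time.sleep):
        self.interval, self.clock, self.sleep, self.last = interval_s, clock, sleep, None

    def wait(self) -> float:
        """Block until the interval since the last probe has elapsed; return seconds slept."""
        delay = 0.0
        if self.last is not None:
            delay = max(0.0, self.interval - (self.clock() - self.last))
            if delay:
                self.sleep(delay)
        self.last = self.clock()
        return delay


def identify_host(host: str, pacer: Pacer, unit_id: int = 0xFF, timeout: float = 3.0) -> dict:
    """One valid request per host, then an orderly close so no half-open session lingers."""
    pacer.wait()
    with socket.create_connection((host, MODBUS_PORT), timeout=timeout) as sock:
        sock.sendall(build_read_device_id(transaction_id=1, unit_id=unit_id))
        reply = sock.recv(260)  # a Modbus/TCP ADU is at most 260 bytes
        try:
            sock.shutdown(socket.SHUT_RDWR)  # send FIN rather than leaving state in the middle
        except OSError:
            pass
    return parse_device_id(reply)


# Constructed sample replies so the parser can be exercised offline.
SAMPLE_REPLY = bytes.fromhex(
    "0001 0000 001B FF"          # MBAP: tid 1, proto 0, length 27, unit 0xFF
    "2B 0E 01 01 00 00 03"       # func, MEI, read code, conformity, more=0, next=0, 3 objects
    "00 04 41434D45"             # object 0, vendor "ACME"
    "01 05 504C432D31"           # object 1, product code "PLC-1"
    "02 04 76312E32"             # object 2, revision "v1.2"
)
SAMPLE_EXCEPTION = bytes.fromhex("0001 0000 0003 FF AB 01")  # illegal function

if __name__ == "__main__":
    print(parse_device_id(SAMPLE_REPLY))
    print(parse_device_id(SAMPLE_EXCEPTION))
```

To sweep a list of hosts, share one `Pacer` across all `identify_host` calls so the interval applies to the whole run, and log an `exception` result as "identification unsupported" rather than escalating to other function codes.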

Fragility is not an excuse

The myth that OT is “too fragile to see” is holding defenders back. Fragility is real, but it’s also the reason you must look carefully, consistently, and with the right approach.

Check out the recording to learn about the history of industrial control protocols, live data showing the age and exposure of OT devices today, and how runZero can help arm you with safe techniques for active discovery.

Watch the webcast

You can catch the full webcast on demand below:

Written by runZero Team

Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!
