EASM for OT/ICS

Standard IT scanners miss industrial systems entirely. We built a specialized OT assessment pipeline that detects PLC, RTU, HMI, and SCADA systems exposed to the internet using passive-first probes across 6 industrial protocols — Modbus, DNP3, OPC-UA, S7comm, IEC 104, and BACnet. Every probe is read-only. No write operations, no fuzzing, no state changes. Automatic IEC 62443 compliance mapping and MITRE ATT&CK for ICS technique coverage.

Looking for IT EASM?

For standard IT external attack surface management, see our product Discovero.io — automated asset discovery, continuous monitoring, and expert-verified reports.


What's Included

OT Protocol Fingerprinting

Active detection across 6 industrial protocols with read-only probes: Modbus TCP, DNP3, OPC-UA, S7comm, IEC 60870-5-104, BACnet/IP. Plus port detection for EtherNet/IP, PROFINET, and HART-IP. 11 OT vendors automatically identified — Siemens, Schneider, ABB, Rockwell, Honeywell, and more.

Purdue Model Zone Assessment

Every OT asset is classified by Purdue level. We detect zone violations — a PLC (Level 1) directly reachable from the internet (Level 5) without a DMZ is a critical finding. IT/OT segmentation gaps are mapped and reported.

IEC 62443 Security Level Assessment

Automatic mapping to IEC 62443 Security Levels (SL0-SL4). Each asset gets a rating based on detected controls, authentication, encryption, and exposure. Clear picture of where you stand vs. where you need to be.

MITRE ATT&CK for ICS Mapping

Findings mapped to ATT&CK for ICS techniques — Unauthorized Command (T0855), Manipulation of Control (T0831), Program Download (T0843), Internet Accessible Device (T0883), and more. 10 techniques auto-detected from external scanning.

CVE Correlation

Detected vendor/product combinations are correlated against the NVD API and the CISA Known Exploited Vulnerabilities (KEV) catalog. Not just what's exposed — the specific CVEs that apply to your firmware versions.

Safety-First Scanning

Intensity levels adapted per asset type: passive for PLCs/RTUs, careful for HMIs, guarded for candidates. RTT fragility detection, abort triggers on anomalies, complete audit trail. We never brute force, fuzz, or write to devices.
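The probe-safety governor that this section describes, as an added illustration that is not the service's own code: intensity is chosen per asset type, every reply's round-trip time is checked against the running median of earlier replies, and the session is aborted on a timeout or a slow reply, with each decision written to an audit trail. The intensity policy numbers, the 3x fragility factor and the sample RTTs are constructed assumptions; the code does no network I/O.

```python
from statistics import median

# Assumed per-asset-type intensity policy: the page names the levels
# (passive / careful / guarded); the probe budgets and delays are constructed.
INTENSITY = {
    "PLC":       {"level": "passive", "max_probes": 2, "delay_s": 2.0},
    "RTU":       {"level": "passive", "max_probes": 2, "delay_s": 2.0},
    "HMI":       {"level": "careful", "max_probes": 5, "delay_s": 1.0},
    "candidate": {"level": "guarded", "max_probes": 3, "delay_s": 1.5},
}
RTT_FRAGILITY_FACTOR = 3.0  # assumed: abort once a reply takes 3x the running median


def run_session(asset_type, rtts_s):
    """Walk a sequence of probe results (RTT in seconds, None = timeout) under the
    policy for asset_type. The caller supplies measured or, as here, constructed
    RTTs. Returns (status, probes_used, audit_trail)."""
    policy = INTENSITY[asset_type]
    audit = [f"policy={policy['level']} max_probes={policy['max_probes']}"]
    history = []  # accepted RTTs; their median is the fragility baseline
    for i, rtt in enumerate(rtts_s, start=1):
        if i > policy["max_probes"]:
            audit.append(f"probe budget exhausted; stopping before probe {i}")
            return "complete", i - 1, audit
        if rtt is None:
            audit.append(f"probe {i}: timeout -> abort (device may be stalling)")
            return "aborted", i, audit
        if history and rtt > RTT_FRAGILITY_FACTOR * median(history):
            audit.append(f"probe {i}: rtt={rtt:.3f}s exceeds "
                         f"{RTT_FRAGILITY_FACTOR}x median -> abort")
            return "aborted", i, audit
        history.append(rtt)
        audit.append(f"probe {i}: rtt={rtt:.3f}s ok; next probe after {policy['delay_s']}s")
    return "complete", len(history), audit


if __name__ == "__main__":
    # Constructed sample: an HMI answering steadily, then a candidate whose
    # third reply is far slower than its first two (a fragility sign).
    for asset, samples in [("HMI", [0.04, 0.05, 0.04]), ("candidate", [0.03, 0.03, 0.5])]:
        status, used, trail = run_session(asset, samples)
        print(asset, status, used)
        print("\n".join("  " + line for line in trail))
```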

Professional Assessment Report

Executive summary, internet-exposed OT inventory, zone violation analysis, protocol security findings with 3-tier remediation (immediate/medium/long-term), ATT&CK mapping, IEC 62443 SL assessment, and CVE correlation.

How It Works

1. Scope & Consent

Define IP ranges, domains, subsidiaries. Signed consent with audit trail. Agree on intensity levels and maintenance windows. Safety is the priority — we discuss every constraint before scanning.

2. Discovery & Fingerprinting

Passive pre-classification from hostname patterns, HTTP keywords, and OSINT. Then active protocol fingerprinting across 6 protocols with read-only probes. Two-tier classification: candidates and confirmed assets.

3. Zone & Compliance Assessment

Purdue level classification. Zone violation detection. Automatic mapping to IEC 62443 Security Levels and MITRE ATT&CK for ICS. CVE correlation from NVD and CISA KEV.

4. Remediation Planning

Every finding gets an immediate action (firewall rules), a medium-term fix (DMZ, VPN, segmentation), and a long-term remediation (protocol-level security, IEC 62443 compliance program).

5. Report & Debrief

Comprehensive report with prioritized findings. Face-to-face debrief. Optional ongoing monitoring for new exposures via the Discovero platform.

Who Needs This

Industrial manufacturers with internet-connected OT
Energy and utilities (IEC 62443 / NIS2 scope)
Critical infrastructure operators
Oil & gas companies
Building automation / smart buildings (BACnet)
Water treatment facilities
Companies that had an IT pentest but never checked their OT exposure

Ready to get started?

Book a free assessment to discuss your security needs.
