
Forescout OT, IoT & Medical Security — eyeInspect, Purdue Visibility & Risk Scoring

Most OT and IoT devices cannot run an agent, never appear in Active Directory, and speak industrial protocols no IT scanner understands. Forescout eyeInspect (formerly SilentDefense) solves this with passive discovery across all Purdue Model levels — from Level 0 field sensors to Level 3 operations systems — then scores every device by asset criticality, network exposure and known exploited vulnerabilities, giving your SOC a unified IT/OT risk picture without touching a single PLC.

📅 2026-06-20 · ⏱ 17 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Forescout OT, IoT and medical device security in 2026: passive discovery with eyeInspect, Purdue-aware visibility across all levels, unmanaged device detection, risk scoring, and IT/OT convergence strategies.


Pick where you want to start

1. Why passive?
   OT/IoT cannot survive active scans — passive is the only safe path.

2. eyeInspect & Purdue
   Passive discovery mapped across all six Purdue Model levels.

3. Rogue & unmanaged
   How eyeInspect detects unseen and unauthorised devices.

4. Risk score & IT/OT
   Composite scoring and converged IT/OT visibility strategy.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Why can't you run an Nmap scan across an OT network to find devices?

Answered in Why passive?.

2. What does eyeInspect (formerly SilentDefense) use to discover OT assets?

Answered in eyeInspect and Purdue.

3. What three factors combine to produce an OT device risk score in Forescout?

Answered in Risk score and IT/OT.

Most engineers think…

The most dangerous assumption in OT security is: 'We can just run our standard vulnerability scanner across the factory floor and see what's there.' In OT environments, an active scan can crash a PLC mid-cycle, trip a relay, or stop a production line.

Forescout eyeInspect takes the opposite approach: it receives a passive mirror of OT network traffic and decodes hundreds of industrial protocols — Modbus, DNP3, EtherNet/IP, PROFINET, BACnet, HL7 for medical — without sending a single packet to any device. The result is a complete Purdue-aware asset inventory that includes the PLCs, RTUs, infusion pumps and SCADA historians that no IT tool can see, scored by real-world exploitability, not just CVSS.

① Why OT/IoT security demands passive discovery — not active scanning

In an enterprise IT environment, an Nmap sweep across a /16 is routine housekeeping. On an OT network the same sweep can crash a PLC, corrupt a SCADA historian state, or trigger an unexpected relay in a power substation. Active scanning is unsafe in OT — this is not a policy limitation but a physical-world safety issue.

Forescout addresses this with passive, agentless discovery. A network TAP or SPAN port mirrors a copy of OT traffic to the eyeInspect sensor. The sensor never sends anything onto the OT network; it only reads. Because industrial protocols like Modbus, DNP3 and EtherNet/IP carry device identity, firmware version and function codes in plain-text headers, passive deep-packet inspection can build a richer asset profile than most active scanners produce on IT networks.

Medical devices face the same constraint: infusion pumps, patient monitors, and MRI controllers often run embedded real-time operating systems that respond to unexpected traffic by halting or alarming — a clinical risk no security tool should create. IoMT visibility therefore requires exactly the same passive approach as OT.
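The paragraph above says passive DPI works because protocols such as Modbus carry device identity and function codes in the clear. The following Python example, added here and not Forescout's or eyeInspect's code, shows the mechanism on a small scale: it folds mirrored Modbus/TCP frames into a per-PLC profile (unit ids, function codes, peers, vendor/product/revision) and never emits a packet. The frames, IP addresses, vendor strings and the `Asset` structure are constructed for the example; the MBAP header layout and the Read Device Identification object format (function 0x2B, MEI type 0x0E, object ids 0x00 vendor, 0x01 product code, 0x02 revision) follow the public Modbus specification.

```python
"""Passive Modbus/TCP decoding for asset discovery.

Added example, not Forescout code. Everything here only reads captured
frames; nothing is ever sent towards a device. Sample traffic is constructed.
"""
import struct
from dataclasses import dataclass, field

MODBUS_PORT = 502

# A few public Modbus function codes, enough to profile what a peer does
FUNC_NAMES = {
    0x01: "Read Coils",
    0x03: "Read Holding Registers",
    0x06: "Write Single Register",
    0x10: "Write Multiple Registers",
    0x2B: "Encapsulated Interface Transport",  # carries Read Device Identification
}

# Object ids in a Read Device Identification response (MEI type 0x0E)
DEVICE_ID_OBJECTS = {0x00: "vendor", 0x01: "product_code", 0x02: "revision"}


@dataclass
class Asset:
    """Profile of one Modbus server (PLC/RTU) derived from traffic alone."""
    ip: str
    unit_ids: set = field(default_factory=set)
    functions_seen: set = field(default_factory=set)
    peers: set = field(default_factory=set)       # clients that talk to it
    identity: dict = field(default_factory=dict)  # vendor / product / revision
    writes_seen: int = 0                          # write requests observed


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # MBAP length counts the unit id byte plus the PDU
    return tid, unit_id, frame[7:7 + length - 1]


def parse_device_identification(pdu: bytes) -> dict:
    """Decode vendor/product/revision objects from a 0x2B/0x0E response PDU."""
    # Layout: FC, MEI type, read code, conformity, more-follows, next id, count
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        return {}
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            break                                   # truncated response
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        pos += 2 + obj_len
        name = DEVICE_ID_OBJECTS.get(obj_id)
        if name:
            objects[name] = value.decode("ascii", errors="replace")
    return objects


def build_inventory(records) -> dict:
    """Fold mirrored (src, sport, dst, dport, payload) tuples into Asset profiles."""
    assets = {}
    for src, sport, dst, dport, payload in records:
        try:
            _, unit_id, pdu = parse_mbap(payload)
        except ValueError:
            continue                                # not Modbus/TCP, skip
        if not pdu:
            continue
        fc = pdu[0] & 0x7F                          # bit 7 marks an exception reply
        if dport == MODBUS_PORT:                    # request: server is dst
            server, client, is_request = dst, src, True
        elif sport == MODBUS_PORT:                  # response: server is src
            server, client, is_request = src, dst, False
        else:
            continue
        asset = assets.setdefault(server, Asset(ip=server))
        asset.unit_ids.add(unit_id)
        asset.functions_seen.add(FUNC_NAMES.get(fc, f"FC {fc:#04x}"))
        asset.peers.add(client)
        if is_request and fc in (0x06, 0x10):
            asset.writes_seen += 1
        if not is_request and fc == 0x2B:
            asset.identity.update(parse_device_identification(pdu))
    return assets


# Constructed sample capture: an HMI polls a PLC, an engineering station reads its identity
def _mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def _devid_response(vendor: str, product: str, revision: str) -> bytes:
    objs = b"".join(bytes([oid, len(v)]) + v.encode()
                    for oid, v in ((0, vendor), (1, product), (2, revision)))
    return bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 3]) + objs


HMI, PLC, ENG = "10.1.1.10", "10.1.1.20", "10.1.1.30"   # constructed addresses
CAPTURE = [
    (HMI, 50000, PLC, 502, _mbap(1, 1, bytes([0x03, 0, 0, 0, 10]))),
    (PLC, 502, HMI, 50000, _mbap(1, 1, bytes([0x03, 20]) + b"\x00" * 20)),
    (ENG, 50100, PLC, 502, _mbap(2, 1, bytes([0x2B, 0x0E, 0x01, 0x00]))),
    (PLC, 502, ENG, 50100, _mbap(2, 1, _devid_response("ExampleVendor", "PLC-100", "v2.1"))),
    (ENG, 50100, PLC, 502, _mbap(3, 1, bytes([0x06, 0x00, 0x10, 0x00, 0x01]))),
    (PLC, 502, ENG, 50100, _mbap(3, 1, bytes([0x06, 0x00, 0x10, 0x00, 0x01]))),
]

if __name__ == "__main__":
    for ip, asset in build_inventory(CAPTURE).items():
        print(ip, asset.identity, sorted(asset.peers),
              sorted(asset.functions_seen), asset.writes_seen)
```

Two points are worth noticing in the profile this produces. The write count comes from requests only, so a device that is written to shows up as actuated even when its replies are never captured, and the identity fields are filled purely from a response the engineering station happened to request, which is why a passive sensor's inventory gets richer the longer it listens.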

Figure 1 — Why passive discovery is the only safe OT method
Active scanning endangers OT/IoT devices; passive mirroring gives visibility without risk.
Active scan (UNSAFE): packets sent to PLC; crash, reboot or relay trip risk.
Passive mirror (SAFE): SPAN/TAP copy to sensor; zero packets sent to OT.
DPI decoding: Modbus, DNP3, EtherNet/IP, HL7 decoded silently.
Quick check · Q1 of 10 · Understand

Why is active scanning dangerous on an OT network?

Correct: b. OT devices like PLCs and RTUs often have no memory protection against unexpected packet floods. An active scan can halt a PLC mid-cycle, trip a relay or corrupt historian state — a physical-world safety issue, not just a policy one.
👉 So far: OT/IoT demands passive, agentless discovery — active scans can crash PLCs and trigger relays. eyeInspect mirrors traffic via SPAN/TAP and decodes industrial protocols without sending a single packet.

② eyeInspect and the Purdue Model — visibility layer by layer

The Purdue Model divides OT into six levels. Forescout eyeInspect (formerly SilentDefense) delivers visibility at every one of them — not just at the IT/OT boundary (Level 3/4) where most tools stop.

What you see at each level

Because eyeInspect decodes over 150 industrial protocols via DPI, it automatically classifies each discovered device with vendor, model, firmware version, open communication ports and recent protocol behaviour — without any agent or device configuration change.

Figure 2 — Purdue Model — eyeInspect visibility layer by layer
eyeInspect covers all Purdue levels from Level 0 field sensors up to the enterprise IT boundary.
L0 Field: sensors & actuators
L1 Control: PLCs, RTUs, IEDs
L2 Supervisory: SCADA, DCS, BMS
L3 Operations: historians, MES
L4–5 Enterprise: IT & cloud assets

eyeInspect (SilentDefense)
Forescout's passive OT/ICS sensor — decodes 150+ industrial protocols via DPI on mirrored traffic, building a full asset inventory without sending a single packet to any OT device.

Purdue Model
Six-level reference architecture separating physical processes (L0–L2), operations (L3) and enterprise IT (L4–L5). eyeInspect provides visibility at every level, not just the IT/OT boundary.

Rogue device alert
Triggered when eyeInspect detects a device communicating on an OT VLAN with no baseline entry — carries derived identity, first-seen timestamp and communication peer for rapid triage.

OT risk score
A composite 0–10 score combining asset criticality, network exposure and CISA Known Exploited Vulnerabilities (KEV). Surfaces the highest-priority remediations across the converged IT/OT estate.

Name the sensor placement, not just the product

In an interview, go beyond 'we deployed eyeInspect'. Say where: SPAN ports on the Level 2/3 boundary switch and TAPs at the IT/OT demilitarised zone (DMZ). Placement determines whether you see Level 1 control traffic or only the historian-to-IT path — and examiners know the difference.

Quick check · Q2 of 10 · Remember

At which Purdue Model level are PLCs, RTUs and IEDs found — the layer Forescout's 2025 research identified as most targeted?

Correct: c. Level 1 (Control) contains PLCs, RTUs and IEDs — the devices that directly actuate physical processes. Forescout's 2025 research found Level 1 to be the most targeted Purdue layer by adversaries.
👉 So far: eyeInspect covers all Purdue levels (0–5): field sensors, PLCs/RTUs, SCADA, historians, and enterprise IT — classifying each device by vendor, firmware and protocol behaviour from DPI.

③ Unmanaged and rogue device detection — finding what should not be there

Two distinct problems exist in OT/IoT environments. Unmanaged devices are legitimate assets that were never enrolled in any asset management system — legacy PLCs installed years ago, a smart UPS added by facilities, or an IoMT pump whose purchase bypassed the IT procurement process. Rogue devices are unauthorised additions — an attacker's Raspberry Pi bridging OT to IT, or an unsanctioned wireless access point connected to the control network.

eyeInspect distinguishes these by comparing discovered devices against a learned baseline of authorised communication paths and device identities. Any device communicating on an OT VLAN that has no baseline entry generates an alert. The alert carries the device's derived identity (vendor, firmware, protocol spoken), the first-seen timestamp, and the communication peer — enough for an operator to confirm 'new PLC we just installed' versus 'unknown device, escalate immediately'.

For IoMT, Forescout also integrates with clinical asset data to detect devices operating outside their approved network segment (for example, an infusion pump communicating with an external IP address) — a common indicator of compromise or misconfiguration in hospital environments.

Figure 3 — eyeInspect — one sensor, every device class
A single eyeInspect passive sensor discovers and classifies all device classes by their protocol traffic.
eyeInspect (passive DPI sensor) covers: PLCs & RTUs; SCADA / DCS; IoMT devices; rogue endpoints; unmanaged IoT; IT / historian.

Figure 4 — Unmanaged devices vs rogue devices
eyeInspect distinguishes legitimate-but-unenrolled assets from genuinely unauthorised additions.
Unmanaged (legitimate): known vendor/model from DPI; communicates with expected peers; never enrolled in asset DB. Action: enrol and tag criticality.
Rogue (unauthorised): unknown or spoofed identity; new or unexpected comm path; first-seen anomaly alert fires. Action: isolate and investigate.
'All unknown devices are rogues' over-alert trap

eyeInspect's first-time baseline phase typically surfaces hundreds of 'unknown' devices — most are legitimate but unenrolled legacy assets. Jumping straight to isolation causes operational disruption. Always spend the baseline period classifying devices by protocol fingerprint before defining rogue-detection rules.

Watch eyeInspect passively discover a rogue device on the OT network

A Modbus traffic mirror reveals an unauthorised device on the Level 1 segment. The healthy discovery path runs in four steps:

① Mirror. The Level 1 switch SPAN port copies all Modbus traffic to the eyeInspect sensor — zero packets are sent back onto the OT network.
② DPI decode. eyeInspect decodes the Modbus frames, extracts the device's vendor fingerprint and communication peer list, and compares against the established baseline.
③ Rogue alert. A device with no baseline entry is communicating on the OT VLAN. eyeInspect raises a rogue-device alert with derived identity, first-seen timestamp and the peer it is talking to.
④ Risk score. The new device is assigned a risk score factoring its unknown identity (high criticality risk), cross-zone communication path (high exposure) and any matching KEV entries.
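The baseline-then-alert logic described in section ③ (learned authorised paths and identities, a first-seen alert carrying identity, timestamp and peer) and walked through in the four demo steps above can be shown end to end in a few dozen lines. The Python below is an added example written for this lesson, not eyeInspect's detection engine. The `Flow` records stand in for what DPI would derive from mirrored traffic; the addresses, vendor strings, approved-vendor list, asset database and the decision rules (rogue on unknown identity, external peer or un-baselined peer; otherwise unmanaged or enrolled-but-new) are all constructed, modelled on the unmanaged-vs-rogue distinction in Figure 4.

```python
"""Baseline learning and first-seen device classification.

Added example, not Forescout code. The rules mirror the lesson's
unmanaged-vs-rogue distinction; flows, addresses and vendors are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

OT_ZONE = ip_network("10.1.0.0/16")                      # constructed OT address space
APPROVED_VENDORS = {"ExampleVendor", "ExampleHMI",       # constructed vendor fingerprints
                    "ExamplePump", "ExampleHistorian"}
ASSET_DB = {"10.1.1.10", "10.1.1.20", "10.1.1.40"}       # constructed enrolled assets


@dataclass(frozen=True)
class Flow:
    ts: str          # ISO-8601 timestamp of the first packet seen
    src: str
    dst: str
    protocol: str    # DPI-derived: "modbus", "opcua", "tls", ...
    vendor: str      # DPI fingerprint of src, "" when nothing could be derived


@dataclass
class Baseline:
    devices: dict = field(default_factory=dict)   # ip -> vendor fingerprint
    paths: set = field(default_factory=set)       # (src, dst, protocol)


@dataclass
class Alert:
    ip: str
    first_seen: str
    peer: str
    protocol: str
    identity: str
    classification: str    # "rogue", "unmanaged", "enrolled-not-baselined", "new-path"
    reasons: list
    action: str


def learn_baseline(flows) -> Baseline:
    """Learning phase: every device and path seen is treated as authorised."""
    b = Baseline()
    for f in flows:
        if f.vendor or f.src not in b.devices:
            b.devices[f.src] = f.vendor
        b.devices.setdefault(f.dst, "")
        b.paths.add((f.src, f.dst, f.protocol))
    return b


def classify(flows, baseline: Baseline, approved_vendors=APPROVED_VENDORS,
             asset_db=ASSET_DB) -> list:
    """Detection phase: one alert per first-seen device, plus new-path alerts."""
    alerts, seen_devices, seen_paths = [], set(), set()
    for f in flows:
        path = (f.src, f.dst, f.protocol)
        if f.src in baseline.devices:
            # Known device: only an unexpected communication path is interesting
            if path not in baseline.paths and path not in seen_paths:
                seen_paths.add(path)
                alerts.append(Alert(f.src, f.ts, f.dst, f.protocol,
                                    baseline.devices[f.src] or "unknown",
                                    "new-path", ["path not in baseline"],
                                    "review with OT engineering"))
            continue
        if f.src in seen_devices:
            continue                               # already alerted on this device
        seen_devices.add(f.src)
        reasons = []
        if f.vendor not in approved_vendors:
            reasons.append("unknown or unapproved identity")
        if ip_address(f.dst) not in OT_ZONE:
            reasons.append("external peer")
        elif f.dst not in baseline.devices:
            reasons.append("peer not in baseline")
        if reasons:
            cls, action = "rogue", "isolate and investigate"
        elif f.src in asset_db:
            cls, action = "enrolled-not-baselined", "confirm installation, add to baseline"
            reasons = ["enrolled but never seen on the network"]
        else:
            cls, action = "unmanaged", "verify with OT engineering, enrol and tag criticality"
            reasons = ["never enrolled in asset DB"]
        alerts.append(Alert(f.src, f.ts, f.dst, f.protocol, f.vendor or "unknown",
                            cls, reasons, action))
    return alerts


BASELINE_FLOWS = [   # constructed learning-period traffic
    Flow("2026-06-01T08:00:00", "10.1.1.10", "10.1.1.20", "modbus", "ExampleHMI"),
    Flow("2026-06-01T08:00:01", "10.1.1.20", "10.1.1.10", "modbus", "ExampleVendor"),
    Flow("2026-06-01T08:05:00", "10.1.3.5", "10.1.1.10", "opcua", "ExampleHistorian"),
]
LIVE_FLOWS = [       # constructed detection-period traffic
    Flow("2026-06-20T09:00:00", "10.1.1.10", "10.1.1.20", "modbus", "ExampleHMI"),     # baselined
    Flow("2026-06-20T09:01:00", "10.1.1.25", "10.1.1.20", "modbus", "ExampleVendor"),  # new PLC, plausible
    Flow("2026-06-20T09:02:00", "10.1.1.99", "10.1.1.20", "modbus", ""),               # no fingerprint
    Flow("2026-06-20T09:03:00", "10.1.1.40", "203.0.113.7", "tls", "ExamplePump"),     # pump to Internet
    Flow("2026-06-20T09:04:00", "10.1.1.20", "10.1.1.99", "modbus", "ExampleVendor"),  # known PLC, new path
]

if __name__ == "__main__":
    for a in classify(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(a.first_seen, a.ip, a.classification, a.identity, "->", a.peer, a.reasons, a.action)
```

Note how the plausible new PLC at 10.1.1.25 is routed to "verify with OT engineering" rather than isolation, which is the point of the over-alert warning that follows: during the first baseline period almost every device looks like this one.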
Quick check · Q3 of 10 · Apply

An infusion pump appears in the eyeInspect discovery log with no baseline entry and is communicating with an external IP. What is the correct classification?

Correct: a. Communication with an external IP from an IoMT device with no baseline entry matches the rogue device pattern: unknown communication path + first-seen anomaly. Isolation and investigation are the correct first actions.
👉 So far: Unmanaged = legitimate but unenrolled; rogue = unauthorised addition. eyeInspect distinguishes them by comparing discovered devices against a learned communication baseline and alerting on first-seen anomalies.

④ Risk scoring and IT/OT convergence — the unified security picture

Knowing a device exists is not enough. Forescout eyeInspect computes a composite risk score for every OT/IoT asset using three factors: asset criticality (what would fail if this device were offline or compromised?), network exposure (what can reach it and what can it reach, including cross-zone paths?), and Known Exploited Vulnerabilities (KEV) from CISA's catalogue. The 2025 Forescout report found the average device risk score rose to 8.98, a significant increase from the prior year, driven primarily by vulnerabilities in Purdue Level 1 and Level 3 devices.

IT/OT convergence is the hardest operational challenge: historians at Level 3 bridge the OT network to enterprise systems and cloud services, creating lateral movement paths that adversaries actively exploit. Forescout addresses this by feeding the eyeInspect asset and risk data into the Forescout platform alongside IT device posture, so a single dashboard shows the full estate — managed laptops, unmanaged PLCs, IoMT pumps and cloud workloads — with a common risk vocabulary.

Practical convergence workflow

The recommended approach is to deploy eyeInspect passive sensors at the IT/OT boundary VLANs first, confirm coverage of Level 2–3 assets, then extend sensors deeper into Level 1 segments. Import the OT asset inventory into the Forescout platform, define criticality tags (safety-critical, revenue-critical, low-impact), and let the risk engine surface the highest-priority remediations before touching any device.

Figure 5 — OT risk score — three contributing factors
Forescout combines criticality, exposure and known exploits into one actionable risk priority.
Criticality: safety vs revenue impact. Exposure: cross-zone reach & paths. KEV match: CISA exploited vulns. Risk score: composite 0–10 value. Remediation: patch / segment / monitor.

Kavita at a Mumbai pharmaceutical plant faces this

After a Forescout eyeInspect deployment, the risk dashboard shows 47 devices with scores above 8.5 — far more than the security team expected. Management wants an explanation and a remediation plan within 48 hours.

Likely cause

Dozens of legacy PLCs and unpatched SCADA historian servers at Levels 1–3 were never enrolled in any asset management system. Several have CISA KEV entries and communicate across the IT/OT boundary with no segment controls.

Diagnosis

eyeInspect asset report: filter by risk score >8.5, sort by network exposure. Historians at Level 3 with routes to enterprise IT appear at the top — they have KEV matches and high criticality tags.

eyeInspect ▸ Asset Intelligence ▸ Risk Dashboard ▸ Filter: exposure=cross-zone, KEV=yes
Fix

Tag the Level 3 historians as safety-critical in Forescout, immediately enforce micro-segmentation policies to block unnecessary cross-zone paths, apply compensating controls (IDS alerts) on KEV-matched Level 1 PLCs that cannot be patched, and schedule firmware updates for devices where patches exist.

Verify

Re-check the risk dashboard after 72 hours: cross-zone exposure count should drop, and the average risk score for tagged devices should reflect the compensating controls applied.

Validate KEV coverage, not just CVSS

A PLC with CVSS 9.8 but no active exploit matters less than one with CVSS 6.5 and a CISA KEV entry actively used in ICS campaigns. Always verify your OT risk prioritisation filters on KEV flag, not raw CVSS — that is what Forescout's composite scoring enforces.
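To make the three-factor score concrete, here is an added Python example (written for this lesson; it is not Forescout's scoring engine and the real weighting is not published on this page). It combines the three inputs section ④ names, reproduces the dashboard query from the Kavita scenario (score above 8.5, sorted by exposure) and models micro-segmentation as a compensating control so the "verify" step can be checked numerically. The weights, factor values, KEV uplift and the four devices are constructed assumptions, chosen only so that exposure and a KEV match outweigh raw CVSS, which is the behaviour the text describes.

```python
"""Composite OT risk score: criticality + exposure + KEV.

Added example, not Forescout's scoring engine. The three inputs are the ones the
lesson names; the weights and factor values are constructed assumptions.
"""
from dataclasses import dataclass, replace

CRITICALITY = {"safety-critical": 1.0, "revenue-critical": 0.7, "low-impact": 0.3}
EXPOSURE = {"isolated": 0.2, "in-zone": 0.5, "cross-zone": 1.0}
W_CRIT, W_EXPO, W_VULN = 0.3, 0.4, 0.3      # assumed weights, sum to 1
KEV_BOOST = 0.4                              # assumed uplift for an actively exploited CVE


@dataclass(frozen=True)
class Device:
    name: str
    level: int              # Purdue level
    criticality: str
    exposure: str
    cvss: float             # highest CVSS among known vulnerabilities, 0 if none
    kev: bool               # any vulnerability listed in CISA KEV


def vulnerability_factor(d: Device) -> float:
    """CVSS scaled to 0..1; a KEV match pushes it towards 1 regardless of CVSS."""
    base = d.cvss / 10.0
    return min(1.0, base + KEV_BOOST) if d.kev else base


def risk_score(d: Device) -> float:
    """Composite 0-10 score from criticality, exposure and exploitability."""
    return 10.0 * (W_CRIT * CRITICALITY[d.criticality]
                   + W_EXPO * EXPOSURE[d.exposure]
                   + W_VULN * vulnerability_factor(d))


def prioritise(devices, threshold=8.5):
    """The scenario's dashboard query: score > threshold, sorted by exposure then score."""
    hot = [d for d in devices if risk_score(d) > threshold]
    hot.sort(key=lambda d: (EXPOSURE[d.exposure], risk_score(d)), reverse=True)
    return [d.name for d in hot]


def segment(d: Device) -> Device:
    """Model micro-segmentation as a compensating control: cross-zone reach removed."""
    return replace(d, exposure="in-zone") if d.exposure == "cross-zone" else d


# Constructed estate mirroring the lesson's comparisons
PLC_ISOLATED = Device("plc-l1-isolated", 1, "safety-critical", "isolated", 9.8, False)
HISTORIAN = Device("historian-l3", 3, "revenue-critical", "cross-zone", 6.5, True)
LEGACY_PLC = Device("legacy-plc-l1", 1, "safety-critical", "cross-zone", 7.5, True)
SMART_UPS = Device("smart-ups", 2, "low-impact", "in-zone", 0.0, False)
DEVICES = [PLC_ISOLATED, HISTORIAN, LEGACY_PLC, SMART_UPS]

if __name__ == "__main__":
    for d in DEVICES:
        print(f"{d.name:18} {risk_score(d):4.1f}")
    print("remediate first:", prioritise(DEVICES))
    print("historian after segmentation:", round(risk_score(segment(HISTORIAN)), 1))
```

With these assumed weights the isolated CVSS 9.8 PLC scores 6.74 and the cross-zone, KEV-matched CVSS 6.5 historian scores 9.1, so the historian tops the list and the PLC never crosses the 8.5 line; segmenting the historian drops it to 7.1, which is the kind of movement the "verify" step looks for on the dashboard.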

Quick check · Q4 of 10 · Analyze

A legacy PLC has a CVSS 9.8 vulnerability but sits on an isolated Level 1 segment with no cross-zone reach. How does Forescout's composite risk score reflect this?

Correct: d. Forescout's composite risk score combines criticality, network exposure AND KEV. Low network exposure reduces the overall score even for a high-CVSS vulnerability, helping teams prioritise cross-zone exposed devices first.
👉 So far: OT risk score = asset criticality + network exposure + KEV match. Forescout feeds this into the unified IT/OT dashboard, making historians at Level 3 the first convergence remediation priority.


📝 Wrap-up assessment — six more


Q5 · Remember

What is the primary reason eyeInspect uses passive traffic mirroring rather than active scanning in OT environments?

Correct: c. Safety is the driver: OT devices often have no protection against unexpected packet floods. An active scan can halt a PLC mid-cycle or trip a relay — a physical-world risk that makes passive-only discovery mandatory in these environments.
Q6 · Understand

A hospital deploys eyeInspect and immediately sees hundreds of IoMT devices it never knew existed. What does this most likely indicate?

Correct: b. IoMT devices like infusion pumps and patient monitors are routinely purchased by clinical departments without IT involvement. eyeInspect's passive discovery surfaces this shadow asset estate — most devices are legitimate but unmanaged, not rogue.
Q7 · Apply

You need to extend eyeInspect visibility from Level 3 to Level 1 in a running power substation. What is the safest first step?

Correct: b. A passive SPAN or TAP is the only zero-impact method. Active scanning (Nmap) is unsafe; agent installation is impossible on most PLCs; and shutting down operations is unacceptable in a live substation.
Q8 · Analyze

Why does a CVSS 9.8 vulnerability on a PLC with zero cross-zone exposure score lower in Forescout's composite OT risk than a CVSS 6.5 vulnerability on a historian with enterprise network reach and a CISA KEV entry?

Correct: c. Forescout's composite score weights network exposure and real-world exploitability (KEV) alongside raw CVSS. An isolated high-CVSS device is harder to reach; an exposed, actively exploited lower-CVSS device is more immediately dangerous — the composite score reflects this.
Q9 · Evaluate

A SOC analyst notices a new device with no baseline entry appearing in eyeInspect that speaks Modbus to a known PLC. The device vendor fingerprint matches an authorised sensor vendor. What is the recommended response?

Correct: c. A first-seen device with a plausible identity could be a legitimate but unenrolled new installation OR a spoofed rogue. The correct step is to verify with the OT/engineering team before deciding whether to enrol or escalate — not to immediately isolate or ignore.
Q10 · Evaluate

Which deployment sequence gives the fastest IT/OT convergence risk visibility with the least operational disruption?

Correct: b. Starting at the Level 2/3 boundary provides the most IT/OT convergence visibility immediately (historians, SCADA) with zero disruption. Baselining before enabling alerts prevents false-positive storms. Extending to Level 1 afterwards is safer because the communication map is already established.

🧠 In your own words

Type one line: why does Forescout use passive discovery for OT/IoT instead of active scanning, and what makes the Purdue Model relevant to how it deploys sensors? Then compare with the expert version.

Expert version: Active scanning is physically unsafe in OT: unexpected packets can crash PLCs, corrupt SCADA state or trigger relays — a production or safety incident no security tool should cause. Forescout eyeInspect instead receives a passive SPAN/TAP copy of OT traffic and decodes industrial protocols via DPI, building a complete asset inventory without touching any device. The Purdue Model matters because it defines WHERE sensors go: a SPAN at the Level 2/3 boundary sees historians and SCADA; sensors extended to Level 1 see PLCs and RTUs. Covering all six levels is what makes Forescout's OT visibility complete rather than boundary-only.


📖 Glossary

eyeInspect (SilentDefense)
Forescout's passive OT/ICS sensor — decodes 150+ industrial protocols via traffic mirroring to build a full asset inventory without sending any packets to OT devices.
Purdue Model
Six-level reference architecture (L0 field → L5 enterprise) separating OT physical processes from operations management and IT — used to define security zones and sensor placement.
Passive discovery
Asset identification by reading mirrored network traffic only, with no packets sent to target devices — mandatory in OT/IoT to avoid disrupting PLCs and medical devices.
IoMT (Internet of Medical Things)
Networked clinical devices in healthcare settings — infusion pumps, patient monitors, ventilators, imaging systems — requiring the same passive discovery approach as industrial OT.
Known Exploited Vulnerabilities (KEV)
CISA's catalogue of vulnerabilities actively exploited in real-world attacks, used by Forescout as one factor in the composite OT risk score.
Rogue device
An unauthorised device communicating on an OT network segment with no baseline entry — distinguished from unmanaged devices by anomalous identity or communication path.
IT/OT convergence
The integration of enterprise IT networks and operational technology networks, creating lateral movement paths that adversaries exploit — especially through Level 3 historian systems.
Deep Packet Inspection (DPI)
Reading the full payload of a network packet — not just the header — to extract device identity, protocol state and operational data from industrial protocol frames.

📚 Sources

  1. Forescout — eyeInspect product page: passive OT/ICS security and protocol coverage. forescout.com/products/eyeinspect/
  2. Forescout Press Release — First Solution to Cover Managed and Unmanaged Devices Across All Purdue Levels (eyeInspect 5.5, 2024). businesswire.com/news/home/20240919149447/
  3. Forescout — 2025 Riskiest Connected Devices Report: average device risk score 8.98, Level 1 and Level 3 most targeted. forescout.com/press-releases/forescout-announces-riskiest-connected-devices-of-2025/
  4. Industrial Cyber — Forescout OT Security SaaS: asset intelligence, risk management and threat detection for hybrid OT environments (2025). industrialcyber.co/technology-solutions/forescout-ot-security-saas
  5. Forescout Blog — Providing Scalable ICS Visibility for Converged IT-OT Cybersecurity. forescout.com/blog/providing-scalable-ics-visibility-for-converged-it-ot-cybersecurity/
  6. CISA — Known Exploited Vulnerabilities (KEV) Catalogue — used by Forescout for OT risk prioritisation. cisa.gov/known-exploited-vulnerabilities-catalog

What's next?

Got the OT/IoT visibility picture? Next, go deep on Forescout eyeSegment — how dynamic segmentation policies enforce micro-perimeters around PLCs, IoMT devices and cloud-connected OT assets without touching existing network infrastructure.