
Nozomi Asset Discovery & Network Visualisation — Passive Inventory & Rogue Detection

You cannot secure what you cannot see — and in OT environments, an accurate asset inventory is notoriously hard to build without disrupting fragile PLCs and RTUs. This lesson shows how Nozomi Networks Guardian builds a rich, continuously updated OT/IoT asset inventory purely by listening to mirrored traffic, renders it as an interactive network map, uses Smart Polling to fill attribute gaps safely, and immediately alerts on any rogue or unmanaged device that appears.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live discovery demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

How Nozomi Networks Guardian automatically discovers OT/IoT assets passively, builds a rich inventory, renders an interactive network map, and catches rogue devices — plus Smart Polling for deeper attributes.

Pick where you want to start

1. Why it matters: OT inventory problem, passive DPI, zero disruption.
2. Rich attributes: what Guardian captures per asset, enrichment.
3. Network map: graph view, node grouping, reading edges.
4. Smart Polling & rogues: active enrichment, new-asset alerts, baseline.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Guardian send packets to PLCs to discover them? (Answered in Why it matters.)
2. What does the Nozomi network map display? (Answered in Network map.)
3. Smart Polling is best described as… (Answered in Smart Polling & rogues.)

Most engineers think…

Most people assume OT asset inventory means running an active network scanner — the kind of thing that crashes PLCs. That mental model is wrong and dangerous.

Nozomi Guardian builds its inventory entirely from mirrored traffic: no packets are sent to OT devices, no risk of crashing a PLC or RTU. The result is a continuously updated record for every device that communicates — with vendor, firmware, open protocols and Purdue level. Smart Polling is the optional, carefully rate-limited add-on for the narrow set of attributes passive DPI cannot reach. That distinction — passive-first, selective-active-only-when-needed — is what makes Nozomi safe in the most fragile Level 0/1 OT environments.

① Why passive OT asset discovery is the foundation of OT security

The fundamental OT security problem is visibility: most plants run hundreds of PLCs, RTUs and HMIs that were never designed to be scanned, and a badly timed ICMP sweep can crash a running process. The result is that most OT environments have asset lists that are months out of date, filled with devices nobody remembers adding. PLCs and RTUs simply must not be disrupted by discovery traffic.

Nozomi Networks solves this with passive discovery: the Guardian sensor connects to a SPAN/mirror port or TAP on an aggregation switch and reads a copy of all traffic. Guardian applies DPI to every conversation it sees. Every device that sends or receives a packet is catalogued automatically — with no packets ever directed at the OT device itself. The inventory is continuously updated in real time as new conversations appear.

This passive-first approach means Guardian can be deployed in a live plant, at Level 0 right up to Level 3, without a maintenance window. Complete inventory is not optional: you cannot detect anomalies, match CVEs or enforce segmentation policy on devices you do not know exist.

Figure 1 — Guardian passive discovery — from mirror port to asset record. Pipeline stages: Mirror/TAP (copy of all traffic) → DPI (parse every protocol) → Classify (type, vendor, level) → Enrich (firmware, peers, CVEs) → Asset record (live, continuously updated). Every device that communicates is automatically catalogued; no packets are ever sent to OT devices.
Quick check · Q1 of 10 · Understand

Why is passive discovery the preferred approach for OT asset inventory?

Correct: b. Passive DPI listens on mirrored/tapped traffic and never sends packets to OT devices — so fragile PLCs and RTUs are never at risk of being crashed by discovery traffic. Speed is not the primary reason; safety is.
👉 So far: Guardian discovers every communicating OT/IoT device by listening on a mirror port/TAP — zero packets to OT devices, zero disruption, continuous live inventory.

② What Guardian captures — the rich attribute record per asset

Every discovered device gets a rich, continuously enriched attribute record. Core network fields are captured immediately: IP address, MAC address, hostname, vendor/manufacturer, device type (PLC, RTU, HMI, engineering workstation, historian, IoT endpoint, switch…), open protocols, communication peers, first-seen and last-seen timestamps. These come from passive DPI without any query to the device.

Protocol-level enrichment

Guardian goes further by parsing industrial protocols — Modbus, DNP3, Siemens S7/S7Plus, EtherNet/IP (CIP), BACnet, Profinet, IEC 60870-5-104, OPC UA and many more. Fields such as firmware version, OS version, device model and Purdue level are extracted from the protocol conversations themselves. A Siemens S7 exchange, for example, reveals exact CPU type and firmware; a BACnet exchange reveals device object descriptors.

The Asset Intelligence subscription from Nozomi Networks Labs adds curated device profiles that further refine classification — reducing false positives and filling in vendor-specific fields. The Arc endpoint sensor can supplement the network-layer record with host context (users, running processes, USB sessions) for assets where deeper endpoint visibility matters.
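To make the passive pipeline of sections ① and ② concrete, here is an added toy inventory builder (not Nozomi code) that derives per-asset records from flow observations copied off a mirror port: vendor from a constructed OUI table, protocols from the server port, peers, first/last seen and a heuristic Purdue level. The OUI table, port-to-protocol map, level heuristic and sample flows are all constructed for illustration.

```python
"""Toy passive inventory builder: turns flow observations taken from a
mirror port into per-asset records (vendor, protocols, peers, first/last
seen, Purdue-level guess) without sending a packet. Added example, not
Nozomi code; the OUI table, port map, level heuristic and flows are all
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed OUI prefix -> vendor table (illustrative values only).
OUI = {"00:1c:06": "Siemens", "00:80:f4": "Schneider Electric",
       "00:0c:29": "VMware"}
# Server-side TCP port -> industrial protocol, used by the classify stage.
PORT_PROTO = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3",
              44818: "EtherNet/IP", 4840: "OPC UA"}
# Heuristic: the Purdue level of a device that *serves* this protocol.
SERVER_LEVEL = {"Modbus/TCP": 1, "S7comm": 1, "DNP3": 1,
                "EtherNet/IP": 1, "OPC UA": 2}

@dataclass
class Asset:
    ip: str
    mac: str
    vendor: str = "unknown"
    role: str = "unclassified"
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    first_seen: int = 0
    last_seen: int = 0
    purdue_level: Optional[int] = None   # None = not enough evidence yet

def _touch(inv, ip, mac, ts):
    """Create the record on first sight, then keep last_seen current."""
    a = inv.get(ip)
    if a is None:
        a = inv[ip] = Asset(ip, mac, OUI.get(mac[:8].lower(), "unknown"),
                            first_seen=ts, last_seen=ts)
    a.last_seen = max(a.last_seen, ts)
    return a

def build_inventory(flows):
    """flows: iterable of (ts, src_mac, src_ip, dst_mac, dst_ip, dst_port),
    one per client -> server conversation copied from the mirror port."""
    inv = {}
    for ts, smac, sip, dmac, dip, dport in flows:
        client, server = _touch(inv, sip, smac, ts), _touch(inv, dip, dmac, ts)
        client.peers.add(dip)
        server.peers.add(sip)
        proto = PORT_PROTO.get(dport)
        if proto is None:
            continue                      # not an industrial protocol we parse
        client.protocols.add(proto)
        server.protocols.add(proto)
        server.role = "server:" + proto   # answers a field protocol -> controller
        server.purdue_level = SERVER_LEVEL[proto]
        if client.purdue_level is None:   # a client of a level-N service
            client.purdue_level = SERVER_LEVEL[proto] + 1   # sits one level up
    return inv

# Constructed flow records: an engineering workstation talking to two PLCs.
FLOWS = [
    (100, "00:0c:29:aa:bb:01", "10.1.2.10", "00:1c:06:00:00:01", "10.1.1.5", 102),
    (160, "00:0c:29:aa:bb:01", "10.1.2.10", "00:80:f4:00:00:02", "10.1.1.6", 502),
    (300, "00:0c:29:aa:bb:01", "10.1.2.10", "00:80:f4:00:00:02", "10.1.1.6", 502),
]

if __name__ == "__main__":
    for a in build_inventory(FLOWS).values():
        print(a)
```

The level heuristic is deliberately simple; a real sensor combines many protocol fields (CPU type, device objects) before committing to a classification, which is why early records show as unclassified.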

Figure 2 — The asset attribute stack — what Guardian knows per device. Layers: Network identity (IP, MAC, hostname, first/last seen); Device profile (vendor, type, model, firmware, OS); Protocol context (open protocols, Purdue level, peers). Attributes build up layer by layer as Guardian observes more protocol conversations.
Key components

Guardian (passive sensor): Nozomi's core network sensor — listens on a SPAN/TAP, runs DPI, discovers every communicating device and builds the live asset inventory with zero OT disruption.

Network map / graph: The interactive topology view showing every asset as a node and every communication as an edge. Group by Purdue level, subnet, device type or custom tag.

Smart Polling: Optional selective active querying — targeted, rate-limited, protocol-aware queries to specific devices to retrieve attributes passive DPI alone cannot see.

Rogue / unmanaged device: Any device that appears on the OT network without an existing authorised record. Guardian fires a new-asset alert and the map shows its communication edges immediately.

Name the attribute source

In an interview, always specify where each attribute comes from: IP/MAC from passive network observation; firmware/model/Purdue level from protocol DPI (S7, Modbus, BACnet fields); deeper host context from Arc; refined classification from Asset Intelligence. Saying 'Guardian sees everything' is imprecise — the depth of the attribute depends on which protocols the device uses and whether Smart Polling is enabled.

Quick check · Q2 of 10 · Remember

Which of these asset attributes does Guardian typically extract from industrial protocol traffic (not just IP headers)?

Correct: c. Guardian performs DPI on protocols like S7, Modbus and BACnet, extracting application-layer fields such as firmware version, device model and Purdue level. Firewall zones and BGP/VLAN config are network infrastructure details not surfaced by OT protocol DPI.
👉 So far: Each asset gets IP, MAC, vendor, device type, firmware, OS, open protocols, Purdue level and peers — extracted from protocol DPI (S7/Modbus/BACnet/EtherNet-IP) with Asset Intelligence and Arc adding depth.

③ The interactive network map — reading nodes, edges and groups

Guardian renders the entire discovered asset set as an interactive network graph: every device is a node and every observed communication link is an edge. The map is live — new devices and new connections appear automatically as Guardian sees traffic. Clicking any node opens its full attribute record, alert history and communication log.

Node grouping lets analysts orient large, complex environments. Devices can be grouped by subnet, Purdue level, zone, device type or custom tags. A power utility might group by substation and then by Purdue level within each substation. This makes the map a practical operations tool, not just a pretty diagram.

What to look for on the map

The map is most powerful for spotting unexpected lateral communications: a PLC initiating a connection to an external IP, a historian talking directly to a field device it should never reach, or an unknown node that appeared in the last hour. Rogue devices appear as new, unclassified nodes. Communication edges to those nodes are immediately visible, showing exactly what the rogue device was talking to before the analyst isolates it.

Figure 3 — Network map — node grouping options. The live asset graph can be grouped by Purdue level, by subnet/zone, by device type, by site/plant or by custom tag. Guardian lets analysts organise the same asset graph by any dimension to suit their workflow.

Figure 4 — Passive discovery vs Smart Polling — when to use each. Passive DPI (always on): zero packets sent to OT devices; works on all protocols; captures comms-visible attributes; safe in the most fragile Level 0/1. Smart Polling (selective add-on): targeted queries; rate-limited, OT-safe intervals; fills firmware and register gaps; enabled per device or segment. Passive DPI is always on; Smart Polling is the selective add-on for attributes that require asking.
Treating the map as static

The Nozomi network map is live — it updates as new traffic is observed. A common mistake is checking it once at deployment and assuming it stays accurate. New devices, new communication links and rogue nodes all appear automatically. Build a habit of reviewing the new-asset alert queue alongside the map, especially after maintenance windows when contractors may have added or connected devices.

▶ Watch a rogue device get discovered and investigated

How Guardian catches an unauthorised device the moment it connects. The normal detection path is stepped through below; the demo's "Break it" branch shows what happens when the mirror port is misconfigured.

① Device connects: An unmanaged laptop is plugged into a substation switch. Its first DHCP/ARP traffic is mirrored to Guardian.
② Guardian detects: Guardian's DPI sees a new MAC address and fires a new-asset alert. The device appears instantly on the network map as an unclassified node.
③ Map shows edge: The analyst opens the map and sees the new node communicating with the engineering workstation on port 502 (Modbus) — the communication edge is visible immediately.
④ Isolate & log: The analyst cross-checks the change log (no approved request), contacts the field team, and the device is disconnected. The rogue node clears from the map.
Quick check · Q3 of 10 · Apply

An analyst opens the Nozomi network map and sees an unclassified node connecting to a PLC on port 502. What is the first thing the map tells them — before any external check?

Correct: b. The network map immediately shows the new node and the communication edge to the PLC — that is the first thing visible without any external check. CVE matching requires the vulnerability database; user identity requires endpoint or authentication logs; firmware version of an unknown device may not yet be determined from passive traffic alone.
👉 So far: The interactive network map shows every asset as a node and every communication as an edge. Group by Purdue level, subnet or type. Rogue devices appear as new unclassified nodes with visible edges to their peers.

④ Smart Polling & rogue-asset detection — completing the picture

Passive DPI captures the majority of asset attributes from observed traffic. But some fields — certain firmware registers in Modbus devices, SNMP system descriptions, BACnet object lists — are only available if you ask for them. Smart Polling is Nozomi's optional selective active querying add-on that fills these gaps.

Smart Polling is not a network scan. Queries are targeted to specific devices and specific protocols, rate-limited to OT-safe intervals, and protocol-aware — so a Modbus device is queried with valid Modbus read requests, not generic probes. You can enable Smart Polling per device, per protocol or per network segment. The enriched attributes flow back into the same asset record, giving a more complete picture than passive alone can achieve.

Rogue and unmanaged asset alerting

Any device that appears on the network for the first time generates a new-asset alert in Guardian. Analysts see the alert, open the map, examine the new node's attributes and communication edges, and cross-check the change-management log. If the device has no approved change request, it is treated as a rogue device. Guardian continuously compares the live asset set against the known-good baseline, so any drift — a new PLC, a new wireless access point, a contractor laptop — is caught in minutes rather than months.
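The map review of section ③ and the baseline comparison and change-management check of section ④, as an added example (not Nozomi code): it diffs a live asset set against a known-good baseline, attaches to each new node the edges it was seen on, triages each alert against a change-management log before calling it rogue, and flags edges that jump more than one Purdue level. All assets, edges, the baseline and the change log are constructed.

```python
"""Baseline drift and map review: turns a live asset set plus observed
communication edges into new-asset alerts (with the peers each new node
talked to), triages them against a change-management log, and flags
Purdue cross-level edges on the map. Added example, not Nozomi code;
all assets, edges, the baseline and the change log are constructed."""
from collections import defaultdict

# Live inventory as a passive sensor would hold it: ip -> attributes.
# purdue_level None = unclassified (not enough traffic seen yet).
LIVE = {
    "10.1.1.5":  {"mac": "00:1c:06:00:00:01", "type": "PLC", "purdue_level": 1},
    "10.1.2.10": {"mac": "00:0c:29:aa:bb:01", "type": "EWS", "purdue_level": 2},
    "10.5.0.9":  {"mac": "00:50:56:00:00:09", "type": "Server", "purdue_level": 4},
    "10.1.3.77": {"mac": "3c:52:82:00:00:77", "type": None, "purdue_level": None},
    "10.1.1.9":  {"mac": "00:1c:06:00:00:09", "type": "PLC", "purdue_level": 1},
}
# Observed edges: (timestamp, client_ip, server_ip, server_port).
EDGES = [
    (1000, "10.1.2.10", "10.1.1.5", 102),
    (1800, "10.1.3.77", "10.1.2.10", 502),   # unknown node -> EWS, Modbus
    (1810, "10.1.3.77", "10.1.1.5", 502),    # unknown node -> PLC, Modbus
    (1900, "10.1.1.5", "10.5.0.9", 445),     # PLC -> corporate (L4) server
    (2000, "10.1.2.10", "10.1.1.9", 102),
]
BASELINE = {"10.1.1.5", "10.1.2.10", "10.5.0.9"}   # known-good asset set
APPROVED_CHANGES = {"00:1c:06:00:00:09"}            # MACs with an approved CR

def new_asset_alerts(live, baseline, edges):
    """One alert per asset not in the baseline, carrying the edges it was on."""
    peers = defaultdict(list)
    for ts, c, s, port in edges:
        peers[c].append((s, port, "client"))
        peers[s].append((c, port, "server"))
    return [{"ip": ip, "mac": a["mac"], "type": a["type"] or "unclassified",
             "edges": peers[ip]} for ip, a in live.items() if ip not in baseline]

def triage(alert, approved):
    """The change-management log is the first check, not an assumption."""
    return "authorised" if alert["mac"] in approved else "rogue"

def cross_level_edges(live, edges, max_gap=1):
    """Edges spanning more than max_gap Purdue levels (e.g. PLC -> L4 server).
    Unclassified endpoints are skipped: their level is not yet known."""
    out = []
    for ts, c, s, port in edges:
        lc, ls = live[c]["purdue_level"], live[s]["purdue_level"]
        if lc is not None and ls is not None and abs(lc - ls) > max_gap:
            out.append((c, s, port, abs(lc - ls)))
    return out

def review(live=LIVE, baseline=BASELINE, edges=EDGES, approved=APPROVED_CHANGES):
    alerts = new_asset_alerts(live, baseline, edges)
    verdicts = {a["ip"]: triage(a, approved) for a in alerts}
    return alerts, verdicts, cross_level_edges(live, edges)

if __name__ == "__main__":
    alerts, verdicts, cross = review()
    for a in alerts:
        print(f"NEW ASSET {a['ip']} ({a['type']}): {verdicts[a['ip']]}, "
              f"edges={a['edges']}")
    for c, s, port, gap in cross:
        print(f"CROSS-LEVEL {c} -> {s}:{port} spans {gap} Purdue levels")
```

With the constructed data the unmanaged laptop 10.1.3.77 is alerted and triaged as rogue with its two Modbus edges attached, the new PLC 10.1.1.9 is alerted but authorised by its change request, and the PLC-to-corporate-server edge is surfaced as a three-level jump.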

Figure 5 — Rogue device response workflow. Alert fires (new/unknown device) → Map review (node + edge context) → Change check (authorised or rogue?) → Isolate (block or quarantine) → Baseline update (approve or remove). From new-asset alert to isolation — a Guardian-guided investigation flow.

Deepa at an Indian power utility faces this

During a routine review in Nozomi Vantage, Deepa Krishnan — OT Security Analyst at IndoPower Grid Pvt. Ltd. in Hyderabad — notices a new unclassified MAC address in a substation LAN that was first seen 30 minutes ago and is communicating with the substation engineering workstation on port 502.

Likely cause

A contractor plugged a personal laptop into the substation switch to download a relay configuration file, bypassing the formal change-management process.

Diagnosis

Guardian fired a new-asset alert automatically. The network map shows the rogue node and its Modbus edge to the engineering workstation. No approved change request exists in the CMDB for today.

Where to look: Vantage ▸ Assets ▸ New & Unmanaged ▸ Network Map node
Fix

Deepa contacts the field team; the contractor is asked to disconnect the laptop immediately. The device is logged as a policy violation and a formal change request is opened for future authorised access.

Verify

After disconnection, the rogue node disappears from the Guardian map; the unmanaged asset alert clears; the asset count returns to the authorised baseline.

Always check the change-management log

When Guardian fires a new-asset alert, the first verification step is the change-management log — not an assumption that the device is malicious. Many new-asset alerts are authorised additions that bypassed the process. Cross-check before isolating: confirm no approved change request exists, then treat it as rogue. Document the outcome either way to refine the known-good baseline.

Quick check · Q4 of 10 · Analyze

A site engineer wants to enable Smart Polling to get firmware versions from Modbus devices. What is the key constraint they must respect?

Correct: d. Smart Polling is safe precisely because it is selective and rate-limited. Enabling it as a broad scan across all devices at aggressive intervals could disrupt fragile OT equipment — defeating the purpose of a passive-first platform. Target only the devices and protocols that need enrichment.
👉 So far: Smart Polling = selective, rate-limited, OT-safe active queries for attributes passive DPI cannot reach. Any new device triggers a Guardian alert — check change-management, examine the map, then isolate if unaccounted for.


📝 Wrap-up assessment — six more


Q5 · Remember

Which Guardian deployment component provides the traffic copy for passive asset discovery?

Correct: b. Guardian connects to a SPAN/mirror port or TAP to receive a copy of all network traffic. Arc is an endpoint sensor; Vantage is the management platform; Smart Polling sends queries but is not the traffic source for passive discovery.
Q6 · Understand

Why does passive DPI sometimes fail to capture certain asset attributes like specific firmware registers?

Correct: c. Some attributes — specific Modbus holding register values, SNMP system descriptions, BACnet object lists — are only transmitted when the device is explicitly asked for them. They never appear in normal process traffic, so passive DPI cannot see them. That is precisely why Smart Polling exists as a selective active add-on to fill those gaps.
Q7 · Apply

An OT team wants to see all assets grouped by Purdue level in the Nozomi network map. What does this help them do?

Correct: c. Grouping by Purdue level organises the map by the OT reference architecture (Level 0 field devices through Level 3 site operations). This makes cross-level communication edges — e.g. a PLC talking directly to a corporate IT server — visually obvious, helping enforce segmentation policy.
Q8 · Analyze

Guardian fires a new-asset alert at 02:00 for a device on the Level 1 network. Before treating it as a threat, what is the correct first analysis step?

Correct: d. New-asset alerts fire for both rogue devices and legitimate authorised additions that were not notified to the security team. The change-management log is the first check — it either confirms a known addition or proves the device is unauthorised, at which point isolation steps begin.
Q9 · Evaluate

An interviewer asks: 'How is Nozomi Smart Polling different from a traditional network vulnerability scanner?' What is the strongest answer?

Correct: c. Traditional vulnerability scanners do broad, aggressive sweeps that can crash fragile OT devices. Smart Polling is the opposite: targeted per-device or per-protocol, rate-limited to OT-safe intervals, using valid protocol requests rather than generic probes. The distinction is safety through selectivity.
Q10 · Evaluate

What makes the Nozomi network map more useful than a static CMDB spreadsheet for OT security operations?

Correct: a. A static CMDB is a point-in-time snapshot that goes stale. The Guardian network map is live: new devices appear automatically, communication edges reveal unexpected lateral traffic, and rogue nodes are surfaced in real time. The map is dynamic operational intelligence, not just an inventory list.

🧠 In your own words

Type one line: why is passive discovery safer than active scanning in OT environments? Then compare with the expert version.

Expert version: Active scanners send probe packets to every device on the network — and fragile OT devices like PLCs, RTUs and HMIs were never designed to handle unexpected TCP/IP traffic. A single malformed probe or timing collision can crash a running process, cause a safety shutdown, or corrupt a device state. Passive discovery never sends a single packet to an OT device: Guardian reads a copy of the traffic that already exists on the network via a SPAN port or TAP, so no device ever knows it is being observed. That is why passive-first is the only safe default in OT, with Smart Polling as the carefully controlled, selective exception for the narrow cases where asking is unavoidable.


📖 Glossary

Guardian
Nozomi's core passive OT/IoT network sensor — performs DPI on mirrored traffic for asset discovery, network visualisation and threat detection, with zero traffic sent to OT devices.
Passive DPI
Deep packet inspection performed on mirrored or tapped network traffic — reads every protocol conversation without injecting any packets into the OT network.
SPAN / mirror port
A switch feature that sends a copy of selected port or VLAN traffic to a monitoring port — how Guardian receives traffic without being inline.
Smart Polling
Optional selective active querying add-on in Nozomi — targeted, protocol-aware, rate-limited queries to specific devices to retrieve attributes that passive DPI alone cannot see.
Network map / graph
The interactive topology view in Guardian and Vantage showing every discovered device as a node and every observed communication link as an edge, updated live.
Rogue / unmanaged device
Any device that appears on the OT network without a prior authorised record — Guardian fires a new-asset alert and shows its communication edges on the map.
Asset Intelligence
A subscription feed from Nozomi Networks Labs containing curated device profiles and behaviour templates that improve classification accuracy and reduce false positives.
Purdue model
Reference architecture for ICS/OT networks organising devices into Levels 0 (field) through 5 (enterprise); Guardian auto-maps each asset to its Purdue level.
Arc
Nozomi's lightweight endpoint sensor that adds host-context attributes (users, processes, USB sessions) to complement the network-layer inventory Guardian builds.


What's next?

Got the inventory? Next, learn how Nozomi's hybrid detection engine — behavioural anomaly baseline plus signatures plus threat intelligence — uses that same asset graph to catch zero-days and known threats across your OT network.