CypherCon 2023

No Longer a No-Go: How to Safely Scan OT Devices in Critical Environments

Chris Kirsch


Active scanning is often considered a no-go on industrial control systems and other OT and IoT devices because of past bad experiences. However, the reasons that led to devices freezing up are entirely avoidable. Alternatives, such as passive monitoring, are expensive and don’t yield great results.

In this talk, you’ll learn about the most common reasons why embedded devices become unstable and how to make active scanning perfectly safe. The talk is based on lab research. Its recommendations have been proven to work in manufacturing plants, hospitals, and utility companies.

Importance: Because passive discovery via SPAN or TAP is difficult and expensive to deploy and active scanning is considered a no-go, security teams responsible for OT environments lack a good asset inventory. Without a proper inventory and an understanding of the true network structure, security teams can’t be proactive about their security posture and leave their networks open to attacks. All of this is because of misconceptions about active scanning that can be easily resolved.

Chris Kirsch


Chris Kirsch is the CEO of runZero, a cyber asset management company he co-founded with Metasploit creator HD Moore. Chris started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and Social Engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world’s largest hacker conference.