Tenable launches OT discovery engine for risk view

Tenable has launched an OT asset discovery engine for its exposure management products, aiming to bring cyber-physical assets into a single view of organisational risk.

The tool is available to customers of Tenable One, Tenable Vulnerability Management and Tenable Security Center. It is designed to identify operational technology, internet-connected devices and shadow IT assets without separate hardware, new agents or add-on software.

That matters for security teams whose remit now spans both traditional IT and operational environments. Cyber-physical systems now extend well beyond industrial sites into workplaces and facilities, including HVAC systems, printers and badge readers, while the attack surface associated with those assets continues to grow.

Tenable is positioning the product as a way to cut the time needed to gain visibility into assets that have often sat outside standard vulnerability management programmes. In early-access deployments across hospitality, financial services, education, food and beverage, and government, customers identified previously unknown OT and IoT assets after initial use, with most uncovering between 100 and more than 1,000 unique assets.

Some of those assets had critical vulnerabilities, according to Tenable, which did not disclose how many early-access customers were involved.

Broader Scope

The launch reflects a wider shift in cyber security, with responsibility for operational technology increasingly moving to chief information security officers and central security teams. Tenable cited industry research showing that more than half of CISOs are now responsible for OT security, while 45% of modern OT compromises originate in IT environments.

Those figures point to growing overlap between corporate networks and cyber-physical systems. For many organisations, visibility into those environments has required dedicated sensors, specialised hardware or separate software deployments, slowing roll-outs and raising concerns about disruption in live operational settings.

Tenable has integrated the new engine into its existing risk-based vulnerability management products, allowing customers to start discovery without procuring additional infrastructure. The system can surface asset and device information including vendor, model, firmware, backplane details and running state.

Compliance Push

Tenable also framed the product around compliance demands. As regulation and audit requirements for cyber-physical systems evolve, organisations are under pressure to show they have a clearer inventory of the systems connected to their networks and a better understanding of the risks associated with them.

The company argued that easier deployment could help organisations address those requirements more quickly, particularly where OT has remained a blind spot because of fragmented tools or divided ownership between IT, facilities and operational teams.

The launch also fits Tenable's broader exposure management strategy, which brings risk data from different parts of the estate into one platform. In its view, OT data should sit alongside information from AI, cloud, identity and IT systems so security teams can prioritise weaknesses in a more joined-up way.

"Cyber-physical risk can't remain a blind spot in exposure management. We're giving organisations an immediate, low-friction way to bring OT into scope, so they can gain visibility, meet compliance requirements and start reducing risk from day one, without adding new infrastructure," said Eric Doerr, chief product officer at Tenable.

He added that Tenable would continue to offer a broader OT-focused product for customers with more complex needs.

"For existing customers with more complex use cases, we offer Tenable OT Security, a comprehensive OT solution that delivers visibility, security and control for proactive risk reduction across today's rapidly converging OT/IT environment," Doerr said.

The launch adds to competition among cyber security vendors seeking to extend their reach from conventional IT asset management into industrial and cyber-physical environments, where discovery and monitoring are becoming more central to board-level risk management.