Scanning IoT and OT
Can I safely scan my IoT and OT environments?
Yes. IoT and OT equipment is often sensitive to high packet rates or malformed traffic, and past experiences with aggressive scanners have led many teams to put a “don’t scan” rule in place for these networks. runZero was purpose-built to operate safely in these environments, so most organizations can confidently include their IoT and OT assets in their active inventory.
runZero discovers assets using a lightweight active scan engine called the Explorer. The Explorer can be deployed almost anywhere on your network — no SPAN or TAP ports to configure, and no agents to install on individual devices. Because discovery is performed actively from a single point on the network, you don’t have to modify the environment you’re trying to inventory.
What makes the Explorer safe for sensitive environments?
The Explorer was engineered from the ground up with fragile OT and IoT systems in mind. It is not based on nmap, masscan, or any other open source or commercial scanner. The Explorer only sends well-formed, standards-compliant traffic — it never sends malformed packets and never attempts to exploit vulnerabilities.
Safety controls built into every scan include:
- Conservative, configurable scan rates. Defaults are 1000 packets per second across the entire scan and 40 packets per second per host. Both values are adjustable, and traffic is balanced evenly across all targets in scope.
- IP and port exclusions. Critical assets, subnets, and individual TCP/UDP ports can be excluded globally or per scan.
- Per-protocol probe controls. Every UDP service probe — including each OT/IoT-specific probe — can be enabled or disabled individually.
- Connection-aware pacing. The Explorer balances SYN and ACK traffic and watches for port-exhaustion conditions on both the scanner and the target.
- Configurable max group size. Limits how many targets are probed concurrently, which directly controls the connection load placed on stateful middle boxes such as firewalls, proxies, and small routers.
- Targeted port coverage. Only TCP and UDP ports that yield actionable fingerprinting data are probed — not all 65535. The list is fully adjustable for specialized equipment using non-standard ports (see Ports scanned by runZero).
- Per-protocol behavioral tuning. Probe behavior is tailored to known-fragile services. For example, the Explorer will collect a banner from 9100/tcp on a printer but will never send active probe data that could result in printed “garbage.”
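The rate limits above are the controls an OT team will most want to verify rather than take on trust. The following script is an added example, not runZero code: it reads a packet capture of the scanner's traffic with a small stdlib-only pcap reader (Ethernet/IPv4, with or without an 802.1Q tag), then reports the peak packets per second globally and per destination host and flags any host that received more than its per-host budget in any one-second bin. The capture it analyses is constructed inline; the 1000/40 defaults are the figures quoted above, and binning by whole second is a simplification (a sliding window would be stricter).

```python
"""Check a capture of scanner traffic against a global and a per-host packet budget.

Stdlib-only pcap reader: counts IPv4 packets per whole-second bin, globally and
per destination address, and flags hosts that exceeded their budget in any bin.
"""
import struct
from collections import Counter

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond variant; only whole seconds are used here
LINKTYPE_ETHERNET = 1


def iter_ipv4_dst(pcap_bytes):
    """Yield (timestamp_seconds, dst_ip) for every IPv4 packet in an Ethernet pcap."""
    if len(pcap_bytes) < 24:
        raise ValueError("not a pcap file")
    if struct.unpack("<I", pcap_bytes[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        end = "<"
    elif struct.unpack(">I", pcap_bytes[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        end = ">"
    else:
        raise ValueError("unknown pcap magic")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is supported")
    off = 24
    while off + 16 <= len(pcap_bytes):
        sec, _frac, caplen, _origlen = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) != caplen:
            raise ValueError("truncated capture record")
        if len(frame) < 14:
            continue
        eth_type, ip_off = struct.unpack(">H", frame[12:14])[0], 14
        if eth_type == 0x8100 and len(frame) >= 18:   # 802.1Q tag shifts the EtherType by 4
            eth_type, ip_off = struct.unpack(">H", frame[16:18])[0], 18
        if eth_type != 0x0800 or len(frame) < ip_off + 20:
            continue                                   # ARP, IPv6, etc. are not counted
        yield sec, ".".join(str(b) for b in frame[ip_off + 16:ip_off + 20])


def rate_report(pcap_bytes, max_pps=1000, max_host_pps=40):
    """Peak per-second rates and the hosts that exceeded max_host_pps in any bin."""
    per_second, per_host_second = Counter(), Counter()
    for sec, dst in iter_ipv4_dst(pcap_bytes):
        per_second[sec] += 1
        per_host_second[(dst, sec)] += 1
    peak_pps = max(per_second.values(), default=0)
    peak_host_pps = max(per_host_second.values(), default=0)
    over = sorted({host for (host, _), n in per_host_second.items() if n > max_host_pps})
    return {"peak_pps": peak_pps, "global_ok": peak_pps <= max_pps,
            "peak_host_pps": peak_host_pps, "hosts_over_limit": over}


# --- Constructed sample capture (synthetic, not recorded scanner traffic) ----

def _ipv4_frame(dst_ip):
    """Ethernet + bare IPv4 header (protocol TCP, no payload); only the destination matters here."""
    eth = b"\x02" * 12 + b"\x08\x00"
    dst = bytes(int(o) for o in dst_ip.split("."))
    return eth + struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), dst)


def build_sample_pcap():
    """Two seconds of traffic: 60 pps to 10.0.0.5 (over a 40 pps budget) and 20 pps to 10.0.0.6."""
    base, records = 1_700_000_000, []
    for host, pps in (("10.0.0.5", 60), ("10.0.0.6", 20)):
        for i in range(2 * pps):
            sec, usec = base + i // pps, (i % pps) * (1_000_000 // pps)
            frame = _ipv4_frame(host)
            records.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(records)


if __name__ == "__main__":
    print(rate_report(build_sample_pcap()))
```

Run it against a real capture by passing the file contents to rate_report with the limits you configured in the scan template; a host in hosts_over_limit is the one to look at before widening the scope. The global peak in the sample stays under 1000 pps while 10.0.0.5 is over its per-host budget, which is exactly the case the per-host limit exists to catch: a small scan can still overload one fragile controller.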
For a step-by-step rollout plan, see the Scanning OT networks playbook.
Where should I deploy the Explorer?
There are two common patterns:
- Co-locate with existing vulnerability scanners. These hosts typically already have allow-lists, network reachability, and session-table sizing that account for scan traffic, which simplifies deployment.
- Deploy dedicated Explorers at remote and OT sites. Placing an Explorer on the same network segment as the assets it scans gives the best layer-2 visibility, eliminates middle-box concerns, and lets you tune scans independently per location.
For isolated OT networks with no internet access, deploy a self-hosted runZero console or use the offline scanner so Explorers never need to leave the OT zone.
OT/ICS vendors runZero fingerprints
runZero recognizes a wide range of OT, ICS, and IoT vendors out of the box, including:
- ABB
- Allen-Bradley / Rockwell Automation
- AutomationDirect
- Beckhoff
- BARIX
- Cisco
- CODESYS
- Control Solutions
- Control Techniques
- Danfoss
- Delta Electronics
- Digi
- Emerson
- Festo
- GE
- GENEREX
- GLC Controls
- Hilscher
- Hirschmann
- HMS Networks
- Honeywell
- ifm
- Johnson Controls
- Lantronix
- Linor Koda
- Mitsubishi Electric
- Moxa
- Murrelektronik
- Omron
- Phoenix Contact
- Pilz
- Pressac
- ProSoft Technology
- Red Lion
- Rittal
- Saia-Burgess
- Schneider Electric
- SICK
- Siemens
- Turck
- WAGO
- Weidmüller
- Westermo
- Yokogawa
IoT and OT protocols
runZero ships dedicated probes for the most common industrial, building-automation, and field-bus protocols. Each probe is standards-compliant and designed to elicit only the information needed to fingerprint a device. All probes can be toggled individually in your scan templates.
| Probe | Protocol | Typical port(s) | Notes |
|---|---|---|---|
| BACNET | BACnet/IP | 47808/udp | HVAC, lighting, building management. Enumerates routed devices and BBMD/FDT entries as sub-assets. |
| ETHERNETIP | EtherNet/IP (CIP) | 44818/tcp+udp, 2222/udp | Rockwell / Allen-Bradley and other CIP devices. Enumerates backplane modules as sub-assets. |
| MODBUS | Modbus/TCP | 502/tcp | Tune modbus-identification-level to match device capabilities. Enumerates connected unit IDs as sub-assets. |
| S7COMM | Siemens S7Comm | 102/tcp | Set s7comm-request-extended-information to true for richer data. Enumerates rack/slot modules as sub-assets. |
| KNXNET | KNXnet/IP | 3671/udp | Building automation; enumerates KNX devices behind the IP interface. |
| DNP3 | DNP3 | 20000/tcp+udp | Some outstations only talk to one master at a time; test before broad rollout. |
| PROFINET | PROFINET | 34962-34964/udp | Cyclic and acyclic real-time control; enumerates slot/subslot modules. |
| ETHERCAT | EtherCAT | 34980/udp | Enumerates slaves on the EtherCAT segment. |
| FINS | Omron FINS | 9600/tcp+udp | Omron PLCs and compatible controllers; enumerates connected units. |
| MELSECQ | Mitsubishi MELSEC-Q | 5006-5007/tcp | Returns CPU model and type; enumerates backplane CPUs. |
| HARTIP | HART-IP | 5094/tcp | Multiplexers in front of HART field instruments; walks Cmd 84 sub-device indices. |
| IEC104 | IEC 60870-5-104 | 2404/tcp | SCADA telecontrol; enumerates outstation addresses. |
| MMS | IEC 61850 MMS | 102/tcp | Substation IEDs; enumerates logical devices. |
| ADS | Beckhoff ADS | 48898/tcp | Beckhoff TwinCAT runtime; enumerates ADS sub-devices. |
| C37118 | IEEE C37.118 Synchrophasor | 4712/tcp | PMUs reported by Phasor Data Concentrators. |
| ATG | Veeder-Root Automatic Tank Gauge | 10001/tcp | Fuel-tank monitoring at retail / fleet sites. |
| BSAP-IP | Emerson BSAP/IP | 1234-1235/udp | Emerson ControlWave / Bristol RTUs in oil & gas SCADA. |
| C12.22 | ANSI C12.22 | 1153/tcp | Electric-utility AMI head-ends and relays. |
| CSPV4 | Allen-Bradley CSPv4 / PCCC | 2222/tcp | Legacy SLC 5/05 and MicroLogix PLCs. |
| DOIP | Diagnostics over IP | 13400/tcp+udp | In-vehicle ECUs over Ethernet; enumerates reachable ECUs. |
| FOCAS | Fanuc FOCAS | 8193/tcp | Fanuc CNC machine tools and robots. |
| HSMS | SEMI HSMS / SECS-GEM | 5000/tcp | Semiconductor fab equipment (SEMI E37). |
| MBUS-TCP | M-Bus over TCP | 8888-8889/tcp | Tunneled EN 13757 utility-meter aggregators. |
| OPCUA | OPC UA | 4840/tcp, 4843/tcp | Vendor-neutral industrial information model and data access. |
Fifteen of these probes (BACnet, CIP, Modbus, KNXnet, S7Comm, DNP3, PROFINET, EtherCAT, Omron FINS, MELSEC-Q, HART-IP, IEC 60870-5-104, IEC 61850 MMS, Beckhoff ADS, IEEE C37.118) also enumerate downstream devices behind the gateway and report each as its own sub-asset linked back to the gateway. See Protocol gateways for how that works and how to query the resulting sub-assets.
You can find the complete list in our protocol catalog.
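To make concrete what a standards-compliant identification probe actually exchanges with a device, here is an added example of the Modbus/TCP Read Device Identification request (function 0x2B, MEI type 0x0E) and its response, framed as the Modbus Application Protocol Specification defines them. This is illustrative code written for this page, not the runZero probe implementation. The level argument (1 basic, 2 regular, 3 extended) is the ReadDevId code in the request; that it is the same quantity the modbus-identification-level option tunes is my assumption. The sample response and exception frame are constructed, not captured from a real device, and query_device is a hypothetical helper for the live exchange.

```python
"""Modbus/TCP Read Device Identification (FC 0x2B, MEI 0x0E): request builder and response parser.

A read-only request that returns vendor, product code and revision without
touching coils or registers. Framing follows the Modbus Application Protocol Specification.
"""
import socket
import struct

FC_ENCAP_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E
LEVELS = {1: "basic", 2: "regular", 3: "extended"}          # ReadDevId codes 1..3
OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
           0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName", 0x06: "UserApplicationName"}
EXCEPTIONS = {0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS",
              0x03: "ILLEGAL DATA VALUE", 0x04: "SERVER DEVICE FAILURE"}


def build_read_device_id(transaction_id, unit_id=0xFF, level=1, object_id=0x00):
    """MBAP header + PDU. unit_id 0xFF addresses the TCP device itself, not a serial slave behind it."""
    if level not in LEVELS:
        raise ValueError("level must be 1 (basic), 2 (regular) or 3 (extended)")
    pdu = bytes([FC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, level, object_id])
    # MBAP: transaction id, protocol id (always 0), length = unit id + PDU bytes, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id(frame, expected_tid):
    """Decode a response into its identification objects, or the exception the device raised."""
    if len(frame) < 9:
        raise ValueError("shorter than MBAP header plus minimal PDU")
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if tid != expected_tid or proto != 0:
        raise ValueError("transaction/protocol id mismatch: not the reply to our request")
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length field does not match the PDU received")
    if pdu[0] == (FC_ENCAP_INTERFACE | 0x80):               # exception response
        return {"unit_id": unit_id, "exception": pdu[1],
                "exception_name": EXCEPTIONS.get(pdu[1], "UNKNOWN")}
    if pdu[0] != FC_ENCAP_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        raise ValueError("not a Read Device Identification response")
    level, conformity, more_follows, next_object, count = pdu[2:7]
    objects, off = {}, 7
    for _ in range(count):
        if off + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[off], pdu[off + 1]
        value = pdu[off + 2:off + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object value")
        objects[OBJECTS.get(oid, f"object_{oid:#04x}")] = value.decode("ascii", "replace")
        off += 2 + olen
    return {"unit_id": unit_id, "level": level, "conformity": conformity,
            "more_follows": more_follows == 0xFF, "next_object": next_object, "objects": objects}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf += chunk
    return buf


def query_device(host, port=502, unit_id=0xFF, level=1, timeout=3.0):
    """Hypothetical live helper (not exercised offline): reads the MBAP header first so exactly one PDU is consumed."""
    tid = 1
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_read_device_id(tid, unit_id, level))
        mbap = _recv_exact(s, 7)
        pdu_len = struct.unpack(">H", mbap[4:6])[0] - 1
        return parse_read_device_id(mbap + _recv_exact(s, pdu_len), tid)


# --- Constructed sample frames (not captured from a real device) -------------

def sample_basic_response(tid):
    """Basic-level reply: conformity 0x81 (basic identification, stream and individual access), three objects."""
    objs = [(0x00, b"ExampleVendor"), (0x01, b"PLC-1000"), (0x02, b"v2.1.0")]
    body = b"".join(bytes([oid, len(v)]) + v for oid, v in objs)
    pdu = bytes([FC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, 1, 0x81, 0x00, 0x00, len(objs)]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 0xFF) + pdu


def sample_exception_response(tid):
    """What a device that does not implement FC 0x2B returns: exception 0x01, ILLEGAL FUNCTION."""
    pdu = bytes([FC_ENCAP_INTERFACE | 0x80, 0x01])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 0xFF) + pdu
```

Two details matter for scanning fragile gear. The parser rejects any frame whose transaction ID does not match, so a stale or unsolicited reply is never attributed to the wrong probe, and the live helper reads the MBAP length field before the PDU so it never over-reads or leaves a partial frame on the socket. On the caveat in the table: per the specification, a device that does not implement function 0x2B answers with exception 0x01 (ILLEGAL FUNCTION), in which case no identification level will help, whereas exception 0x03 (ILLEGAL DATA VALUE) is the response to a ReadDevId code the device does not support, which is the case where lowering the level is the right fix. Real devices do not always follow the specification closely, which is why the page recommends validating against a representative subset first.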
runZero recommends starting with the OT-specific probes disabled, validating a limited scan against a representative subset of devices, and then enabling additional protocols as your team gains confidence. See the Scanning OT networks playbook for a recommended phased rollout.