Operational technology (OT) and IoT devices are among the most attractive targets in any network — and the hardest to monitor. You cannot install an endpoint agent on a PLC, a building controller, a medical imaging device, or a factory sensor. This guide explains how to gain security visibility using a SIEM with agentless network monitoring.
Traditional IT security assumes you can deploy an agent on every endpoint. OT and IoT break this assumption: devices run proprietary or minimal operating systems that cannot host monitoring software; many are fragile by design and an intrusive scan can crash a controller running a physical process; industrial equipment stays in service 15 to 20 years with legacy protocols; and OT networks were historically flat and unsegmented.
The visibility gap
If your monitoring depends entirely on endpoint agents, your OT and IoT estate is a blind spot. The Stuxnet, Triton, and Industroyer attacks all targeted OT precisely because it is so poorly monitored.
Since you cannot put software on the devices, you monitor the network they communicate over. Every device talks to something — a controller, a historian, a cloud endpoint. That traffic is observable from the network layer without touching the devices. nPro NRTG complements the SIEM through three mechanisms:
A network tap or SPAN port mirrors traffic to nPro, which analyses it without injecting packets — completely non-intrusive. nPro parses industrial protocols (Modbus, DNP3, OPC-UA, BACnet, S7) to understand what devices are doing.
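To make the passive-parsing idea concrete, here is an added example (not nPro code, and not from the original article) that decodes a Modbus/TCP application data unit from a mirrored packet's TCP payload, classifies the function code as a read or a state-changing write, and raises an alert when a write command comes from a host that is not on an operator-supplied list of authorised writers. The function names, the two sample frames and the authorised-writer list are all constructed for this example; only the MBAP header layout and the function-code meanings come from the Modbus specification.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Function codes that change state on the device (coil/register writes).
# Taken from the Modbus application protocol specification.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
MBAP_HEADER_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

# Constructed sample frames (hypothetical captures, not real traffic):
#   read holding registers, unit 1, start 0, quantity 10
READ_HOLDING = bytes.fromhex("00010000000601030000000a")
#   write single register, unit 1, register 16, value 0x1234
WRITE_SINGLE = bytes.fromhex("000200000006010600101234")


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    is_exception: bool
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTION_CODES


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU (MBAP header + PDU); raise ValueError if malformed."""
    if len(payload) < MBAP_HEADER_LEN + 1:
        raise ValueError("payload too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(
        ">HHHB", payload[:MBAP_HEADER_LEN]
    )
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The MBAP length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} remaining bytes")
    raw_fc = payload[MBAP_HEADER_LEN]
    is_exception = bool(raw_fc & 0x80)  # error responses set the high bit
    return ModbusFrame(transaction_id, unit_id, raw_fc & 0x7F, is_exception,
                       payload[MBAP_HEADER_LEN + 1:])


def describe(frame: ModbusFrame) -> str:
    """Readable summary of the request types decoded in this example."""
    fc, d = frame.function_code, frame.data
    if frame.is_exception and len(d) >= 1:
        return f"exception response to FC{fc}, code {d[0]}"
    if fc in (1, 2, 3, 4) and len(d) >= 4:
        start, qty = struct.unpack(">HH", d[:4])
        return f"read FC{fc} start={start} quantity={qty}"
    if fc in (5, 6) and len(d) >= 4:
        addr, value = struct.unpack(">HH", d[:4])
        return f"write FC{fc} addr={addr} value=0x{value:04x}"
    if fc in (15, 16) and len(d) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", d[:5])
        return f"write FC{fc} start={start} quantity={qty} bytes={nbytes}"
    return f"FC{fc} ({len(d)} data bytes)"


def assess(src_ip: str, payload: bytes, authorised_writers: set[str]) -> list[str]:
    """Return alert strings for a captured Modbus request sent by src_ip."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"malformed Modbus/TCP from {src_ip}: {exc}"]
    if frame.is_write and src_ip not in authorised_writers:
        return [f"write command from unauthorised host {src_ip}: {describe(frame)}"]
    return []


if __name__ == "__main__":
    # Constructed addresses: 10.2.0.10 is the HMI allowed to write, 10.4.1.7 is not.
    for src in ("10.2.0.10", "10.4.1.7"):
        for payload in (READ_HOLDING, WRITE_SINGLE):
            print(src, describe(parse_modbus_tcp(payload)), assess(src, payload, {"10.2.0.10"}))
```

Because the parser only reads a copy of the traffic, a malformed frame is reported rather than dropped silently, and nothing is ever sent towards the controller. Reads are treated as normal supervisory traffic; only writes from an unexpected source produce an alert, which is the "command traffic outside normal patterns" case a SIEM rule would key on.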
OT networks are highly predictable. nPro learns the baseline, then alerts on deviations: a device talking to a new destination, an unexpected protocol, or command traffic outside normal patterns.
Managed switches, gateways, and newer IoT devices often support SNMP or syslog. nPro polls these for device health and event logs, adding visibility on top of passive analysis.
OT security is built around the Purdue Model, organising industrial networks into hierarchical zones. The most important control is monitoring the boundaries between zones. A SIEM with network monitoring verifies that cross-boundary traffic follows policy and alerts when something crosses a boundary it should not.
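The baselining described above and the Purdue boundary check in this paragraph fit naturally into one detector, so here is an added example that serves both (it is not nPro's implementation and not code from the article). It learns the set of observed flows during a baseline period, then for each new flow checks first whether it crosses a zone boundary the policy does not allow, and second whether it deviates from the baseline, distinguishing an unseen source, a new destination, an unexpected protocol and a new service. The zone address ranges, the allowed-boundary table, the flow records and every IP address are constructed assumptions for this example.

```python
from __future__ import annotations

import ipaddress

# Constructed Purdue zone map; the address ranges are assumptions for this example.
ZONES = {
    "L1_control":     ipaddress.ip_network("10.1.0.0/24"),   # PLCs, RTUs
    "L2_supervisory": ipaddress.ip_network("10.2.0.0/24"),   # HMIs, engineering workstations
    "L3_operations":  ipaddress.ip_network("10.3.0.0/24"),   # historian, site operations
    "L3.5_dmz":       ipaddress.ip_network("10.35.0.0/24"),  # industrial DMZ
    "L4_enterprise":  ipaddress.ip_network("10.4.0.0/16"),   # corporate IT
}

# Boundary policy: (initiating zone, responding zone) pairs that may talk.
# Cross-zone traffic not listed here is a violation; in particular the
# enterprise zone only reaches the plant through the DMZ.
ALLOWED_BOUNDARIES = {
    ("L2_supervisory", "L1_control"),
    ("L3_operations", "L2_supervisory"),
    ("L3.5_dmz", "L3_operations"),
    ("L4_enterprise", "L3.5_dmz"),
}

Flow = tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, protocol name)

# Constructed baseline flows (hypothetical, captured during a learning period).
BASELINE_FLOWS: list[Flow] = [
    ("10.2.0.10", "10.1.0.5", 502, "modbus"),    # HMI polls a PLC
    ("10.3.0.20", "10.2.0.10", 4840, "opcua"),   # historian reads the HMI's OPC-UA server
    ("10.35.0.2", "10.3.0.20", 443, "https"),    # DMZ relay pulls from the historian
]


def zone_of(ip: str) -> str:
    """Map an address to its Purdue zone name, or 'unknown' if outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


class FlowMonitor:
    """Learn a baseline of flows, then report boundary violations and deviations."""

    def __init__(self) -> None:
        self.baseline: set[Flow] = set()

    def learn(self, flows: list[Flow]) -> None:
        self.baseline.update(flows)

    def check(self, flow: Flow) -> list[str]:
        src, dst, port, proto = flow
        alerts: list[str] = []
        # 1. Policy check: does this flow cross a boundary it should not?
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_BOUNDARIES:
            alerts.append(f"boundary violation: {src_zone} -> {dst_zone} ({src} -> {dst}:{port}/{proto})")
        # 2. Baseline check: an exact match is normal, anything else is classified.
        if flow in self.baseline:
            return alerts
        seen_sources = {f[0] for f in self.baseline}
        dests_of_src = {f[1] for f in self.baseline if f[0] == src}
        protos_of_src = {f[3] for f in self.baseline if f[0] == src}
        if src not in seen_sources:
            alerts.append(f"unseen source: {src} -> {dst}:{port}/{proto}")
        elif dst not in dests_of_src:
            alerts.append(f"new destination: {src} -> {dst}:{port}/{proto}")
        elif proto not in protos_of_src:
            alerts.append(f"unexpected protocol: {src} -> {dst} using {proto}")
        else:
            alerts.append(f"new service: {src} -> {dst}:{port}/{proto}")
        return alerts


def build_monitor() -> FlowMonitor:
    """Return a monitor trained on the constructed baseline."""
    monitor = FlowMonitor()
    monitor.learn(BASELINE_FLOWS)
    return monitor


if __name__ == "__main__":
    m = build_monitor()
    for f in BASELINE_FLOWS + [
        ("10.2.0.10", "10.1.0.6", 502, "modbus"),   # HMI reaches a PLC it never spoke to
        ("10.2.0.10", "10.1.0.5", 44818, "enip"),   # same pair, different protocol
        ("10.4.1.7", "10.1.0.5", 502, "modbus"),    # enterprise host straight to a PLC
    ]:
        print(f, m.check(f) or "ok")
```

The two checks are deliberately separate: a flow can be inside the baseline yet violate policy (a misconfiguration that was present during learning), or respect the policy yet be new (a legitimately commissioned device, or an attacker staying within an allowed zone pair). Reporting both lets the SIEM rule treat a boundary violation as high severity regardless of history, while baseline deviations are triaged against change records.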
OT environments frequently operate air-gapped or network-restricted, where cloud SIEM is impossible or prohibited. A self-hosted SIEM runs entirely within the OT boundary, needs no outbound internet, and keeps sensitive operational data under your control. See our deployment guide.
nPro combines SIEM and agentless network monitoring in one self-hosted platform.