The scope statement says: qualify all devices on the OT network against the approved specification. Verify firmware versions. Confirm certificate validity. Check for default credentials. Identify any unauthorised devices. Produce the Component Identification List.
The team looks at the network diagram. Four hundred devices. Twelve vendors. Six different configuration tools, each requiring different credentials and specialist knowledge. No common output format.
The Component Identification List will be assembled manually, cross-referenced against the approved specification by hand, and will take weeks to produce. And it will need repeating every time the scope changes.
Why OT network qualification is harder than it looks
Industrial OT networks were not designed with qualification in mind. They were designed for operational reliability — and in many cases, were assembled over years from devices added incrementally as production needs changed.
The result is heterogeneity. Siemens PLCs managed through TIA Portal. Rockwell controllers managed through Studio 5000. Cognex cameras accessed through In-Sight Explorer. Zebra printers with their own firmware management interface. Each vendor provides the tools to access their own devices. None of those tools were designed to produce a unified qualification record.
When the qualification scope requires screening every device against a single specification — firmware version, certificate validity, default password status, network legitimacy — the team has to visit each device category in its own tool, extract the relevant data, and then manually collate and cross-reference it against the spec. For a large-scope network, this is a project in itself — and one we cover from a different angle in every vendor brings their own tool.
The security dimension
OT network qualification is not only a commissioning or validation activity. It is increasingly a security requirement. The convergence of IT and OT networks, driven by connectivity requirements for analytics, remote access, and digital plant infrastructure, has exposed industrial control systems to security risks that were previously managed through physical isolation.
IEC 62443, the international standard for industrial cybersecurity, provides a framework for assessing the security posture of OT systems. But applying that framework across a large multi-vendor network requires the ability to extract security-relevant configuration data from every device type on the network — firmware version, certificate validity, enabled services, default credential status — in a consistent, auditable way. The change-control half of that picture lives in our IEC 62443 coverage.
Without a single access point, this assessment is fragmented, slow, and vulnerable to gaps. Devices that require specialist tools or knowledge may not be fully screened. Devices that were added to the network without formal commissioning may not be on the assessment scope at all.
The single access point model
The alternative to N tools for N vendor types is a single access point that interrogates every device type on the network and produces a unified output.
This requires a system that understands the communication protocols of each device type well enough to extract configuration data programmatically — not through the vendor's configuration tool, but directly, through the device's own communication interface.
The output of each interrogation is normalised into a common format. Parameters of interest are automatically compared against the approved specification. The Component Identification List is generated automatically — not assembled manually from vendor tool outputs.
The qualification scope does not change. But the execution time drops from weeks to hours, and the output is consistent, complete, and verifiable rather than manually assembled and subject to transcription error.
What gets screened and what gets surfaced
A comprehensive OT network qualification screen addresses several categories simultaneously. Firmware currency: are all devices running firmware versions within the approved range? Default credentials: do any devices still have factory-default passwords enabled? Certificate validity: are all certificates within their validity period and issued by the approved authority? Unauthorised devices: are there any devices on the network that are not in the approved topology?
Each of these categories has direct compliance and security relevance. Each requires data that is currently spread across multiple vendor systems and requires specialist access to extract.
Surfacing all four categories simultaneously, from a single point, in a format that directly supports the qualification package and the CIL, converts a weeks-long manual process into an automated screen that can be repeated whenever the scope changes or a new qualification cycle is required.