Tenable OT Security Lacks Cross-Vendor Fleet-Health Substrate

by Nick Clark | Published April 25, 2026

Tenable OT Security (formerly Tenable.ot, originally Indegy) is one of the strongest commercial OT-cybersecurity platforms for asset visibility, configuration tracking, and vulnerability management across industrial control systems. The architectural element it does not yet provide — a cryptographically attested, cross-vendor fleet-health substrate built on device-integrity attestation, tamper-evident seals, and PUF challenge-response — is exactly what the AQ health-monitoring primitive supplies.


Vendor and Product Reality

Tenable acquired Indegy in 2019 and rebranded the platform as Tenable.ot, then Tenable OT Security, integrating it with Tenable.io and Tenable One for a unified IT/OT exposure-management view. The product performs deep-packet inspection of industrial protocols (Modbus/TCP, EtherNet/IP, S7Comm, OPC UA, DNP3, IEC 61850, CIP), maintains a passive asset inventory, and uses active queries — issued through PLC-aware, non-disruptive probes — to extract firmware versions, ladder-logic checksums, and backplane configurations from Siemens S7, Rockwell ControlLogix, Schneider Modicon, GE Mark VIe, and Emerson DeltaV controllers.

The platform's strengths are well documented: it integrates with Splunk, ServiceNow OT Management, and Claroty xDome for SOC workflow; it maps detected assets to MITRE ATT&CK for ICS and to NIST SP 800-82r3; and it produces compliance evidence aligned with NERC CIP, IEC 62443-2-4, and the EU NIS2 directive. Reference customers include large utilities, water authorities, oil-and-gas operators, and pharmaceutical-manufacturing GxP environments.

What Tenable OT Security delivers is observation: it watches the wire, queries the PLC, and infers state. What it does not deliver is attestation: a cryptographically signed, hardware-rooted statement from the device itself about its own integrity. That distinction is increasingly the point of contention in OT procurement, because regulators and insurers want positive evidence of device health, not merely the absence of detected anomalies. Tenable's roadmap acknowledges this gap; the primitive described here closes it.

The Architectural Gap

A passive sensor cannot distinguish a healthy PLC from a compromised PLC that has been instructed to lie about its firmware hash. Active queries help, but they rely on the integrity of the same firmware that may itself be compromised — the Stuxnet-class attack precisely exploited this. Tenable's product mitigates by cross-checking ladder-logic checksums against a baseline, but the baseline is established by an earlier observation, not by a hardware root of trust. A sufficiently patient adversary can poison the baseline.

The gap is also cross-vendor. A Siemens S7-1500 exposes a different attestation surface than a Rockwell ControlLogix 5580 or an Emerson DeltaV M-series controller. Each vendor has its own secure-boot story, its own firmware-signing chain, and its own (often absent) TPM or secure element. Tenable's platform normalizes the observable telemetry, but it does not normalize the underlying integrity claims, because the underlying claims are vendor-proprietary and frequently incomparable.

Finally, Tenable's evidence pipeline is centralized: data flows from the on-prem sensor to the Tenable management console and then to the cloud exposure-management view. This is operationally efficient but architecturally fragile — the integrity of the fleet-health view depends on the integrity of the management plane. Zero-trust device management, in the sense the NIST SP 800-207 architecture intends, requires that every device's integrity claim be independently verifiable without trusting any intermediary.

What the AQ Primitive Provides

The health-monitoring primitive composes three mechanisms into a single attested fleet-health substrate. Device-integrity attestation issues a cryptographically signed measurement of firmware, configuration, and runtime state from a hardware root of trust — TPM 2.0 on x86 controllers, Arm TrustZone or PSA on embedded platforms, dedicated secure elements (NXP EdgeLock, Infineon OPTIGA) on legacy retrofits. Tamper-evident seals bind the physical-enclosure state to the attestation chain, so a backplane addition or an unexpected USB insertion invalidates the next attestation. PUF (physically unclonable function) challenge-response provides a per-device unforgeable identity that survives firmware reflashing and supply-chain substitution.

Together these three produce a fleet-health observation that is cross-vendor by construction. Each device, regardless of OEM, emits a typed attestation token containing identity (PUF-rooted), integrity (measured-boot quote), and seal state. A verifier — co-located with Tenable's existing on-prem sensor or run in a separate enclave — checks the token against the device's enrollment record and against the current vendor advisory feed. The verifier output is a structured health claim that fuses identity, integrity, and physical-tamper evidence into a single decision.

Zero-trust device management falls out of this directly. A controller that fails to attest is denied authorized actuation, regardless of what the network-layer policy says. A controller whose seal is broken is quarantined even if its firmware hash matches the baseline. A controller whose PUF response no longer matches enrollment is treated as substituted hardware. The primitive does not replace Tenable's network-layer detection; it complements it with a parallel, hardware-rooted truth source that the network-layer detection can corroborate.
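As an added example (not code from the page, Tenable, or Adaptive Query), the verifier logic of the two paragraphs above in Python: one health claim fused from signature, PUF identity, seal state and firmware measurement, with the decision order the text prescribes. The token schema, the enrollment record, the HMAC standing in for a hardware-rooted quote signature, and the Hamming-distance PUF tolerance are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed enrollment record for one controller (hypothetical schema, not
# Tenable's or Adaptive Query's). The HMAC key stands in for the device's
# hardware-rooted attestation key; a real verifier checks a TPM or PSA quote.
ENROLLMENT = {
    "device_id": "plc-s7-1500-01",
    "attest_key": b"constructed-enrollment-key-0001",
    "puf_challenge": "c0ffee01",
    "puf_response": 0b1011001110001111,   # response recorded at enrollment
    "firmware_sha256": hashlib.sha256(b"constructed-firmware-v2.1").hexdigest(),
}

def canonical(token):
    """Serialize every field except the signature in a stable order."""
    body = {k: v for k, v in token.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_token(body, key):
    """Device side: attach the hardware-rooted signature to the token."""
    token = dict(body)
    token["sig"] = hmac.new(key, canonical(token), hashlib.sha256).hexdigest()
    return token

def puf_matches(enrolled, observed, max_dist=2):
    """PUF responses are noisy: accept within max_dist flipped bits of enrollment."""
    return bin(enrolled ^ observed).count("1") <= max_dist

def evaluate(token, enrollment):
    """Verifier side: fuse signature, PUF identity, seal state and measurement
    into one health claim. A broken seal quarantines even if firmware matches."""
    expected = hmac.new(enrollment["attest_key"], canonical(token), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return {"decision": "deny_actuation", "reason": "attestation signature invalid"}
    if (token["puf_challenge"] != enrollment["puf_challenge"]
            or not puf_matches(enrollment["puf_response"], token["puf_response"])):
        return {"decision": "treat_as_substituted", "reason": "PUF response does not match enrollment"}
    if token["seal"] != "intact":
        return {"decision": "quarantine", "reason": "tamper-evident seal broken"}
    if token["firmware_sha256"] != enrollment["firmware_sha256"]:
        return {"decision": "deny_actuation", "reason": "measured firmware differs from baseline"}
    return {"decision": "healthy", "reason": "identity, integrity and seal verified"}

# Constructed token from a healthy controller: one bit of PUF noise, seal intact.
HEALTHY = sign_token({"device_id": "plc-s7-1500-01", "puf_challenge": "c0ffee01",
                      "puf_response": 0b1011001110001110, "seal": "intact",
                      "firmware_sha256": ENROLLMENT["firmware_sha256"]}, ENROLLMENT["attest_key"])
```

Note that the firmware check comes last on purpose: a matching measurement never rescues a device whose signature, identity or seal has already failed.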

Composition Pathway

Integration with Tenable OT Security uses the platform's existing northbound interfaces. The attestation verifier emits health claims as Tenable.io ingestion events, mapped onto the existing asset record and onto the existing vulnerability and compliance dashboards. Tenable's exposure-management scoring is extended with an attestation-state dimension: an asset that is unpatched but currently attested cleanly to its enrollment baseline is scored differently from an asset that is patched but failing attestation.

On the device side, the primitive supplies reference attestation agents for the major controller families — a TPM-backed agent for Siemens S7-1500 advanced controllers, a TrustZone agent for Rockwell ControlLogix 5580 with the secure-element option, a PSA-rooted agent for newer Schneider EcoStruxure controllers, and a retrofit secure-element module for the legacy installed base where the original silicon predates hardware roots of trust. Vendor cooperation is required for the deepest integration; absent it, the retrofit path delivers a reduced but still meaningful health claim.

Cross-vendor composition is the property that makes this commercially interesting. A refinery with mixed Emerson DeltaV, Honeywell Experion PKS, and Yokogawa CENTUM VP loops gets a single fleet-health view in Tenable OT Security, with each vendor's attestation chain normalized to a common claim schema. The verifier's evidence is independently auditable by an insurer or a regulator without trusting either Tenable or any single OEM, which is the property NIS2 and the U.S. EPA's water-sector cybersecurity guidance increasingly require.

Commercial and Licensing Implication

For Tenable, the primitive answers a procurement question that the company currently has to deflect. When a CISO at a NIS2-regulated utility asks "how do I prove to my regulator that my PLC fleet is not lying to your sensor?", the current answer is a process narrative. With the primitive, the answer is a cryptographically signed fleet-health report whose verification does not depend on Tenable's management plane. That converts a soft objection into a closed sale and extends Tenable's defensible footprint into the integrity-attestation layer that Claroty, Dragos, and Nozomi do not occupy either.

Licensing is non-exclusive across OT-cybersecurity vendors. Adaptive Query's expectation is that Claroty xDome, Dragos Platform, and Nozomi Networks Vantage adopt the same primitive, because cross-vendor fleet-health is only meaningful if the attestation schema is shared. Tenable's competitive advantage is the depth of its existing OT-protocol coverage and its IT/OT exposure-management integration; the primitive gives that advantage a hardware-rooted substrate to stand on, rather than displacing it.

Cyber-insurance and reinsurance markets are the second commercial vector. Carriers writing OT-cyber cover at scale — Beazley, AXA XL, Munich Re, Lloyd's syndicates — already differentiate premium against demonstrable control efficacy, and attested fleet-health is precisely the kind of evidence underwriters can price against. A Tenable-led customer presenting attested device integrity at policy renewal can credibly argue for rate relief, which converts the primitive from a security-team line item into a finance-team return-on-investment story. That re-framing is what moves enterprise OT-cyber procurement out of the security budget and into the operational-risk budget, where it competes on demonstrably better terms.
