Expanded OT Intelligence and Attack Path Mapping

New capabilities from runZero help visualize cross-environment attack paths and validate segmentation.

Industrial Cyber

runZero recently unveiled new capabilities designed to shatter the "segmentation illusion" by revealing hidden attack paths across IT and OT environments. Defenders can now identify segmentation failures, visualize lateral movement across network boundaries, and prioritize the exposures that pose the greatest risk to industrial uptime and business operations.

The World Economic Forum recently reported that 64 percent of organizations cited the disruption of critical infrastructure and espionage as top cybersecurity concerns amidst heightened geopolitical tensions. Despite this, many organizations operate under a "segmentation illusion," wrongly assuming OT environments are isolated or air-gapped. 

In reality, industry research consistently finds that more than a third of organizations have at least one OT asset exposed to the public internet. 

In a recent analysis of sample manufacturing environments, runZero found that roughly 30 percent of OT assets were only one hop away from an internet-exposed device, and 90 percent were within two hops.

"Segmentation is something you verify, not something you assume," said HD Moore, founder and CEO of runZero. "This release lets defenders trace the actual paths from an exposed IT asset to a PLC, including the ones that run through protocol gateways and devices nobody documented. That's the gap between knowing you have OT and knowing it's defensible."

The foundation of these new capabilities is the runZero active scan engine, which provides discovery and fingerprinting for all types of assets. This technology has been proven safe even in fragile OT environments in numerous customer deployments, as well as in an evaluation conducted by the U.S. Department of Energy’s National Renewable Energy Laboratory.

This release allows runZero to identify sub-assets behind industrial protocol gateways, such as Modbus, BACnet, EtherNet/IP, and KNXnet. These downstream assets are often not directly addressable on the network, making them invisible to traditional tools. By enumerating and mapping these devices, runZero provides advanced visibility into the OT attack surface, including hard-to-detect areas and field-level devices.

Additional features of the release include:

  • Topology maps: Interactive maps that scale from a global overview down to individual sites and subnets. Available in 2D and 3D, as well as hybrid Layer 2 and Layer 3 views, runZero’s new network maps enable teams to quickly spot exposures even in highly complex environments with hundreds of thousands of assets.
  • Anomaly detection: Flag “misplaced” items like a Windows laptop in a production zone that likely violates security policies, as well as outliers that deviate from expected parameters — and frequently pose risk.
  • Interactive attack path mapping: Visualize trajectories from initial compromise to operational impact, including capabilities for:
    • Path tracing: Set a specific source and target to see exactly how an attacker could move through the network, highlighting every pivot point and bridge along the way.
    • Choke point identification: Easily surface a prioritized set of assets that, if compromised, could grant attackers access to high-value network zones.
  • Multi-homed and bridge detection: Automatically surface devices connected to multiple networks, instantly pinpointing risky assets that bypass segmentation and firewall strategies.
  • Map the unmappable: Safely enumerate OT assets across gateways and non-IP boundaries that are frequently missed by other tools. By peering behind protocol gateways, runZero unmasks the field-level devices that were previously invisible, without risking downtime.
  • Identify protocol exposures: Detect critical devices accessible from the IT domain with support for an expanded library of more than 220 protocols. This includes dozens of "insecure by design" industrial protocols — such as Modbus, BACnet, EtherNet/IP, KNXnet, Siemens S7comm, and Triconex TriStation — that are commonly targeted by attackers attempting to gain control of physical operations.
  • Risk prioritization: Highlight the exposures and segmentation gaps that matter most, helping teams focus remediation efforts on the assets and connections that introduce the greatest operational risk.
  • Advanced fingerprinting and device classification: Precisely identify asset categories and functions, leveraging deep fingerprinting that analyzes thousands of distinct device attributes to provide definitive intelligence into each asset’s role and risk profile.