What is a Rogue Device?
A rogue device is an unauthorised or unknown device that connects to a network without approval or proper configuration. It can be a deliberately placed malicious component (an attack), but also an unintentionally connected laptop, sensor, switch or wireless access point.
In OT networks, rogue devices pose a serious risk, because they can directly affect the reliability, availability and safety of industrial systems.
🧠 Examples of rogue devices in OT
| Device | Risk |
|---|---|
| Unauthorised laptop | Malware infection, ARP spoofing, network scans |
| Unmanaged switch | Open access to multiple networks, lack of visibility |
| Misconfigured sensor | Disrupted measurements, faulty process actions |
| Personal Wi-Fi router | Open back door, bypassing network segmentation |
| Dev board (e.g. Raspberry Pi) | Covert packet capture or bridge to the internet |
🔐 Why are rogue devices dangerous?
- No asset management – they are not recognised by asset inventory systems
- No policies – no updates, no logging, no access limits
- Possible malware – malware can spread invisibly or eavesdrop
- Bypassing security – they can connect networks or zones without control
- Can be added unintentionally – for instance, by suppliers or maintenance crews
🔍 How do you detect rogue devices?
| Method | Explanation |
|---|---|
| Asset Discovery | Regularly scan the network and compare with known devices |
| MAC Binding and Port Security | Only approved devices may connect |
| Network Access Control (NAC) | Assess devices before granting network access |
| IDS / anomaly detection | Detection of unusual behaviour, new devices or scan traffic |
| SNMP monitoring | Switches report active MAC addresses per port |
Implementing a Zero Trust Architecture helps limit the impact of rogue devices.
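The asset discovery and SNMP monitoring rows above come down to one reconciliation step: take the list of MAC addresses a switch has learned per port and compare it with the asset inventory. The following Python script is an added example (not code from the original page); it assumes the per-port MAC table has already been fetched (for instance by SNMP polling of the switch's bridge MIB, or from a CLI dump) and that the inventory records which port each approved asset should sit on. All inventory entries, MAC addresses and port names are constructed for illustration. It flags unknown MACs, unknown MACs on ports declared unused, more MACs behind one port than expected (a sign of an unmanaged switch or rogue access point), approved assets seen on the wrong port, and approved assets that have disappeared.

```python
"""Reconcile a switch's per-port MAC table against an OT asset inventory and
flag candidate rogue devices. Added example, not from the original page; all
inventory and MAC-table data below is constructed for illustration."""
from dataclasses import dataclass

# Constructed asset inventory: approved MAC -> (asset name, port it should sit on).
ASSET_INVENTORY = {
    "00:1a:2b:00:00:01": ("PLC-01", "Gi1/0/1"),
    "00:1a:2b:00:00:02": ("HMI-01", "Gi1/0/2"),
    "00:1a:2b:00:00:03": ("Sensor-03", "Gi1/0/3"),
    "00:1a:2b:00:00:04": ("Sensor-04", "Gi1/0/4"),
}

# Constructed snapshot of the switch's learned MAC table, as SNMP polling of the
# bridge MIB or a CLI "show mac address-table" dump would return it: (port, MAC).
# Vendors print MACs differently, so they are normalised before comparison.
MAC_TABLE_SNAPSHOT = [
    ("Gi1/0/1", "00:1a:2b:00:00:01"),
    ("Gi1/0/2", "00:1a:2b:00:00:02"),
    ("Gi1/0/3", "00:1a:2b:00:00:03"),
    ("Gi1/0/3", "B8-27-EB-AA-BB-CC"),   # second MAC behind the sensor's port
    ("Gi1/0/7", "3C5A.B411.2233"),      # learned on a port declared unused
]

# Ports the site has declared unused; nothing should ever be learned on them.
DECLARED_UNUSED_PORTS = {"Gi1/0/7", "Gi1/0/8"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    port: str
    mac: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def analyse(mac_table, inventory, unused_ports, max_macs_per_port=1):
    """Return a list of Findings; an empty list means the snapshot matches the inventory."""
    inv = {normalize_mac(m): v for m, v in inventory.items()}
    findings = []
    per_port = {}
    seen = set()
    for port, raw_mac in mac_table:
        mac = normalize_mac(raw_mac)
        seen.add(mac)
        per_port.setdefault(port, []).append(mac)
        if mac not in inv:
            # An unknown device on a port that should carry nothing is the strongest signal.
            severity = "high" if port in unused_ports else "medium"
            findings.append(Finding(severity, port, mac, "MAC not in asset inventory"))
            continue
        name, expected_port = inv[mac]
        if port != expected_port:
            findings.append(Finding("medium", port, mac,
                                    f"{name} expected on {expected_port}, seen on {port}"))
    # More MACs than expected behind one port suggests an unmanaged switch, hub or rogue AP.
    for port, macs in per_port.items():
        if len(macs) > max_macs_per_port:
            findings.append(Finding("medium", port, ",".join(macs),
                                    f"{len(macs)} MACs learned on one port, limit is {max_macs_per_port}"))
    # Known assets that disappeared: may simply be offline, or may have been moved or replaced.
    for mac, (name, port) in inv.items():
        if mac not in seen:
            findings.append(Finding("low", port, mac, f"{name} not seen in this snapshot"))
    return findings


if __name__ == "__main__":
    for f in analyse(MAC_TABLE_SNAPSHOT, ASSET_INVENTORY, DECLARED_UNUSED_PORTS):
        print(f"[{f.severity:6}] {f.port:8} {f.mac:17} {f.reason}")
```

Run as a script it prints four findings for the constructed data: an unknown MAC behind the sensor port, an unknown MAC on a declared-unused port (rated high), two MACs learned on one access port, and Sensor-04 absent from the snapshot. In practice the snapshot would be polled on a schedule and only the difference from the previous run forwarded as an alert, so that a stable, fully inventoried network produces no noise.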
✅ Controls
| Measure | Effect |
|---|---|
| Whitelisting MAC addresses | Only known devices can connect |
| 802.1X authentication | Access only after device or user verification |
| Segmentation via VLAN | Isolate new/unknown devices |
| Switch configuration | Limit active ports and detect new MACs |
| Physical access control | Prevent unauthorised access to switchgear or ports |
| Supplier management | Guidelines for maintenance crews on what they may and may not connect |
📌 In summary
Rogue devices are invisible intruders in OT networks — placed deliberately or accidentally — that endanger the reliability and safety of industrial processes.
It is essential to maintain visibility of all connected devices and to restrict network access by default to known, authenticated components.
