Tenable OT Security 2025 Release Notes
Tenable OT Security 4.2.33 SP (2025-04-22)
Bug Fix
| Bug Fix | Defect ID |
|---|---|
| Tenable OT Security now ensures that open ports referencing non-existent IPs no longer prevent an upgrade. | NA |
Filenames and Checksums
Filenames and MD5 or SHA-256 checksums are posted at OT Security Downloads page.
Tenable OT Security 4.2.32 (2025-04-16)
New Features
Advanced SNMP-based Network Discovery and Crawler
The SNMP Crawler enhances Layer 2 visibility, enabling security teams to gain a comprehensive understanding of OT network topology. Unlike many security vendors, OT Security leverages SNMP data to discover and map all connected devices and switches, even those that it cannot actively reach or passively monitor.
-
A new discovery engine in OT Security uses SNMP queries to discover new devices connected to a switch when SNMP credentials are available.
-
Under Related Assets, OT Security tracks assets and the devices they connect to. For example, a switch and the assets connected to it. OT Security also indicates the port to which the asset is connected.
-
You can use the Fetch Neighbors option on the SNMP query or Initial Enrichment for SNMP to obtain details from the nearby devices.
Intelligent Hardware Lifecycle Management
Manage the lifecycle of your hardware investments with a robust library of end-of-life plugins for OT/IoT devices in your environment, complementing existing software EOL tracking capabilities.
-
Extends vendor support to include Schneider and Siemens for lifecycle tracking. There are new vulnerability plugins reported on the assets for these vendors to indicate their support.
-
Includes a new device attribute filter for lifecycle in the Inventory page.
Flexible Windows-based OT Security Deployment (Beta)
The new sensor deployment option allows you to install OT Security sensors directly on Windows devices, eliminating the need for a dedicated appliance. This paves the way for future integrations, including potential Nessus compatibility.
-
An early-stage product that allows you to perform various OT queries such as discovery, identification, and backplane queries from a Windows computer to OT devices such as a PLC.
-
Provides operational visibility into segmented or isolated subnets, even in environments where only a PC is available or deploying OT Security appliances is not feasible.
Improvements to IoT Connectors
Gain deeper insights into IoT-related risks with advanced data extraction from connected IoT and Video Management Systems (VMS). Enhanced support for credentialed authentication on Windows and Ubuntu-installed IoT agents expands integration capabilities, improving asset visibility and large-scale management.
-
A significant number of performance improvements and stability fixes to the underlying IoT engine.
-
Support for VMS credentials, which effectively doubles the supported VMS matrix.
-
IoT Connectors also brings in details such as the asset names, models, and stream details.
Main Navigation Menu changes
A redesigned user experience simplifies navigation across OT Security. The latest navigation updates streamline how you access and manage critical OT Security data to speed up common workflows. Updates include a restructured main toolbar, an intuitive side panel for quick access to asset inventory, findings, and event details.
-
Includes a new Data Collection category consolidating Policies, Active Query Management, and the new Data Sources page.
-
Reorganization of Inventory pages as in-page tabs for quick access.
-
The Network Map page is now moved to the Network category for improved contextual visibility.
Improvements
Less Rebooting Operations
-
OT Security will reboot less often for various configuration changes. Whenever a system restart is necessary, OT Security will opt for an application restart instead.
Support for Microsoft Hyper-V Deployments
-
You can now deploy OT Security as a virtual machine using a .zip file on Microsoft Hyper-V.
Supporting KVM, Proxmox, Nutanix, libvirt Deployments
-
OT Security can now be deployed using qcow2 image files to enable support for KVM-based virtualization platforms.
Tenable Software Updates
The embedded Tenable applications, Nessus, and Nessus Network Monitor are now upgraded to their latest releases.
New Content
Vulnerabilities
Tenable identifies several new vulnerabilities in this release. See the complete list here.
New Tenable OT Security Device Fingerprint Engine (DFE) Coverage
| Vendor | Product |
|---|---|
| ABB | AC Series Drives |
| Automated Logic Corp |
WebCtrl Industrial Gateways WebCtrl BMS Controllers Optiflex for WebCtrl |
| Benning | Monitoring Control Unit (MCU) |
| Cisco | Small Business Switches |
| Dahua Security | Cameras and Video Recorders |
| Ingeteam | INGECON Sun Solar Inverters |
| Microhard | Cellular Modems |
| Schneider | Powerlogic HDPM |
| Schneider Electric |
ACM Power Meters PowerLogic EGX |
| Siemens | Siprotec5 Ethernet Communication Modules |
| Walchem | WMT Cooling Tower Controllers |
Bug Fixes
| Bug Fix | Defect ID |
|---|---|
| OT Security does not update the Last Seen timestamp on assets that the IoT Connector reported as Offline. | N/A |
| OT Security removed a limitation on the number of tags captured during a PLC Code Snapshot from the Rockwell ControlLogix devices. | N/A |
| Reverting to a version earlier than 4.2 no longer fails because of Tenable Core dependencies. | N/A |
| The SNMPv3 credentials now correctly fetch SNMP port state or SNMP-connected neighbors. | N/A |
| Some vulnerability plugins now show the status correctly as active or fixed for a single asset. | 482636 |
API Changelog
For more information about OT Security APIs, see the API documentation.
Enum value discontinuedDate was added to enum AggregationsAssetsField
Enum value hardwareState was added to enum AggregationsAssetsField
Enum value lifecycleStatus was added to enum AggregationsAssetsField
Enum value replacementProduct was added to enum AggregationsAssetsField
Enum value discontinuedDate was added to enum AssetField
Enum value hardwareState was added to enum AssetField
Enum value lifecycleStatus was added to enum AssetField
Enum value replacementProduct was added to enum AssetField
Enum value OtAgent was added to enum AssetSourceType
Enum value ReadOtAgents was added to enum Capability
Enum value ReadOverlappingIps was added to enum Capability
Enum value WriteOtAgents was added to enum Capability
Enum value WriteOverlappingIps was added to enum Capability
Enum value EmUpdateRequired was added to enum ErrorCategory
Enum value LicenseInactive was added to enum ErrorCategory
Enum value discontinuedDate was added to enum LinkField
Enum value hardwareState was added to enum LinkField
Enum value lifecycleStatus was added to enum LinkField
Enum value replacementProduct was added to enum LinkField
Enum value id was added to enum LogRecordField
Argument options: AgentAddOptionsParams added to field Mutation.addAgentIotConnector
Argument options: AgentEditOptionsParams added to field Mutation.editAgentIotConnector
Enum value OtAgent was added to enum OpenPortsSource
Enum value discontinuedDate was added to enum PluginsAssetsField
Enum value hardwareState was added to enum PluginsAssetsField
Enum value lifecycleStatus was added to enum PluginsAssetsField
Enum value replacementProduct was added to enum PluginsAssetsField
Argument countTimeout: Int (with default value) added to field Query.origins
Argument filter: OriginExpressionsParams added to field Query.origins
Argument search: String added to field Query.origins
Argument slowCount: Boolean added to field Query.origins
Argument sort: [OriginSortParams!] added to field Query.origins
Enum value BACnet was added to enum RelationshipType
Enum value Gateway was added to enum RelationshipType
Enum value SnmpCrawler was added to enum RelationshipType
Input field queryNeighbors of type Boolean was added to input object type SnmpOptionsParams
Enum value assetDiscontinuedDate was added to enum findingField
Enum value assetHardwareState was added to enum findingField
Enum value assetLifecycleStatus was added to enum findingField
Enum value assetReplacementProduct was added to enum findingField
Type AgentAddOptionsParams was added
Field hasVmsCredentials was added to object type AgentConnector
Field version was added to object type AgentConnector
Field vmsConnectionStatus was added to object type AgentConnector
Field vmsDbIp was added to object type AgentConnector
Field vmsDbPort was added to object type AgentConnector
Field vmsPassword was added to object type AgentConnector
Field vmsUsername was added to object type AgentConnector
Type AgentEditOptionsParams was added
Type AgentVmsConnectionStatus was added
Field discontinuedDate was added to object type Asset
Field hardwareState was added to object type Asset
Field lifecycleStatus was added to object type Asset
Field replacementProduct was added to object type Asset
Type AssetRelationshipBacnetDetails was added
Type AssetRelationshipGatewayDetails was added
Type AssetRelationshipSnmpCrawlerDetails was added
Field version was added to object type ExacqConnector
Field FlagList.graphQLToggle is deprecated
Field FlagList.graphQLToggle has deprecation reason Deprecated since 4.2, flag not used anymore
Directive deprecated was added to field FlagList.graphQLToggle
Field FlagList.initialized is deprecated
Field FlagList.initialized has deprecation reason Deprecated since 4.2, flag not used anymore
Directive deprecated was added to field FlagList.initialized
Field FlagList.ipChange is deprecated
Field FlagList.ipChange has deprecation reason Deprecated since 4.2, flag not used anymore
Directive deprecated was added to field FlagList.ipChange
Type HardwareState was added
Field version was added to interface IotConnectorInfo
Field discontinuedDate was added to object type LeanAsset
Field hardwareState was added to object type LeanAsset
Field lifecycleStatus was added to object type LeanAsset
Field replacementProduct was added to object type LeanAsset
Field version was added to object type MilestoneConnector
Field version was added to object type MobotixConnector
Field bulkEditSensors was added to object type Mutation
Directive deprecated was added toArgument location of field initSystem in type Mutation
Directive deprecated was added toArgument time of field initSystem in type Mutation
Field reloadAuthProviderAfterChange was added to object type Mutation
Field supportActive was added to object type Origin
Type OriginExpressionsParams was added
Type OriginSelectField was added
Type OriginSortParams was added
Type OriginSortParamsComplexFields was added
Type SensorsBulkAction was added
Field queryNeighbors was added to object type Snmp
Field id was added to object type SystemLog
Field SystemLog.timeStamp is deprecated
Field SystemLog.timeStamp has deprecation reason Use lowercase timestamp instead
Directive deprecated was added to field SystemLog.timeStamp
Field timestamp was added to object type SystemLogFilenames and MD5 or SHA-256 checksums are posted at OT Security Downloads page.
Tenable OT Security 4.1.45 SP (2025-03-19)
Bug Fixes
| Bug Fix | Defect ID |
|---|---|
| OT Security now ensures that assets are no longer incorrectly classified as Dahua IP Camera. | NA |
| Creating new or duplicate Network Baseline Deviation policy now works as expected. | NA |
| The Executive Report function now generates reports without any issues. | NA |
| During upgrades, OT Security ensures that the current Influx process completes loading before running more Influx setup scripts. | NA |
| OT Security ensures that BACnet assets with missing instance IDs now display them as expected. | NA |
Tenable OT Security 4.1.38 (2025-02-20)
New Features
Overlapping IP Address Support
-
In networks that reuse the same IP address ranges, OT Security prevents unintended asset merging by using sensors to differentiate them.
-
Each instance of a network reusing IP ranges requires a dedicated sensor. For example, three production lines with identical IP configurations would need three separate sensors to ensure asset distinction for each process line.
For more information, see Duplicated Internal Networks.
IEC Substation Visibility
-
You can now import substation configuration data to enhance the asset inventory, enabling OT Security to deliver critical security insights into substation misconfigurations. For more information, see SCD Files.
Improved Nessus VM Scan Controls
Tenable now introduces the following new configuration options for user-defined Nessus Scans in OT Security. When creating a scan, you can adjust its speed, verbosity, and intensity. For more information, see Nessus Plugin Scans.
-
Thorough Tests
-
When performing a scan, Nessus can run additional in-depth checks on the system. Enabling this option enhances the thoroughness of the scan but also increases its duration.
-
Periodic use of Thorough scans benefits the "AI Aware" functionality in OT Security.
-
-
Higher Verbosity
-
Some plugins can produce a more data-rich output during a scan. However, you must enable this setting for the plugin to include the additional data in their plugin output.
-
When you select this option, the scan output includes the informational plugins: 56310, 64582, and 58651.
-
-
Scan Performance
-
Tenable now enables administrators to customize individual Nessus scan performance. These settings include the number of plugins evaluated against a target at the same time, concurrent scan target count, and timeout in seconds.
-
Lowering the max checks and max hosts values can reduce the impact of a scan. However, it can also increase the scan duration.
-
AI Aware Detections
Tenable's new AI detection features help you monitor your artificial intelligence applications and services. OT Security obtains data from your credentialed scans and then shows them on the Findings or Vulnerabilities workbenches.
Compliance Dashboard: NERC-CIP support
The Compliance dashboard now supports mapping controls within NERC CIP that are detectable with OT Security.
Enterprise Manager — Centralized Updates
Starting with the OT Security EM 4.1 release, system administrators can remotely upgrade their paired ICPs (running version 4.0 or later) to the same version as the EM. For more information, see ICP Updates.
This feature was added in OT Security 4.0 but functional from version 4.1.
Improvements
CVSSv3 Scores on Findings — The Findings and Vulnerabilities tables now includes an additional column for CVSSv3.
Inventory "Select All" — The Select All checkbox is reinstated to the Inventory page for easier multiple selection.
Sensor Active Queries— Bulk Configuration —You can now bulk select and enable or disable the sensor active query behavior.
Network Ports Configuration — Configure network ports through the Tenable Core Cockpit interface on port 8000. You can now review and configure the roles of each network interface outside the application. For example: enabling split ports.
New Content
Vulnerabilities
Tenable identifies several new vulnerabilities in this release. See the complete list here.
New Tenable OT Security Device Fingerprint Engine (DFE) Coverage
| Vendor | Product |
|---|---|
| Moxa | MGate 5000 Series |
| Sprecher Automation | RTU |
| Elspec | G5 Digital Fault Recorder |
| Wiesemann & Theis | ComServer |
| Honeywell | Experion C300PM, C300OM |
| Wago | Controllers 750, PFC |
API Changelog
For more information about OT Security APIs, see the API documentation.
Field ntpChange was removed from object type FlagList
Field ntpFault was removed from object type FlagList
Field ntpServersUnreachable was removed from object type FlagList
Field emSetSystemTime was removed from object type Mutation
Argument keepNetworkConfig: Boolean! was removed from field Mutation.factoryReset
Field setSystemTime was removed from object type Mutation
Input field origins of type [String!] was added to input object type AssetDiscoveryOptionsParams
Enum value Scd was added to enum AssetSourceType
Enum value AlreadyExists was added to enum ErrorCategory
Enum value ContentTooBig was added to enum ErrorCategory
Enum value FailedToAllocateOverlapping was added to enum ErrorCategory
Enum value NotContainingAnyAssets was added to enum ErrorCategory
Enum value OverlappingNetsAlreadyInOrigin was added to enum ErrorCategory
Enum value Processing was added to enum ErrorCategory
Member IEC61850SubscribeFailure was added to Union type EventDetails
Member IEC61850UnauthorizedWrite was added to Union type EventDetails
Enum value IEC61850 was added to enum ExclusionType
Enum value IEC61850SubscriptionFailure was added to enum IDSSrcDstEvent
Enum value IEC61850UnauthorizedWrite was added to enum IDSSrcDstEvent
Enum value awaitingFirstUse was added to enum IcpSensorField
Enum value origin was added to enum IcpSensorField
Argument origins: [String!] added to field Mutation.editNessusUserScan
Argument settings: NessusUserScanSettingsArgs added to field Mutation.editNessusUserScan
Argument origin: ID added to field Mutation.editSensor
Argument origins: [String!] added to field Mutation.newNessusUserScan
Argument settings: NessusUserScanSettingsArgs added to field Mutation.newNessusUserScan
Argument origin: String added to field Mutation.testAdHocBasicCredentials
Argument origin: String added to field Mutation.testAdHocPasswordOnlyCredentials
Argument origin: String added to field Mutation.testAdHocSnmpV2Credentials
Argument origin: String added to field Mutation.testAdHocSnmpV3Credentials
Argument origin: String added to field Mutation.testCredentials
Enum value cvss3Score was added to enum PluginField
Enum value cvss3Score was added to enum PluginsAssetsField
Enum value IEC61850SubscriptionFailure was added to enum PolicyEventType
Enum value IEC61850UnauthorizedWrite was added to enum PolicyEventType
Argument origins: [String!] added to field Query.getDiscoveryEstimation
Argument dbOnly: Boolean added to field Query.nessusUserScan
Argument dbOnly: Boolean added to field Query.nessusUserScans
Enum value SensorAwaitingFirstUse was added to enum RemovableFlags
Enum value pluginCvss3Score was added to enum findingField
Field origins was added to object type AssetDiscovery
Field scdSubscriptionsRecoByIedCsvIsRunning was added to object type FlagList
Field scdSubscriptionsRecoCsvIsRunning was added to object type FlagList
Field sensorAwaitingFirstUse was added to object type FlagList
Type IEC61850Exclusion was added
Type IEC61850SubscribeFailure was added
Type IEC61850UnauthorizedWrite was added
Type IcpUpdateStatus was added
Type IecReportClient was added
Type IecReportClientConnection was added
Type IecReportClientEdge was added
Field bulkEditSensorActive was added to object type Mutation
Field createOrigin was added to object type Mutation
Field deleteOrigin was added to object type Mutation
Field deleteOverlappingNetworks was added to object type Mutation
Field newIEC61850Exclusion was added to object type Mutation
Field scdMisconfigRecommendationByIedCsv was added to object type Mutation
Field scdMisconfigRecommendationCsv was added to object type Mutation
Field scdSubscriptionsRecommendationByIedCsv was added to object type Mutation
Field scdSubscriptionsRecommendationCsv was added to object type Mutation
Field updateOverlappingNetworks was added to object type Mutation
Field updateOverlappingPool was added to object type Mutation
Field origins was added to object type NessusUserScan
Field settings was added to object type NessusUserScan
Type NessusUserScanSettings was added
Type NessusUserScanSettingsArgs was added
Type NetworkUpdateInput was added
Type Origin was added
Type OriginConnection was added
Type OriginEdge was added
Field cvss3Score was added to object type Plugin
Field iecCanUploadScd was added to object type Query
Field iecReportsByAssetId was added to object type Query
Field iecScdsInfo was added to object type Query
Field isAssetIec was added to object type Query
Field origin was added to object type Query
Field origins was added to object type Query
Field overlappingPool was added to object type Query
Field scdRecommendationsCount was added to object type Query
Field scdRecommendationsCountByIed was added to object type Query
Field itemsCount was added to object type RuleGroup
Type ScdInfo was added
Type ScdInfoConnection was added
Type ScdInfoEdge was added
Type ScdRecommendations was added
Type SensorActiveAction was added
Field origin was added to object type SensorDetails
Field updateStatus was added to object type Update
Type thoroughTestsType was added
Type verbosityType was addedFilenames and MD5 or SHA-256 checksums are posted at OT Security Downloads page.