Device Mode Transition Detected (Critical)

critical Tenable OT Security Plugin ID 503193

Synopsis

A device mode transition has been detected on the OT asset.

Description

The state of the controller code changed, regardless of the state expected by the process. When not part of scheduled maintenance, forcing can be used to introduce hard-to-detect, long-lasting changes that are harmful to operations.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

1) Check whether the transition was made as part of scheduled maintenance work and verify that the source of the operation is approved to perform this operation.

2) Verify with an OT engineer that the forced value matches the desired value.

3) If this was not part of a planned operation, check the source asset of the event to determine if it has been compromised.

Plugin Details

Severity: Critical

ID: 503193

Version: 1.1

Type: remote

Published: 5/5/2025

Updated: 5/5/2025

Supported Sensors: Tenable OT Security