Vulnerabilities within Industrial Control Systems (ICS) and Critical National Infrastructure (CNI) represent a significant safety, ecological and economical risk to owners, operators and nation states. Numerous examples from recent years are available to demonstrate that these vulnerabilities are being exploited by threat actors. One of the first steps required when securing legacy infrastructures is to obtain a complete asset (device) inventory, as is it impossible to protect a system without first understanding its content and connectivity. ICS environments offer significant challenges to the automated and safe discovery of network connected devices. Legacy ICS-based network services are often very fragile and networks are often sensitive to increased traffic, latency or interference, precluding the use of active scanning technologies. The decentralised nature of ICS traffic flows alongside the lack of capability of legacy network equipment make the use of standard passive scanning technologies difficult. This paper presents an overview and understanding of passive ICS discovery and provides the results of an experiment to show how existing passive scanning tools fare in an ICS environment in which port mirroring technologies are not ubiquitously supported.