After you've identified the specific vulnerability, you can look for the criteria that makes the asset vulnerable. Some vulenabiltiies have to be on certain versions or have a specific registry value. This is the proof that it exists. You can also test them through pen testing, as well, but it's not completely necessary unless you must provide a proof of concept.
@@shozafwali5672 I haven't worked with OT, but I know there are a lot of issues with vulnerabilities. Since OT may run 24/7, I would hope there would be redundancy, and one could plan a time to test them. I hope this answers your question.