React Less. Defend More.

OT Asset Inventory

Take a more proactive approach to protect your OT assets by understanding them better.

OT Asset Discovery and Inventory Overview

“OT Asset Inventory” refers to a comprehensive list of all operational technology (OT) assets in an organisation. OT assets include physical devices and equipment, such as controllers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), and other industrial control systems (ICS) that are used to control, monitor, and manage industrial processes.

We provide a comprehensive data discovery/collection service that results in a complete listing of your OT assets and systems. We achieve this via efficient work processes including leveraging asset discovery technologies in a manner that is non-intrusive to production operations.

Having an accurate asset inventory enables effective evaluation of risk exposure and obsolescence management.

OT Cyber Security 101: “You cannot secure what you cannot see!”

Importance of Asset Inventory in an OT Environment

The importance of an OT asset inventory cannot be overstated. Here are a few reasons why:

  1. Security: OT systems are critical to the functioning of an organisation and often control processes that have safety implications. A comprehensive inventory of these systems helps organisations to identify and prioritise vulnerabilities, enabling them to implement the necessary security measures to protect against cyber attacks.
  2. Compliance: Many industries have regulations and standards that require organizations to keep an inventory of their OT assets. This helps to ensure that these systems are properly maintained and secure.
  3. Maintenance and Upgrades: Keeping an accurate inventory of OT assets enables organisations to plan for maintenance and upgrades. This helps to ensure that these systems are functioning optimally and reduces the risk of downtime or unexpected failure.
  4. Resource Management: An OT asset inventory provides organisations with a clear picture of the resources they have at their disposal, enabling them to make informed decisions about resource allocation and utilisation.
  5. Improved Decision Making: An accurate and up-to-date OT asset inventory provides organisations with the information they need to make informed decisions about future investments in technology, ensuring that they are well-positioned for growth and success.

An OT asset inventory is a crucial component of an organisation’s overall operational strategy, providing a clear understanding of their technology resources, enabling effective security, compliance, maintenance, resource management, and decision-making.

Key Benefits of an OT Asset Inventory

An asset inventory provides organisations with a comprehensive understanding of their resources, enabling them to make informed decisions about resource utilisation, improve security, meet compliance requirements, and drive efficiency and growth.

  1. Improved Asset Management: An accurate asset inventory provides organisations with a comprehensive understanding of their assets, enabling them to better manage, maintain, and utilise these resources.

  2. Increased Efficiency: By having a clear understanding of their assets, organisations can streamline processes, reduce downtime, and make more informed decisions about resource allocation.

  3. Enhanced Security: An asset inventory helps organisations identify and prioritise vulnerabilities, enabling them to implement the necessary security measures to protect against cyber attacks and other threats.

  4. Better Financial Management: An asset inventory provides organisations with the information they need to accurately track and manage their expenses, improving budgeting and financial planning.

  5. Compliance: Many industries have regulations and standards that require organisations to keep an inventory of their assets. An accurate inventory helps organisations to meet these requirements and maintain compliance.

  6. Improved Decision-making: An accurate and up-to-date asset inventory provides organisations with the information they need to make informed decisions about future investments and resource allocation, enabling them to stay ahead of the curve and remain competitive.

  7. Better Resource Utilisation: An asset inventory enables organisations to identify underutilised or obsolete assets, allowing them to repurpose or dispose of these resources, improving efficiency and reducing waste.

Deliverables from our OT Asset Inventory Service

The key deliverables of an asset inventory in an industrial network can vary depending on the specific needs and goals of the organisation, but typically include:

  • Asset List: A comprehensive list of all the assets in the industrial network, including their type, location, manufacturer, model, serial number, and other relevant information.
  • Asset Map: A visual representation of the industrial network, showing the location and interconnections of all assets, including control systems, PLCs, HMIs, and other equipment.
  • Vulnerability Assessment: A risk assessment of the industrial network, identifying vulnerabilities and potential threats, and prioritising these based on their level of risk.
  • Configuration Management: Documentation of the configuration and settings of all assets in the network, providing a baseline for future assessments and ensuring consistent operation.
  • Maintenance Plan: A plan for ongoing maintenance and upgrades of assets in the network, ensuring that these systems are functioning optimally and reducing the risk of downtime or unexpected failure.
  • Compliance Documentation: Documentation of compliance with industry regulations and standards, ensuring that the industrial network meets the required standards and minimising the risk of penalties or other penalties.
  • Training Material: Training material for operators and maintenance personnel, providing the knowledge and skills necessary to effectively manage and maintain the industrial network.

These key deliverables provide organisations with a comprehensive understanding of their industrial network, enabling them to make informed decisions about resource utilisation, improve security, meet compliance requirements, and drive efficiency and growth.

An OT asset inventory is a maintained aggregation of hardware and software data operating in industrial control system environments.

Typically only items with a TCP/IP network connection are listed with associated details relevant to cyber related run and maintain activities. For example, Operation System (OS) patch levels, backup frequency, Anti-Malware update frequency etc.

An ICS asset inventory is a maintained aggregation of hardware and software data operating in industrial control system environments.

Typically only items with a TCP/IP network connection are listed with associated details relevant to cyber related run and maintain activities. For example, Operation System (OS) patch levels, backup frequency, Anti-Malware update frequency etc.

The ability for organisations to properly and consistently identify and consistently manage data, personnel, devices, systems, and facilities based on their relative importance to provide the foundational capability to support an organizational cybersecurity program.” *

* NIST 800-82 SpecialPublication, Revision 3, Guide to Operational Technology Security , InitialPublic Draft” NIST, April 2022

In OT environments, digital assets impact the physical world. OT asset management helps ensure safety if an unintended or unauthorised change occurs in a device or system. Accurate asset data and security baselines are also the foundation of a strong cybersecurity program.

You can’t protect what you don’t know you have. Maybe that seems obvious, but if you do not have an asset inventory or your asset inventory is not managed and kept up-to-date, you run the risk of not knowing what is connected to your network.

The ability to track and audit your inventory is a baseline requirement for most security standards. These standards all have an element of risk assessment that requires an understanding of threats, vulnerabilities and of course assets.

OT asset inventory is important for several reasons. Firstly, it provides an organization with a clear understanding of its OT infrastructure, which is necessary for effective security management. Secondly, it helps an organisation identify potential security vulnerabilities and implement appropriate security controls to mitigate these risks. Finally, it enables an organisation to comply with various regulations and standards that require comprehensive inventory of OT assets.

Effective cyber security in OT requires a deep foundation of asset information.

Without comprehensive asset inventory management, organisations operate on a unsteady footing: Essentially they don’t know the true security status of their environment and are unable to conduct effective security management at scale.

Security regulations for critical systems, such as the EU NIS directive and NERC-CIP, require an asset inventory as a base for risk management.

The key steps involved in conducting an OT asset inventory include:

Identifying all assets: This involves creating a comprehensive list of all OT assets within the organisations infrastructure, including devices, systems, and networks.
Classifying assets: Once all assets have been identified, they need to be classified based on their criticality, function, and other relevant factors.
Mapping assets: Mapping the assets involves understanding how they are interconnected and how they interact with other systems and devices.
Documenting assets: All identified assets need to be documented in a central repository, which can be used for future reference.
Maintaining the inventory: The OT asset inventory needs to be regularly updated to reflect changes in the organization’s infrastructure, such as the addition or removal of devices, systems, or networks.

Some common challenges associated with conducting an OT asset inventory include:

Lack of visibility: OT assets are often dispersed across multiple locations and can be difficult to identify and locate.
Lack of standardization: OT assets can have different makes, models, and configurations, making it difficult to develop a standardized inventory.
Limited documentation: OT assets may not be fully documented, making it challenging to understand their function and interconnectivity.
Lack of expertise: Conducting an OT asset inventory requires specialized expertise in both OT and IT, which can be difficult to find within an organization.

Engaging cross-functional teams: This involves bringing together teams with expertise in both OT and IT to ensure a comprehensive inventory.
Using automated tools: Automated tools can help identify and track OT assets, making the inventory process more efficient and accurate.
Establishing clear processes: Clear processes should be established for identifying, classifying, mapping, and documenting assets, to ensure consistency and accuracy.
Regularly updating the inventory: The inventory should be regularly updated to reflect changes in the organization’s infrastructure.
Prioritising critical assets: Critical assets should be given priority in the inventory process, as they pose the greatest risk to the organization.

  1. Forescout CounterACT: Forescout is known for its network visibility and access control solutions. It’s capable of automatically discovering and classifying devices on a network.

  2. Tripwire Industrial Visibility: Tripwire‘s solution is designed specifically for OT environments. It provides asset discovery, inventory management, and vulnerability assessment.

  3. CyberX: CyberX specialized in OT security and provided tools for asset discovery and inventory management in industrial environments.

  4. Nozomi Networks: Nozomi offers solutions for OT and IoT security, including asset discovery and inventory management.

  5. Claroty: Claroty provides solutions for OT security, including asset discovery and vulnerability management.

  6. Tenable: Tenable, focused on industrial as well as IT cybersecurity, including asset inventory