Many OT security standards and guideline documents list creating an OT cyber asset inventory as one of the first tasks to tackle and as one of the key critical controls. As you can tell from this book, I disagree. An OT cyber asset inventory is not a direct risk reduction activity, and many of the most efficient risk reduction activities do not require one. Even the vast majority of the risk reduction achieved through security patching, which comes from patching the small percentage of cyber assets in the Priority category, does not require an OT cyber asset inventory.

As your OT security program matures, an OT cyber asset inventory is necessary to perform the next tasks as prioritized by efficient risk reduction.

Your task this week is not to create an OT cyber asset inventory. The task is to evaluate the current OT cyber asset inventory. 


Answer the following questions:

  1. Is there a documented OT cyber asset inventory? If yes, what is the format of the asset inventory? (a spreadsheet, database, asset inventory tool, or something else?)
  1. Approximately what percentage of the OT cyber assets in each patching category (Priority, Maintenance, Support) are in the asset inventory?
  1. What detail is in the asset inventory for most cyber assets? (e.g. IP address, physical location, administrator name and contact info, OS, OS version, applications, application versions, hardware, …)
  1. How accurate is the asset inventory? (Based on a sample of between 5 and 10 OT cyber assets)