Creating an OT cyber asset inventory is not a one-week task, and it may not be the right thing for you to do at this time. This week’s task is to determine what OT cyber asset inventory you are committed to achieving and maintaining over the next year, and, at a high level, what tools and techniques you will use to create and maintain the asset inventory.
Last week you identified the current state of your OT cyber asset inventory. What will be the state of your OT cyber asset inventory at the end of 2026?
- What OT cyber assets will be in the asset inventory? I recommend at least the cyber assets in your Priority and Maintenance security patching groups. For the remainder of the OT cyber assets, what will the benefit be of having them in the asset inventory? Do you need every panel in the asset inventory? Every serial-to-ethernet gateway? Every Level 1 or Level 2 device with an Ethernet port?
- What detail will be collected and maintained for each OT cyber asset in the inventory? What are the columns in your spreadsheet or fields in your database? Again, think about how this information will be used, and remember this is a commitment. Don’t feel obligated to include every detail you can think of or see in a standard or guideline document.
Note: You may have different levels of detail for different cyber asset types. For example, you may require only IP address and physical location for OT cyber assets in the Support patching category. Or you may require more hardware details for Level 1 devices. The level of detail should be based on the cost of creating and maintaining that level of detail and the benefit of each detail.
- How will the detail for the OT cyber asset inventory be collected? Manual inspection? Network monitoring? Device scanning? A combination of these methods? When will the initial entry of the asset inventory you commit to be completed?
- How will the asset inventory be maintained and audited? What role(s) is responsible for this? Is it integrated into the change control process? Will you be monitoring the system for unauthorized changes?
The OT security team may lead this effort or participate in it. Either way, Operations should be involved. There will likely be asset inventory fields that are more important to Operations and less important to OT security. Engineers and Technicians will receive as much benefit from having an OT cyber asset inventory as OT security, or more. And Operations will be responsible for the changes and updates to the OT cyber asset inventory.
Your notes from this week’s questions.