
Why OT Asset Inventory is Step Zero for Any Security Program

You can't protect what you can't see. Building a reliable OT asset inventory is harder than in IT — passive discovery, engineering workstations, legacy PLCs — but it's non-negotiable. Here's how we approach it.

January 8, 2026 · 6 min read · Alsensio Team

Every meaningful security program starts with knowing what you have. In IT, asset management is a largely solved problem: Active Directory, SCCM, MDM platforms and network scanners will enumerate most of the estate. In OT, it's a persistent challenge that most sites underestimate.

The consequences of a poor asset inventory in OT are significant: you can't conduct a credible risk assessment without it, you can't perform IEC 62443 zone modeling without it, and you can't detect anomalies on your network if you don't know what normal looks like.

Why OT Asset Inventory Is Harder

Legacy equipment without network awareness. Serial-connected PLCs from the 1990s have no IP stack and cannot respond to network probes; to a network sensor they are invisible behind the gateway or HMI that talks to them. Their existence may be known only to the engineer who commissioned them decades ago.

Active scanning is dangerous. In IT, you scan the network. In OT, an unexpected or malformed packet can hang an embedded controller's TCP/IP stack, push a PLC into a fault state, or disrupt the process it controls, because many controllers were never designed to handle anything beyond their expected protocol traffic. Broad active scanning with the standard IT toolset is therefore off the table; where active queries are used at all, they are protocol-aware, vendor-approved and scheduled in a maintenance window.

Engineering workstations contain the authoritative data. The PLC program, the DCS configuration, the SIS I/O list — these define what's in the field. But engineering workstations are often not centrally managed and may contain projects from five generations of engineers.

Vendor-managed systems. Many OT assets are maintained by the original vendor, not site staff. The site may not even know the firmware version of their safety controllers.

Undocumented modifications. Process plants change continuously. A modification in 2018 may not be fully reflected in as-built documentation.

The Four Sources of OT Asset Data

An effective OT asset inventory combines four sources:

1. Network Passive Discovery

Deploy a passive network monitoring sensor (Claroty, Dragos, Nozomi Networks, or similar) fed from a SPAN/mirror port or a network TAP, so it captures traffic without transmitting anything onto the control network. These tools identify assets, protocols and communication patterns from traffic analysis alone, and infer vendor, model and firmware version where the protocol exposes them (engineering and diagnostic traffic is the usual source; a device that only ever answers polling requests may reveal little).

Passive discovery covers the assets that are actively communicating on segments the sensor can see. It misses devices that are powered but silent, segments without a mirror port or TAP, and serial-only devices behind a gateway.

2. Engineering Documentation

Pull asset lists from:

  • DCS / PLC configuration databases (instrument tags, module lists)
  • Safety system I/O lists and cause-and-effect diagrams
  • P&ID drawings (for field instrument inventory)
  • Electrical single-line diagrams (for MCC, VFD, and motor control inventory)
  • Instrument index / tag register

This data is often held in multiple systems and may require reconciliation. Engineering documentation gives you the designed state; passive discovery gives you the actual state. Differences between the two (a device on the wire that no document mentions, a controller running a different firmware than the project file records, a registered asset that never appears in traffic) are security findings in themselves.

3. Physical Walkdown

For critical systems, there is no substitute for a physical walkdown with a clipboard and camera. Unlabeled devices, undocumented cables, and field modifications are only visible in person.

Focus physical walkdowns on:

  • Control panels and marshalling cabinets
  • Remote I/O racks
  • Substations and switchgear
  • Areas with known modification history

4. Vendor Documentation

Collect from vendors:

  • Bill of materials for installed systems
  • Firmware and software version lists
  • CVE advisories relevant to your installed versions
  • Supported/end-of-life status for hardware and software

For critical infrastructure, this data belongs in your asset register — not just in a vendor portal you have intermittent access to.

What to Record Per Asset

Minimum attributes for each asset:

| Attribute | Why It Matters |
|-----------|----------------|
| Asset name / tag | Primary identifier |
| Asset type | PLC, DCS, HMI, safety controller, network device, etc. |
| Vendor | For CVE tracking |
| Model | For firmware applicability |
| Firmware / software version | Required for vulnerability assessment |
| IP address (if networked) | For network diagram correlation |
| Location | Panel, building, unit |
| Responsible party | Vendor-managed or site-maintained |
| Criticality | Safety, production critical, auxiliary |
| End-of-life status | Supported, extended support, EOL |
| Last modified date | Change tracking |

Connecting the Inventory to IEC 62443

Once you have an asset inventory, you can:

  1. Assign assets to zones — the inventory is the input to zone modeling (IEC 62443-3-2). Without it, zone boundaries are guesswork.
  2. Perform vulnerability assessment — cross-reference firmware versions against vendor advisories and CISA ICS advisories (formerly ICS-CERT).
  3. Prioritize remediation — focus patching and hardening on highest-criticality, highest-vulnerability assets first. Where a patch is unavailable or cannot be applied (EOL hardware, vendor-restricted firmware, no outage window), record the compensating control instead: segmentation, access restriction, monitoring.
  4. Support incident response — when an anomaly is detected, you need to know which asset it is, who manages it, and what it's connected to.
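Steps 2 and 3 as an added example (not Alsensio's tooling): cross-reference each asset's installed firmware against a set of advisories, then rank the exposed assets. Every vendor, model, version and advisory identifier here is constructed and refers to no real product; the dotted numeric version format and the safety > production > auxiliary ranking are assumptions stated in the code.

```python
"""Cross-reference an OT asset register against vendor advisories and rank
the exposed assets for remediation (steps 2 and 3 above).

Added example: not Alsensio's tooling. Every vendor, model, version and
advisory identifier below is constructed; none refers to a real product."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    tag: str
    asset_type: str
    vendor: str
    model: str
    firmware: str
    criticality: str   # "safety" | "production" | "auxiliary"
    support: str       # "supported" | "extended" | "eol"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    model: str
    affected_below: str       # every version strictly below this is affected
    fixed_in: Optional[str]   # None when the vendor ships no fix


# Assumption: dotted numeric versions only. Real OT firmware strings
# ("V4.2 SP1", "2.10.3-r5") need a vendor-specific parser.
def parse_version(v: str) -> tuple[int, ...]:
    """'2.10.0' -> (2, 10, 0), so that 2.10 sorts above 2.9 (a plain string
    comparison would put it below and mis-flag the newer firmware)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.vendor == adv.vendor and asset.model == adv.model
            and parse_version(asset.firmware) < parse_version(adv.affected_below))


def cross_reference(assets: list[Asset], advisories: list[Advisory]) -> dict[str, list[Advisory]]:
    """Step 2: map each exposed asset tag to the advisories its firmware matches."""
    hits: dict[str, list[Advisory]] = {}
    for asset in assets:
        matched = [adv for adv in advisories if is_affected(asset, adv)]
        if matched:
            hits[asset.tag] = matched
    return hits


# Assumption: safety systems outrank production, which outranks auxiliary.
CRITICALITY_RANK = {"safety": 0, "production": 1, "auxiliary": 2}


def prioritize(assets: list[Asset], advisories: list[Advisory]) -> list[dict]:
    """Step 3: rank exposed assets by criticality, then by number of matching
    advisories. Where no patch path exists (EOL device or an advisory without
    a fix) the action is a compensating control, not a patch."""
    by_tag = {a.tag: a for a in assets}
    rows = []
    for tag, advs in cross_reference(assets, advisories).items():
        asset = by_tag[tag]
        patchable = asset.support != "eol" and all(adv.fixed_in for adv in advs)
        if patchable:
            target = max((adv.fixed_in for adv in advs), key=parse_version)
            action = f"patch to {target}"
        else:
            action = "no vendor fix or EOL: isolate, restrict access, monitor"
        rows.append({"tag": tag, "criticality": asset.criticality,
                     "advisories": [adv.advisory_id for adv in advs],
                     "action": action})
    rows.sort(key=lambda r: (CRITICALITY_RANK[r["criticality"]],
                             -len(r["advisories"]), r["tag"]))
    return rows


# Constructed sample register and advisory feed.
REGISTER = [
    Asset("SIS-01", "safety controller", "ExampleCo", "SafePLC-9", "3.2.0", "safety", "supported"),
    Asset("PLC-101", "PLC", "ExampleCo", "CtrlPLC-5", "2.9.1", "production", "extended"),
    Asset("PLC-102", "PLC", "ExampleCo", "CtrlPLC-5", "2.10.0", "production", "extended"),
    Asset("HMI-01", "HMI", "OtherCo", "Panel-7", "1.4.2", "auxiliary", "eol"),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleCo", "CtrlPLC-5", "2.10.0", "2.10.0"),
    Advisory("ADV-EXAMPLE-002", "ExampleCo", "SafePLC-9", "3.3.0", "3.3.0"),
    Advisory("ADV-EXAMPLE-003", "OtherCo", "Panel-7", "2.0.0", None),
    Advisory("ADV-EXAMPLE-004", "ExampleCo", "CtrlPLC-5", "2.8.0", "2.8.0"),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER, ADVISORIES):
        print(f"{row['tag']:8} {row['criticality']:11} {','.join(row['advisories']):20} {row['action']}")
```

Note that PLC-102 on 2.10.0 is correctly left out: a lexical comparison of version strings would have flagged it against both advisories, which is exactly the kind of false positive that erodes trust in the vulnerability list. The EOL HMI gets a compensating-control action rather than a patch target, which is what the register's end-of-life column is for.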

Maintaining the Inventory

An OT asset inventory is only useful if it stays current. Build maintenance into your management of change (MOC) process:

  • Any modification to the OT network or control system must include an inventory update
  • Quarterly reconciliation: compare the passive discovery tool's asset list against the register and investigate discrepancies
  • Annual physical audit for critical systems

The inventory is a living document, not a one-time project.
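The designed-versus-actual comparison from the engineering documentation section and the quarterly reconciliation above, as an added example that is not part of the original post and mirrors no vendor's export format. The register rows, sensor observations, IP addresses, protocol names and the 90-day staleness threshold are all constructed assumptions. It reports in both directions, and deliberately excludes serial-only assets from the "never seen" check, since passive discovery cannot see them.

```python
"""Reconcile the asset register (designed state, from engineering
documentation) against a passive sensor's export (observed state).

Added example, not Alsensio's code or any vendor's export format. Register
rows, sensor observations, IPs, protocol names and the 90-day staleness
threshold are all constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegisteredAsset:
    tag: str
    asset_type: str
    vendor: str
    model: str
    firmware: str
    ip: Optional[str]     # None for serial-only devices the network never sees
    location: str
    responsible: str      # "site" or "vendor"
    criticality: str


@dataclass(frozen=True)
class Observation:
    """One row of a passive sensor export: keyed by IP, carrying only what
    could be inferred from traffic (firmware is None if no protocol exposed it)."""
    ip: str
    vendor: str
    model: Optional[str]
    firmware: Optional[str]
    protocols: tuple[str, ...]
    last_seen_days: int


def reconcile(register: list[RegisteredAsset], observations: list[Observation],
              stale_after_days: int = 90) -> dict[str, list[tuple[str, str]]]:
    """Compare both directions. Each category is a finding to investigate:
      unregistered - talking on the network, absent from the register
      silent       - registered with an IP but never observed: decommissioned,
                     re-addressed, or on a segment the sensor cannot see
      stale        - registered and known to the sensor, but not seen recently
      drift        - observed vendor/model/firmware contradicts the register
    Serial-only assets (ip is None) are skipped: passive discovery cannot see
    them, so their absence is expected rather than a finding."""
    by_ip = {a.ip: a for a in register if a.ip is not None}
    seen = {o.ip: o for o in observations}
    findings: dict[str, list[tuple[str, str]]] = {
        "unregistered": [], "silent": [], "stale": [], "drift": []}

    for ip, obs in seen.items():
        asset = by_ip.get(ip)
        if asset is None:
            findings["unregistered"].append(
                (ip, f"{obs.vendor} {obs.model or '?'} speaking {','.join(obs.protocols)}"))
            continue
        if obs.last_seen_days > stale_after_days:
            findings["stale"].append((asset.tag, f"last seen {obs.last_seen_days} days ago"))
        for attr in ("vendor", "model", "firmware"):
            observed = getattr(obs, attr)
            if observed is not None and observed != getattr(asset, attr):
                findings["drift"].append(
                    (asset.tag, f"{attr}: register={getattr(asset, attr)} observed={observed}"))

    for ip, asset in by_ip.items():
        if ip not in seen:
            findings["silent"].append((asset.tag, f"{ip} never observed"))
    return findings


# Constructed register (what the documents say is installed) ...
REGISTER = [
    RegisteredAsset("PLC-101", "PLC", "ExampleCo", "CtrlPLC-5", "2.9.1", "10.10.1.11", "Panel CP-101, Unit 1", "site", "production"),
    RegisteredAsset("PLC-102", "PLC", "ExampleCo", "CtrlPLC-5", "2.10.0", "10.10.1.12", "Panel CP-102, Unit 1", "site", "production"),
    RegisteredAsset("SIS-01", "safety controller", "ExampleCo", "SafePLC-9", "3.2.0", "10.10.2.5", "Marshalling cabinet MC-3", "vendor", "safety"),
    RegisteredAsset("PLC-OLD", "PLC", "LegacyCo", "Serial-90", "1.0", None, "Panel CP-007, Unit 3", "site", "auxiliary"),
    RegisteredAsset("HMI-01", "HMI", "OtherCo", "Panel-7", "1.4.2", "10.10.1.50", "Control room", "site", "auxiliary"),
]
# ... and a constructed sensor export (what was actually seen on the wire).
SENSOR_EXPORT = [
    Observation("10.10.1.11", "ExampleCo", "CtrlPLC-5", "2.9.1", ("modbus-tcp",), 0),
    Observation("10.10.1.12", "ExampleCo", "CtrlPLC-5", "2.11.0", ("modbus-tcp", "vendor-eng"), 1),
    Observation("10.10.1.50", "OtherCo", "Panel-7", None, ("opc-ua",), 120),
    Observation("10.10.1.77", "ExampleCo", None, None, ("modbus-tcp", "vendor-eng"), 2),
]

if __name__ == "__main__":
    for category, items in reconcile(REGISTER, SENSOR_EXPORT).items():
        for ident, detail in items:
            print(f"{category:12} {ident:12} {detail}")
```

On the sample data this surfaces the four findings the reconciliation is meant to produce: an unregistered controller at 10.10.1.77 that is being programmed over an engineering protocol, the safety controller SIS-01 that the sensor has never seen (is its segment mirrored?), a firmware change on PLC-102 that no MOC record reflects, and an HMI not seen in four months. Each one goes to the responsible party recorded in the register, which is why that column exists.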


Starting an OT asset inventory or integrating it with a broader IEC 62443 assessment? The Alsensio team can help.

Tags: OT Security, Asset Inventory, IEC 62443, OT/ICS, Risk Assessment
Sebastian Schmidt
