Module 3: Implementation Guide

Asset Inventory for OT

A comprehensive asset inventory is the foundation of an ISO/IEC 27019 implementation: you cannot protect, patch, monitor or recover what you do not know exists.

Why Asset Inventory is Critical

Without a complete inventory you cannot:

  • Identify which assets need protection
  • Determine which systems run which firmware and software versions, and therefore which vulnerabilities actually apply
  • Understand data flows and dependencies between systems
  • Assess criticality for risk prioritization
  • Meet regulatory compliance requirements
  • Respond effectively to incidents (you cannot scope an incident across devices you have never catalogued)

Unique OT Inventory Challenges

Passive-Only Discovery

Active network scanning can crash or hang legacy OT devices, so discovery must be passive by default:

  • Use passive network monitoring from SPAN ports or network taps (a saturated SPAN session silently drops packets; a tap does not)
  • Collect data over weeks: a device only appears when it communicates, and some traffic (maintenance polls, engineering uploads, failover) is rare
  • Cannot force immediate discovery: silent devices, serial-only links and segments with no monitoring point stay invisible
  • Plan sensor placement so every control segment, not only the zone boundary, is visible

Undocumented Systems

Many OT installations lack current documentation:

  • Systems installed decades ago
  • Original installers may have left organization
  • Vendor documentation lost or outdated
  • Undocumented field modifications

Distributed Infrastructure

Energy assets spread across large geographic areas:

  • Hundreds of substations
  • Remote generation facilities
  • Distributed field devices
  • Difficult to physically survey all locations

Legacy and Proprietary Systems

Unique identification challenges:

  • Custom or proprietary devices
  • No standard identification methods
  • Firmware versions difficult to determine
  • Vendor-specific tools required

ISO 27019 Inventory Requirements

Asset Identification

For each asset collect:

  • Unique identifier: Asset tag, serial number
  • Asset name: Functional description
  • Type: SCADA server, PLC, RTU, IED, HMI, etc.
  • Location: Physical and network location
  • Owner: Responsible department/person

Technical Details

  • Manufacturer and model
  • Hardware version
  • Operating system and version
  • Firmware version
  • Software applications and versions
  • Communication protocols used
  • IP address and network details

Operational Context

  • Function: What process does it control/monitor?
  • Criticality: Impact if unavailable or compromised
  • Dependencies: What it connects to and relies on
  • Operational constraints: Patching windows, availability requirements
  • Maintenance schedule: Planned outages

Security Information

  • Known vulnerabilities: CVEs affecting the asset
  • Patch status: Current patch level
  • Security controls in place: AV, whitelisting, etc.
  • Network zone: Which security zone it's in
  • Access controls: Who can access

Discovery Methods

Passive Network Monitoring

Most important for OT:

  • Deploy monitoring sensors on SPAN ports or taps, at zone boundaries and inside control segments
  • Collect traffic for 2-4 weeks minimum so that infrequent traffic (maintenance polls, engineering uploads, failover) is captured
  • Identify devices by protocol analysis: industrial protocols carry addressing and, when a client requests it, vendor and firmware identification in the traffic itself
  • Map communication patterns: which clients poll which devices, with which function codes, how often
  • Minimal risk to operational systems: the sensor only listens; the residual risk is a mis-configured SPAN session loading the switch

Tools:

  • Industrial protocol analyzers
  • OT-specific asset discovery platforms
  • SIEM with OT protocol support
  • Network behavior analysis tools

Physical Site Surveys

Walk down facilities to document assets:

  • Visit control rooms, equipment rooms, substations
  • Photograph equipment and read nameplates
  • Document physical connections
  • Interview operations staff
  • Find assets passive monitoring missed

Configuration File Analysis

Review system configurations:

  • Export PLC/RTU configurations, preferably from the project files already held on engineering workstations and in backups; uploading a configuration from a live controller is an active operation and needs the same coordination as a scan
  • Analyze SCADA server settings (device lists, polling tables, tag databases)
  • Review firewall rules for device references
  • Check backup files for asset details

Vendor Documentation Review

Leverage existing documentation:

  • Original system architecture diagrams
  • Vendor installation records
  • Maintenance documentation
  • As-built drawings
  • Training materials

Active Scanning (Carefully)

Only when safe:

  • Test in an isolated lab on the same device model and firmware first
  • Coordinate with operations
  • During planned maintenance windows
  • Limited to specific device types known to tolerate it, using the least intrusive probe possible (a single TCP connect to a known port rather than port sweeps, OS fingerprinting or protocol fuzzing)
  • Have recovery procedures ready (controller restart, spare hardware, restored configuration)

Asset Categorization

By Purdue Level

Organize assets by network architecture:

  • Level 0: Physical process (sensors, actuators, instrumentation)
  • Level 1: Basic control (PLCs, RTUs, IEDs, protection relays)
  • Level 2: Supervisory control (SCADA servers, DCS servers, HMIs)
  • Level 3: Site operations (historians, engineering workstations)
  • Level 3.5: DMZ (data exchange systems between OT and IT)
  • Level 4: Enterprise IT

By Criticality

Risk-based prioritization:

  • Critical: Loss causes immediate safety risk or grid instability
  • Important: Significant operational impact, can operate manually short-term
  • Non-critical: Minimal impact if unavailable

By Ownership

Responsibility assignment:

  • Generation: Power plant assets
  • Transmission: Grid control and transmission systems
  • Distribution: Local delivery systems
  • Corporate: Shared infrastructure

Inventory Maintenance

Integration with Change Control

Keep inventory current:

  • New assets added before deployment
  • Changes updated in inventory
  • Decommissioned assets removed
  • Firmware/software updates recorded

Periodic Verification

Regular reconciliation:

  • Quarterly reconciliation of passive monitoring results against the inventory
  • Annual physical surveys
  • Continuous monitoring updates (new devices, changed firmware, new communication paths)
  • Every deviation investigated and resolved: an unknown device on the network, an inventoried device never seen, or an attribute that changed without a change record

Automated Discovery

Where possible, automate:

  • Continuous passive monitoring
  • Import of device lists from SCADA/DCS tag and device databases
  • Configuration management database (CMDB) as the system of record
  • Automatic alerts for new/changed devices
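The following is an added example, not code from this lesson or from any CMDB product, serving both the periodic verification and the automated discovery steps above: it reconciles inventory records with what passive monitoring observed over a verification window and returns the deviations to investigate, ranked by the inventory's own criticality. The record shapes, asset IDs, addresses and the approved-change register are all constructed; the observed records carry only what a passive Modbus sensor can yield (IP, unit ID, and a firmware revision when some client requested device identification).

```python
"""Inventory reconciliation (added example, not lesson material).

Compares CMDB records with devices that passive monitoring observed over the
verification window and returns the deviations an operator must investigate.
Record shapes, names and addresses are constructed; observed records carry
what a passive Modbus sensor can yield (IP, unit ID, firmware revision when a
client requested device identification, otherwise None).
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY = {"critical": "high", "important": "medium", "non-critical": "low"}
RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass(frozen=True)
class Deviation:
    kind: str                 # unknown_device | decommissioned_active | drift | not_observed
    asset_id: Optional[str]   # None for devices with no inventory record
    detail: str
    severity: str             # from inventory criticality; unknown devices are always high

def reconcile(cmdb, observed, approved_changes=frozenset()):
    """cmdb: dicts with asset_id, ip, unit_id, firmware, criticality, status.
    observed: dicts with ip, unit_id, revision. approved_changes: set of
    (asset_id, field) pairs that a change record already covers."""
    by_addr = {(r["ip"], r["unit_id"]): r for r in cmdb}
    seen, findings = set(), []
    for o in observed:
        rec = by_addr.get((o["ip"], o["unit_id"]))
        if rec is None:
            # A talking device with no record is the top finding: forgotten or rogue,
            # it is unpatched and unmonitored either way.
            findings.append(Deviation("unknown_device", None,
                f"{o['ip']} unit {o['unit_id']} on the network but not inventoried", "high"))
            continue
        seen.add(rec["asset_id"])
        if rec["status"] == "decommissioned":
            findings.append(Deviation("decommissioned_active", rec["asset_id"],
                "marked decommissioned but still on the network", "high"))
        elif (o["revision"] and o["revision"] != rec["firmware"]
              and (rec["asset_id"], "firmware") not in approved_changes):
            findings.append(Deviation("drift", rec["asset_id"],
                f"firmware {rec['firmware']} recorded, {o['revision']} observed, no change record",
                SEVERITY[rec["criticality"]]))
    for rec in cmdb:
        if rec["status"] == "active" and rec["asset_id"] not in seen:
            # Silent all window: removed, failed, re-addressed, or on an unmonitored segment.
            findings.append(Deviation("not_observed", rec["asset_id"],
                f"{rec['ip']} unit {rec['unit_id']} not seen during the capture window",
                SEVERITY[rec["criticality"]]))
    return sorted(findings, key=lambda d: (RANK[d.severity], d.kind))

# Constructed inventory, observations and change register.
CMDB = [
    {"asset_id": "A-001", "ip": "10.10.2.20", "unit_id": 1, "firmware": "2.4.1",
     "criticality": "critical", "status": "active"},
    {"asset_id": "A-002", "ip": "10.10.2.31", "unit_id": 5, "firmware": "1.8.0",
     "criticality": "important", "status": "active"},
    {"asset_id": "A-003", "ip": "10.10.2.32", "unit_id": 3, "firmware": "1.8.0",
     "criticality": "non-critical", "status": "active"},
    {"asset_id": "A-004", "ip": "10.10.2.50", "unit_id": 1, "firmware": "3.0.0",
     "criticality": "important", "status": "decommissioned"},
    {"asset_id": "A-005", "ip": "10.10.2.33", "unit_id": 2, "firmware": "4.1.0",
     "criticality": "critical", "status": "active"},
]
OBSERVED = [
    {"ip": "10.10.2.20", "unit_id": 1, "revision": "2.4.1"},   # matches A-001
    {"ip": "10.10.2.31", "unit_id": 5, "revision": "1.9.2"},   # A-002 changed, no change record
    {"ip": "10.10.2.33", "unit_id": 2, "revision": "4.2.0"},   # A-005 changed under change control
    {"ip": "10.10.2.50", "unit_id": 1, "revision": "3.0.0"},   # A-004 should be gone
    {"ip": "10.10.2.77", "unit_id": 1, "revision": None},      # nobody knows this one
]
APPROVED = {("A-005", "firmware")}

def run_sample_reconciliation():
    return reconcile(CMDB, OBSERVED, APPROVED)
```

The approved-change register is what keeps this from becoming noise: a firmware change that went through change control is silent, while the same change without a record is a finding, which is the practical meaning of "integration with change control". The decommissioned-but-active case is deliberately ranked with unknown devices, because a device that was struck from the inventory has usually also been struck from patching and monitoring.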

Implementation Roadmap

Phase 1: Critical Systems (Months 1-2)

  • Inventory SCADA servers and critical PLCs
  • Document control center equipment
  • Map generation control systems
  • Identify safety systems

Phase 2: Control Network (Months 3-4)

  • Complete field device inventory
  • Document all PLCs and RTUs
  • Catalog engineering workstations
  • Map network infrastructure

Phase 3: Supporting Systems (Months 5-6)

  • Inventory historians and HMIs
  • Document remote access infrastructure
  • Catalog vendor support systems
  • Complete network security devices

Phase 4: Validation and Maintenance (Ongoing)

  • Cross-reference multiple sources
  • Resolve discrepancies
  • Establish ongoing processes
  • Integrate with asset management

Documentation and Tools

Inventory Database

Key fields to maintain:

  • All identification and technical details above
  • Last updated date and by whom
  • Change history
  • Related assets (dependencies)
  • Supporting documentation links

Visualization

Create visual representations:

  • Network topology diagrams
  • Geographic asset maps
  • Purdue model layer diagrams
  • Criticality heat maps
  • Zone and conduit diagrams

Reporting

Regular reports for:

  • Management (high-level summary, trends)
  • Security team (vulnerabilities, risks)
  • Operations (asset status, maintenance due)
  • Compliance (audit evidence)

Best Practices

  1. Start with what you know - Build on existing documentation
  2. Use multiple methods - Cross-validate findings
  3. Prioritize by criticality - Critical systems first
  4. Engage operations - They know the systems best
  5. Be patient - OT discovery takes time
  6. Keep it current - Stale inventory is useless
  7. Make it accessible - Easy to search and update
  8. Link to other processes - Change control, vulnerability management

Next Lesson: Conducting risk assessments specific to process control systems.
