
The Basics Behind Building an Asset Inventory in OT Environments

Successfully implementing a project in your OT (operational technology) environment, whether it’s for security, operations, compliance, or anything in between, starts by understanding what assets you’re dealing with. Familiarity with your assets and their associated data will play a big role in understanding the scope of your project and directly impact your plan and approach.

This is where effective asset inventory management comes in. An asset inventory documents all of the devices and software across your network, along with any relevant data such as manufacturer, model, firmware, software version, patch history, etc. Beyond knowing what you’re working with, maintaining an accurate asset inventory can be one of many requirements to maintain compliance with certain regulations, such as NERC CIP.

If your organization doesn’t have an asset inventory, or the one you have is out of date, this article will provide a good starting point. We’ll go over different asset identification methods and what you need to know before launching any asset identification initiatives.

Finding Assets Across Your Network(s)

There are multiple ways to conduct asset discovery. One of the simplest (albeit probably one of the most inefficient) is to have a person or a team visit each site that has its own network, physically count the machines, manually gather network data with tools such as netstat, and verify that everything matches up with any existing documentation.

This is typically as tedious, inefficient, and error-prone as it sounds. However, for a smaller organization with only a single network and a small number of assets, it might be the easiest and least complicated way to begin building an asset inventory.

Automated asset identification methods generally come in two flavors: passive and active asset identification.

Passive asset identification usually entails placing a device on your network to listen to the activity that's already happening between devices. Passive methods copy the data passing through the network into a database for further analysis, storage, or wherever else your team needs it.

Active asset identification typically involves sending network communications, such as a packet, to a device on the network and waiting to see what responses come back. Often, the response from the machine will have more data about the device than is normally visible across operational communications on the network.

There are pros and cons to both methods. Ultimately, neither method is better than the other. The method you choose will largely depend on the information needed and your specific environment.

Just getting started and want to get quick visibility into assets on your network? Check out EmberOT’s free OT PCAP Analyzer.

Passive? Active? Both? Neither?

When it comes to choosing either passive or active asset identification in an OT environment, ultimately, the method chosen will depend on the level of detail needed and specific area and system requirements. Cybersecurity vulnerability management, for example, requires a different set of data than the information needed to improve operational safety.

If you aren’t sure what devices exist across different networks, passive methods can reliably identify any devices that are consistently communicating on the network. Passive asset identification can also pick up on transient, one-time events such as a device connecting and then disconnecting from the network.

If you need more detailed information about an asset you already know is on a network — such as what patch it's on, or what version of the software it's running — an active approach may be more efficient, since this information isn't usually sent in normal network communications.

In some cases, combining passive and active asset ID methods may be best. Passive methods can identify all the assets on the network, while active methods can query specific assets for more detail.

However, some industrial machines are built so precisely for the operation they perform that an unexpected request, even if it’s sent in a known protocol, could throw off normal operations. In the most extreme cases, the surprise query may temporarily brick the machine receiving the request. That’s why any active asset identification methods should be done under the guidance of the operations team or the asset owners.
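As an added illustration of what a passive method does with the traffic it overhears (example code written for this article, not EmberOT's analyzer or any product): the script folds observed packets into an inventory keyed by IP, records the OT protocol and role (polling client or polled server) each device shows, and flags devices that were only active briefly, which is how the transient connect-and-disconnect case above shows up in the data. The packet observations, MACs and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Well-known TCP ports of common OT protocols; anything else is labelled by port number.
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)", 20000: "DNP3", 44818: "EtherNet/IP"}

@dataclass
class Asset:
    ip: str
    mac: "str | None" = None                  # only learned from frames the device itself sent
    protocols: set = field(default_factory=set)
    roles: set = field(default_factory=set)    # "client" (polls others) / "server" (is polled)
    first_seen: float = float("inf")
    last_seen: float = float("-inf")
    packets: int = 0

    def observe(self, ts, proto, role):
        self.first_seen = min(self.first_seen, ts)   # min/max so unordered captures still work
        self.last_seen = max(self.last_seen, ts)
        self.packets += 1
        self.protocols.add(proto)
        self.roles.add(role)

def build_inventory(packets):
    """Fold observed (ts, src_mac, src_ip, dst_ip, dst_port) tuples into an inventory keyed by IP."""
    inventory = {}
    for ts, src_mac, src_ip, dst_ip, dst_port in packets:
        proto = OT_PORTS.get(dst_port, f"tcp/{dst_port}")
        src = inventory.setdefault(src_ip, Asset(ip=src_ip))
        src.mac = src_mac                        # the sender's MAC is in the captured frame
        src.observe(ts, proto, "client")
        dst = inventory.setdefault(dst_ip, Asset(ip=dst_ip))
        dst.observe(ts, proto, "server")         # destination is known only as a target so far
    return inventory

def transient_assets(inventory, max_span=60.0):
    """IPs that were active for less than max_span seconds across the whole capture."""
    return sorted(ip for ip, a in inventory.items() if a.last_seen - a.first_seen < max_span)

# Constructed sample observations (not real capture data): an HMI polling two controllers
# for five minutes, plus a device that appears for a few seconds and is never seen again.
SAMPLE_PACKETS = [
    (0.0,   "00:11:22:33:44:01", "10.0.0.10", "10.0.0.20", 502),
    (5.0,   "00:11:22:33:44:01", "10.0.0.10", "10.0.0.20", 502),
    (10.0,  "00:11:22:33:44:01", "10.0.0.10", "10.0.0.21", 44818),
    (200.0, "00:11:22:33:44:01", "10.0.0.10", "10.0.0.21", 44818),
    (300.0, "00:11:22:33:44:01", "10.0.0.10", "10.0.0.20", 502),
    (120.0, "00:11:22:33:44:99", "10.0.0.77", "10.0.0.20", 502),
    (125.0, "00:11:22:33:44:99", "10.0.0.77", "10.0.0.20", 502),
]
```

Calling `transient_assets(build_inventory(SAMPLE_PACKETS))` returns only `10.0.0.77`; note that a purely passive view never learns the MAC of a device that is only ever polled, which is exactly the kind of gap an active query fills in.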

Start with a Plan, Then Find the Right Tools

Whether the team is tasked with specific compliance requirements, cybersecurity posture improvement, or operational safety, identifying and maintaining an inventory of assets is one of the key foundational steps in the process.

Productive asset identification in an OT environment starts with knowing the necessary level of detail needed to meet the objective. Then it’s a matter of coming up with an appropriate plan to obtain that information without negatively impacting the overall environment.