Asset inventory in ICS environments - the foundation of OT cybersecurity
ICS/OT asset inventory - methods (manual, passive discovery, active scanning), tools, IEC 62443 and NIST requirements. How to build an OT asset register step by step.
Józef Sulwiński
In OT environments, industrial control systems (ICS) have lifecycles measured in decades. Over that time, installations undergo upgrades, component replacements, and integrations with new systems - while documentation fails to keep up. From our experience, current knowledge of OT environment architecture and configuration often exists only in the heads of key personnel.
Asset inventory of hardware and software is the first step in any OT cybersecurity program. Without an up-to-date asset register, you cannot assess whether a published vulnerability affects devices in your installation. You cannot design network segmentation based on actual topology, nor implement remote access policies tailored to your environment. The lack of asset inventory also blocks compliance with IEC 62443 and NIS2 (the EU directive on network and information security, transposed into national law in each member state).
Why OT asset inventory is harder than in IT
In corporate networks, asset inventory is automated - Active Directory, SCCM, endpoint agents. In OT, standard IT tools do not work, and attempting to use them can disrupt the production process. Key challenges:
| Challenge | Description | Consequence |
|---|---|---|
| No agents | PLCs, RTUs, and measurement devices do not support software agents | Asset inventory software cannot be installed on OT devices |
| Proprietary protocols | Many devices communicate via serial protocols (Modbus RTU, PROFIBUS) invisible on Ethernet networks | Passive network traffic monitoring will not detect devices below the Ethernet layer |
| Sensitivity to scanning | Active scanning (e.g., Nmap) can cause older PLCs to crash | Active scanning methods require careful planning and a maintenance window |
| Long lifecycle | Devices operate for 15-25 years; documentation from installation time is outdated | Firmware versions, network configuration, and IP addresses may have changed multiple times |
| Isolated segments | Some OT subnets have no connectivity to the corporate network (air gap) | Automated tools cannot reach all segments |
Three methods of asset inventory
The choice of method depends on the inventory goal, the acceptable level of intrusiveness, and available resources. In practice, combining all three methods is the most effective approach.
Manual inventory (physical walkdown)
A physical walkdown is the only method that covers all devices - not just those connected to Ethernet, but also devices on fieldbus networks (Modbus RTU, PROFIBUS, HART), standalone devices, and components without network communication. It requires physical presence on site and familiarity with P&ID (Piping and Instrumentation Diagram) drawings.
TIP
For a physical walkdown, prepare a form with fields: device name, manufacturer, model, serial number, firmware version, network address (IP or fieldbus address), physical location (building/cabinet/slot), function in the process. Tailor the form to your installation. Supplement with photos of nameplates. A nameplate is more reliable than documentation, but it shows the hardware version and the firmware shipped from the factory; if firmware has been updated in the field, read the running version from the device itself (HMI or web diagnostics page, or the engineering software) and record which source the value came from.
Advantages: completeness, no impact on the process, ability to verify physical condition. Limitations: time-consuming, requires physical access, data becomes outdated quickly.
Automatic passive discovery
Passive discovery captures and analyzes network traffic without initiating any communication with devices. The monitoring sensor connects to a mirror port (SPAN) on the switch, or to a network TAP, and listens to the copied packets. From headers, protocol metadata, and payload fields (for example the vendor and model strings that some industrial protocols carry), it builds a list of devices communicating on the network.
This method can detect: IP and MAC addresses, protocols in use (including industrial ones - Modbus TCP, OPC, S7comm, EtherNet/IP), headers containing manufacturer and model information, and communication patterns between devices.
NOTE
Passive discovery only detects devices that communicated during the analysis period. Dormant devices, those communicating infrequently, or those connected to separate segments will not be detected. The listening period should cover the full operational cycle of the installation (typically 1-4 weeks).
Advantages: non-intrusive, does not require a maintenance window, simultaneously builds a communication baseline (useful for IDS). Limitations: detects only active devices, usually cannot establish firmware versions (only when a version string happens to appear in captured traffic), requires switch reconfiguration (SPAN port) or a TAP.
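The following is an added example (not code from the article or from any vendor tool) of the core logic behind passive discovery: flow metadata captured on a SPAN port is turned into an asset list, a communication map, and a "new device after baseline" check. The flow records, the MAC addresses, and the baseline cut-off are constructed for the example; the OUI table is a four-entry subset and the port-to-protocol mapping is a heuristic, whereas real sensors identify protocols by inspecting the payload.

```python
"""Passive OT asset discovery from flow metadata (added example, not from the original article)."""
from collections import defaultdict
from datetime import datetime

# Well-known server-side ports of common industrial protocols. Port-based labelling is a
# heuristic only; production sensors confirm the protocol by parsing the payload.
OT_PORTS = {
    502: "Modbus TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP (CIP explicit messaging)",
    20000: "DNP3",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    47808: "BACnet/IP",
}

# Tiny OUI subset for vendor lookup; a real tool uses the full IEEE registry.
OUI_VENDOR = {
    "00:1b:1b": "Siemens AG",
    "00:00:bc": "Rockwell Automation",
    "00:80:f4": "Schneider Electric",
    "00:0c:29": "VMware (virtual NIC)",
}


def vendor_of(mac: str) -> str:
    return OUI_VENDOR.get(mac.lower()[:8], "unknown OUI")


def build_passive_inventory(flows):
    """flows: iterable of (timestamp, src_mac, src_ip, dst_mac, dst_ip, dst_port).

    Returns (assets keyed by MAC, edges keyed by (client_ip, server_ip, protocol) with a
    flow count). A device is only ever learned from traffic it took part in, which is
    exactly the blind spot of the method: dormant devices never show up here.
    """
    assets = {}
    edges = defaultdict(int)

    def touch(mac, ip, ts):
        a = assets.setdefault(mac, {
            "vendor": vendor_of(mac), "ips": set(), "serves": set(),
            "talks_to": set(), "first_seen": ts, "last_seen": ts,
        })
        a["ips"].add(ip)
        a["first_seen"] = min(a["first_seen"], ts)
        a["last_seen"] = max(a["last_seen"], ts)
        return a

    for ts, smac, sip, dmac, dip, dport in flows:
        src = touch(smac, sip, ts)
        dst = touch(dmac, dip, ts)
        proto = OT_PORTS.get(dport, f"tcp/{dport}")
        dst["serves"].add(proto)      # the destination answers on an OT server port
        src["talks_to"].add(dip)      # the source is a client of that device
        edges[(sip, dip, proto)] += 1
    return assets, dict(edges)


def new_since(assets, baseline_end):
    """MACs first seen after the baseline window closed: candidates for 'unknown device' alerts."""
    return {mac for mac, a in assets.items() if a["first_seen"] > baseline_end}


# Constructed sample (not captured traffic): an engineering workstation and an HMI talk to
# two PLCs during the baseline; a laptop with an unknown OUI appears after it closed.
T = datetime.fromisoformat
SAMPLE_FLOWS = [
    (T("2025-03-01T06:00:00"), "00:0c:29:10:20:30", "10.0.1.10", "00:1b:1b:aa:bb:01", "10.0.1.20", 102),
    (T("2025-03-02T06:00:00"), "00:80:f4:55:66:77", "10.0.1.11", "00:1b:1b:aa:bb:01", "10.0.1.20", 102),
    (T("2025-03-03T06:00:00"), "00:80:f4:55:66:77", "10.0.1.11", "00:00:bc:12:34:56", "10.0.1.21", 44818),
    (T("2025-03-12T22:15:00"), "3c:52:82:de:ad:01", "10.0.1.99", "00:1b:1b:aa:bb:01", "10.0.1.20", 502),
]
BASELINE_END = T("2025-03-10T00:00:00")

if __name__ == "__main__":
    assets, edges = build_passive_inventory(SAMPLE_FLOWS)
    for mac, a in assets.items():
        print(mac, a["vendor"], sorted(a["ips"]), sorted(a["serves"]))
    print("new since baseline:", new_since(assets, BASELINE_END))
```

The "serves" set is what distinguishes a controller from a client: the PLC at 10.0.1.20 is seen answering on both the S7comm and the Modbus port, while the workstation only ever initiates. The late-appearing laptop is the kind of device the continuous-monitoring phase should raise as an alert rather than silently add to the register.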
Automatic active scanning (selective)
Active scanning sends queries to individual OT devices - using interfaces and protocols intended for parameterization, the same ones used by engineering software (for example Modbus Read Device Identification, function 43; S7 system status list (SZL) reads; the CIP Identity Object on EtherNet/IP). This yields significantly more complete information: model, serial number, firmware version, configured services, diagnostic data, logs.
WARNING
Active scanning is more intrusive than passive discovery. Before running an active scan: obtain operator approval, test on an identical device in a lab environment, schedule a maintenance window, prepare a rollback procedure, and have contact information for the controller vendor’s support team.
Advantages: complete version information (essential for vulnerability management), detects devices that do not generate traffic. Limitations: requires a maintenance window, potential impact on older devices, does not cover serial/fieldbus devices.
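As an added example (not from the article or any vendor product) of what a single selective query looks like on the wire, the block below builds a Modbus TCP "Read Device Identification" request (function 0x2B, MEI type 0x0E, basic category) and parses the reply into vendor, product code and revision. The reply bytes are constructed; the vendor and product names in them are invented. `query_device()` is the only function that touches the network and is never called at import time: it sends one read-only request with a short timeout, and is still subject to the warning above (lab test, approval, maintenance window).

```python
"""Modbus TCP Read Device Identification (FC 0x2B / MEI 0x0E): build the query, parse the reply.
Added example; the sample reply bytes are constructed, not captured from a real device."""
import socket
import struct

MODBUS_TCP_PORT = 502
# Object IDs of the 'basic' identification category (Modbus Application Protocol spec, FC 43).
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id(transaction_id=1, unit_id=1, read_code=0x01, object_id=0x00):
    """MBAP header + PDU. read_code 0x01 = stream access to the basic objects (vendor, product, revision)."""
    pdu = struct.pack(">BBBB", 0x2B, 0x0E, read_code, object_id)
    # MBAP length field counts the unit identifier plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0x0000, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id(frame: bytes) -> dict:
    """Parse a Modbus TCP reply. Exception replies are returned, not raised, so a device that
    does not implement FC 43 (exception 0x01, illegal function) is recorded instead of aborting."""
    if len(frame) < 9:
        raise ValueError("frame too short for an MBAP header and function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header (protocol id or length)")
    pdu = frame[7:]
    result = {"transaction_id": tid, "unit_id": unit_id, "objects": {}}
    if pdu[0] == (0x2B | 0x80):                      # 0xAB: exception response to FC 0x2B
        result["exception_code"] = pdu[1]
        return result
    if pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError(f"unexpected function/MEI type {pdu[0]:#x}/{pdu[1]:#x}")
    if len(pdu) < 7:
        raise ValueError("truncated device identification header")
    read_code, conformity, more_follows, next_object, count = pdu[2:7]
    pos = 7
    for _ in range(count):                           # objects: id (1) + length (1) + value
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object value")
        name = BASIC_OBJECTS.get(oid, f"object_{oid:#04x}")
        result["objects"][name] = value.decode("ascii", "replace")
        pos += 2 + olen
    result["conformity_level"] = conformity          # 0x01 basic ... 0x81 basic + individual access
    result["more_follows"] = more_follows == 0xFF    # 0xFF: repeat with next_object_id to get the rest
    result["next_object_id"] = next_object
    return result


def query_device(host: str, unit_id: int = 1, timeout: float = 2.0) -> dict:
    """Send ONE read-only identification query. Only inside an approved maintenance window."""
    request = build_read_device_id(unit_id=unit_id)
    with socket.create_connection((host, MODBUS_TCP_PORT), timeout=timeout) as sock:
        sock.sendall(request)
        header = sock.recv(7)
        if len(header) < 7:
            raise ValueError("short MBAP header")
        length = struct.unpack(">H", header[4:6])[0]
        body = b""
        while len(body) < length - 1:
            chunk = sock.recv(length - 1 - len(body))
            if not chunk:
                raise ValueError("connection closed mid-frame")
            body += chunk
    return parse_read_device_id(header + body)


def _object(oid: int, text: str) -> bytes:
    return bytes([oid, len(text)]) + text.encode("ascii")


# Constructed reply: basic category, conformity 0x81, no further objects, three objects.
_sample_pdu = (bytes([0x2B, 0x0E, 0x01, 0x81, 0x00, 0x00, 0x03])
               + _object(0x00, "Acme Automation") + _object(0x01, "ACM-1200") + _object(0x02, "V2.3.1"))
SAMPLE_REPLY = struct.pack(">HHHB", 1, 0, len(_sample_pdu) + 1, 1) + _sample_pdu
# Constructed reply from a device that does not implement FC 43: exception 0x01 (illegal function).
SAMPLE_EXCEPTION = bytes.fromhex("0001 0000 0003 01 AB 01")

if __name__ == "__main__":
    print("request:", build_read_device_id().hex())
    print("parsed reply:", parse_read_device_id(SAMPLE_REPLY))
    print("parsed exception:", parse_read_device_id(SAMPLE_EXCEPTION))
```

Two details matter for inventory use. The `more_follows` flag means a single request may not return everything; the scanner must loop with `next_object_id`, which is one more query per device and one more reason to rate-limit. And an exception 0x01 is itself inventory data: it tells you the device does not support the identification function, so its firmware version will have to come from the vendor's own protocol or from the walkdown.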
Method comparison
| Criterion | Manual | Passive | Active |
|---|---|---|---|
| Completeness | Full (including fieldbus) | Only active network devices | Network devices (including dormant) |
| Detail level | Depends on the form | Basic (IP, MAC, protocols) | Full (firmware, config, logs) |
| Intrusiveness | None | Minimal (SPAN port) | Moderate (queries to devices) |
| Automation | None | Continuous | Periodic |
| Requires maintenance window | No | No (but switch reconfiguration needed) | Yes |
| Use case | Baseline, physical walkdown | IDS, continuous monitoring, traffic baseline | Vulnerability management, audit |
Tools for automatic OT asset inventory
The market for OT asset inventory tools has grown significantly since 2020. Below is a comparison of leading solutions - provided as an overview of available options:
| Tool | Methods | OT protocols | Additional capabilities |
|---|---|---|---|
| Tenable OT (formerly Indegy) | Passive + selective active scanning | Modbus, S7, OPC, EtherNet/IP, PROFINET, BACnet | Vulnerability management, IEC 62443 compliance, SBOM |
| Nozomi Networks Guardian | Passive + active (Smart Polling) | 100+ OT/IoT protocols | Anomaly detection, threat intelligence, OT/IoT asset visibility |
| Claroty xDome | Passive + active (AppDB) | Modbus, S7, OPC UA, DNP3, EtherNet/IP | Risk scoring, integration with Claroty SRA (Secure Remote Access) |
| Dragos Platform | Passive | Modbus, S7, OPC, DNP3, IEC 104 | Threat detection, playbooks, ICS threat intelligence |
| OTORIO RAM2 | Passive + active | Modbus, S7, OPC UA, BACnet | Risk assessment, attack graph, mitigation prioritization |
TIP
When selecting a tool, the key questions are: does it support the protocols used in your installation (e.g., PROFIBUS, BACnet for building systems), has the active scanning method been tested with devices from specific manufacturers (Siemens, Rockwell, Schneider), and does the tool integrate with your existing SIEM/SOC. Before purchasing, request a proof-of-concept in a test environment or on a small production segment.
Standards and regulatory requirements
IEC 62443
IEC 62443-2-1 requires establishing and maintaining an IACS (Industrial Automation and Control System) asset inventory as part of the cybersecurity management system. The standard requires identification of all hardware and software assets, classification of assets by criticality, and assignment of assets to security zones defined in IEC 62443-3-2.
NIST SP 800-82 Rev. 3 and CISA Asset Inventory Guidance
NIST SP 800-82 Rev. 3 identifies asset inventory as the foundation of an OT security program. In August 2025, CISA published the joint guidance “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators” (co-sealed by NSA, FBI, EPA, and five international agencies), listing 14 attributes to record for each OT asset - including: criticality, communication protocols, firmware versions, physical location, manufacturer/model, and connections to IT networks.
NIS2
The NIS2 Directive (EU 2022/2555) requires essential and important entities to adopt policies on risk analysis and information system security (Article 21). That risk analysis cannot be performed without a current asset register, and an entity that cannot demonstrate the basis for its assessment is exposed to a finding of non-compliance during an audit.
CIS Controls v8
CIS Control 1 (Inventory and Control of Enterprise Assets) is the first and highest priority control. For OT, this means: maintaining a register of all devices connected to the network, identifying unauthorized devices, and being able to block access from unknown devices (NAC).
How to build an OT asset inventory program - step by step
| Phase | Action | Outcome | Tools |
|---|---|---|---|
| 1. Physical walkdown | On-site visit, P&ID documentation review, inventory form | Baseline - list of all devices | Spreadsheet, photos, forms |
| 2. Passive discovery | Connect sensor to SPAN port or TAP, listen for 1-4 weeks (a full operational cycle) | Network communication map, detected Ethernet devices | Nozomi Guardian, Tenable OT, Claroty |
| 3. Active scanning | Selective scanning during maintenance window | Complete firmware version, configuration, and vulnerability data | Tenable OT, Claroty, Nozomi Smart Polling |
| 4. Consolidation | Merge data from all 3 methods, fill gaps | Complete OT asset register | CMDB / dedicated tool |
| 5. Classification | Assign assets to IEC 62443 zones, determine criticality | Assets classified by risk | Criticality matrix |
| 6. Maintenance | Continuous passive monitoring + periodic active scans + change registration procedure | Up-to-date asset register | Automation + MOC process |
TIP
The OT asset register should contain at minimum: identifier, physical location, manufacturer/model/serial number, firmware/OS version, network address, IEC 62443 zone, criticality, date of last verification, asset owner. For fieldbus devices, add: bus address, protocol type, master/slave role. Update the register with every change (Management of Change procedure).
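The consolidation phase (step 4) and the register fields listed in the tip above are where the three methods actually meet, so here is an added example (not from the article) of merging walkdown, passive and active records into one register with an explicit precedence rule per attribute. Every input record is constructed for the example; the tag names, serial numbers, addresses and locations are invented. The join key is the IP address where one exists and the serial number otherwise, which is an assumption that works for the sample and would need tightening (for example matching walkdown and active records on serial as well as IP) in a real plant.

```python
"""Merge walkdown, passive and active inventory data into one OT asset register.
Added example with constructed input records; not the article's or any tool's code."""

# Which source wins for an attribute when several report a value, best first.
PRECEDENCE = {
    "firmware": ("active", "walkdown", "passive"),  # live query beats nameplate beats traffic inference
    "model": ("active", "walkdown", "passive"),
    "vendor": ("walkdown", "active", "passive"),
    "serial": ("active", "walkdown"),
    "location": ("walkdown",),                       # only a person on site knows the cabinet/slot
    "mac": ("passive", "active"),
}
# Attributes taken from whichever record has them; no conflict detection.
PASS_THROUGH = ("ip", "zone", "bus", "bus_address", "protocols")


def consolidate(walkdown, passive, active):
    """Each input is a list of dicts carrying a 'source' key. Returns (register, findings).

    findings is the list a practitioner needs to work through: attribute conflicts
    (e.g. firmware differs between nameplate and live query), devices seen on the
    network but missing from the walkdown, and walkdown devices with an IP that never
    appeared on the network.
    """
    groups = {}
    for rec in walkdown + passive + active:
        key = rec.get("ip") or f"serial:{rec['serial']}"   # fieldbus devices have no IP
        groups.setdefault(key, []).append(rec)

    register, findings = [], []
    for key, recs in groups.items():
        sources = {r["source"]: r for r in recs}
        entry = {"id": sources.get("walkdown", {}).get("tag", key), "sources": sorted(sources)}
        for attr, order in PRECEDENCE.items():
            values = {s: sources[s][attr] for s in order if s in sources and sources[s].get(attr)}
            if not values:
                continue
            chosen = next(s for s in order if s in values)
            entry[attr] = values[chosen]
            if len(set(values.values())) > 1:
                findings.append({"asset": entry["id"], "kind": "conflict", "attribute": attr,
                                 "values": values, "chosen": chosen})
        for attr in PASS_THROUGH:
            for r in recs:
                if r.get(attr) is not None:
                    entry.setdefault(attr, r[attr])
        if "walkdown" not in sources:
            findings.append({"asset": entry["id"], "kind": "unknown_device",
                             "detail": "seen on the network but absent from the walkdown; identify, then add or remove"})
        elif not ({"passive", "active"} & set(sources)) and entry.get("ip"):
            findings.append({"asset": entry["id"], "kind": "not_observed",
                             "detail": "has an IP but no network evidence; verify the address or schedule an active query"})
        register.append(entry)
    return register, findings


# Constructed sample records (invented tags, serials, addresses and locations).
WALKDOWN = [
    {"source": "walkdown", "tag": "PLC-101", "vendor": "Siemens AG", "model": "S7-1500", "serial": "SC-X1A",
     "firmware": "V2.8", "ip": "10.0.1.20", "location": "B1/Cab-03/Slot-1", "zone": "Control"},
    {"source": "walkdown", "tag": "FT-204", "vendor": "Acme Instruments", "model": "FM-400", "serial": "EH-7781",
     "firmware": "1.02", "ip": None, "bus": "PROFIBUS DP", "bus_address": 12, "location": "B1/Field", "zone": "Control"},
    {"source": "walkdown", "tag": "RTU-301", "vendor": "Acme Telecontrol", "model": "RTU-3", "serial": "R-301",
     "firmware": "1.4", "ip": "10.0.1.30", "location": "B2/Cab-01", "zone": "Control"},
]
PASSIVE = [
    {"source": "passive", "ip": "10.0.1.20", "mac": "00:1b:1b:aa:bb:01", "vendor": "Siemens AG", "protocols": ["S7comm"]},
    {"source": "passive", "ip": "10.0.1.99", "mac": "3c:52:82:de:ad:01", "protocols": ["Modbus TCP"]},
]
ACTIVE = [
    {"source": "active", "ip": "10.0.1.20", "model": "S7-1500 CPU 1516-3", "serial": "SC-X1A", "firmware": "V2.9.2"},
]

if __name__ == "__main__":
    register, findings = consolidate(WALKDOWN, PASSIVE, ACTIVE)
    for entry in register:
        print(entry)
    for finding in findings:
        print("FINDING:", finding)
```

The output for PLC-101 shows why precedence has to be explicit: the register carries the firmware from the live query (V2.9.2), not the nameplate value (V2.8), but the disagreement is kept as a finding because it may mean an undocumented update, and undocumented updates are exactly what the Management of Change procedure is meant to catch. The flowmeter on PROFIBUS is covered by the walkdown alone and correctly produces no network finding.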
NIST SP 800-53 control mapping
| Action | NIST SP 800-53 control | Description |
|---|---|---|
| Hardware asset register | CM-8 | System Component Inventory |
| Software register | CM-8, CM-7(5) | System Component Inventory (covers software and firmware), Authorized Software (allow-by-exception) |
| Unauthorized device detection | CM-8(3), IA-3 | Device Identification and Authentication |
| Criticality classification | RA-2 | Security Categorization |
| Change management | CM-3 | Configuration Change Control |
| Vulnerability management | RA-5, SI-2 | Vulnerability Monitoring, Flaw Remediation |
| Network access control (NAC) | AC-3, IA-3 | Access Enforcement, Device I&A |
Source: NIST SP 800-53 Rev. 5.
Sources
- NIST SP 800-82 Rev. 3 “Guide to Operational Technology (OT) Security” (2023)
- IEC 62443-2-1 “Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners”
- NIST SP 800-53 Rev. 5
- CIS Controls v8 - Control 1: Inventory and Control of Enterprise Assets
- CISA et al., “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators” (August 2025)
- Directive (EU) 2022/2555 (NIS2)
- CISA ICS Recommended Practices