One Destination, Multiple Paths: The 4 Data Collection Methods Needed for True OT Asset Management

October 25, 2022

You’ve heard the same idea, probably a dozen different ways.

You can’t manage/secure/control/measure what you can’t see.

It’s a simple idea that is fundamental to any cybersecurity program but one that is still problematic within OT today. The first step in optimizing any system is to understand its parts and interconnections by making the system components visible. Only when the system components have become visible, can they start to be managed.

For IT and OT environments alike, asset management consists of collecting data, enriching it, adding context, and connecting the result to decision-making. Asset management provides the visibility required for system monitoring, vulnerability management, threat detection and incident response.

But when it comes to how assets get monitored and what data is collected, OT asset management (OTAM) and IT asset management (ITAM) requirements begin to diverge. We’ll look at some of these nuances first, then their impact on security decision-making.

ITAM vs OTAM: A Deceptive Similarity

While the big-picture principles of asset management hold across IT and OT environments, OT environments are more idiosyncratic, their teams are built differently, and their organizational priorities diverge.

Higher risks bring different rules and realities

Mismanaging an OT environment can have consequences that simply don't exist on the other side of the perimeter. Disruption or downtime isn't just costly to resolve and rebuild; it can also have a significant impact on operations, production, brand reputation, and even physical safety.

Remember the classic CIA Triad? While IT security prioritizes confidentiality, OT security optimizes for availability, because keeping the process running is what keeps it safe. Suddenly, that "time to repair" KPI takes on new urgency.

OT environments are wilder, but also more fragile

While predictability is core to IT modernization, OT environments are often built with less consistency and greater hardware and software complexity. These environments are also often more distributed and less connected than IT instances.

OT systems are highly sensitive to traditional IT security tactics, especially anything that can disrupt or degrade performance, such as continuous network scanning.

OT information needs are richer

IT asset management is largely about determining network presence and capturing location, system health, and a limited depth of detail about system configuration and installed software.

Successful OT asset management requires a much richer level of data to be effective. And it isn't simply a matter of more operational data (which is always welcome) but of foundational asset information that security and compliance teams can't obtain any other way.

  • OT assets are often purchased outside traditional channels, which means organizations know less about them from the start. This makes visibility more difficult from day one.
  • OT assets are often built around SKUs and components that can be several generations old, or even past EOL, making them especially challenging for IT tools to track and monitor. This makes manageability harder and puts easy automation out of reach.

And OT orgs are doing more with less

Mature IT environments are typically supported by a dedicated team, including security specialists. OT environments are often built and managed by smaller, scrappier teams whose members fill multiple roles at once. Their focus is operational continuity; they don't have the time or training to become OTAM specialists, and they certainly don't have access to the modern orchestration and automation tools their IT peers use every day.

Add all these differences up, and we can begin to see why OTAM is so different and difficult. We see teams facing the same complex threats, determined enemies, and regulatory pressure as their IT peers. But they’re also responding inside environments and organizations built for different priorities.

That’s the bad news. The good news is that the right mix of people, process and technology can level the playing field for OT security teams and give them the ability to create a single source of OTAM built on granular customization around environmental specifics.

Getting OTAM Right: Stacking Tactics, Simplifying Tools

The unique requirements of OT asset management mean teams need more information and more ways to get at it. They also need to be able to quickly and effectively use this data to automate decision-making and generate compliance documentation, as required.

When it comes to monitoring methods, more is better

To capture as much OTAM data as possible, organizations typically use several collection methods in combination. In fact, our recent global OT survey found that organizations rely on passive, active, and manual data collection methods about equally.

They’re seeking what might be called a single source of OT truth to serve as an input to other key benefits, including broader visibility into the environment, faster remediation of tickets, and a better understanding of risk.

So, where IT organizations might standardize around one single method, optimizing for consistency in OTAM is less effective. Each approach is useful, but no single tactic is sufficient on its own to establish that single source of truth.

  1. Passive monitoring relies on network-facing sensors (a SPAN port or tap) to observe traffic from connected devices. While this captures a large portion of the information needed for asset management, it:
    • Only captures devices that are online and actively communicating on a monitored network segment; a device that stays silent, or sits on an unmonitored link, never appears
    • Doesn't capture deep enough information (e.g., which version of Windows is this HMI running?)
  2. Manual entry relies on staff to collect and update information that is inaccessible any other way (nameplate data, physical location, purchase records). It ensures a certain completeness of information, but only after considerable time and attention from OT staff, and it goes stale as soon as nobody is updating it.
  3. Configuration analysis builds a configuration baseline for each asset and then captures (and compares) changes going forward, building a historical view of the asset over time. It is essential data that becomes more useful with additional context.
  4. Active discovery/intelligent interrogation uses software or sensors to proactively ping or query devices. It can find hidden or silent assets that passive monitoring misses, but it must be managed carefully (scheduled, rate-limited, and scoped), because an ill-timed probe can disrupt a fragile device.

But many-to-one simplification helps teams get more done

While multiple, overlapping monitoring methods give security teams an information-rich, context-informed view of OT assets, they create challenges of their own.

  • Multiple methods can require multiple tools and workflows
  • Reporting across disparate solutions can be equally difficult
  • The lack of a consolidated view raises the risk of important information getting missed

As it turns out, the consistency that IT prioritizes can play a big role in making OTAM better. The more methods we can aggregate into one collated, standardized record, the more precise our ability to detect and respond becomes.
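The following is an added example, not code from this post or from Industrial Defender's platform. It shows the "many-to-one" idea in working form: observations from the four collection methods above are folded into a single record per asset, each field remembers which method supplied it, a report lists the assets each method missed (the silent hosts that passive monitoring never saw, the devices nobody entered by hand), and a stored configuration baseline is diffed against what the latest interrogation reports. All records are constructed for the example, and the field names and the source-precedence order are assumptions, not any product's schema.

```python
"""Added example (not Industrial Defender's code): merge four OT collection
methods into one record per asset with per-field provenance, list the assets
each method missed, and diff a configuration baseline against current state.
All data below is constructed; field names and precedence are assumptions."""
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List, Set, Tuple

# ---- constructed observations, one collection per method -------------------
PASSIVE = [   # from a SPAN/tap: only devices that happened to talk while monitored
    {"mac": "00:1d:9c:aa:00:01", "ip": "10.1.1.10", "protocol": "modbus/tcp"},
    {"mac": "00:1d:9c:aa:00:02", "ip": "10.1.1.11", "protocol": "s7comm"},
]
MANUAL = [    # typed in by a technician from the nameplate and the cabinet label
    {"mac": "00:1d:9c:aa:00:01", "vendor": "AcmePLC", "model": "X100", "location": "Cabinet 3"},
    {"mac": "00:1d:9c:aa:00:03", "vendor": "AcmeHMI", "model": "H20", "location": "Control room"},
]
CONFIG_BASELINE = {   # approved configuration snapshot taken at commissioning
    "00:1d:9c:aa:00:01": {"ip": "10.1.1.10", "firmware": "2.4.1",
                          "program_hash": "a1b2", "tcp/502": "open"},
}
ACTIVE = [    # rate-limited interrogation run in a maintenance window
    {"mac": "00:1d:9c:aa:00:01", "ip": "10.1.1.10", "firmware": "2.4.2",
     "tcp/502": "open", "tcp/80": "open"},
    {"mac": "00:1d:9c:aa:00:03", "ip": "10.1.1.20", "os": "Windows 7 Embedded"},
    {"mac": "00:1d:9c:aa:00:04", "ip": "10.1.1.99", "os": "Windows 10"},  # unknown to everyone
]

# Later sources win on conflicts: a live interrogation beats a stored snapshot,
# which beats a human's note, which beats a passively observed frame. (Assumed.)
PRECEDENCE = ("passive", "manual", "config", "active")


@dataclass
class Asset:
    mac: str
    fields: Dict[str, Tuple[Any, str]] = field(default_factory=dict)  # name -> (value, source)
    sources: Set[str] = field(default_factory=set)

    def get(self, name: str) -> Any:
        return self.fields[name][0] if name in self.fields else None


def merge(passive: Iterable[dict], manual: Iterable[dict],
          config: Dict[str, dict], active: Iterable[dict]) -> Dict[str, Asset]:
    """Build one record per MAC; every field keeps the method that supplied it."""
    by_source = {
        "passive": list(passive),
        "manual": list(manual),
        "config": [{"mac": mac, **snap} for mac, snap in config.items()],
        "active": list(active),
    }
    assets: Dict[str, Asset] = {}
    for source in PRECEDENCE:
        for obs in by_source[source]:
            asset = assets.setdefault(obs["mac"], Asset(obs["mac"]))
            asset.sources.add(source)
            for name, value in obs.items():
                if name != "mac" and value is not None:
                    asset.fields[name] = (value, source)
    return assets


def missed_by(assets: Dict[str, Asset], source: str) -> List[str]:
    """MACs that one collection method never saw (e.g. hosts silent on the SPAN)."""
    return sorted(mac for mac, a in assets.items() if source not in a.sources)


def config_drift(baseline: dict, current: dict) -> Dict[str, Tuple[Any, Any]]:
    """Keys whose value differs between the approved snapshot and current state.
    Added keys appear as (None, new); removed keys appear as (old, None)."""
    drift = {}
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            drift[key] = (old, new)
    return drift


def drift_report(assets: Dict[str, Asset],
                 baseline: Dict[str, dict]) -> Dict[str, Dict[str, Tuple[Any, Any]]]:
    """Diff each baselined asset against its machine-observed fields (config or
    active sources only, so manually entered metadata does not show as drift)."""
    report = {}
    for mac, snap in baseline.items():
        if mac not in assets:
            continue
        current = {k: v for k, (v, src) in assets[mac].fields.items()
                   if src in ("config", "active")}
        changes = config_drift(snap, current)
        if changes:
            report[mac] = changes
    return report


if __name__ == "__main__":
    inventory = merge(PASSIVE, MANUAL, CONFIG_BASELINE, ACTIVE)
    for mac, a in sorted(inventory.items()):
        print(mac, sorted(a.sources), {k: v for k, v in a.fields.items()})
    print("never seen passively:", missed_by(inventory, "passive"))
    print("never entered manually:", missed_by(inventory, "manual"))
    print("drift vs baseline:", drift_report(inventory, CONFIG_BASELINE))
```

Running it shows the point of stacking methods: the PLC at `00:1d:9c:aa:00:01` is the only asset all four methods agree on, the HMI `00:1d:9c:aa:00:03` and the unknown Windows 10 host `00:1d:9c:aa:00:04` never spoke on the monitored segment and exist only because of manual entry and active discovery, and the drift report flags both the firmware change (2.4.1 to 2.4.2) and the newly open TCP/80 service that the baseline never had. The per-field provenance is what makes the consolidated record trustworthy: an analyst can see that the vendor and location came from a technician's note while the firmware version came from a live interrogation.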

Getting Started with OTAM

OT experts know their environments best, which is why they deserve tools built by people who have faced those same choices and challenges. Industrial Defender helps OT security and operations teams aggregate all four collection methods into a single source of OTAM truth, giving them the visibility and control they need. Benefits of our solution include:

  • Bring speed and simplicity to complex OT environments
  • Enrich your passive monitoring data
  • Build 100% asset coverage across all four collection methods
  • Onboard, manage, and decommission assets with prebuilt workflows
  • Link, organize, query assets via a customizable database
  • Generate compliance reports with a few clicks
Industrial Defender’s OT Asset Management Platform

No matter where you are on your OTAM modernization journey, we’re ready to help you take the next right step. Learn more about our OTAM solution here: