Inventory and Asset Management in ICS Operations
Making Sense of Inventory and Asset Management in ICS Operations
Inventory and asset management is one of those fundamental practices every industrial environment needs, but few actually get right, at least at scale. As industrial control system (ICS) environments grow more interconnected—driven by real business needs—asset inventory transforms from a dusty spreadsheet exercise to a living, business-critical practice foundational to sound security and reliable operations.
This post deep-dives into why inventory and asset management is non-trivial in ICS settings, how key technologies and network architectures play a role, and what historically went wrong (and right). The goal is to demystify asset inventory for CISOs, IT Directors, network engineers, and plant operators keen on real progress rather than superficial compliance box-ticking.
Historical Perspective: From OT Isolation to IT/OT Complexity
Industrial environments have a long legacy of treating OT (Operational Technology) as separate from IT. Up until the 2000s, ICS networks were typically designed for isolation by means of physical segmentation—what is sometimes referred to (erroneously) as “air-gapping.” Asset inventory largely meant keeping track of PLCs, RTUs, and HMIs via manual logs or simple databases, primarily for maintenance planning.
With the arrival of TCP/IP-based protocols (e.g., Modbus TCP, DNP3 over IP, OPC UA) and business-driven IT/OT convergence, the number, type, and interconnectedness of ICS assets exploded. Suddenly, devices were accessible from enterprise networks and, with this, came new vulnerabilities and a need for comprehensive, dynamic inventories going far beyond what most OT teams had previously maintained.
ICS Networking: Why Inventory is Harder than You Think
Heterogeneity: ICS infrastructures host a mishmash of legacy and modern devices—serial-based PLCs from the 1990s, “smart” field devices, virtualized SCADA management tools, and Windows-based HMIs, all layered with bespoke or deprecated protocols.
Obscurity by Design: Many assets do not ‘announce’ themselves on networks. Passive network discovery tools often miss crucial devices, while aggressive scanning typical in IT networks can crash fragile OT endpoints.
Vendor Variability: Mixes of vendor-specific diagnostics, proprietary management interfaces, and varying lifecycle support further complicate the matter.
Lack of Centralized Management: Historically, plants evolved locally, so each line or site may have its own siloed inventory discipline (or none at all).
Key Technical Concepts and Tools
Passive vs. Active Discovery
Passive asset discovery listens to ICS network traffic to infer which devices are present, often using network taps or span ports. This approach is safer in fragile environments, but is limited by what traffic is actually seen during the monitoring period, and may miss deeply embedded or dormant assets.
Active discovery sends queries or probes (e.g., via SNMP, Modbus, or proprietary APIs) to enumerate devices and attributes. While effective in IT, this method risks disrupting operations in ICS. Thus, in sensitive networks, any active discovery must be rigorously tested and ideally run in planned maintenance windows.
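As an added illustration of the passive approach described above (example code, not from the original post): the script decodes a constructed Modbus TCP capture, the kind of frames a span port or tap would deliver, and infers which hosts are Modbus clients and servers, which unit IDs and function codes are in use, and which clients write to which servers. It transmits nothing. The frame layout it assumes is the standard Modbus TCP MBAP header (transaction ID, protocol ID 0, length, unit ID) followed by the function code; the IP addresses and frames are constructed for the example.

```python
"""Passive Modbus TCP asset inference from captured frames.

Added example, not the article's code.  The capture below is constructed to
stand in for what a span port or tap would deliver; nothing is transmitted.
Only the MBAP header and function code are decoded.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
WRITE_CODES = {5, 6, 15, 16, 23}  # function codes that change device state


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus TCP frame: MBAP header (tid, proto=0, length, unit) + PDU."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(payload: bytes):
    """Decode MBAP header and function code; None if not well-formed Modbus TCP."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # protocol id must be 0; length counts unit id + function code + data
    if proto != 0 or length < 2 or len(payload) - 6 != length:
        return None
    fc = payload[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}


def infer_assets(frames):
    """frames: iterable of ((src_ip, src_port), (dst_ip, dst_port), payload).

    Direction is inferred from which side uses port 502: requests go to it,
    responses come from it.  Returns {ip: facts} with roles, unit IDs
    addressed, function codes requested and which clients write to a server.
    """
    facts = defaultdict(lambda: {"roles": set(), "units": set(), "functions": set(),
                                 "writers": set(), "peers": set()})
    for (sip, sport), (dip, dport), payload in frames:
        hdr = parse_frame(payload)
        if hdr is None:
            continue
        if dport == MODBUS_PORT:            # request: src is client, dst is server
            client, server = sip, dip
            facts[server]["units"].add(hdr["unit"])
            facts[server]["functions"].add(hdr["fc"])
            if hdr["fc"] in WRITE_CODES:
                facts[server]["writers"].add(client)
        elif sport == MODBUS_PORT:          # response: src is server
            client, server = dip, sip
        else:
            continue                        # port 502 not involved: ignore
        facts[client]["roles"].add("modbus-client")
        facts[server]["roles"].add("modbus-server")
        facts[client]["peers"].add(server)
        facts[server]["peers"].add(client)
    return dict(facts)


# Constructed capture: an HMI polling two PLCs, an engineering station writing
# to one of them, a PLC exception reply, and a non-Modbus packet on port 502.
HMI, EWS, PLC_A, PLC_B = "192.168.100.10", "192.168.100.50", "192.168.100.23", "192.168.100.24"
FRAMES = [
    ((HMI, 49152), (PLC_A, 502), mbap(1, 1, bytes([3, 0, 0, 0, 10]))),            # read holding regs
    ((PLC_A, 502), (HMI, 49152), mbap(1, 1, bytes([3, 20]) + bytes(20))),         # 10-register reply
    ((HMI, 49153), (PLC_B, 502), mbap(2, 2, bytes([4, 0, 0, 0, 4]))),             # read input regs
    ((EWS, 50001), (PLC_A, 502), mbap(3, 1, bytes([16, 0, 16, 0, 1, 2, 0, 255]))),  # write regs
    ((PLC_A, 502), (HMI, 49152), mbap(4, 1, bytes([0x83, 2]))),                   # exception 02
    ((HMI, 49154), (PLC_A, 502), b"\x00\x05\x00\x01\x00\x02\x01\x03"),            # proto id != 0
]

if __name__ == "__main__":
    for ip, f in sorted(infer_assets(FRAMES).items()):
        print(ip, sorted(f["roles"]), "units", sorted(f["units"]),
              "fcs", sorted(f["functions"]), "writers", sorted(f["writers"]))
```

The output is only as complete as the traffic seen: a PLC that nobody polled during the capture window never appears, which is the limitation the passive approach carries and why the article pairs it with walkdowns.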
Data Normalization and Correlation
The real challenge isn’t just data collection: it’s meaningful correlation at scale. Asset information flows in from multiple sources—network sniffers, Windows and Linux agents, PLC management tools, and operator walkdowns. Normalizing device identities, resolving duplicate entries, and handling ambiguous system names require much more than naive enumeration.
Cycling Between Logical and Physical Inventories
A complete inventory means more than just knowing “a Schneider Electric M340 CPU exists at IP 192.168.100.23.” It means knowing where that asset physically resides, what functions it supports, and how it’s connected logically and physically within control and safety architectures. This bi-directional mapping enables anything from root-cause analysis of failures to rapid incident response.
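The correlation and logical-to-physical mapping described in the two sections above, as an added example that is not the article's own code: records from a passive sniffer, a PLC management tool, a Windows agent and a walkdown sheet are normalised (MAC notation, hostname case and domain suffix) and joined on MAC where one is known, otherwise on IP, so the walkdown's physical location lands on the same record as the sniffer's network facts. Disagreements between sources are reported rather than silently overwritten. All source records, addresses and the conflicting firmware values are constructed.

```python
"""Normalise and correlate asset records from several sources into one register.

Added example, not the article's code.  The four sources below are constructed.
Records are joined on a normalised MAC address where one is known, otherwise
on IP; conflicting values are reported, not silently overwritten.
"""
import re
from collections import defaultdict

FIELDS = ("ip", "hostname", "vendor", "model", "location", "role", "firmware")


def norm_mac(mac):
    """Canonical lower-case colon form; None if absent or unparseable."""
    if not mac:
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def norm_name(name):
    """Hostnames compare case-insensitively and without a domain suffix."""
    return name.split(".")[0].strip().lower() if name else None


def correlate(sources):
    """sources: {source_name: [record, ...]}; a record may carry mac, ip and any FIELDS.

    Returns (assets, conflicts).  assets: {key: merged record with 'seen_by'};
    conflicts: [(key, field, {source: value})] where sources disagree.
    """
    ordered = [(src, rec) for src, recs in sources.items() for rec in recs]
    ordered.sort(key=lambda sr: norm_mac(sr[1].get("mac")) is None)  # MAC-bearing first
    ip_to_key, assets = {}, {}
    per_source = defaultdict(lambda: defaultdict(dict))  # key -> field -> {src: val}
    for src, rec in ordered:
        mac = norm_mac(rec.get("mac"))
        ip = rec.get("ip")
        # MAC is the identity; an IP-only record joins a MAC record that carried the same IP
        key = mac or ip_to_key.get(ip) or (f"ip:{ip}" if ip else None)
        if key is None:
            continue
        if ip:
            ip_to_key.setdefault(ip, key)
        entry = assets.setdefault(key, {"key": key, "seen_by": []})
        entry["seen_by"].append(src)
        for fld in FIELDS:
            val = rec.get(fld)
            if val is None:
                continue
            if fld == "hostname":
                val = norm_name(val)
            per_source[key][fld][src] = val
            entry.setdefault(fld, val)       # first value wins; disagreements go to conflicts
    conflicts = [(key, fld, dict(by_src))
                 for key, flds in per_source.items()
                 for fld, by_src in flds.items()
                 if len(set(by_src.values())) > 1]
    return assets, conflicts


def single_source(assets):
    """Assets confirmed by only one source; these need a second look before they are trusted."""
    return [k for k, a in assets.items() if len(set(a["seen_by"])) == 1]


# Constructed source records.  The MAC/IP values and the 2.8 vs 2.9 firmware
# disagreement are invented for the example.
SOURCES = {
    "sniffer": [
        {"mac": "00-80-F4-12-34-56", "ip": "192.168.100.23", "vendor": "Schneider Electric"},
        {"mac": "00:1c:06:aa:bb:cc", "ip": "192.168.100.10", "hostname": "HMI-01"},
    ],
    "plc_tool": [{"mac": "0080f4123456", "model": "M340 CPU", "firmware": "2.8"}],
    "windows_agent": [{"mac": "00:1C:06:AA:BB:CC", "hostname": "hmi-01.plant.local", "role": "HMI"}],
    "walkdown": [
        {"ip": "192.168.100.23", "model": "M340 CPU", "firmware": "2.9", "location": "Panel CP-12, Line 3"},
        {"ip": "192.168.100.10", "hostname": "HMI-01", "location": "Control room, desk 2"},
        {"ip": "192.168.100.77", "model": "serial gateway", "location": "Panel CP-4"},
    ],
}

if __name__ == "__main__":
    assets, conflicts = correlate(SOURCES)
    for a in assets.values():
        print(a)
    print("conflicts:", conflicts)
    print("single-source:", single_source(assets))
```

Two design choices matter here: the first value seen is kept only as a default, with every disagreement surfaced for a human to resolve, and the `single_source` list is exactly the set the article warns about when it says never to trust single-source asset data.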
Industry Standards: IEC 62443 and NIST SP 800-82
IEC 62443 (previously ISA-99) and NIST SP 800-82 both require robust inventory management as a keystone of OT cybersecurity. They don’t prescribe specific tools, but mandate that asset management and identification are ongoing, documented, and accurate at all times.
Network Architecture and Design Considerations
Segmentation and Its Inventory Implication
Classic ICS reference architectures (e.g., Purdue Model, see Purdue Enterprise Reference Architecture, 1990s) segment industrial networks into zones and conduits in an attempt to limit blast radius and tightly control access. Practically, however, this segmentation often creates blind spots for inventory tools:
Firewalled Zones: Devices buried behind DMZs, firewalls and data diodes may not be visible to network-based inventory solutions, especially if monitoring tools are not deployed per zone.
Jump Hosts and Bastions: Admin activity and asset changes conducted via jump servers can create visibility gaps unless logs and agent reach are carefully configured.
Legacy Serial and Proprietary Buses: Non-Ethernet field devices (e.g., HART, Profibus, Modbus RTU over RS-485) are effectively invisible to pure IP scanning techniques, necessitating walkdowns, vendor tools, or protocol-specific hardware taps.
Recommendation: For each new zone or microsegment, validate that inventory mechanisms (passive sniffers, polling hosts, walkdown schedules) cover all assets and pathways.
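One way to turn that recommendation into a repeatable check, as an added example that is not the article's code: each zone is described by the inventory mechanisms deployed in it and the assets it holds, and each conduit by whether it carries a tap. The rules encode the blind spots listed above: IP-attached assets need a tap or polling host inside their zone, serial and fieldbus assets need a walkdown or a protocol-specific tap, assets that rarely transmit need polling or a walkdown, and every conduit needs a tap. The zone names, mechanism labels and assets are constructed.

```python
"""Check that each zone's inventory mechanisms can actually see its assets.

Added example, not the article's code.  Zones, conduits and assets are
constructed; the mechanism names (passive_tap, polling_host, walkdown,
serial_tap) are labels chosen for this example.
"""
IP_MECHANISMS = {"passive_tap", "polling_host"}   # can see Ethernet/IP devices
SERIAL_MECHANISMS = {"walkdown", "serial_tap"}    # can see RS-485/HART/Profibus devices
QUIET_MECHANISMS = {"polling_host", "walkdown"}   # can find devices that rarely transmit


def coverage_gaps(zones, conduits):
    """zones: {name: {"mechanisms": set, "assets": [{"id", "link": "ip"|"serial", "quiet": bool}]}}
    conduits: [{"from", "to", "tapped": bool}]
    Returns [(zone_or_conduit, asset_id_or_None, reason)]; empty means full coverage."""
    gaps = []
    for zname, zone in zones.items():
        mech = set(zone.get("mechanisms", ()))
        for asset in zone.get("assets", ()):
            if asset["link"] == "ip" and not mech & IP_MECHANISMS:
                gaps.append((zname, asset["id"], "IP asset but no tap or polling host in zone"))
            if asset["link"] == "serial" and not mech & SERIAL_MECHANISMS:
                gaps.append((zname, asset["id"], "serial/fieldbus asset; needs walkdown or serial tap"))
            if asset.get("quiet") and not mech & QUIET_MECHANISMS:
                gaps.append((zname, asset["id"], "rarely transmits; passive listening may never see it"))
    for c in conduits:
        if not c.get("tapped"):
            gaps.append((f"{c['from']}->{c['to']}", None, "conduit has no tap; cross-zone traffic unobserved"))
    return gaps


# Constructed plant model: three zones and two conduits.
ZONES = {
    "L3-SiteOps": {"mechanisms": {"passive_tap", "polling_host"},
                   "assets": [{"id": "HIST-01", "link": "ip"}]},
    "L2-Line3-Control": {"mechanisms": {"passive_tap"},
                         "assets": [{"id": "PLC-L3-01", "link": "ip"},
                                    {"id": "PLC-SPARE", "link": "ip", "quiet": True},
                                    {"id": "FT-101", "link": "serial"}]},
    "L1-Line3-Field": {"mechanisms": {"walkdown"},
                       "assets": [{"id": "RTU-07", "link": "serial"},
                                  {"id": "RIO-01", "link": "ip"}]},
}
CONDUITS = [
    {"from": "L3-SiteOps", "to": "L2-Line3-Control", "tapped": True},
    {"from": "L2-Line3-Control", "to": "L1-Line3-Field", "tapped": False},
]

if __name__ == "__main__":
    for where, asset, reason in coverage_gaps(ZONES, CONDUITS):
        print(f"{where:28} {asset or '-':10} {reason}")
```

Run against the zone model whenever a zone or microsegment is added; a non-empty result is a concrete list of assets the inventory cannot currently vouch for.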
Bridging IT and OT – and the Human Factor
Collaboration between IT and OT is neither a new nor easily solved problem. IT security teams accustomed to rapid asset discovery and software asset management tools quickly learn that “scan and forget” approaches simply don’t fly in safety-critical ICS environments. Meanwhile, OT operators sometimes distrust automatic tools and fear network impacts.
Instead, the most successful programs:
Blend passive monitoring with regular, human-verified walkdowns. Walkdowns aren’t just compliance theater—they catch edge devices, shadow systems, and local modifications invisible to any automated system.
Maintain dual registers: one centrally managed, one site-level, cross-referenced quarterly by (ideally) a team with both IT and OT stakeholders.
Employ change management hooks: Every approved modification, installation, or decommissioning event triggers an update to the inventory.
Practical Deployment Patterns
ICS Asset Management Toolchain: Must-Have Features
Multi-modal Discovery: Support for both passive sniffing and carefully controlled active polling. Look for protocol decoding beyond common IT (e.g., deep ICS protocol inspection for Modbus, DNP3, Siemens S7, etc.).
Physical-Logical Mapping: Ability to associate devices with plant floor locations, control panels, rack/port data, and critical process roles.
Lifecycle Tracking: Record not only the current asset state, but also historic changes (firmware updates, re-IPs, ownership, disposal).
Incident Response Integration: Fast lookup and reporting, plus an ability to output to incident management playbooks.
Non-disruptiveness: Support for safety and reliability as non-negotiable requirements during discovery.
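The change management hooks from the previous section and the lifecycle tracking feature above, as an added example that is not the article's or any product's code: an inventory that only changes through an approved change-control event, keeps each asset's history (install, firmware update, re-IP, decommission), and compares itself against what discovery or a walkdown actually observed so that unapproved changes, decommissioned devices still on the wire, and never-recorded devices are reported. The change records, asset IDs and observed values are constructed.

```python
"""Inventory driven by approved change events, with drift detection against it.

Added example, not the article's code.  An inventory record only changes
through an approved change-control event, every change is kept in the asset's
history, and drift() compares the record with what discovery observed.
All records and events below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    asset_id: str
    attrs: dict
    status: str = "active"
    history: list = field(default_factory=list)  # (when, change_id, what)


class Inventory:
    def __init__(self):
        self.assets = {}

    def apply_change(self, change):
        """change: {"id", "when", "approved", "action": install|modify|decommission, "asset_id", "attrs"}."""
        if not change.get("approved"):
            raise PermissionError(f"{change['id']} is not approved; inventory untouched")
        action, aid = change["action"], change["asset_id"]
        if action == "install":
            if aid in self.assets:
                raise ValueError(f"{aid} already in inventory")
            self.assets[aid] = Asset(aid, dict(change["attrs"]))
            self.assets[aid].history.append((change["when"], change["id"], "installed"))
        elif action == "modify":
            a = self.assets[aid]
            for k, new in change["attrs"].items():
                old = a.attrs.get(k)
                if old != new:
                    a.attrs[k] = new
                    a.history.append((change["when"], change["id"], f"{k}: {old} -> {new}"))
        elif action == "decommission":
            a = self.assets[aid]
            a.status = "decommissioned"
            a.history.append((change["when"], change["id"], "decommissioned"))
        else:
            raise ValueError(f"unknown action {action!r}")

    def drift(self, observed):
        """observed: {asset_id: attrs} from discovery or a walkdown.
        Returns [(asset_id, kind, detail)]; only attributes discovery reports are compared."""
        findings = []
        for aid, a in self.assets.items():
            seen = observed.get(aid)
            if a.status == "active" and seen is None:
                findings.append((aid, "missing", "active in inventory, not observed"))
            elif a.status == "decommissioned" and seen is not None:
                findings.append((aid, "zombie", "decommissioned but still observed"))
            elif seen is not None:
                for k, v in seen.items():
                    if k in a.attrs and a.attrs[k] != v:
                        findings.append((aid, "unapproved-change",
                                         f"{k}: inventory {a.attrs[k]}, observed {v}"))
        for aid in observed:
            if aid not in self.assets:
                findings.append((aid, "unknown", "observed but never recorded"))
        return findings


# Constructed change history and a constructed discovery snapshot.
APPROVED_CHANGES = [
    {"id": "CHG-100", "when": "2024-01-10", "approved": True, "action": "install",
     "asset_id": "RTU-07", "attrs": {"ip": "192.168.101.7", "firmware": "1.4"}},
    {"id": "CHG-101", "when": "2024-01-12", "approved": True, "action": "install",
     "asset_id": "PLC-L3-01", "attrs": {"ip": "192.168.100.23", "firmware": "2.8", "location": "Panel CP-12"}},
    {"id": "CHG-102", "when": "2024-01-12", "approved": True, "action": "install",
     "asset_id": "HMI-01", "attrs": {"ip": "192.168.100.10", "os": "Windows 10"}},
    {"id": "CHG-103", "when": "2024-01-15", "approved": True, "action": "install",
     "asset_id": "SWITCH-03", "attrs": {"ip": "192.168.100.2"}},
    {"id": "CHG-104", "when": "2024-02-20", "approved": True, "action": "modify",
     "asset_id": "PLC-L3-01", "attrs": {"firmware": "2.9"}},
    {"id": "CHG-105", "when": "2024-02-28", "approved": True, "action": "decommission",
     "asset_id": "RTU-07", "attrs": {}},
]
UNAPPROVED = {"id": "CHG-106", "when": "2024-03-02", "approved": False, "action": "modify",
              "asset_id": "HMI-01", "attrs": {"ip": "192.168.100.11"}}
OBSERVED = {
    "PLC-L3-01": {"ip": "192.168.100.23", "firmware": "2.9"},  # matches approved state
    "HMI-01": {"ip": "192.168.100.11"},                        # re-IPed with no approved change
    "RTU-07": {"ip": "192.168.101.7"},                         # decommissioned on paper, still online
    "EWS-02": {"ip": "192.168.100.50"},                        # never recorded
}


def build_inventory():
    inv = Inventory()
    for chg in APPROVED_CHANGES:
        inv.apply_change(chg)
    return inv


if __name__ == "__main__":
    inv = build_inventory()
    for entry in inv.assets["PLC-L3-01"].history:
        print("history", entry)
    for finding in inv.drift(OBSERVED):
        print("drift", finding)
```

The drift report is the feedback loop the article asks for: each finding is either a change that bypassed change control or a discovery blind spot, and both are worth a ticket.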
Example Architecture: Tiered Asset Discovery
Typical best practice is a tiered asset discovery approach:
Tier 0 (Enterprise): IT asset management solutions inventory enterprise servers and workstations—these interface with, but do not enumerate, OT edge devices.
Tier 1 (ICS DMZ): Specially configured hosts with ICS protocol plugins operate at the DMZ; deployment of passive taps on all ingress/egress points is ideal.
Tier 2/3 (Control/Process Network): Carefully placed protocol analyzers coupled with operator walkdowns; no aggressive network scans outside tightly controlled windows.
Additionally, many organizations now deploy “ICS-aware” asset management platforms, which sit out-of-band and correlate both live network data and periodic operator input. These tools must be validated on live systems prior to full production rollout.
Pitfalls and Lessons Learned
Over-reliance on Automation: Automated tools miss devices with no network traffic. Manual validation—however inconvenient—remains essential.
Underestimating Change Management: Asset inventories quickly rot if not strictly coupled to configuration change control. Ensure organizational discipline.
Neglecting Physical Security: Rogue assets can be physically installed without IT/OT’s knowledge. Regular physical inspection is the only defense.
Failure to Communicate: Centralized asset inventories only work if regularly communicated to both local engineering and enterprise teams. Implement regular review cycles and feedback.
Conclusion: Honest Advice for Getting It Right
True inventory and asset management in ICS environments is an iterative, collaborative, and often messy process—it’s far closer to good ops than it is to checkbox compliance. Focus on normalizing and correlating data across protocols, zones, and human boundaries. Never trust single-source asset data. Layer passive and (carefully!) active discovery with regular operator input. Above all, make the inventory matter: if it’s only produced for auditors, it will quickly become an irrelevance. If it’s used by engineers, incident responders, and process owners, it will stay current and valuable.
Key Takeaway: Embrace both tech and human procedure. In ICS, you’ll need both to build and keep the living asset inventory that modern industrial risk management—whether for reliability or security—absolutely requires.