[OT Sec] “OT Asset Identification: 5 Steps Field Teams Must Complete Before Any Vulnerability Scan”

Why “you can’t protect what you can’t see” is a hard truth on the plant floor — told from a practitioner’s point of view.
Walk into a plant for the first time on a vulnerability engagement, and the first thing you face is not the scanner — it is the uncomfortable truth that nobody knows exactly what is in there. The drawings are five years old, the responsible engineer has changed twice, and inside the control cabinet sits a device that appears on no diagram. Running a scanner in that state is like sprinting through a dark factory with no map. That is why every engagement begins with OT asset identification.
This is not a procedural nicety. According to the SANS Institute 2025 State of ICS/OT Security survey, more than one in five organizations experienced an ICS/OT incident, around 40% of those led to operational disruption, and nearly 20% took more than a month to recover (SANS, 2025). Attackers target precisely the areas you cannot see — and OT asset identification is the first step that brings those areas into the light. Put plainly, OT asset identification is where defensive work either gains its footing or loses it.
Why asset identification must come first
In an IT environment you can start from Active Directory or a CMDB. OT environments rarely offer a single source of truth. An RTU installed a decade ago and never documented, a field device added during a capital project with no security review, an engineering workstation still running a legacy operating system — these coexist as the norm. This is exactly why OT asset identification is both harder and more important than its IT counterpart.
The gap shows in the data. In the SANS 2025 survey, asset inventory and visibility was the single largest technology investment area in 2025 (50% of respondents) and remains the top priority for 2026–2027 (54%) (SANS, 2025). In the same survey, roughly 31% of organizations reported having no centralized — or no formal — inventory of their active ICS/OT remote-access points (SANS, 2025). That so many assets remain “unknown even as a managed object” is the clearest argument for why OT asset identification must precede scanning — and why mature programs now begin and end with OT asset identification.
The joint guide CISA published in August 2025 with the NSA, FBI, and partner agencies across eight countries — Foundations for OT Cybersecurity: Asset Inventory Guidance — reaches the same conclusion. It states that without an inventory an organization cannot know what it has or what must be protected, and it defines the asset inventory as the foundation of a modern defensible architecture and one of CISA’s Cybersecurity Performance Goals (CPGs) (CISA, 2025). In short, OT asset identification is not a “nice to have” — it is the thing without which nothing after it holds together.
Fittingly, the very first function of the NIST Cybersecurity Framework is named “Identify.” Applied to control systems, it calls for cataloguing PLCs, RTUs, HMIs, engineering workstations, historian servers, and all OT network gear, and above all for capturing the communication patterns — what talks to what, over which protocol, on which segment (NIST, 2023). This is why OT asset identification has to be defined as work that includes communication flows and dependencies, not merely a device list.
Methods and the 5-step OT asset identification process
So how is OT asset identification carried out in practice? The CISA joint guide lays out a proven five-step process (CISA, 2025). The first is defining scope and objectives: set the boundaries of which zones, facilities, and systems are included, establish governance and roles, and agree first on what counts as an “asset.” Getting this definition right is what keeps OT asset identification consistent across teams. The second is identifying assets and collecting attributes, combining physical inspection with logical survey to build the asset list and its network dependencies, capturing high-priority attributes such as criticality, type/role, end-of-life (EOL) status, hostname, IP address, and physical location.
The third step is building a taxonomy: classifying assets by function and criticality so that risk identification, vulnerability management, and incident response become tractable. CISA recommends a classification built on the zones and conduits of ISA/IEC 62443 (Industrial Defender, 2025). The fourth is data management and the fifth is lifecycle management — keeping the list alive rather than letting it die as a one-off document. Together, these five steps turn OT asset identification into a continuous process rather than a single event, and that continuity is what separates durable OT asset identification from a stale spreadsheet.
The most important field principle is: never touch a device in a way that could stop the process. IT-style active scanning can disrupt process communications in OT and trigger PLC faults or process trips, which is why NIST SP 800-82 Revision 3 and many guides prioritize passive monitoring (NIST, 2023). So the primary technique for OT asset identification is the passive approach — observing traffic to learn what communicates with what, over which protocol, on which segment — overlaid with document review, physical walkdowns, and operator interviews to close the blind spots.
More concretely, passive monitoring copies traffic from a switch mirror (SPAN) port, placing no load on the operational network. Add configuration-based analysis — collecting configs from switches, routers, and firewalls to reverse-model the connectivity — and you can reconstruct much of the topology without any active scanning. The key is that no single method is complete on its own. Continuously cross-checking automated results against what a human verifies by eye is the most realistic way to raise the accuracy of OT asset identification.
Six surprises you will meet in the field
However well you plan, the real difficulty of OT asset identification begins on site. The most common first surprise is the ghost device absent from every drawing — a converter or gateway quietly running that nobody remembers installing. The second is a process stoppage caused by active scanning: an aging PLC can fault on a single unexpected packet, so the wrong scan at the wrong moment can halt a line. The third is serial-based, non-IP devices, invisible to network-based discovery and therefore a blind spot for OT asset identification.
The fourth is duplicate or conflicting IPs and document-versus-reality mismatches, where the address on the drawing differs from the actual device, or one IP is reused in several places. The fifth is the vendor remote-access path nobody knew about — external connectivity left open for maintenance and missing from the inventory — which lines up exactly with the SANS finding that roughly 31% of organizations lack an inventory of remote-access points (SANS, 2025). The sixth is the loss of personnel and knowledge: the person who installed the equipment has left, and its function and dependencies live in no one’s head. These are not exceptions; they are closer to the default condition of nearly every site, and anticipating all six is itself part of disciplined OT asset identification.
Preparation know-how when you start from a blank page
When you start from a blank page, OT asset identification becomes an exercise in design before discovery. In the field, the most common starting point is not a “poor” asset register but the complete absence of one. The client has never built an asset register, and you must draw the first list on a blank page. Here the first move in OT asset identification is not to power up a scanner but to define what counts as an asset and which fields the register will hold. Design the register schema first around CISA’s priority attributes — criticality, type/role, EOL status, hostname/IP address, physical location — and agree a naming convention and a unique-ID scheme up front to prevent duplication and confusion later (CISA, 2025).
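As an added illustration, not code from the article or from the CISA guide, the register schema described above (CISA's priority attributes plus a unique ID) combined with the passive cross-check from the methods section: documented entries are reconciled against constructed SPAN observations to surface the duplicate IPs, ghost devices and non-IP blind spots listed under the six field surprises. Field names, the ID scheme, addresses and protocols are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Register schema built around CISA's priority attributes; field names and the ID scheme are my own assumptions.
@dataclass(frozen=True)
class Asset:
    asset_id: str            # unique ID; assumed scheme "<site>-<zone>-<seq>"
    hostname: str
    ip: Optional[str]        # None for serial / non-IP devices
    type_role: str
    criticality: str         # "high" / "medium" / "low"
    eol: bool
    location: str

# Constructed register seeded from as-built drawings: hypotheses to verify on site.
REGISTER = [
    Asset("PLT1-Z1-001", "PLC-LINE1", "10.10.1.10", "PLC", "high", True, "Cabinet A-01"),
    Asset("PLT1-Z1-002", "HMI-LINE1", "10.10.1.20", "HMI", "medium", False, "Control room"),
    Asset("PLT1-Z1-003", "RTU-PUMP", None, "RTU (serial)", "high", True, "Pump house"),
    Asset("PLT1-Z1-004", "EWS-01", "10.10.1.30", "Eng. workstation", "high", True, "Cabinet A-02"),
    Asset("PLT1-Z2-001", "HIST-01", "10.10.1.20", "Historian", "medium", False, "Server room"),
]

# Constructed passive observations (src, dst, protocol) as a SPAN-fed sensor would report them.
OBSERVED = [
    ("10.10.1.20", "10.10.1.10", "modbus/tcp"),
    ("10.10.1.77", "10.10.1.10", "s7comm"),   # a talker that is on no drawing
    ("10.10.1.20", "10.10.2.5", "opc-ua"),    # a peer outside the documented segment
]

def reconcile(register, observed):
    """Cross-check passive observations against the documented register."""
    by_ip = {}
    for asset in register:
        if asset.ip:
            by_ip.setdefault(asset.ip, []).append(asset.asset_id)
    seen = {ip for src, dst, _ in observed for ip in (src, dst)}
    return {
        # one address claimed by two register entries: the drawing or reality is wrong
        "duplicate_ips": sorted(ip for ip, ids in by_ip.items() if len(ids) > 1),
        # ghost devices: talking on the wire, absent from every document
        "ghost_devices": sorted(seen - set(by_ip)),
        # documented but silent in the capture window: retired, idle or misaddressed
        "silent_documented": sorted(i for ip, ids in by_ip.items() if ip not in seen for i in ids),
        # serial / non-IP assets that passive capture can never confirm: walkdown only
        "needs_walkdown": sorted(a.asset_id for a in register if a.ip is None),
        # protocol footprint per documented address: the "what talks to what" record
        "protocols": {ip: sorted({p for s, d, p in observed if ip in (s, d)})
                      for ip in by_ip if ip in seen},
    }
```

Every entry the function returns is a question for the walkdown and the operator interviews, not an answer; the passive view only tells you where the documents and the wire disagree.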
No register does not mean no clues. P&IDs and as-built drawings, purchase and order history, maintenance records, vendor delivery lists, and spare-parts inventories are all seeds for the first OT asset identification. But because these were created at different times, they often diverge from reality, so treat them as hypotheses and verify everything on site. The CISA guide likewise instructs that inventory scope be derived from both documentation and physical inspection (CISA, 2025).
A first asset register — in other words, a first OT asset identification — is filled more by feet and people than by tools. Building operator and maintenance interviews into the formal process surfaces the existence and purpose of “devices not on any drawing” faster than any scanner. Add a physical walkdown — opening cabinets and photographing nameplates — and you can capture even the serial-based, non-IP assets that network discovery would never see. The ghost devices and unknown remote-access paths you uncover here are where the risk that accumulated during the register-less years all surfaces at once.
The thinner your baseline, the stricter your safety principles must be. Forbid active scanning during production, keep passive monitoring as the primary technique, and run any unavoidable active checks only within a maintenance window, with a rollback plan and backups in place; NIST SP 800-82 Revision 3 prioritizes passive methods for the same reason (NIST, 2023). Finally, run the work as IT–OT collaboration from the start, and pin down ownership and an update cadence — who refreshes and validates the register, and how often. Only then does a hard-won first OT asset identification avoid ending as a one-off report and settle into a living standard the organization can keep trusting.
Conclusion: inventory quality decides assessment quality
OT asset identification is neither glamorous nor visible. Yet the accuracy of this stage determines the credibility of the entire vulnerability assessment and risk response that follow. A device you never knew existed cannot become a scan target, and an unscanned asset becomes the very path an attacker looks for first. SANS analysis found that organizations with comprehensive asset visibility were roughly 3.7 times more likely to achieve full visibility across the ICS Cyber Kill Chain than those without it (SANS, 2025). That multiplier is the quiet leverage of getting OT asset identification right.
The essence is simple: draw the map before you pick up the tools, verify that map in the field rather than on paper, and keep the process alive rather than running it once. An OT asset identification that honors these three is the firmest possible foundation for OT security that does not wobble.
References
- CISA and partner agencies (8 countries), Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, 2025. — cisa.gov
- SANS Institute, ICS/OT Network Visibility (based on the 2025 State of ICS/OT Security survey). — sans.org
- Dragos, SANS State of OT Security 2025: What the Data Tells Us, 2025. — dragos.com
- Industrial Cyber, SANS Institute 2025 survey finds OT cybersecurity incidents rising, 2025. — industrialcyber.co
- NIST, SP 800-82 Revision 3, Guide to Operational Technology (OT) Security, 2023. — csrc.nist.gov
- Industrial Defender, CISA and International Partners Emphasize Importance of OT Asset Inventory, 2025. — industrialdefender.com