Asset Discovery makes it easier to identify active system assets. (see article Asset Discovery). This is preceded by the inventory list – the Asset Inventory – which contains much more than just “Computer 1 is on the 3rd floor in room xyz.”.
In order to operate effective IT/OTsecurity, a company must be able to make decisions quickly and effectively. If, for example, a new vulnerability becomes known, the entire environment should not have to be examined in order to determine whether the corporate or OT network is affected. In this and many other situations, an up-to-date asset inventory can help. For example, it shows us which systems are in use with which versions. The obvious benefit is that this allows a quick assessment of the situation.
How do you approach an asset inventory?
Asset Inventory can appear in many forms: Whether it is the classic Excel list that is manually maintained by hand or the latest Inventory and Asset Management Tool (IAM) – it is important that the information is up-to-date!
If you know in advance which information is absolutely necessary for an effective Asset Inventory, then you can make it a “mandatory definition” for all lists of this kind (e.g. year of construction and brand of the device, type of operating system, version of the operating system, type of other software, versions etc.).
Asset Inventory does not have to cover 100% of the systems from the very beginning. It is much more important to start with the Asset Inventory with critical systems and to collect correct / important data (this includes not only the “mandatory definitions” but also the criticality of the system and a responsible person). In addition, processes for maintaining the asset inventory should be defined (regular checking of up-to-dateness, adding, changing, removing components). If this rigorous procedure can be ensured, an important step towards IT/OT security has been taken!