
Asset Discovery and Asset Management in OT: Why Visibility Alone Isn’t Enough

In Operational Technology (OT) environments, where systems such as SCADA, PLCs, DCS, and safety instrumentation control critical infrastructure, cybersecurity isn’t just about tools; it’s about strategic governance. A common misconception is conflating asset discovery with asset management. While both are essential, they serve fundamentally different roles in securing OT systems: one is reactive, the other strategic.

In an OT Cybersecurity webinar series, Mubarik Mustafa, Principal Consultant for OT/ICS cybersecurity at ACET Solutions, provided critical insights into the relationship between asset discovery and asset management within OT, emphasizing the need for robust asset management practices for effective cybersecurity.

Watch the full OT Cyber Security webinar here.

In this article, we will go into detail and explain the core differences between asset management and asset discovery.

Understanding the OT Environment: Where Change Must Be Controlled

OT systems are the backbone of industrial facilities, from refineries to power plants. Unlike IT, these environments prioritize safety, availability, and operational integrity. Here, uncontrolled changes can lead to catastrophic failures. This is why Management of Change (MOC) is essential to ensure the continuity of operations without disruption. Even a small change, like swapping a pressure transmitter, follows a comprehensive, validated process:

  1. Document the change (e.g., redline the P&ID and instrument datasheet)
  2. Secure approvals from safety, operations, and engineering
  3. Implement the change only after validation
  4. Update “as-built” documentation to reflect the new state

Mubarik Mustafa said, “In OT, you never make a change first and document it later. That’s a recipe for chaos.”

Yet when it comes to cybersecurity, many organizations bypass this core principle and rely solely on asset discovery tools that react to changes, instead of enforcing asset management processes that control them.

Asset Discovery: Big Picture, Not a Strategy

Asset Discovery tools scan OT networks to identify devices (IPs, models, firmware, etc.) and generate real-time inventories. They excel at:

  1. Building baseline inventories
  2. Validating existing asset lists
  3. Providing quick visibility of assets on the network

While the detection capabilities of these tools are valuable, they come with limitations. They are reactive by design: they detect changes after they occur (e.g., a new device joins the network). Their visibility is often incomplete or inaccurate because of the diverse nature of OT devices, inaccessible or segregated networks, and field instruments that are not on any network at all, and they have little or no insight into offline devices. Above all, they offer no control: discovery cannot prevent an unauthorized change, it can only report it.

“Asset discovery gives you information after the change has happened. In OT, that’s too late,” said Mubarik.

Asset Management: Proactive Governance for OT Security

True OT resilience requires asset management: a framework aligned with industrial MOC principles and required by international cybersecurity standards and guidance (e.g., ISA/IEC 62443, NIST SP 800-82, NERC CIP). This involves:

  1. Pre-approval of changes (like MOC workflows)
  2. Lifecycle tracking (e.g., flagging end-of-life devices)
  3. Compliance with standards (ISA/IEC 62443, NIST SP 800-82, NERC CIP)


Key advantages over discovery tools:

  1. Proactive risk mitigation: Changes are vetted before implementation
  2. Holistic coverage: Includes offline assets and manual processes (e.g., field devices)
  3. Auditability: Full traceability of who changed what and why

“Asset discovery is not a replacement for asset management. You need both, but management must drive the process,” said Mubarik Mustafa.

For example:

If a network scan detects an unauthorized device, asset management processes determine:

  • Was it approved via MOC?
  • Who installed it?
  • Is it compliant with security policies?
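
The reconciliation those three questions describe can be automated once a master register exists. The following script is an added example written for this article, not code from the webinar or from ACET Solutions: it compares a constructed discovery scan against a constructed MOC-governed asset register and sorts every difference into the governance question it raises. The sample data, the field names (tag, mac, firmware, eol, networked), the MOC references and the choice to match devices on MAC address are all assumptions made for the example.

```python
"""Reconcile an asset-discovery scan against an MOC-governed asset register (illustrative)."""
from dataclasses import dataclass
from datetime import date

# --- Constructed sample data; not output from any real discovery tool or CMDB ---

# Reactive view: what a discovery scan reports about the network right now.
DISCOVERED = [
    {"ip": "10.1.10.11", "mac": "00:1d:9c:aa:00:11", "model": "1756-L71", "firmware": "31.011"},
    {"ip": "10.1.10.12", "mac": "00:1d:9c:aa:00:12", "model": "1756-L71", "firmware": "33.011"},
    {"ip": "10.1.10.50", "mac": "b8:27:eb:aa:bb:cc", "model": "Unknown", "firmware": ""},
]

# Proactive view: the master asset register, i.e. what was approved to exist.
# "networked" is False for instruments (e.g. a 4-20 mA transmitter) that no scan can ever see.
REGISTER = [
    {"tag": "PLC-101", "mac": "00:1d:9c:aa:00:11", "model": "1756-L71", "firmware": "30.011",
     "eol": date(2028, 12, 31), "networked": True},
    {"tag": "PLC-102", "mac": "00:1d:9c:aa:00:12", "model": "1756-L71", "firmware": "30.011",
     "eol": date(2023, 6, 30), "networked": True},
    {"tag": "HMI-01", "mac": "00:0c:29:11:22:33", "model": "PanelView", "firmware": "12.0",
     "eol": date(2029, 1, 1), "networked": True},
    {"tag": "PT-2041", "mac": None, "model": "Rosemount 3051", "firmware": "n/a",
     "eol": date(2030, 1, 1), "networked": False},
]

# Approved MOC records (assumed format): (asset tag, approved firmware) -> MOC reference.
MOC_APPROVED = {
    ("PLC-101", "31.011"): "MOC-2024-003",  # upgrade approved, as-built record not yet updated
}


@dataclass
class Finding:
    category: str   # machine-readable finding type
    subject: str    # asset tag, or IP address when no tag is known
    detail: str     # the question the asset-management process must answer


def reconcile(discovered, register, moc_approved, today):
    """Compare a scan against the register and return the governance findings.

    Devices are matched on MAC address: in a flat OT network IPs get reassigned,
    while the MAC ties a finding to one physical device.
    """
    findings = []
    by_mac = {a["mac"]: a for a in register if a["mac"]}
    seen = set()

    for dev in discovered:
        asset = by_mac.get(dev["mac"])
        if asset is None:
            # On the network but never approved: who installed it, and under which MOC?
            findings.append(Finding("unauthorized_device", dev["ip"],
                                    f"{dev['model']} at {dev['ip']} has no register entry; raise an MOC exception"))
            continue
        seen.add(asset["tag"])
        if dev["firmware"] != asset["firmware"]:
            ref = moc_approved.get((asset["tag"], dev["firmware"]))
            if ref:
                # Change was approved first; only the as-built documentation is behind.
                findings.append(Finding("register_stale", asset["tag"],
                                        f"firmware {dev['firmware']} approved under {ref}; update register from {asset['firmware']}"))
            else:
                # Change made before documentation: the failure MOC exists to prevent.
                findings.append(Finding("unapproved_change", asset["tag"],
                                        f"firmware {asset['firmware']} -> {dev['firmware']} with no MOC record"))

    for asset in register:
        if not asset["networked"]:
            # Only the register knows about these; a scan gives zero coverage here.
            findings.append(Finding("not_scannable", asset["tag"],
                                    f"{asset['model']} is a non-networked field device; verify by walkdown and MOC records"))
        elif asset["tag"] not in seen:
            findings.append(Finding("missing", asset["tag"],
                                    "approved asset not seen by scan; confirm decommissioning or outage"))
        if asset["eol"] < today:
            findings.append(Finding("end_of_life", asset["tag"],
                                    f"past vendor end-of-life ({asset['eol'].isoformat()}); plan replacement via MOC"))
    return findings


def summarize(findings):
    """Group finding subjects by category, in order, for a report or ticket queue."""
    out = {}
    for f in findings:
        out.setdefault(f.category, []).append(f.subject)
    return out


def run_sample(today=date(2025, 1, 15)):
    """Run the reconciliation over the constructed sample data as of a fixed date."""
    return summarize(reconcile(DISCOVERED, REGISTER, MOC_APPROVED, today))


if __name__ == "__main__":
    for f in reconcile(DISCOVERED, REGISTER, MOC_APPROVED, date(2025, 1, 15)):
        print(f"[{f.category:>19}] {f.subject}: {f.detail}")
```

The design choice worth noting is that the register, not the scan, is the source of truth. The same firmware difference is classified two ways depending on whether an MOC record exists (documentation lag versus unapproved change), the device the scan has never heard of becomes an MOC exception rather than a silently added inventory row, and the transmitter that will never appear on any scan is still tracked for end-of-life. That is the "management drives the process" relationship in code form.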

Comparison of asset discovery and asset management (as presented in the webinar infographic):

  • Occurrence: discovery reports after the change; management acts before the change.
  • Control: discovery has no control over assets; management has control over assets.
  • Approach: discovery follows a reactive approach with high risk; management follows a proactive approach with low risk.
  • Effort and coverage: discovery takes less effort for limited coverage of the network; management takes high effort for coverage of the complete OT environment.
  • Use case: discovery serves initial inventory, validation of inventory and quick visibility; management includes governance and lifecycle tracking.
  • Mandate: discovery is partially mandated by cybersecurity standards; management is fully mandated by them.

Final Thoughts

OT environments demand proactive control, not just visibility. Asset discovery provides quick visibility and helps in building an initial inventory of your OT assets, an “as-is” picture taken after changes have occurred, and it is a valuable tool for validating your master asset management database. It cannot, however, be considered a replacement for asset management.

True asset management in the OT environment means following a Management of Change (MOC) process: design, documentation, approval, and implementation, with the “as-built” documentation updated so that it reflects the current state before the next change is made. This proactive approach mitigates significant risks to health, safety, the environment, and operations.

To learn more about how ACET Solutions can help you with robust OT assessment and management strategies, visit here.
