Operational Technology (OT) systems are increasingly in the cybersecurity spotlight as the potential for cyber-physical impacts grows across critical infrastructure sectors. From energy and water to transportation and advanced manufacturing, OT encompasses the technologies that keep essential operations running – process automation, instrumentation, industrial control systems (ICS) and other cyber-physical systems that bridge the digital and physical worlds.

As these systems become more interconnected – seen in everything from modern factories to airports and smart utilities – the risks expand in both scale and complexity. Recognizing this, the Cybersecurity and Infrastructure Security Agency (CISA) recently issued Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, which elevates asset inventory from a best practice to a foundational security control.

To explore what this shift means for organizations, STV’s Danielle “DJ” Jablanski, cybersecurity consulting program lead, discusses why even sophisticated, global companies continue to face challenges in achieving full visibility across their OT assets, and how improved inventory practices can strengthen resilience.

1. We often hear that critical systems are “airgapped” or completely separate from the internet. Is that still true?

The idea that these systems are completely cut off from other networks (what we call an “airgap”) discounts the fact that today, for all kinds of practical reasons, these systems are connected. This means the traditional approach of building a secure perimeter around them isn’t enough. Instead of simply trying to keep attackers out, we need to focus on making sure that even if something goes wrong, mission-critical systems can continue to operate safely. It’s about designing architectures and implementing [MG1] controls that ensure the ability to operate under or despite compromise.

2. The assumption is that large, sophisticated organizations have this figured out. Is that true today?

When you pull the curtain back, many organizations with complex and diverse business units and operations struggle the most with asset management and centralized analysis of what they own, how its connected, its security profile and what to do to address cyber risks. Some networking software may showcase physical connectivity on a site-by-site basis, while disparate security tools may capture logical network flows elsewhere. But a comprehensive and dynamic asset inventory, taxonomy and core understanding of the criticality of systems, as well as their interdependencies and single points of failure for effective risk management, is often still lacking.

3. Where should an organization or agency begin without getting overwhelmed?

The best place to start is not with a complex standard but by borrowing from best practices. Ask yourself: What is the most important product, service or resource we provide? From there, begin to identify the equipment and software that make those functions possible and how compromise of those systems can impact your mission. The asset inventory guidance from CISA reminds owners and operators that the classification of assets can be criticality-based alone or grouped based on function – which refers to the purpose that systems or systems of systems serve. Government agencies consider this exercise when doing high-value asset assessments.

At STV, we help clients follow a clear process to secure what truly matters based on process and function: what is provided, treated, produced, fabricated, manufactured, pumped, assembled, etc. Securing missions in this way allows an organization to select the appropriate metrics for validating continuous improvement over time rather than checking security compliance boxes on a worksheet.

4. How is STV’s approach to cybersecurity different?

Many firms can inform you about digital threats in general and their potential impacts, but STV works closely with clients to understand how their systems are designed, how they operate and who is responsible for their day-to-day security and resilience. Our goal is to develop competence, capacity and capabilities that enhance clients’ security posture and risk management capabilities. Because our cybersecurity team works side by side with our engineers and does not resell technology or offer managed services, we can provide greenfield security, advisory services for upgrades to existing programs and standalone services that all leverage tacit knowledge from each sector we serve.   

5. Everyone talks about “visibility” being important. What does that actually mean on a day-to-day basis?

Visibility is a phrase that is often used to describe network awareness that considers compensating controls for the lack of security features or principles available to OT systems. Inventories provide an understanding of digital components, devices, systems and infrastructure. Analysis of connectivity between these systems allows owners and operators to investigate the integrity of systems and data. Risk assessments of known inventory and integrity impacts can provide proactive identification of misconfiguration issues and potential cybersecurity failures and incidents before they occur. The implementation of automated tools enables the dynamic analysis and alerting of data from operations that were once statically logged and reviewed.

CISA’s guide recommends several tools for maturing OT cybersecurity, including automated vulnerability and patch management tools where appropriate, as well as continuous monitoring of networked systems and process variables. STV works with clients to assess the utility of their current visibility tools and select the appropriate metrics and investments to consider next.

Achieving enhanced visibility doesn’t require new tools and solutions immediately. A step-by-step process empowers operators to transition from reacting to threat intelligence and potential incidents to anticipating and mitigating risks. STV’s cybersecurity advisory team looks forward to making communities better by partnering with clients on these incremental steps toward more secure and defensible real-world operations.