
The Challenge of IT and OT Asset Discovery

Introduction

These days most of my engagements seem to be focused around helping my clients discover all of the IT and OT assets in their estate. And there’s lots of confusion around the challenges of doing a comprehensive asset discovery.

Every CISO understands the simple truth: you can’t protect what you don’t know you have. A comprehensive inventory of IT and OT assets – from servers and laptops to industrial controllers and IoT sensors – is the foundation of effective cybersecurity. In theory, building this asset inventory sounds straightforward. In practice, it’s one of the hardest tasks in cybersecurity today.

Many enterprises find that even identifying all their IT and OT assets is challenging. In fact, a majority of security leaders admit they’ve experienced incidents due to unknown or unmanaged assets. The difficulty only multiplies when you include operational technology (OT) on factory floors and the explosion of Internet of Things (IoT) devices in offices and facilities. Despite investing millions, organizations (from global banks to critical infrastructure operators) still struggle to achieve full visibility into their asset landscape.

Why Complete Asset Inventory Is Essential

A full asset inventory isn’t just a compliance checkbox; it’s a prerequisite for almost every cybersecurity function. Virtually all security frameworks highlight asset management as a first step. For example, CIS Critical Security Control #1 is “Inventory and Control of Enterprise Assets”, covering all devices (including IoT) across physical, virtual, remote, and cloud environments.

The logic is simple: if you don’t know an asset exists, you won’t secure it with patches, monitoring, or access controls – and attackers will find those blind spots. In incident response, asset lists let you quickly identify affected systems; in vulnerability management, they tell you where a new critical CVE might apply. And looking ahead, a detailed inventory is the first step toward quantum readiness – you can’t assess which systems use vulnerable cryptography if you don’t even know all the systems you have. In short, asset visibility underpins everything: you can’t patch, protect, or upgrade what you can’t see.

Yet despite this well-understood importance, asset discovery and inventory remain elusive goals for most organizations. Enterprises often lack a real-time, unified view of their IT, OT, and cloud environments. Asset lists compiled one month are out of date the next.

The Ever-Expanding IT/OT Landscape

Modern organizations operate in an ever-expanding digital landscape that blurs the line between traditional IT and the operational world. Gone are the days when an asset inventory meant just desktops, data center servers, and network switches.

Today’s IT environment includes on-premise systems, cloud instances, containerized microservices, mobile devices, and more. Meanwhile, OT environments – found in industries like manufacturing, energy, transportation, and critical infrastructure – are full of specialized devices: programmable logic controllers (PLCs), SCADA systems, industrial sensors, and robotics. Add to that the swarm of IoT devices entering corporate networks: smart building controls, security cameras, smart TVs in conference rooms, badge readers, even things as odd as smart fish-tank thermometers or internet-connected coffee machines. In one office building assessment, we discovered over 160 distinct types of “smart” devices – many installed by facilities or other departments without IT’s knowledge.

This diversity means “every single device” really does mean everything. A proper inventory must account for the smart power strip behind a rack in your data center, the vehicle-counting sensor in the parking garage, the thermometer in the CEO’s aquarium, the smart fragrance dispenser in the bathroom, the smart forklift in the loading dock… Each of these may seem trivial, but if it connects to your network (or controls something that does), it’s part of your attack surface. And each likely uses some form of software or firmware – often with network communication and even cryptography under the hood – that needs to be secured.

The scale is staggering. A large global enterprise can literally have millions of individual assets when you count IT and OT together. For example, a major telecom operator might have everything from core network routers and data center gear to thousands of cellular base stations and customer premises devices scattered across regions. A big bank might run thousands of servers and workstations plus ATMs, point-of-sale devices, building management systems, and trading floor appliances.

Keeping tabs on such a sprawling inventory is a monumental task, even before considering the technical nuances of discovery. It’s no surprise that many organizations struggle to maintain an accurate catalog of all their devices, applications, and systems.

The IT Asset Discovery Challenge

In traditional IT environments, one might expect asset management to be more straightforward – yet significant challenges persist. Lack of visibility is problem #1. Even in well-resourced IT departments, it’s common to find unknown devices or systems. Reasons include:

  • Large, Distributed Networks: In global enterprises or those with many remote sites, assets can easily be added outside central IT’s purview. Remote offices, labs, or acquired companies may introduce hardware that isn’t recorded in the main inventory. Cloud services allow teams to spin up virtual machines or databases on-demand, often without the same oversight as physical devices, leading to “shadow IT” infrastructure.
  • Shadow IT and Unmanaged Assets: Business units sometimes deploy their own IT solutions (e.g. a marketing team setting up a cloud server, or an engineer installing a rogue Wi-Fi router) without informing IT. These unauthorized or unmanaged assets create blind spots.
  • Dynamic and Ephemeral Systems: Modern IT is highly dynamic. Virtual machines come and go, containers spin up or down in seconds, and serverless functions execute and vanish. Keeping a static inventory of such ephemeral assets is incredibly tough – a device that existed yesterday may not exist today (but might reappear later).
  • BYOD and Remote Work: The rise of Bring Your Own Device and remote work means many endpoints accessing company data are not company-issued or constantly connected to the corporate network. Laptops that haven’t VPNed in recently might not be accounted for. Personal devices used for work (phones, tablets) could be completely off the radar.
  • Tool and Data Fragmentation: Enterprises deploy numerous tools – vulnerability scanners, network monitoring, endpoint management suites, directory services – each of which knows part of the asset picture. Consolidating these into a single CMDB or dashboard is non-trivial, especially if data formats differ. If integration is poor, data silos result, and no one tool shows the “whole truth”.
  • Human Processes and Data Decay: Traditional asset inventories or CMDBs often rely on manual entry or periodic audits. People forget to update records when decommissioning or repurposing a system. Over time, records drift from reality. In fact, an oft-quoted Gartner statistic (I can’t find the primary source) noted that 75% of CMDB projects fail to deliver value – largely because they can’t keep up with the volume and pace of change in modern IT. Even when initially populated, “100% accuracy is near impossible” due to constant change; organizations may achieve 95%+ accuracy at best, and that remaining few percent of unknowns can be critical gaps.

Despite these challenges, IT asset discovery at least benefits from a mature ecosystem of tools. Automated discovery scanners can sweep IP networks to identify hosts, and agent software can report detailed device info. Integration with directory services (like Active Directory) or network access control systems can detect when a new device connects.

These tools help, but they don’t solve everything – especially when credentials are missing (limiting insight into a device’s configuration), when devices are off-network, or when rogue devices block scans.

Nonetheless, IT teams typically have more experience and tooling for asset inventory compared to their OT counterparts.

The OT and IoT Asset Discovery Challenge

Discovering and tracking assets in operational technology (OT) and IoT environments is widely regarded as even more difficult than in IT. While IT systems are often homogeneous and built with manageability in mind, OT/IoT devices are heterogeneous, sometimes antiquated, and often lack any standard management interfaces. Here are some key challenges unique to OT/IoT asset discovery:

  • Diverse, Specialized, and Legacy Devices: OT environments contain a mix of legacy systems and specialized devices (e.g. PLCs, RTUs, industrial controllers, sensors, meters, proprietary embedded systems). These often run old or vendor-proprietary operating systems and protocols. Many OT devices were never designed to be easily interrogated or identified over a network. A factory might have decades-old controllers still running – with minimal documentation about them available. Maintaining an accurate inventory is complex when assets range from modern smart sensors to 30-year-old PLCs.
  • Proprietary and Unsupported Protocols: Unlike IT devices that use common protocols (TCP/IP, SNMP, HTTP, etc.), OT devices might communicate via protocols unfamiliar to traditional scanners (Modbus, DNP3, PROFIBUS, etc.). You can see a few dozen of the most commonly used IoT/OT protocols in my own database here: Internet of Things (IoT) Wireless Protocols. They may not even have IP addresses (fieldbus devices, for instance). Automated IT discovery tools often can’t “speak” OT protocols, meaning these devices remain invisible to standard scans. Specialized OT discovery tools exist, but organizations must invest in them and integrate them.
  • Network Segmentation and Hidden Networks: OT networks are frequently segregated from IT for safety and reliability. This is good for security, but it means an asset scanner on the IT network won’t see into the OT segments. Some OT assets might be completely offline or standalone (e.g. not continuously connected). In critical infrastructure, it’s common to find isolated systems that are only periodically polled or even fully air-gapped. These require physical inspection or out-of-band discovery methods.
  • Risk of Active Scanning: A major barrier to discovering OT devices is that traditional active scanning can be risky. Aggressive port scans or probes that are harmless on IT networks might crash or disrupt an OT device, because those systems aren’t designed with IT-style network traffic in mind. For example, scanning a PLC’s open ports could overload it or cause a fail-safe shutdown. Consequently, security teams are often forbidden from using typical scanners in production OT environments due to safety concerns. This severely limits discovery options to safer, often slower methods (like passive monitoring).
  • IoT Device Constraints: IoT devices (whether part of an OT process or general enterprise IoT) pose their own issues. Many IoT gadgets are “black boxes” with minimal interfaces – they might not respond to pings or SNMP queries, for instance. They often identify poorly on the network (e.g. showing up as an obscure manufacturer MAC address with no hostname). You generally can’t install an agent on an IoT sensor or a smart camera, and many don’t support any kind of remote interrogation beyond basic network connectivity. This makes classic IT asset management agents/tooling ineffective for IoT.
  • Shadow OT/IoT Deployments: Just as shadow IT plagues enterprise networks, shadow IoT and shadow OT are emerging challenges. Business units or even facilities teams might deploy internet-connected thermostats, smart lighting systems, or industrial machinery without involving IT or security. In the earlier example of the office building with 160 types of smart devices, none were under IT’s direct control. They were installed by departments like facilities or engineering. These “rogue” or undocumented devices often fly under the radar, introducing unknown assets (and potential vulnerabilities) on the network.
  • Scale and Geographic Spread: In industries like energy, utilities, or telecom, OT assets can number in the tens of thousands and be geographically dispersed (think pipelines, substations, cell towers, etc.). Performing physical inventories (“truck rolls” to check devices) is extremely costly and time-consuming. Yet in many cases, some manual effort is unavoidable – organizations literally have to send personnel to sites to catalog devices because remote discovery can miss too much. It’s not uncommon for such walkdowns to reveal that 20-30% of the asset records were outdated or wrong, requiring significant updates to the inventory.
  • Organizational Silos and Knowledge Gaps: Traditionally, OT systems were managed by engineering or operations teams, separate from IT. As a result, the responsibility for OT asset inventory is often unclear. The IT security team might not have access or authority in plants or factories, and plant managers might lack the cybersecurity expertise to inventory devices thoroughly. This silo can cause “turf wars” or gaps – for instance, an OT team might say “we thought IT was tracking that system” while IT has never even seen it. In many cases, embarking on an OT asset discovery project becomes politically charged, uncovering internal questions like “Who is responsible for that legacy control system? Did anyone know that device was connected?” Reaching a comprehensive inventory often requires bridging these organizational gaps and establishing clear ownership and collaboration between IT and OT teams.

Given these challenges, it’s little surprise that asset visibility in OT/IoT is a top concern. Security surveys regularly find that lack of visibility into OT and IoT is a critical issue for defenders. Without addressing these issues, organizations are effectively flying blind in parts of their network – a dangerous proposition when nation-state threats and ransomware increasingly target industrial and IoT devices.

Why Everyone Is Struggling – Common Pain Points

Bringing IT and OT asset data together into one coherent, current inventory is challenging for several overarching reasons:

  • Constant Change: IT and OT environments are not static. New assets get added (often without formal processes), old ones are retired (often without records being updated), and configurations drift. An inventory is instantly out-of-date the moment it’s built unless there are continuous updates. Many organizations treat inventory as a one-time project, only to find it becomes stale within months. True asset management requires continuous discovery and lifecycle processes – which many companies lack.
  • Tool Limitations and Gaps: No single tool will automatically discover 100% of assets. Automated scanners can help but have blind spots – especially for the more esoteric OT/IoT devices. Agent-based approaches miss anything that can’t run an agent. Passive network monitoring sees only what communicates and might miss dormant or isolated devices. Even modern “asset management platforms” primarily aggregate data from existing sources (and if those sources miss something, the platform will too). In practice, organizations must combine multiple methods – and accept that some manual effort (like site surveys or querying less-common data sources) will still be needed to hit the last mile of coverage.
  • Data Overload vs. Data Quality: Paradoxically, organizations often have too much data yet too little useful information. They might get thousands of discovery results and network device logs, but correlating those into an accurate inventory is non-trivial. Duplicate entries, inconsistent naming, and incomplete attribute data are rampant problems. It’s common to find the same device showing up under different names in different tools (e.g. one system lists “Printer-01”, another has it by IP or MAC address). Merging these without mistakes can be like solving a giant puzzle. Data quality issues plague CMDBs – over half of companies report their asset data has significant inaccuracies or gaps. This undermines trust in the inventory.
  • Lack of Governance and Process: Technology aside, many organizations don’t have strong processes ensuring asset information is maintained. For example, there may be no requirement that procurement and deployment teams log new devices into a system, or no regular audit to reconcile actual devices with inventory records. Without clear governance (roles responsible for inventory, defined processes for updating it, and management oversight), the asset list will inevitably decay. Internal silos exacerbate this – if IT operations, security, and OT engineers aren’t closely collaborating, assets will fall through the cracks. Governance also means knowing when to retire entries (so the inventory isn’t cluttered with decommissioned systems) and enforcing standards (e.g. naming conventions, mandatory fields) to keep data usable. Mature organizations often establish an asset management team or assign CMDB ownership, but many companies have no one explicitly in charge of the full cross-domain inventory.
  • Scale vs. Resources: The sheer scale of the asset discovery task can overwhelm available resources. A Fortune 500 company might have tens of thousands of IP addresses in use and many more IoT devices – mapping all of them is a huge undertaking. Many security teams are already stretched thin; dedicating manpower to inventory reconciliation and continuous monitoring can be a hard sell when there are immediate fires to fight. Unfortunately, ignoring inventory is a bit like ignoring foundation cracks in a house – things might seem fine until a crisis hits and you realize too late that you have critical blind spots. Forward-thinking CISOs are increasingly pushing for investment in attack surface management and asset visibility as a proactive measure, but not all organizations have caught up.

It’s worth noting that the consequences of poor asset visibility are not theoretical. Unknown assets often mean unpatched assets, which are low-hanging fruit for attackers. This is why “unknown = unmanaged = unsafe” has become a security mantra.

Approaches to Asset Discovery: No Silver Bullet

Given the difficulty, what can organizations do? The state of practice today involves using multiple, complementary approaches to tackle asset discovery, each with strengths and limitations:

  • Active Network Scanning: Tools that actively probe the network (ping sweeps, port scans, service fingerprinting) can find many devices on an IP network and identify basic properties (IP, open ports, maybe OS fingerprint). They are good for discovering IT assets that respond to network requests. However, as discussed, active scans can miss devices that are offline or blocked by firewalls, and they can’t easily identify devices that don’t communicate using standard protocols (or that have no IP). Active scans must be used carefully in OT to avoid disruption. They also tend to produce point-in-time snapshots – regular scanning is needed to catch new devices.
  • Agent-Based Discovery: Installing agents on endpoints (servers, PCs, even some network gear) can provide very detailed data (serial numbers, installed software, etc.), and these agents can continuously report changes. This is excellent for managed IT assets. But it’s useless for anything that can’t host an agent – you won’t put a discovery agent on your CCTV camera or on a PLC. Agents also require maintenance and can pose performance overhead or compatibility issues.
  • Passive Network Monitoring: This involves listening to network traffic (via span ports, network taps, or specialized appliances) to observe devices communicating. By analyzing traffic patterns and protocols, passive systems can infer what devices are present and some characteristics (for example, MAC addresses, protocols used, maybe device type via DPI fingerprinting). This approach is popular for OT and IoT discovery because it’s non-intrusive. Solutions from vendors like Nozomi, Armis, and Forescout leverage passive monitoring to map out IoT/OT devices. The downside: passive methods only work if the devices generate traffic. A silently connected device that isn’t actively chatting can be missed. Also, encrypted traffic or very proprietary protocols can limit insight.
  • Querying Infrastructure: Sometimes existing infrastructure knows more than you realize. For instance, a centralized DHCP server or network switch MAC address table can provide lists of connected devices. Cloud management consoles can list VMs and services running. Integrating these data sources is a way to gather asset info indirectly. Many Cyber Asset Attack Surface Management (CAASM) platforms take this approach – pulling data from cloud APIs, virtualization platforms, endpoint management tools, AD, etc., to cross-assemble an inventory. This can cover a lot of ground, but it relies on the assumption that each of those systems is properly maintained. It might not catch everything (e.g. a device with static IP that never requested DHCP, or a rogue device on a switch that isn’t monitored).
  • Manual Surveys and Walkarounds: When automation fails, humans fill the gap. Especially in OT, manual asset surveys (clipboard in hand, checking what equipment is physically present) are sometimes the only way to find certain things. While extremely time-consuming and prone to human error, a physical audit will uncover devices that electronic methods miss (for example, an old machine controller with no network connection might only be found by looking in the cabinet). Many organizations do an initial manual “asset sweep” to baseline the inventory, then try to monitor electronically thereafter. However, if new devices get added later without notice, it might require another physical audit to catch up. It’s a never-ending effort if processes aren’t implemented to govern new additions.
  • Combining and Correlating Data: The most successful asset management efforts use a combination of the above. For example, one might use active scans to get the easy stuff, passive monitoring to catch unknowns, agents for depth on known devices, and then feed all findings into a central inventory database (CMDB). Correlation logic can match records (e.g. tie that IP from a scan to a known hostname from the agent, etc.). This layered approach is necessary because each technique will miss some percentage of assets but together they greatly improve coverage. Still, implementing this is non-trivial – it often requires custom integration or a dedicated asset management platform.
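As an added illustration of the correlation step (example code written for this article, not the post’s own or any vendor’s tool), the following Python merges constructed records from a CMDB, an active scanner, a DHCP lease table and a passive OT monitor by the identifiers they share, then flags devices no recorded source knows about and recorded devices that nothing has observed recently. All feeds, hostnames, addresses and dates are constructed sample data.

```python
# Toy reconciliation pass merging per-tool asset records into one inventory.
# Added example for this article, not code from the post or any vendor product;
# feeds, hostnames, addresses and dates are constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2025, 3, 1)

# Constructed sample feeds. The same printer shows up by hostname in the CMDB,
# by IP in the scanner output and by MAC plus hostname in the DHCP leases.
FEEDS = {
    "cmdb": [
        {"hostname": "printer-01", "owner": "facilities", "last_seen": "2024-11-02"},
        {"hostname": "web-07", "ip": "10.1.2.7", "owner": "it-ops", "last_seen": "2025-02-28"},
        {"hostname": "hmi-plant2", "ip": "192.168.50.20", "owner": "ot-eng", "last_seen": "2025-01-15"},
        {"hostname": "decom-db-01", "ip": "10.1.2.99", "owner": "it-ops", "last_seen": "2024-06-01"},
    ],
    "scanner": [
        {"ip": "10.1.2.7", "open_ports": [443], "last_seen": "2025-02-28"},
        {"ip": "10.1.3.55", "open_ports": [9100], "last_seen": "2025-02-28"},
    ],
    "dhcp": [
        {"ip": "10.1.3.55", "mac": "00:11:22:33:44:55", "hostname": "Printer-01", "last_seen": "2025-02-27"},
        {"ip": "10.1.3.80", "mac": "aa:bb:cc:dd:ee:01", "hostname": "", "last_seen": "2025-02-28"},
    ],
    "passive_ot": [
        {"ip": "192.168.50.20", "mac": "de:ad:be:ef:00:20", "protocols": ["modbus"], "last_seen": "2025-02-28"},
        {"ip": "192.168.50.31", "mac": "de:ad:be:ef:00:31", "protocols": ["dnp3"], "last_seen": "2025-02-28"},
    ],
}


def identity_keys(rec):
    """Identifiers that may tie one tool's record to another's (IP links are the
    weakest, since DHCP reuses addresses; a real system would bound them by lease time)."""
    keys = []
    if rec.get("mac"):
        keys.append(("mac", rec["mac"].lower()))
    if rec.get("ip"):
        keys.append(("ip", rec["ip"]))
    if rec.get("hostname"):
        keys.append(("host", rec["hostname"].lower()))
    return keys


def reconcile(feeds, now=NOW, stale_after=timedelta(days=30)):
    """Union records that share any identifier, then classify each merged asset."""
    records = [(src, rec) for src, recs in feeds.items() for rec in recs]
    parent = list(range(len(records)))  # union-find over record indexes

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_owner = {}  # identifier -> index of the first record carrying it
    for idx, (_, rec) in enumerate(records):
        for key in identity_keys(rec):
            if key in first_owner:
                parent[find(idx)] = find(first_owner[key])
            else:
                first_owner[key] = idx

    groups = defaultdict(list)
    for idx, item in enumerate(records):
        groups[find(idx)].append(item)

    assets = []
    for members in groups.values():
        recs = [rec for _, rec in members]
        last = max(datetime.fromisoformat(r["last_seen"]) for r in recs)
        asset = {
            "sources": sorted({src for src, _ in members}),
            "hostnames": sorted({r["hostname"].lower() for r in recs if r.get("hostname")}),
            "ips": sorted({r["ip"] for r in recs if r.get("ip")}),
            "macs": sorted({r["mac"].lower() for r in recs if r.get("mac")}),
            "last_seen": last.date().isoformat(),
        }
        if "cmdb" not in asset["sources"]:
            asset["status"] = "unknown"  # seen on the wire, never recorded: shadow IT/OT candidate
        elif now - last > stale_after:
            asset["status"] = "stale"    # recorded, but nothing has seen it lately: retire or inspect
        else:
            asset["status"] = "ok"
        assets.append(asset)
    assets.sort(key=lambda a: (a["status"], a["hostnames"], a["ips"]))
    return assets


if __name__ == "__main__":
    for asset in reconcile(FEEDS):
        print(asset["status"], asset["sources"], asset["hostnames"] or asset["ips"])
```

With the sample feeds, the printer is linked CMDB-to-DHCP by hostname and DHCP-to-scanner by IP, so one asset results even though no single tool holds all three identifiers; the two devices seen only by DHCP and by the passive OT monitor surface as unknowns.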

Ultimately, there is no silver bullet for asset discovery. It’s a continuous, multi-faceted discipline. Automation and even emerging AI tools can drastically reduce the effort, but they won’t magically know about a device that never announces itself. CISOs should set realistic expectations: achieving a near-complete inventory may take years of ongoing work in a large organization. But incremental gains are valuable – even moving from 50% visibility to 90% can significantly reduce risk.

Toward Better Asset Management: Strategies for CISOs

While the challenges are daunting, there are concrete steps and best practices CISOs can champion to improve asset discovery and inventory maintenance:

  • Establish Asset Ownership and Governance: Define clearly who “owns” the asset inventory process. This might mean forming a dedicated hardware/software asset management function, or assigning responsibilities to existing IT and OT teams with executive sponsorship. Governance should set policies that every new asset must be recorded, and that inventory accuracy is a tracked metric (with goals like maintaining 95% accuracy). Regular audits or spot-checks can enforce this.
  • Foster IT-OT Collaboration: Break down silos by bringing IT security, IT operations, and OT engineering teams together for inventory projects. Create joint processes for asset onboarding in OT environments – e.g. whenever maintenance installs a new control system, they notify a central team or enter it into a database. Collaboration is essential; otherwise, critical assets will be overlooked due to “not my department” attitudes. Some organizations are appointing IT/OT convergence roles or committees to oversee security across both domains – inventory management should be one of their key focus areas.
  • Invest in the Right Tools (But Use Them Wisely): Evaluate asset discovery tools that fit your environment’s needs. In IT, ensure you leverage capabilities you may already have (like network monitoring, configuration management databases, cloud asset inventories) – many companies under-utilize tools they’ve already paid for. For OT/IoT, consider specialized asset visibility solutions that are safe for those environments (passive or knowledge-based discovery). But remember tools are only as good as their implementation: dedicate effort to properly configuring them, integrating data feeds, and tuning them to minimize noise. Automation and even AI can greatly assist by continuously scanning and correlating data – just be wary of vendor promises of “100% discovery.” Use automation to handle the grunt work and flag anomalies (like a new device appearing on a subnet) so humans can investigate.
  • Maintain a “Living” Inventory (Continuous Monitoring): Treat asset inventory as an ongoing process, not a one-time project. Implement continuous monitoring – for example, set up alerts for when a new device joins the network or when an existing device hasn’t been seen in a while. Many organizations are now incorporating Attack Surface Management practices: continuously looking for unknown assets, not just within internal networks but even externally (e.g. cloud services or forgotten internet-facing systems). The earlier Trend Micro survey noted that only ~42% of companies use proactive risk management tools and only ~58% do continuous monitoring – meaning many still lack continuous practices. Don’t be among the companies not monitoring; strive to get to real-time or near-real-time visibility. This could be as simple as weekly network scans plus reviewing new DHCP leases, etc., depending on resources.
  • Leverage Asset Data for Action: Use the inventory to drive security action. For example, integrate it with vulnerability management: when a new critical vuln is announced, quickly filter the inventory for assets of that type or running that software. If your inventory is enriched with attributes like OS, firmware version, location, owner, etc., it becomes immensely useful for prioritizing patching and incident response. When staff see real security value coming from the inventory, they’re more likely to keep it updated – it stops being just a compliance document and becomes a living security tool.
  • Prepare for “Quantum Day” with Cryptography Inventory: As a forward-looking step, consider expanding asset inventory to include cryptographic assets on those devices. Post-quantum migration plans call for a cryptographic inventory – essentially knowing what crypto algorithms and libraries each asset uses. This is an even deeper level of inventory that very few organizations have tackled yet. Starting with a solid hardware/software asset inventory is the prerequisite to mapping cryptography. Encourage your team to pilot cryptographic discovery on critical systems. It will not only help with quantum readiness but often reveals hidden legacy crypto that should be fixed even in the present (e.g. outdated SSL versions lurking on a device). Think of it as future-proofing: the effort you invest in asset discovery today pays double dividends – reducing current cyber risk and preparing you for the crypto-agility needed tomorrow.
  • Acknowledge the Challenge and Set Realistic Goals: Leadership should acknowledge that achieving comprehensive asset visibility is hard. When leadership recognizes this, they can allocate appropriate resources and time. Set incremental goals (e.g. “this quarter, we’ll focus on discovering all assets in these network segments” or “we aim to improve our CMDB accuracy from 80% to 95% within 6 months”). Celebrate progress as coverage improves. This is a marathon, not a sprint, especially in large organizations. By setting expectations that this is a long-term continuous effort, teams won’t feel like they failed just because a few unknowns pop up – instead, those become opportunities to refine the process.

Conclusion

For CISOs, the pursuit of a complete IT/OT asset inventory may at times feel like chasing a moving target. The landscape will only grow more complex as businesses digitally transform and connect ever more devices. However, ignoring the challenge isn’t an option – the risks of blind spots are simply too great, as evidenced by the high rate of incidents stemming from unknown assets. Achieving full visibility requires a blend of technology, process, and culture: deploying the right tools, instituting rigorous processes, and fostering a culture that values proactive asset management.

The good news is that improving asset visibility yields broad benefits. It strengthens your cyber defenses across the board – from basic hygiene (finding that unpatched server hiding in a closet) to advanced preparedness (knowing exactly which systems will need quantum-safe crypto updates in a few years). It also helps future-proof your organization. The coming transition to post-quantum cryptography will involve discovering, assessing, and upgrading every single device, application, and system – no exceptions. Those who have laid the groundwork with robust asset inventories will be far better positioned to execute such massive changes. In that sense, solving asset discovery is not just about today’s security – it’s about building the institutional knowledge and processes to tackle whatever comes next.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.