About this program
Inventory for OT looks nothing like IT. Quick check on coverage, criticality, vendor-approved patch windows and risk-acceptance for unpatchable assets.
Risks addressed
- High: Unknown assets in OT — invisible CVE exposure
- High: Vendor will not certify recent patches — stuck on old firmware
- Critical: Critical safety asset patched, breaks the certification
Controls (6)
- High: Passive OT asset discovery in place
How to test + evidence
Testing procedure: Tool (Claroty / Dragos / Nozomi / equivalent) passively inventories OT assets.
Evidence to collect: Tool inventory output.
- High: Criticality + safety classification per asset
How to test + evidence
Testing procedure: Each asset tagged: safety-critical, operations-critical, support.
Evidence to collect: Asset register.
- High: Vendor patch approval workflow documented
How to test + evidence
Testing procedure: A patch approval matrix is on file for each vendor: what they certify, what they do not.
Evidence to collect: Vendor matrix.
- Medium: Risk acceptance for unpatchable assets
How to test + evidence
Testing procedure: Compensating controls documented; risk owner signed off.
Evidence to collect: Risk register.
- High: Change-window calendar with operations
How to test + evidence
Testing procedure: Patching only during agreed maintenance windows; emergency overrides require approval.
Evidence to collect: Change calendar.
- Critical: Backup of PLC / HMI logic with restore tested
How to test + evidence
Testing procedure: Logic backups + last successful restore test on a sample device.
Evidence to collect: Backup + restore test report.