TL;DR: CISA’s 2025 guidance frames OT asset inventory as a prerequisite for modern defensible architecture, arguing that organisations cannot protect what they cannot see and must pair discovery with taxonomy, lifecycle management, and segmentation. Elisity’s analysis shows the governance gap is now operational, not theoretical.
NHIMG editorial — based on content published by Elisity: OT Asset Inventory and CISA's 2025 guide to modern defensible architecture
Questions worth separating out
Q: What breaks when OT asset inventory is incomplete?
A: Incomplete OT asset inventory breaks segmentation, vulnerability prioritisation, and incident response because security teams cannot reliably tell which devices exist, where they are, or what they connect to.
Q: Why do OT environments need identity-based microsegmentation?
A: OT environments need identity-based microsegmentation because IP addresses and network positions change, but the policy need remains tied to the device or workload.
Q: How do security teams know if OT inventory is actually working?
A: OT inventory is working when it feeds enforcement decisions, updates segment membership, and shortens response time during incidents.
Practitioner guidance
- Define OT asset scope by process and criticality Map production systems, safety systems, control systems, and support assets before assigning security ownership.
- Collect identity-relevant OT attributes continuously Capture communication protocols, physical location, criticality, and dependency data so inventory can support segmentation and incident response.
- Build segmentation from zones and conduits Translate inventory into IEC 62443-style zones and conduits, then limit traffic between them to approved paths only.
What's in the full article
Elisity's full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step OT asset inventory workflow from scope definition through lifecycle management.
- Sector-specific taxonomy examples for oil and gas, electricity, and water and wastewater environments.
- Practical microsegmentation deployment observations from manufacturing and healthcare environments.
- Detailed discussion of how inventory data supports IEC 62443 zones and conduits.
👉 Read Elisity's analysis of CISA's OT asset inventory guidance and defensible architecture →
OT asset inventory and microsegmentation: what changes for security teams?
Explore further
OT asset inventory is now an enforcement prerequisite, not a hygiene exercise. The article correctly frames inventory as the foundation for defensible architecture because segmentation, monitoring, and incident response all depend on knowing what is present. In practice, that means asset identity and operational context must be treated as security inputs, not administrative outputs. For critical infrastructure teams, the governance question is whether inventory data changes enforcement or merely decorates reports.
A question worth separating out:
Q: Who is accountable when OT segmentation fails?
A: Accountability usually sits with the teams that own operational risk, asset data quality, and network enforcement together. In practice, that includes OT engineering, security architecture, and governance leaders, because segmentation fails when any one of those functions treats the inventory as someone else’s problem.
👉 Read our full editorial: OT asset inventory is becoming the basis for defensible architecture