The Common Sequencing Mistake
The standard entry point for an IEC 62443 programme is a risk assessment. Most organisations begin by identifying threats, assigning consequence levels, and designing security zones based on function and criticality. This is methodologically correct — and practically premature.
The problem is that risk assessments in OT environments are conducted against an asset list. That list almost always comes from documentation: P&IDs, network diagrams, SCADA tag lists, maintenance records. In brownfield industrial environments, this documentation is incomplete by default. Equipment has been added, replaced, and reconfigured faster than documentation has been updated. The gap between the documented network and the actual network is not a documentation problem — it is an operational reality.
A security architecture built on an incomplete asset inventory has structural gaps. You cannot zone what you have not found. You cannot specify conduit rules for communication paths you do not know exist. The architecture will be internally consistent but externally incorrect — valid on paper, incomplete in practice.
What You Don't Know Is Usually Network-Adjacent
In the OT asset inventories conducted during SGAMS engagements, the assets most commonly missing from existing documentation fall into three categories.
The first is legacy serial-to-Ethernet converters. These devices — often installed during incremental network upgrades years earlier — bridge older serial field buses to IP networks. They are operational infrastructure but rarely tracked as network devices. From a security perspective, they are unsecured IP endpoints sitting at the boundary between the process control layer and the communication network.
The second is engineering workstations and laptops with intermittent network presence. These appear on the network during maintenance windows, connect to control-system databases and historian configurations, and disappear again. They are not in the asset register because they are not permanently installed. They are, however, the most common initial access vector in documented OT incidents.
The third is remote access infrastructure installed by equipment vendors. Modems, cellular gateways, and cloud-connected maintenance interfaces are routinely installed by OEM service teams with the knowledge of the maintenance team but without formal network documentation. In a population of forty industrial sites audited across five years of SGAMS engagements, thirty-one had at least one undocumented vendor remote access path.
Passive Discovery vs. Active Scanning: Getting This Wrong Is Costly
The instinctive response to an incomplete asset inventory is to run an active network scan. In IT environments, this is routine. In OT environments, it can be catastrophic.
Active scanning sends probes to every IP address in a defined range and records responses. Many OT devices — particularly older PLCs, RTUs, and protection relays — respond to unexpected network traffic by entering fault states, dropping communication sessions, or initiating protective restarts. An active scan of a live process control network can cause exactly the operational disruption it is intended to help secure against.
The correct approach for live OT networks is passive discovery: monitoring network traffic without injecting any probes. Passive discovery captures the communication patterns that actually exist on the network — every device that sends or receives a packet appears in the inventory. It does not require any device to respond to a query it was not designed to handle.
Passive discovery has one limitation: it only finds devices that are communicating during the monitoring window. Devices that are powered but silent — backup equipment, standby systems, dormant workstations — may not appear. A complete OT asset inventory therefore combines passive network monitoring with physical walk-down verification, particularly for assets in isolated segments.
What a Complete Inventory Actually Enables
The value of a complete OT asset inventory extends beyond IEC 62443 compliance. It is the prerequisite for several operational improvements that are difficult or impossible without it.
Vulnerability management in OT requires knowing what firmware versions are running on which devices. Without a complete asset inventory with firmware tracking, vulnerability advisories from ICS-CERT and equipment manufacturers cannot be systematically evaluated. Teams either apply every advisory to every device (operationally impractical) or apply none (operationally dangerous).
Incident response in OT requires knowing the normal communication baseline. Without a documented inventory of expected communication pairs, anomalous traffic — lateral movement, command-and-control beaconing, data exfiltration — cannot be identified with confidence. Every alert requires manual investigation to establish whether the observed behaviour is legitimate or anomalous.
Change management in OT requires knowing what exists before authorising changes. Configuration drift — the accumulation of undocumented changes to device firmware, network settings, and communication parameters — is one of the most common sources of both operational failures and security gaps in industrial environments. Asset inventory with configuration tracking makes drift detectable.
The Practical Sequence
The sequence that consistently produces better security programme outcomes in SGAMS engagements is straightforward, though not always followed:
First, deploy passive network monitoring across all OT network segments for a minimum of four weeks. This window should include at least one full production cycle and, where possible, one planned maintenance window. The output is a communication baseline: every device, every protocol, every communication pair observed on the network.
Second, reconcile the passive discovery output against existing documentation. The gap between them is the starting point for the physical walk-down. Every device in the discovery output that is not in the documentation requires physical identification and classification.
Third, with a verified asset inventory in hand, conduct the IEC 62443 risk assessment. Zone boundaries can now be drawn around the actual network, not the documented one. Conduit specifications can address the actual communication paths that exist, including those that were previously unknown.
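The first two steps above, together with the passive-discovery limitation and the communication-baseline point from the earlier sections, carried through on a constructed flow sample (an added example, not code from the article or from SGAMS engagements; the port-to-protocol map, addresses, documented asset list and approved baseline are all assumptions):

```python
from collections import defaultdict

# Assumed mapping of well-known TCP ports to OT protocols; a real sensor would decode payloads.
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 2404: "IEC 60870-5-104"}

# Constructed sample of flows a passive sensor might observe: (src, dst, dst_port).
OBSERVED_FLOWS = [
    ("10.1.1.10", "10.1.2.21", 502),    # SCADA server -> PLC
    ("10.1.1.10", "10.1.2.22", 502),    # SCADA server -> PLC
    ("10.1.1.11", "10.1.2.30", 20000),  # DNP3 master -> RTU
    ("10.1.1.50", "10.1.2.21", 502),    # engineering laptop, seen only in a maintenance window
    ("10.1.2.40", "10.1.2.21", 502),    # serial-to-Ethernet converter bridging a field bus
    ("10.1.9.5", "10.1.2.22", 22),      # vendor remote-access gateway, non-OT port
]

# Constructed documentation: 10.1.2.31 is a documented standby RTU that never transmitted.
DOCUMENTED_ASSETS = {"10.1.1.10", "10.1.1.11", "10.1.2.21", "10.1.2.22", "10.1.2.30", "10.1.2.31"}

# Constructed approved communication baseline (src, dst) from the documented design.
APPROVED_PAIRS = {("10.1.1.10", "10.1.2.21"), ("10.1.1.10", "10.1.2.22"), ("10.1.1.11", "10.1.2.30")}


def build_inventory(flows):
    """Step one: every address that sends or receives a packet, with the protocols seen on it."""
    inventory = defaultdict(set)
    pairs = set()
    for src, dst, port in flows:
        proto = OT_PORTS.get(port, f"tcp/{port}")
        inventory[src].add(proto)
        inventory[dst].add(proto)
        pairs.add((src, dst, proto))
    return dict(inventory), pairs


def reconcile(inventory, documented):
    """Step two: observed-but-undocumented devices go to the physical walk-down list; documented
    devices that stayed silent are not proven absent, only unobserved (the passive limitation)."""
    undocumented = sorted(set(inventory) - documented)
    silent = sorted(documented - set(inventory))
    return undocumented, silent


def unexpected_pairs(pairs, approved):
    """Baseline check for incident response: communication pairs outside the approved design."""
    return sorted(p for p in pairs if (p[0], p[1]) not in approved)
```

Running `reconcile` on this sample lists the laptop, the converter and the vendor gateway as walk-down candidates and the standby RTU as silent, which is exactly the gap the article says documentation alone will not reveal.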
This sequence adds four to six weeks to the front of a security programme. It consistently prevents the much larger cost of discovering inventory gaps during implementation — when zone boundaries must be redesigned, conduit rules must be rewritten, and the security architecture must be substantially revised.
A Note on Tooling
Passive OT network monitoring at the scale required for a complete asset inventory is not practically achievable with manual methods or general-purpose network tools. The communication protocols involved — Modbus, DNP3, IEC 60870-5, Profibus over IP, proprietary vendor protocols — require purpose-built decoders. The volume of communication data across a multi-segment OT network requires purpose-built storage and analysis infrastructure.
Dedicated OT asset visibility platforms handle this correctly. They decode OT protocols natively, build asset profiles from communication behaviour rather than active queries, and maintain firmware and configuration tracking alongside network topology. They are also designed for the operational constraint that matters most: zero-impact deployment on live process networks.