Understanding all the systems and devices that make up your organization’s network is a critical first step in establishing a cyber risk management strategy. Since you cannot defend or secure what you do not know you have, performing asset inventories to gain network visibility is critical for all organizations large and small. According to Tenable, organizations that have full network visibility “are better positioned to understand where the greatest risks are within their environment and start taking the necessary steps to mitigate risk where it matters most.”

Consequently, WaterISAC’s number one fundamental from its 15 Cybersecurity Fundamentals for Water and Wastewater Utilities is to Perform Asset Inventories. An asset inventory involves compiling a database of an organization’s devices, data, processes, personnel, and supporting infrastructure and dependencies to other systems, incorporating both OT and IT components. Conducting a physical inspection of your asset inventory is also a key requirement. Additionally, an asset inventory can help organizations identify exposed ports and services, servers, and outdated and end-of-life systems and applications. There are many resources and solutions for assisting organizations in conducting asset inventories, the CISA Cyber Essentials Toolkit 3 – Protect Critical Assets and Applications includes resources to help you learn what is on your network. Additionally, smaller utilities may wish to consider subscribing to Dragos’ new OT-CERT for free resources, including an Asset Management Toolkit to help build or refresh your asset inventory. Read more at Tenable.