OT Cybersecurity Is Now an Asset Management Problem
Operational technology cybersecurity belongs to asset management, not just IT. Here is why the CMMS is the starting point.
Operational technology cybersecurity has been treated as an IT problem for too long. Network firewalls, intrusion detection systems, and security operations centers are necessary, but they are not sufficient. The organizations suffering OT cyber incidents in 2025 and 2026 are not failing because their firewalls are misconfigured. They are failing because they do not know what assets they have, where those assets sit in the network, and what happens when one of them is compromised.
That is an asset management problem.
The Convergence That Changed the Risk Profile
For decades, operational technology existed in isolation. PLCs, SCADA systems, and DCS controllers ran on proprietary protocols, air-gapped from corporate IT networks. That separation has eroded steadily. Condition monitoring feeds flow to cloud analytics. Maintenance teams access work orders on mobile devices sharing networks with control systems. Every connection creates an attack surface that did not exist ten years ago.
The Fortinet 2025 State of Operational Technology and Cybersecurity Report, surveying more than 550 OT professionals globally, found that half of OT organizations experienced a cyber breach in the preceding year. The attack surface is expanding faster than defences can keep up, with ransomware, credential theft, and supply chain compromises increasingly targeting the operational technology layer.
Why IT-Centric Approaches Fall Short
Traditional cybersecurity operates from a network-centric model: identify endpoints, segment traffic, monitor anomalies, respond to incidents. OT environments break that model.
- Asset diversity is extreme. A single facility may contain PLCs from three vendors, HMIs running different operating systems, safety instrumented systems with decade-old firmware, and smart sensors communicating over Modbus, OPC-UA, and proprietary protocols simultaneously.
- Patching is constrained. Updating the firmware on a PLC requires planned downtime, regression testing, and coordination with operations: exactly the kind of work that maintenance teams already manage through the CMMS every day.
- Asset lifecycles are measured in decades. IT refreshes hardware every three to five years. A substation relay may operate for twenty-five. Its cybersecurity posture changes continuously as new vulnerabilities are discovered in firmware that will never be updated.
An IT security team scanning the corporate network will not find the level transmitter on a tank farm. Those assets live in the OT domain, and the only comprehensive record of what they are, where they are, and what they do is the asset register in the enterprise asset management system.
The Asset Inventory as Cybersecurity Foundation
CISA published guidance in August 2025 explicitly positioning the OT asset inventory as the foundation of operational technology cybersecurity. Developed jointly with the NSA, FBI, and international partners including the UK’s NCSC and Australia’s ACSC, the document argues that without a complete, regularly maintained inventory of OT assets, organizations cannot identify what needs protecting or respond effectively to incidents.
The data required for effective OT cybersecurity (asset type, manufacturer, model, firmware version, communication protocols, network location, criticality rating, and lifecycle stage) is the same data that a well-governed EAM system already captures. The overlap is not coincidental.
Most organizations maintain these records in separate silos. The maintenance team has an asset register in the CMMS. The network security team has vulnerability scanner output. The controls engineering team has as-built drawings that may not reflect reality. The gaps between these sources are where vulnerabilities hide.
Regulatory Pressure Is Making This Urgent
Two regulatory frameworks are accelerating the convergence of cybersecurity and asset management.
The EU’s NIS2 Directive, which member states were required to transpose into national law by October 2024, expands cybersecurity obligations to a much broader set of sectors including energy, transport, water, manufacturing, and digital infrastructure. NIS2 mandates risk-based security measures, incident reporting within 24 hours, supply chain risk management, and board-level accountability for cybersecurity governance. For organizations operating in these sectors, OT cybersecurity is no longer discretionary: it is a legal obligation with enforcement mechanisms.
IEC 62443, the international standard for industrial automation and control system security, provides the technical framework. It organizes OT environments into security zones and conduits, assigns target security levels based on risk assessment, and defines requirements for asset owners, system integrators, and component manufacturers. Compliance with IEC 62443 requires, among other things, a comprehensive asset inventory organized by function and criticality. Again, this is asset management work.
Organizations that have already invested in structured asset data and EAM governance are better positioned to meet these requirements because the foundational data already exists in their systems. Those that have not face a dual remediation effort: building the cybersecurity program while simultaneously building the asset data it depends on.
What Asset Management Teams Should Own
The argument is not that maintenance teams should replace cybersecurity specialists. It is that certain capabilities sit naturally within the asset management function and should be governed there.
OT Asset Inventory
The CMMS or EAM platform is the system of record for physical assets. Extending that inventory to include cybersecurity-relevant attributes (firmware version, communication protocol, network segment, patch status) is a metadata extension, not a new system. Maintenance teams already manage asset data lifecycles. Adding cybersecurity fields to that discipline is more sustainable than building a parallel inventory in a security tool.
Vulnerability-Driven Maintenance
When a vendor publishes a firmware vulnerability for a specific PLC model, someone needs to identify every instance of that model in the facility, assess the risk, and schedule the remediation. That is a work management process. The work order should be raised, planned, and executed through the same system that manages every other maintenance intervention. Treating cybersecurity patches as a separate workflow creates gaps.
Asset Lifecycle and Obsolescence Planning
Assets that have reached end-of-support from their manufacturer are cybersecurity liabilities. They will not receive security patches. Compensating controls (network segmentation, monitoring, access restrictions) can mitigate risk, but the long-term answer is replacement. Asset lifecycle planning in the CMMS should incorporate cybersecurity obsolescence alongside mechanical and functional obsolescence.
Criticality-Based Prioritisation
Asset criticality frameworks of the kind described in our earlier analysis of criticality assessments already evaluate consequence of failure across safety, production, environmental, and compliance dimensions. Adding a cybersecurity dimension to that assessment (consequence of a cyber compromise affecting this asset) aligns security investment with operational risk, using a framework that maintenance and operations teams already understand.
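The following is an added example of how a cyber consequence dimension can be bolted onto an existing consequence-of-failure assessment; it is not code from the original article or from any CMMS or EAM product. The five-asset register, the 1 to 5 consequence scale, and the rule used to derive the cyber dimension (a compromised node inherits the worst physical consequence of everything it has a control path to, and an asset off any routable segment is capped at 2) are assumptions chosen for illustration. It goes slightly beyond the text by showing how the ranking changes once network location is taken into account.

```python
"""Criticality assessment extended with a cyber-consequence dimension.

Added example, not code from the original article or from any CMMS/EAM
product. The five-asset register, the 1-5 consequence scale and the rule
for deriving the cyber dimension are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

DIMENSIONS = ("safety", "production", "environmental", "compliance")


@dataclass
class Asset:
    tag: str
    consequences: dict              # dimension -> 1 (negligible) .. 5 (catastrophic)
    network_reachable: bool         # sits on a routable segment (from the asset register)
    reaches: list = field(default_factory=list)   # tags this asset has a control path to


# Constructed register: a safety PLC on an isolated network, a process PLC,
# the HMI and engineering workstation that can reach it, and a level transmitter.
REGISTER = {a.tag: a for a in [
    Asset("SIS-PLC-1", {"safety": 5, "production": 4, "environmental": 3, "compliance": 4}, False),
    Asset("PLC-101", {"safety": 3, "production": 4, "environmental": 2, "compliance": 2}, True),
    Asset("HMI-3", {"safety": 1, "production": 2, "environmental": 1, "compliance": 1}, True, ["PLC-101"]),
    Asset("EWS-1", {"safety": 1, "production": 1, "environmental": 1, "compliance": 1}, True, ["PLC-101", "HMI-3"]),
    Asset("LT-204", {"safety": 2, "production": 2, "environmental": 3, "compliance": 1}, True),
]}


def physical_worst(asset: Asset) -> int:
    """Worst consequence across the conventional dimensions."""
    return max(asset.consequences[d] for d in DIMENSIONS)


def cyber_consequence(tag: str, register: dict) -> int:
    """Consequence of a cyber compromise of this asset (assumed rule).

    A compromised node can be used to act on every asset it has a control
    path to, so the cyber consequence is the worst physical consequence over
    the asset and everything reachable from it (transitively, cycle-safe).
    An asset off any routable segment needs physical access first, so its
    cyber consequence is capped at 2.
    """
    if not register[tag].network_reachable:
        return min(physical_worst(register[tag]), 2)
    worst, seen, stack = 0, set(), [tag]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        worst = max(worst, physical_worst(register[current]))
        stack.extend(register[current].reaches)
    return worst


def criticality(tag: str, register: dict, include_cyber: bool):
    """Overall criticality = worst dimension; returns (score, driving dimension)."""
    scores = {d: register[tag].consequences[d] for d in DIMENSIONS}
    if include_cyber:
        scores["cyber"] = cyber_consequence(tag, register)
    driver = max(scores, key=scores.get)     # first dimension holding the maximum
    return scores[driver], driver


def rank(register: dict, include_cyber: bool):
    """Tags ordered by descending criticality, ties broken alphabetically."""
    rows = [(tag, *criticality(tag, register, include_cyber)) for tag in register]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for label, flag in (("without cyber dimension", False), ("with cyber dimension", True)):
        print(label)
        for tag, score, driver in rank(REGISTER, flag):
            print(f"  {tag:10} {score}  ({driver})")
```

Run as a script, the engineering workstation and the HMI move from the bottom of the list to the same tier as the process PLC they can reach, while the safety PLC on its isolated network keeps its safety-driven rating. That is the practical effect of adding the dimension: security investment follows the control paths recorded in the asset register, not only the physical consequence of the individual device.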
The Integration Architecture Challenge
Connecting cybersecurity tools to asset management platforms is not trivial, but the practical path involves three established patterns:
- Asset enrichment: periodic synchronisation of cybersecurity attributes (firmware version, patch status, known vulnerabilities) into the EAM asset record, triggered by vulnerability disclosures or scheduled audits.
- Automated work generation: security alerts that meet defined criteria automatically generating work requests in the CMMS for triage by the maintenance planning team.
- Unified reporting: dashboards combining asset condition data from the EAM with security posture data from OT monitoring tools.
None of these require replacing existing systems. They require integration discipline and clear data ownership: the same capabilities that determine whether any enterprise integration succeeds.
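The following is an added example, not code from the original article or from any CMMS, EAM or security product, that ties together the OT asset inventory extension, vulnerability-driven maintenance, obsolescence handling and the first two integration patterns above (asset enrichment and automated work generation). The register rows, the vendor advisory and its identifier (ADV-EXAMPLE-001), the reference date, the work-order fields and the priority rule are all constructed for illustration.

```python
"""Vulnerability-driven maintenance from the CMMS asset register.

Added example, not code from the original article or from any CMMS/EAM or
security product. The register rows, the vendor advisory and its identifier
(ADV-EXAMPLE-001), the reference date, the work-order fields and the
priority rule are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def parse_version(v: str) -> tuple:
    """'2.10.0' -> (2, 10, 0): compare numerically, because as strings
    '2.10.0' < '2.4.1' and a lexical check would mis-classify the asset."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class AssetRecord:
    tag: str
    manufacturer: str
    model: str
    firmware: str
    network_segment: str
    criticality: int                    # 1..5 from the criticality assessment
    end_of_support: Optional[date]      # vendor support end date; None if supported


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    manufacturer: str
    model: str
    fixed_version: str                  # every firmware version below this is affected


# Constructed register rows: four PLCs of one model, one past vendor support, and an HMI.
REGISTER = [
    AssetRecord("PLC-101", "ExampleAutomation", "X200", "2.3.0", "Cell-A-Control", 4, None),
    AssetRecord("PLC-102", "ExampleAutomation", "X200", "2.4.1", "Cell-A-Control", 4, None),
    AssetRecord("PLC-117", "ExampleAutomation", "X200", "2.10.0", "Cell-B-Control", 3, None),
    AssetRecord("PLC-205", "ExampleAutomation", "X200", "1.9.2", "Utilities", 5, date(2023, 6, 30)),
    AssetRecord("HMI-3", "ExampleAutomation", "V50", "2.0.0", "Cell-A-Control", 2, None),
]

# Constructed advisory: X200 firmware below 2.4.1 is affected.
ADVISORY = Advisory("ADV-EXAMPLE-001", "ExampleAutomation", "X200", "2.4.1")

# Constructed reference date for the end-of-support check.
AS_OF = date(2025, 9, 1)


def is_affected(asset: AssetRecord, adv: Advisory) -> bool:
    return (asset.manufacturer == adv.manufacturer
            and asset.model == adv.model
            and parse_version(asset.firmware) < parse_version(adv.fixed_version))


def affected_assets(register, adv):
    """Every instance of the affected model still on vulnerable firmware."""
    return [a for a in register if is_affected(a, adv)]


def enrich(register, advisories):
    """Asset enrichment pattern: open advisory ids per asset tag, ready to be
    written back to a 'known vulnerabilities' field on the EAM record."""
    return {a.tag: [adv.advisory_id for adv in advisories if is_affected(a, adv)]
            for a in register}


def priority(criticality: int) -> str:
    """Assumed rule: P1 for criticality 4-5, P2 for 3, P3 otherwise."""
    return "P1" if criticality >= 4 else "P2" if criticality == 3 else "P3"


def raise_work_orders(register, adv, today: date):
    """Automated work generation: one work request per affected asset.
    A unit past vendor support cannot take the fix, so its request asks for
    compensating controls (segmentation, monitoring, access restriction)
    and flags it for the obsolescence plan instead of a firmware update."""
    orders = []
    for a in sorted(affected_assets(register, adv), key=lambda x: (-x.criticality, x.tag)):
        unsupported = a.end_of_support is not None and a.end_of_support <= today
        orders.append({
            "asset": a.tag,
            "advisory": adv.advisory_id,
            "network_segment": a.network_segment,
            "current_firmware": a.firmware,
            "work_type": "COMPENSATING-CONTROL" if unsupported else "FIRMWARE-UPDATE",
            "target_firmware": None if unsupported else adv.fixed_version,
            "priority": priority(a.criticality),
            "obsolescence_review": unsupported,
        })
    return orders


if __name__ == "__main__":
    for wo in raise_work_orders(REGISTER, ADVISORY, today=AS_OF):
        print(wo)
```

Two details matter in practice. Firmware versions must be compared numerically: PLC-117 on 2.10.0 is not affected, but a string comparison would say it is, generating a needless outage. And the end-of-support date on the record changes the work type: PLC-205 cannot be patched, so the request generated for it is for compensating controls and an obsolescence review rather than a firmware update, which is exactly the information the lifecycle plan in the CMMS needs.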
The Organizational Question
Cybersecurity teams report to the CISO. Maintenance teams report to the head of engineering or operations. Bridging that gap requires deliberate governance: shared asset data standards, joint risk assessment processes, and escalation paths that cross functional boundaries.
Organizations that treat OT cybersecurity as purely an IT problem will continue to struggle with incomplete asset inventories and security programs that do not reflect operational reality. Those that recognize it as an asset management discipline, built on accurate asset data and executed through established work management processes, will build more resilient operations.
The asset register is the foundation. Everything else follows from knowing what you have.
Sources
- CISA: Foundations for OT Cybersecurity, Asset Inventory Guidance for Owners and Operators (August 2025)
- Fortinet: 2025 State of Operational Technology and Cybersecurity Report
- ISA/IEC 62443 Series of Standards (International Society of Automation)
- EU NIS2 Directive: Impact on Operational Technology (Orange Cyberdefense)