Dale Peterson recently argued that the OT security community has reached premature consensus on security controls without evidence they actually reduce incidents. He singles out OT asset inventory as a prime example of an unproven recommendation that the community treats as settled wisdom.

He asks three pointed questions: What evidence exists that asset inventory reduces incidents? What percentage of assets do you need? And is the cost justified compared to other investments?

I have answers to all three. Not from theory, but from establishing a global OT security programme across 40+ manufacturing sites.

Evidence: from weeks to minutes

Before our programme, we detected malware on OT assets. The only thing we knew was that the naming convention was English, so the infected devices were somewhere across our English-speaking sites. We spent weeks chasing contacts across multiple countries and time zones, trying to identify what these assets were, who owned them, and whether they were business-critical.

After we built our asset inventory, with ownership, business criticality, and location mapped, the same type of incident took minutes to resolve. Not because asset inventory prevented the malware. Because it made timely incident response possible at enterprise scale.

That distinction matters. Dale frames the question as whether asset inventory reduces the number or impact of incidents. In an enterprise with distributed teams, different scopes, and outsourced functions, the inventory doesn’t just reduce impact. It determines whether you can respond at all.

Scope: where the practical boundary sits

For our programme, routed devices defined the collection boundary. Non-routed networks were excluded, though devices at the network edge or with dual network connections were included. That was a pragmatic decision based on what was reachable and what provided the most value for incident response and vulnerability management.

Dale asks whether you need 20% or 100% of assets inventoried. The honest answer is that it depends on your network architecture, your risk scenarios, and your operational model. For us, the routed device boundary gave us coverage of the assets that mattered most for cross-team coordination and incident response.

Worth noting: when we started, the assumption was that we had tens of thousands of OT assets. After the programme completed, the actual number was in the hundreds of thousands. Without the inventory effort, we would still be making security decisions based on an order-of-magnitude underestimate of what we were protecting.
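
An added example, not from the author or the programme described: one way to encode the routed-device collection boundary above and use the resulting inventory to triage an alert by IP address. The prefixes, hostnames, owners and sites are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: prefixes, hosts, owners and sites are illustrative.
ROUTED = [ipaddress.ip_network(p) for p in ("10.20.0.0/16", "10.30.0.0/16")]

@dataclass(frozen=True)
class Asset:
    hostname: str
    addresses: tuple  # every interface address observed on the device
    site: str
    owner: str
    criticality: str

def is_routed(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROUTED)

def in_collection_scope(addresses):
    # One routed interface is enough, which admits edge and dual-homed devices.
    return any(is_routed(a) for a in addresses)

def build_index(assets):
    # Key only on routed addresses: non-routed cell ranges may repeat per site.
    return {a: asset for asset in assets if in_collection_scope(asset.addresses)
            for a in asset.addresses if is_routed(a)}

def triage(alert_ip, index):
    asset = index.get(alert_ip)
    if asset is None:
        # A routed address missing from the inventory is itself a finding.
        status = "inventory-gap" if is_routed(alert_ip) else "outside-boundary"
        return {"status": status, "ip": alert_ip}
    return {"status": "known", "hostname": asset.hostname, "site": asset.site,
            "owner": asset.owner, "criticality": asset.criticality}

INVENTORY = [
    Asset("HMI-LINE3-01", ("10.20.4.17",), "Plant A", "line3-ops@example.com", "high"),
    Asset("GW-CELL7", ("10.30.1.5", "192.168.0.1"), "Plant B", "cell7-maint@example.com", "medium"),
    Asset("PLC-CELL7-02", ("192.168.0.10",), "Plant B", "cell7-maint@example.com", "high"),
]
INDEX = build_index(INVENTORY)

if __name__ == "__main__":
    for ip in ("10.20.4.17", "10.30.1.5", "10.20.99.99", "192.168.0.10"):
        print(ip, triage(ip, INDEX))
```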

Cost: context matters

The programme cost less than 0.2% of the enterprise’s annual turnover. That budget covered asset inventory, fundamental cyber protection capabilities, and security training across all 40+ manufacturing sites. Asset inventory was one component of a broader programme, not a standalone line item.

Was it well spent? For our risk scenarios and enterprise context, yes. A single significant incident at a major manufacturing site could exceed that annual investment. The programme paid for itself by enabling coordinated response across all sites and reducing the time and cost of every incident we handled.

Dale asks whether the money would be better spent on safety components, recovery capability, or other controls. That question only has meaning within a specific risk context. For a single-site operation with a small OT footprint, the calculus might be different. For a global enterprise with dozens of manufacturing sites, distributed teams, and outsourced operations, you cannot coordinate incident response without knowing what you have and who owns it.

Network isolation: strongest control, hardest to implement

I agree with Dale that network segmentation is the strongest control the data supports. Where we differ is on the assumption that organisations can simply implement it.

Many industrial environments carry decades of technical debt. Legacy systems were designed for availability, not security. Retrofitting proper isolation into a running production environment, without disrupting operations, is expensive and slow. In some cases it is technically impossible without replacing equipment. Pointing to segmentation as the evidence-backed answer is correct in principle and often impractical in reality.

Asset inventory, by contrast, is achievable. It provides immediate operational value. And it enables better decisions about where to invest in segmentation, based on actual business criticality rather than guesswork.

The enterprise dimension

I came to OT security from an enterprise IT and security background. Through our programme, I gained deep respect for the complexity of OT environments, the variance between sites, and the operational realities OT professionals deal with every day. There is no substitute for that domain expertise.

In that enterprise, variance was the name of the game. Every site had different equipment, different maturity, different local practices. The programme’s objective was to bring all sites to a common foundational standard, not to impose a single way of working, but to ensure a baseline that made cross-site coordination and incident response possible.

Working across IT and OT reminded me that some principles are universal. I have been in this field since before we called it cyber, and certain fundamentals hold regardless of the domain: you need to know what you are protecting, who is responsible for it, and how critical it is to the business. OT asset owners are the decision makers: they own the operational consequences of any downtime, and security decisions about their assets should reflect that accountability. Those are not IT concepts imposed on OT. They are operational necessities that apply to any environment where multiple teams share responsibility for keeping the business running.

There is an elephant in the room worth addressing. When an enterprise IT security team arrives at OT’s door, the reception is not always warm. That tension is natural. OT teams have deep domain expertise and legitimate concerns about outsiders who do not understand their operational reality. IT security teams bring processes and frameworks that can feel like an imposition rather than support.

In our programme, we started with exactly that friction. Over time, it gave way to mutual respect. Some of my best professional relationships came from the OT side, people who understood their environments better than I ever would and who, once we established trust, saw that we were working toward the same goal: keeping operations running safely.

The OT security community has hard-won knowledge about what works and what does not in industrial environments. Enterprise security brings experience in scaling processes across organisational boundaries and managing risk at portfolio level. Both perspectives make the other stronger, but only when we stop treating the other side as the problem.

On AI and consensus

Dale argues that AI-generated content reinforces premature consensus through feedback loops. He is right about the mechanism, though it applies well beyond OT security.

Rather than focusing on what AI gets wrong, the more productive path is for experienced practitioners to articulate what is right for their context. Specific accounts of what worked, what failed, and why, grounded in real operations, will do more to calibrate both human understanding and AI training data than general warnings about echo chambers.

Every security professional who shares actual experience, with the messy details and contextual factors included, contributes to a more accurate body of knowledge. That helps everyone making decisions, whether they are reading articles or prompting an AI model.

Where I agree with Dale

His core instinct is sound: the OT security community should be more rigorous about evidence and less comfortable with unexamined consensus. Experienced professionals should share dissenting views. Organisations should measure outcomes, not compliance alone.

Where I push back is on the implication that controls like asset inventory are unproven experiments. In a global enterprise context, they are operational prerequisites. The evidence may not appear in published incident statistics, but it shows up every time an alert fires and the response team knows, within minutes, what is affected, who owns it, and what the business impact will be.

That is not premature consensus. That is learning from experience.