
OT Asset Integrity Register (CISA CPG 2.1)


    Overview

    Maintain and validate an OT Asset Integrity Register for CISA CPG 2.1: catalog ICS, PLCs, HMIs, and sensors with firmware versions and physical locations; link assets to CISA KEV and vendor advisories (Siemens, Rockwell, etc.); cross-reference inventory with network discovery to flag unauthorized devices. The CPGs target Critical Infrastructure; evidence means a live register and proof it is used (e.g. firmware checks, reconciliation with discovery).

    Example Conversation

    You: We need an OT Asset Integrity Register for our water treatment site (CPG 2.1). We have Siemens S7-1200 PLCs, Rockwell HMIs, and a few sensors. I have a network scan export too—can we check for devices that aren’t in the register?

    Agent: I’ll create the register from the template and add rows for each PLC, HMI, and sensor with Vendor, Model, Firmware version, and Physical location. I’ll also need at least one network identifier (IP, hostname, or MAC) per asset so we can reconcile with your discovery export.

    Agent: Running ics_firmware_advisory_report on the register…

    Agent: The report links each asset to CISA KEV, NVD, and vendor advisories (Siemens, Rockwell). For each one, verify firmware against those sources and document findings. Now running unmanaged_device_detector with your inventory and the discovery file…

    Agent: Found 2 devices in discovery not in the inventory: 192.168.10.55 and plc-backup. Investigate and either add them to the register or segment/remove if unauthorized.

    What the Tools Do

    ics_firmware_advisory_report links the register to vulnerability checks:

    • Parses the OT Asset Integrity Register (Markdown table: Asset, Type, Vendor, Model, Firmware version, Physical location, IP, Hostname, MAC)
    • For each asset, outputs links to CISA Known Exploited Vulnerabilities (KEV), NVD, and vendor-specific advisory pages (Siemens, Rockwell, Schneider, ABB, etc.)
    • Use when maintaining or auditing the register so every asset can be checked against known firmware vulnerabilities

    unmanaged_device_detector flags potentially unauthorized devices:

    • Cross-references the inventory file with a network discovery log or export (text or CSV with IPs, hostnames, or MACs)
    • Lists devices that appear in discovery but not in the register
    • Use after building or updating the inventory to identify devices that should be added or removed/segmented

    Output Excerpt

    Excerpt from a generated OT Asset Integrity Register:

    | Asset      | Type | Vendor   | Model          | Firmware version | Physical location   | IP            | Hostname  |
    |------------|------|----------|----------------|------------------|---------------------|---------------|-----------|
    | PLC Zone 1 | PLC  | Siemens  | S7-1200        | V4.5             | Building A, Panel 1 | 192.168.10.10 | plc-zone1 |
    | HMI Line 2 | HMI  | Rockwell | PanelView 5500 | 6.001            | Building B, Line 2  | 192.168.10.20 | hmi-l2    |
    
    • Include Firmware version and Physical location for CPG 2.1 evidence; use ics_firmware_advisory_report to drive CISA KEV and vendor advisory checks.
    • Include at least one of IP, Hostname, or MAC so unmanaged_device_detector can reconcile with network discovery.
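    As an added illustration of the reconciliation unmanaged_device_detector performs (constructed example code, not the skill's own tool), the script below parses a register in the table format shown above and a constructed CSV discovery export, then lists discovery rows that match no asset on IP, Hostname or MAC. The MAC column in the register and the identifier normalization (case-folding, MAC separator unification) are assumptions.

```python
# Added example: reconcile an OT Asset Integrity Register (Markdown table, as
# in the excerpt above) with a discovery export. Constructed data; not the
# skill's own unmanaged_device_detector code.
import csv
import io

REGISTER_MD = """\
| Asset      | Type | Vendor   | Model          | Firmware version | Physical location   | IP            | Hostname  | MAC               |
|------------|------|----------|----------------|------------------|---------------------|---------------|-----------|-------------------|
| PLC Zone 1 | PLC  | Siemens  | S7-1200        | V4.5             | Building A, Panel 1 | 192.168.10.10 | plc-zone1 | 28:63:36:AA:BB:01 |
| HMI Line 2 | HMI  | Rockwell | PanelView 5500 | 6.001            | Building B, Line 2  | 192.168.10.20 | hmi-l2    |                   |
"""

DISCOVERY_CSV = """\
ip,hostname,mac
192.168.10.10,PLC-ZONE1,28-63-36-aa-bb-01
192.168.10.20,hmi-l2,
192.168.10.55,,00:11:22:33:44:55
,plc-backup,
"""

def normalize(value):
    """Case-fold, strip, and unify MAC separators (28-63-.. == 28:63:..)."""
    v = (value or "").strip().lower()
    return v.replace("-", ":") if v.count("-") == 5 else v

def parse_register(markdown):
    """Parse the Markdown table into one dict per asset, keyed by header."""
    rows = [l.strip() for l in markdown.splitlines() if l.strip().startswith("|")]
    header = [h.strip() for h in rows[0].strip("|").split("|")]
    return [dict(zip(header, (c.strip() for c in r.strip("|").split("|"))))
            for r in rows[2:]]  # rows[1] is the |---| separator

def unmanaged_devices(register_md, discovery_csv):
    """Return discovery rows whose IP, hostname and MAC all miss the register."""
    known = {normalize(a.get(col)) for a in parse_register(register_md)
             for col in ("IP", "Hostname", "MAC")} - {""}
    unmanaged = []
    for row in csv.DictReader(io.StringIO(discovery_csv)):
        idents = {normalize(row.get(k)) for k in ("ip", "hostname", "mac")} - {""}
        if idents and not idents & known:
            unmanaged.append(row)
    return unmanaged

if __name__ == "__main__":
    for dev in unmanaged_devices(REGISTER_MD, DISCOVERY_CSV):
        print("Not in register:", dev["ip"] or dev["hostname"] or dev["mac"])
```

With the constructed data this reports 192.168.10.55 and plc-backup, the same two devices flagged in the example conversation; a register row lacking all three identifiers can never be matched, which is why the bullet above requires at least one.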

    Getting Started

    Add your source materials (e.g. existing OT asset lists, network discovery export) to the project workspace, then activate the OT Asset Integrity Register (CISA CPG 2.1) skill. The agent will guide you through building the register, running the firmware advisory report, and reconciling with discovery to flag unmanaged devices.
