# OT Asset Integrity Register (CISA CPG 2.1)

> Maintain and validate an OT Asset Integrity Register for CISA CPG 2.1: catalog ICS, PLCs, HMIs, and sensors with firmware versions and physical locations; link assets to CISA KEV and vendor advisories (Siemens, Rockwell, etc.); cross-reference inventory with network discovery to flag unauthorized devices.



Tags: Compliance, Security, Critical Infrastructure, CISA, OT, ICS, Asset management


## Example Prompts

- Build an OT Asset Integrity Register for our water treatment site (CPG 2.1)
- Link our PLC and HMI inventory to CISA KEV and vendor advisories
- Cross-check our OT inventory against the latest network discovery export and flag unmanaged devices
- Validate our ICS register has firmware versions and physical locations for every asset

URL: https://rakenne.app/skills/ics-firmware-monitor/index.md

Try this skill: https://rakenne.app/a/?skill=ics-firmware-monitor



## Overview

Maintain and validate an OT Asset Integrity Register for CISA CPG 2.1: catalog ICS, PLCs, HMIs, and sensors with firmware versions and physical locations; link assets to CISA KEV and vendor advisories (Siemens, Rockwell, etc.); cross-reference inventory with network discovery to flag unauthorized devices. The CPGs are written for critical infrastructure operators; for CPG 2.1, evidence means a live register plus proof that it is actually used, for example documented firmware checks against advisories and reconciliation of the register with network discovery.

## Example Conversation

> **You:** We need an OT Asset Integrity Register for our water treatment site (CPG 2.1). We have Siemens S7-1200 PLCs, Rockwell HMIs, and a few sensors. I have a network scan export too—can we check for devices that aren’t in the register?

> **Agent:** I’ll create the register from the template and add rows for each PLC, HMI, and sensor with Vendor, Model, Firmware version, and Physical location. I’ll also need at least one network identifier (IP, hostname, or MAC) per asset so we can reconcile with your discovery export.

> **Agent:** Running `ics_firmware_advisory_report` on the register...

> **Agent:** The report links each asset to CISA KEV, NVD, and vendor advisories (Siemens, Rockwell). For each one, verify firmware against those sources and document findings. Now running `unmanaged_device_detector` with your inventory and the discovery file...

> **Agent:** Found 2 devices in discovery not in the inventory: 198.51.100.55 and plc-backup. Investigate and either add them to the register or segment/remove if unauthorized.

## What the Tools Do

**`ics_firmware_advisory_report`** links the register to vulnerability checks:

- Parses the OT Asset Integrity Register (Markdown table: Asset, Type, Vendor, Model, Firmware version, Physical location, IP, Hostname, MAC)
- For each asset, outputs links to CISA Known Exploited Vulnerabilities (KEV), NVD, and vendor-specific advisory pages (Siemens, Rockwell, Schneider, ABB, etc.)
- Use when maintaining or auditing the register so every asset can be checked against known firmware vulnerabilities

**`unmanaged_device_detector`** flags potentially unauthorized devices:

- Cross-references the inventory file with a network discovery log or export (text or CSV with IPs, hostnames, or MACs)
- Lists devices that appear in discovery but not in the register
- Use after building or updating the inventory to identify devices that should be added or removed/segmented

## Output Excerpt

Excerpt from a generated OT Asset Integrity Register:

```markdown
| Asset      | Type | Vendor   | Model          | Firmware version | Physical location   | IP            | Hostname  |
|------------|------|----------|----------------|------------------|---------------------|---------------|-----------|
| PLC Zone 1 | PLC  | Siemens  | S7-1200        | V4.5             | Building A, Panel 1 | 198.51.100.10 | plc-zone1 |
| HMI Line 2 | HMI  | Rockwell | PanelView 5500 | 6.001            | Building B, Line 2  | 198.51.100.20 | hmi-l2    |
```

- Include **Firmware version** and **Physical location** for CPG 2.1 evidence; use `ics_firmware_advisory_report` to drive CISA KEV and vendor advisory checks.
- Include at least one of **IP**, **Hostname**, or **MAC** so `unmanaged_device_detector` can reconcile with network discovery.
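An added Python sketch (not the skill's own code) of the reconciliation that `unmanaged_device_detector` performs, using the register layout from the excerpt above and a constructed CSV discovery export; the `REGISTER_MD`, `DISCOVERY_CSV`, `parse_register` and `unmanaged_devices` names are assumptions, and only the CSV form of the export is handled here. A device is flagged only when none of its IP, hostname or MAC matches the register, so a known host that was re-addressed but kept its hostname or MAC stays off the unmanaged list.

```python
import csv
import io

# Constructed sample register in the page's Markdown table layout (not project data).
REGISTER_MD = """\
| Asset      | Type | Vendor   | Model          | Firmware version | Physical location   | IP            | Hostname  | MAC               |
|------------|------|----------|----------------|------------------|---------------------|---------------|-----------|-------------------|
| PLC Zone 1 | PLC  | Siemens  | S7-1200        | V4.5             | Building A, Panel 1 | 198.51.100.10 | plc-zone1 | 00:1c:06:aa:bb:01 |
| HMI Line 2 | HMI  | Rockwell | PanelView 5500 | 6.001            | Building B, Line 2  | 198.51.100.20 | hmi-l2    |                   |
"""

# Constructed discovery export (CSV with ip,hostname,mac columns); the last two rows are not in the register.
DISCOVERY_CSV = """\
ip,hostname,mac
198.51.100.10,plc-zone1,00:1C:06:AA:BB:01
198.51.100.20,hmi-l2,
198.51.100.55,,00:1c:06:aa:bb:55
198.51.100.61,plc-backup,
"""

ID_COLUMNS = ("ip", "hostname", "mac")

def _norm(value):
    """Normalise an identifier so mixed-case hostnames or MACs compare equal."""
    return value.strip().lower()

def parse_register(md):
    """Return the set of known IPs, hostnames and MACs from the Markdown register table."""
    known = set()
    rows = [line for line in md.splitlines() if line.startswith("|")]
    header = [_norm(c) for c in rows[0].strip("|").split("|")]
    for line in rows[2:]:  # skip the header row and the |---| separator row
        cells = [c.strip() for c in line.strip("|").split("|")]
        for col, cell in zip(header, cells):
            if col in ID_COLUMNS and cell:
                known.add(_norm(cell))
    return known

def unmanaged_devices(register_md, discovery_csv):
    """List discovered devices with no identifier (IP, hostname or MAC) present in the register."""
    known = parse_register(register_md)
    flagged = []
    for row in csv.DictReader(io.StringIO(discovery_csv)):
        ids = [_norm(row.get(c) or "") for c in ID_COLUMNS if row.get(c)]
        if not any(i in known for i in ids):
            # Report the most readable identifier available: hostname, else IP, else MAC
            flagged.append(_norm(row.get("hostname") or row.get("ip") or row.get("mac")))
    return flagged
```

`unmanaged_devices(REGISTER_MD, DISCOVERY_CSV)` returns `['198.51.100.55', 'plc-backup']`, the two devices the example conversation reports; each is a candidate either to add to the register or to segment or remove.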

## Getting Started

Add your source materials (e.g. existing OT asset lists, network discovery export) to the project workspace, then activate the *OT Asset Integrity Register (CISA CPG 2.1)* skill. The agent will guide you through building the register, running the firmware advisory report, and reconciling with discovery to flag unmanaged devices.


