Quantifying OT Cyber Risk Through Comprehensive OT Asset Inventories

Created: Monday, December 23, 2019 - 14:50
Categories: Cybersecurity, General Security and Resilience, Security Preparedness

Quantifying OT cyber risk requires empirical facts. In a compendium to WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, industrial cybersecurity firm Verve Industrial proposes that the best way to gain empirical knowledge of OT environments is through comprehensive asset inventories based on real-time, multi-contextual parameters. Verve’s article aims to help separate fact from fiction amid varying opinions on which components matter most when trying to secure OT environments. Their suggestion is that nobody’s opinion is wrong, but that a better solution is likely a combination of all opinions to create a comprehensive 360-degree view of our assets. Verve reminds us that this robust record means combining asset details (OS, open ports, installed software, users, logins, error logs, etc.) with ‘tribal’ knowledge or metadata (such as system criticality, owner, location, redundancy, etc.) and third-party references (NVD, backup, whitelisting or AV status). Verve concludes, “if you want to quantify risk, you must first start with a quantifiable inventory. Only then can you have informed discussions instead of heated debates.”

Read the post at Verve Industrial.