Gaining visibility into OT and IIoT assets is necessary - but it is not sufficient. Without categorizing those assets by safety criticality and business impact, without mapping the context of how they communicate and what would happen if they failed, and without embedding the right governance and people processes around the technology, a visibility program remains a list rather than a foundation for security.

The EY OT Germany practice presents a structured, end-to-end risk management approach that moves from asset discovery through categorization, control selection and continuous monitoring.

In this insightful discussion, Stephanie Carstensen, Frédéric Auburger and Thomas Klotz discuss:

• How passive, active and hybrid discovery methods surface different categories of OT and IIoT exposure;
• Why asset criticality requires process context - not just network data - to be actionable;
• How embedding risk management into governance structures and people processes sustains protection over time.