
Integrating Asset Purpose with Asset Identity for Commercial CPS Environments


Commercial sectors rely on diverse cyber-physical systems (CPS) to protect their on-premises and digital environments from attack. Within these systems, commercial companies need to make asset identification and purpose discovery a top priority in order to build the strongest security infrastructure for their company.

In the most recent State of CPS Security: OT Exposures 2025 report from Claroty’s Team82, our researchers found that 40% of the organizations analyzed have assets with known exploitable vulnerabilities (KEVs) insecurely connected to the internet. The nearly 1 million assets analyzed included assets from several sectors of commercial companies and buildings that were observed to have known vulnerabilities.

Recognizing the need for effective cybersecurity controls, we identified in another recent CPS survey report the capabilities commercial sectors believe are missing from their cybersecurity programs. For Commercial Real Estate companies, having an accurate asset inventory was the most important capability they were missing that may have decreased the impact of cyberattacks their organization experienced this year (40%). Retail and Hospitality respondents selected identity and access management (33%), while Data Center respondents cited vulnerability management (43%) as the most important security capability they were missing.


In commercial environments, it is necessary to take a unique approach to asset visibility and discovery. However, many organizations are still experiencing gaps in their cybersecurity programs and may be unsure of where to begin. An approach that focuses not only on identifying commercial assets but also on interconnecting their purposes is key for a more secure commercial CPS ecosystem. Adopting a non-passive approach to asset discovery that incorporates asset identity with purpose will ensure greater visibility and security are achieved through dynamic discovery.

Asset Identity vs. Asset Purpose: Understanding How They Differ and Apply to Your Organization

When determining the network topology of a commercial ecosystem, it’s imperative to first identify all assets. Beyond that, commercial environments achieve better cybersecurity outcomes when asset identification is integrated with each asset’s purpose or use within the infrastructure. Let’s explore how asset identity and asset purpose compare and differ in commercial CPS.

What is asset identity?

Asset identity is best described as the detailed list of all asset attributes that help identify the asset, such as software and firmware versions, IP address, manufacturer, serial number and more. Asset identity allows commercial entities to have a full picture view and understanding of the types of assets in their environment and how they communicate. These assets need to be uniquely identified and include various types of equipment that are important for dynamic discovery.

For proper dynamic discovery in commercial environments, asset identity relates to the unique and complex assets that require deeper CPS visibility. These can include physical assets such as lighting, climate, HVAC systems, and physical security controls. Other key asset identifiers can include industrial control software, firmware, IP addresses, and other technology-driven assets.

What is asset purpose?

Beyond identifying assets, understanding their purpose is key to accurately determining business context within your environment. Asset purpose is the role or function that an asset serves within a commercial organization’s infrastructure. Once an asset’s purpose is determined, commercial environments can categorize their assets into zones based on their critical need and confidentiality, importance for business operations, and how each contributes to certain commercial business objectives.

For instance, modern commercial buildings depend on an array of IoT, OT, and BAS assets that control critical processes such as climate control, lighting, video surveillance, access control, fire systems, and power management. These connected devices often lack basic cybersecurity features, and traditional detection methods can fall short. In turn, this creates more entry points into the network and expands the attack surface.

By determining the purpose of each of these critical assets alongside identifying them, organizations can better inform their exposure management prioritization workflows. In addition, asset owners can group assets into zones based on their business process and criticality. This will allow organizations to successfully manage their exposure to risk and provide easier dynamic discovery.

Asset Purpose in Practice for Commercial Environments

Commercial CPS environments often achieve a more secure infrastructure when asset purpose is integrated within asset identification. That’s because commercial buildings rely on an array of CPS assets in order to meet sustainability, safety, and efficiency goals. The unique nature of these assets makes determining asset purpose essential, because without it organizations would not be able to successfully assess and prioritize their exposure to risk.

Additionally, these connected devices often lack basic cybersecurity features, creating more entry points into the network and expanding the attack surface. Further complicating matters are their unique environmental and operational constraints, which cause IT solutions to fall short in managing the attack surface of a commercial building’s connected BAS environment.

Overall, asset purpose in practice meets this challenge by allowing commercial environments to create asset zones that prioritize asset criticality based on business necessity. Take data centers, for example: their physical IT infrastructure processes data vital to business outcomes, but its performance relies heavily on the support of other systems. Cooling systems maintain optimal temperatures for high-density computing environments, preventing equipment failure and minimizing energy consumption.

At the same time, Building Automation Systems (BAS) help ensure operational efficiency at the facility level by managing HVAC, lighting, and energy systems. Having each of these systems segmented into asset zones based on their purpose is key to maintaining operational resilience because it helps inform CPS cybersecurity controls such as exposure management. 
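The zoning idea above can be sketched as an inventory record that carries both identity and purpose, with exposure ranked by the zone the purpose maps to. This is an added example, not Claroty's code or scoring model; the zone names, criticality weights, scoring formula, and inventory entries are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed purpose -> (zone, criticality weight 1-5); each organization sets its own.
PURPOSE_ZONES = {
    "cooling": ("data-hall-support", 5),
    "access_control": ("physical-security", 4),
    "video_surveillance": ("physical-security", 3),
    "lighting": ("building-comfort", 1),
}
UNCLASSIFIED = ("unclassified", 5)  # unknown purpose is weighted high until reviewed

@dataclass(frozen=True)
class Asset:
    serial: str             # identity
    manufacturer: str       # identity
    ip: str                 # identity
    firmware: str           # identity
    purpose: str            # role the asset serves; "" when not yet determined
    has_kev: bool           # a KEV applies to this firmware
    internet_exposed: bool  # insecurely reachable from the internet

def zone_of(asset):
    return PURPOSE_ZONES.get(asset.purpose, UNCLASSIFIED)

def score(asset):
    """Exposure from identity-level facts, scaled by the zone's criticality."""
    exposure = 2 * asset.has_kev + asset.internet_exposed
    if asset.has_kev and asset.internet_exposed:
        exposure += 2  # KEV plus internet exposure is worse than either alone
    return exposure * zone_of(asset)[1]

def zones(assets):
    grouped = defaultdict(list)
    for a in assets:
        grouped[zone_of(a)[0]].append(a.serial)
    return dict(grouped)

def prioritize(assets):
    ranked = sorted(assets, key=lambda a: (-score(a), a.serial))
    return [(a.serial, zone_of(a)[0], score(a)) for a in ranked]

# Constructed inventory (not real devices).
INVENTORY = [
    Asset("CH-001", "ExampleCo", "192.0.2.10", "1.4.2", "cooling", True, True),
    Asset("LT-014", "ExampleCo", "192.0.2.44", "3.0.1", "lighting", True, True),
    Asset("AC-203", "ExampleCo", "10.20.0.7", "2.2.0", "access_control", True, False),
    Asset("CAM-77", "ExampleCo", "192.0.2.91", "5.1.0", "video_surveillance", False, True),
    Asset("UNK-9", "ExampleCo", "10.20.0.88", "0.9.3", "", True, False),
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(row)
```

The chiller controller and the lighting controller have the same identity-level exposure, yet the chiller ranks five times higher because of its purpose, and the asset with no recorded purpose is surfaced for review rather than silently deprioritized.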

Laying the Foundation for Better Commercial CPS Exposure Management through Claroty

Often the distinction between asset identity and asset purpose can become confused or overlooked when organizations begin to build out their CPS cybersecurity program. In a commercial CPS environment, moving beyond the basics of asset visibility is key to successful exposure management. By taking a unified approach to asset identity and asset purpose, organizations can quickly and easily identify the criticality and severity of the vulnerabilities within their environment to reduce risk.

To get started on quantifying risk, it is imperative that commercial organizations partner with a CPS protection vendor that allows you to customize the risk criticality scoring for your asset zones based on your unique critical business processes. Additionally, you must be able to prioritize exposure management workflows based on which assets are most relevant to your business-critical outcomes.

At Claroty, we understand this need. That’s why we’ve built a purpose-built solution that allows users to manage, monitor, and protect their CPS within one unified platform. Looking to streamline risk management and manage your overall security posture with a comprehensive view of your CPS environment? Schedule a demo with one of our experts today to get started!
