A Guide to Identifying, Prioritizing, and Protecting ICS Crown Jewel Assets

In operational technology (OT), not all assets are created equal. While every component in an Industrial Control System (ICS) has a function, a select few are indispensable. These assets are the crown jewels; the systems whose failure or compromise would trigger serious consequences for safety, production, and revenue. Protecting these assets is both a challenge and a core business imperative for owners and operators of OT systems.

The challenge, however, is growing. As OT environments converge with IT networks and embrace the Industrial Internet of Things (IIoT), their attack surfaces expand exponentially. According to the 2025 SANS Institute survey, 27% of organizations reported experiencing one or more security incidents involving their ICS/OT systems over the past year, with IT compromises and internet-exposed devices cited as leading attack vectors. This blueprint provides a clear, actionable framework for identifying, prioritizing, and protecting your most critical assets to ensure operational resilience in the face of escalating cyber threats.

Understanding the ICS Landscape and Its Unique Risks

ICS manages everything from power grids and water treatment facilities to manufacturing lines and oil pipelines. Unlike traditional IT environments, where data confidentiality is often the primary concern, the priorities in an OT environment are safety, availability, and integrity. A disruption here doesn’t just mean lost data; it can mean physical harm, environmental damage, and significant economic disruption.

OT environments face a distinctive mix of risks that make them ideal targets for opportunistic attackers. Many rely on legacy systems with decades-long lifespans that lack modern security features and run on proprietary communication protocols.  Once considered “offline,” these environments are now increasingly connected to traditional IT networks and reliant on  Internet of Things (IoT) devices for efficiency and remote monitoring, creating new pathways for attackers.

This expanded attack surface makes it incredibly difficult for organizations to maintain complete visibility and effectively monitor risk across their OT assets. According to the 2024 SANS ICS/OT Cybersecurity Report, 52% of organizations have limited or no network monitoring and anomaly detection capabilities in their ICS/OT environments. Achieving complete visibility into every device, connection, and vulnerability is the first step toward securing OT environments, but visibility alone isn’t enough. Organizations must also identify and prioritize their crown jewel assets, whose compromise would have the most severe impact on safety, operations, and revenue.

What are Crown Jewel Assets in ICS?

Crown Jewel Assets are the linchpins of industrial operations. The loss or compromise of a single crown jewel can cascade across the entire OT environment, triggering outages, safety incidents, and significant financial losses. Identifying these assets requires organizations to assign each asset a functional importance and impact on business continuity.

The criteria for defining an asset as a Crown Jewel are rooted in its criticality to operations. Key considerations include:

• Mission / Business Criticality: Does the asset control a primary production process or deliver a function essential to the organization’s core service?
• Interdependencies: Would the failure of this asset cause a domino effect, taking down other critical systems?
• Safety Implications: Could compromise lead to hazardous conditions for employees, the public, or the environment?
• Regulatory Obligations: Is the asset governed by strict compliance mandates (e.g., NERC CIP for the energy sector)?

While each industrial environment defines its own crown jewels, some common examples include:

• Supervisory Control and Data Acquisition (SCADA) systems that oversee entire operations.
• Programmable Logic Controllers (PLCs) that drive specific physical processes.
• Remote Terminal Units (RTUs) that monitor and manage remote assets.
• Safety Instrumented Systems (SIS) designed to prevent catastrophic failures.
• Specialized sensors for critical functions like leak detection.
• Networked controllers which are essential for industrial automation.

A Framework for Identifying ICS Crown Jewels

No organization can protect its crown jewel assets without robust visibility. For this reason, the first step in any robust OT security program is achieving comprehensive OT visibility across the entire attack surface. This foundational knowledge allows organizations to move from a reactive posture to a proactive, risk-based approach. A practical framework for identification involves four key stages:

1. Comprehensive Asset Discovery: The process begins with creating a complete asset inventory. This means gaining visibility into every device connected to the OT network, including IoT, IIoT, PLCs, and even transient or shadow assets that may not be officially documented. This inventory should go beyond counting devices or endpoints and include firmware versions, communication protocols, and current patch levels.
2. Map Criticality & Dependencies: The next step is to map the interdependencies between systems to trace the potential impact of a single asset failure. A crown jewel analysis helps identify which systems are most critical to safety and production, revealing the assets that support these core functions.
3. Assess Threats and Vulnerabilities: With a clear picture of your critical assets, the next step is to conduct a thorough vulnerability assessment. This allows organizations to understand and evaluate the specific attack vectors most likely to target crown jewels. The goal is to understand not just that a vulnerability exists, but how it could be exploited to compromise a high-value asset.
4. Prioritize Protections: Not all vulnerabilities can be patched immediately, especially in OT environments where uptime is paramount. Instead, organizations should take a risk-based approach and focus on applying compensating security controls or prioritizing patches for the most vulnerable devices that protect their most critical assets.

Threats to ICS Crown Jewels and Their Impact

Manufacturing and OT environments form the bedrock of critical infrastructure. A successful attack on an ICS and its Crown Jewel Assets can have devastating, cascading impacts: halting production, endangering human safety, triggering regulatory fines, and disrupting entire supply chains. As OT environments continue to become more connected, they also become more attractive targets for a wide range of adversaries.

The threats are multifaceted and constantly evolving. Common cyber threats include:

• Ransomware: Attackers are increasingly targeting critical infrastructure and industrial organizations to maximize financial leverage. According to SANS, downtime from an ICS/OT ransomware attack can cost organizations an average of $4.73 million per incident. This highlights the growing danger of operational disruption for financial gain.
• Supply Chain Compromise: Attackers can compromise trusted third-party vendors or software providers to gain a foothold within a target’s network, bypassing perimeter defenses.
• Insider Threats: Whether malicious or unintentional, insiders with privileged access can cause significant damage. A study cited by DTEX Systems found that insider security breaches cost companies an average of $15.4 million per incident.

Beyond these common threats, there are ICS-specific attack vectors that target the unique vulnerabilities of OT environments. These include targeting legacy PLCs with known exploits, exploiting weak network segmentation to move from IT to OT networks, and abusing insecure remote access protocols used by technicians and third-party vendors. An attacker who achieves privilege escalation on a critical system can move laterally within the network and gain complete control over a physical process.

Building a Holistic ICS Security Strategy

Protecting ICS crown jewels requires a holistic strategy that goes beyond one-off controls or isolated endpoint solutions. By building a defense-in-depth approach that ties every layer of security together, organizations can better safeguard their most critical assets. Here’s how to get started:

1. Start with Comprehensive Visibility

You can’t protect what you can’t see. The bedrock of any OT security program is a complete and accurate inventory of all network-accessible devices. Yet as attack surfaces expand, this becomes increasingly difficult. Many OT environments contain a mix of legacy systems and modern IIoT devices, creating blind spots for traditional IT tools.

To close this gap, organizations should leverage passive monitoring techniques to map communication flows and interdependencies without disrupting sensitive operations. An IoT/OT security platform can automate this process, continuously identifying devices and maintaining an up-to-date inventory with details such as device type, manufacturer, and firmware version. Ideally, it should also provide visibility into specialized industrial protocols (e.g., Modbus, DNP3, OPC UA).

This detailed baseline is the essential first step in pinpointing crown jewel assets and establishing a clear view of organizational risk.

2. Prioritize What Matters Most

With full visibility, organizations can begin to prioritize risk mitigation activities. Conduct a formal crown jewel analysis to identify the systems, processes, and OT assets that, if disrupted, would have the greatest safety, operational, or business impact. This analysis should inform a strategy of risk-based vulnerability management. It’s important to remember that not all risks are equal; focus limited resources on remediating vulnerabilities that directly affect the most high-impact assets and pose a credible threat to your operations. An IoT/OT security solution can help by using industry standards to identify, analyze, and rank critical vulnerabilities and provide targeted recommendations for vulnerability management by surfacing the simplest actions to reduce risk.

3. Implement Defense-in-Depth Architecture

A multi-layered defense creates friction for attackers and reduces the likelihood of a successful breach. Best practices for layered defenses include implementing network segmentation to isolate critical control systems, enforcing least-privilege access so users and systems only have the permissions necessary for their roles, and strengthening network chokepoints to block malicious traffic and unauthorized connections. But implementing and maintaining these controls consistently across complex OT environments can be challenging.

An IoT/OT security platform strengthens this architecture by mapping device behavior, validating segmentation strategies, monitoring for configuration drift, and helping enforce security policies across the Purdue Model levels. When integrated into broader security workflows, it not only reduces attacker pathways but also streamlines policy enforcement, creating a more resilient and manageable security posture.

4. Continuous Monitoring and Detection

Protection isn’t a one-time effort. Continuous monitoring is essential to detect anomalous behavior across OT and IoT environments. Early warning signals, including unusual communication patterns or unauthorized configuration changes, can help stop an attack before it escalates.

An IoT/OT security platform provides this visibility and integrates seamlessly with SIEM and SOAR solutions, enriching SOC workflows with OT-specific context. This integration is a growing challenge for many organizations: nearly 70% report difficulties aligning OT security with IT security processes and tools. By bridging this gap, organizations gain centralized visibility and faster, more accurate detection and response.

5. Integrate with Governance, Risk, and Compliance (GRC)

Your OT security practices must align with broader business objectives and regulatory OT security practices must align with broader business objectives and regulatory requirements. Frameworks such as ISA/IEC 62443, NIST CSF 2.0, and the MITRE EMB3D Framework provide structured approaches for securing OT systems. Translating these technical controls into the language of business risk is essential to win executive buy-in and sustain investment.

An IoT/OT security platform supports GRC by maintaining accurate device inventories, monitoring for configuration drift, and generating audit-ready reports. This enables teams to demonstrate compliance, reduce regulatory exposure, and align cybersecurity with organizational resilience goals.

6. Prepare for Incident Response & Recovery

Even with strong defenses, security incidents will occur, but they don’t have to escalate into full-scale disruptions. A well-defined incident response and recovery plan is essential for minimizing damage and restoring operations quickly. Develop playbooks for attacks against crown jewel assets, such as a ransomware attack on a SCADA system, and regularly conduct tabletop exercises to validate these plans and uncover gaps. Ensure that backups, system redundancies, and failover mechanisms are in place and tested regularly.

An IoT/OT security platform strengthens response by analyzing network traffic across all connected devices to detect and alert on anomalous behavior in real time. Early detection enables security teams to respond faster and contain attacks before they compromise critical operations.

7. Embrace Future-Proofing

The OT landscape is dynamic and continues to evolve as it converges with IT networks. Security strategies must be agile enough to adapt to emerging technologies and new threat vectors. Organizations should proactively account for expanding attack surfaces as IoT and IIoT devices are integrated into OT environments. Where possible, leverage AI/ML-driven analytics for predictive threat detection to identify issues before they escalate. Most importantly, treat risk management as a continuous lifecycle, regularly reassessing crown jewel assets, dependencies, and overall security posture as the operational environment changes.

How Asimily Helps Safeguard ICS Crown Jewels

ICS crown jewel assets are the keys to the kingdom: protecting them is imperative for owners and operators of OT environments—but it doesn’t have to be an insurmountable challenge. Asimily provides the only complete IoT, OT, and IoMT Risk Mitigation platform, with the breadth and depth needed to safeguard complex OT attack surfaces and deliver unique insights into every device on the network.

By combining AI-driven risk prioritization, continuous monitoring, and seamless integration with SIEM and SOAR workflows, Asimily gives organizations the visibility and control to defend their most critical assets. The platform helps reduce the OT attack surface, detect configuration drift, and align with leading frameworks such as NIST CSF 2.0, IEC 62443, and the SANS 5 Critical Controls.

Asimily is the partner of choice for organizations that need to safeguard ICS crown jewels, strengthen compliance, and achieve true cyber resilience across IT, OT, and IoT.

Discover how Asimily helps protect your most mission-critical assets.