The interconnected nature of organizational systems has made it more complicated to identify and protect industrial crown jewels, especially as nation-state hackers and state-sponsored adversaries attempt to breach such environments. Apart from the physical machines and production systems, these crown jewels now include legacy equipment, digital twins, remote access gateways, and cloud platforms, with the flow of data between these technologies spread widely. These systems keep industries functioning, but they are often fragile, hard to patch, or next to impossible to take offline, so defending them is a constant balancing act.
Cyber-physical sabotage is on the rise, with groups like Iran’s CyberAv3ngers deploying custom malware to infiltrate water, wastewater, and oil and gas control systems globally. Syteca found that across the energy and utilities sectors, nearly 60% of cyberattacks are tied to nation-state-backed hackers. The situation is urgent: between January 2023 and January 2024, critical infrastructure worldwide was hit by a staggering 420 million cyberattacks, a 30% jump from the previous year and roughly 13 attacks per second.
The real struggle is identification: many organizations only recognize their crown jewels after an incident exposes hidden dependencies. Moving beyond this reactive model demands the proactive discipline of constantly mapping assets, testing assumptions, and knowing how and where vulnerabilities collide with operational impact.
Ideally, organizations have a practical playbook of frameworks, visibility tools, and cross-functional collaboration to clarify what really matters. But mapping is just the beginning. They must also safeguard industrial crown jewels without shackling the business, which requires defenses that add layers and reduce exposure without disrupting operations.
In today’s hyper-connected, high-risk landscape, crown jewel identification cannot be a one-off exercise. It must be embedded into the organization’s risk management, treated with the same rigor as safety standards, and regularly revalidated as technologies, threats, and industrial dependencies evolve.
Protecting industrial crown jewels in a hyper-connected world
As operational environments grow more connected, remotely accessible, and data-driven, Industrial Cyber asked experts whether organizations should revisit and update their definition of ‘industrial crown jewels’ in 2025.
“As the technology of the industrial landscape changes, so too do the critical assets or ‘key terrain’ that make up the core components of our industrial processes,” Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center (CIPIC), told Industrial Cyber. “Technological advances like cloud computing have already moved lots of industrial control decision elements off the factory floor and into faraway datacenters, making those datacenters and the communications pathways between them suddenly critical to industrial decision making.”
Bristow added that legacy mechanisms for conducting criticality and safety analysis need to be modernized to take this into account.

Micah Steffensen, portfolio manager at the Idaho National Laboratory (INL) Cybercore Integration Center, highlighted that the term ‘crown jewels’ will always be subjective. “What matters more than describing the ‘crown jewels’ is fundamentally understanding and documenting how an organization delivers its most critical functions. By using systems thinking, which focuses on relationships and interactions within a system, instead of simply breaking it down into parts (assets, devices, etc.), you can decompose complex processes and functions to understand what matters most.”
Ironically, Steffensen added that “this is how we build operational environments, but the security community could benefit tremendously by adopting the same approach to better protect them.”

Cristina Palomo, cybersecurity risk and compliance director at Schneider Electric, told Industrial Cyber that the risk landscape for industrial environments has changed in recent years due to OT/IT convergence, cloud technology, IIoT, remote access, and an increase in data-driven operations. “More advanced threats are now targeting data flows, including exfiltration, tampering, and supply-chain data, in addition to individual applications.”
She noted that by 2025, crown jewels in industrial settings will include not only applications but also data and critical pathways that impact safety, uptime, and business value.

“Understanding what your most important assets are is a keystone of any good cybersecurity program, and so in my opinion, this should be something that is re-evaluated on a regular basis,” Eric Knapp, product manager at Nozomi Networks, told Industrial Cyber. “That said, 2025 is an interesting time where technological advancements, communication requirements, and certainly the threat landscape have all accelerated more than is typical. It’s definitely a good time to step back and re-evaluate everything.”

Osmar Couto, senior principal consultant for OT Cyber Security at Worley, told Industrial Cyber that a modern definition of industrial crown jewels should encompass both physical and digital assets, including data, algorithms, and system configurations, alongside traditional machinery and infrastructure. “It’s crucial to consider the cyber-physical effects of IT-to-OT breaches and vice versa. Furthermore, third-party dependencies must be recognised, together with related regulatory and reputational risks, as well as possible operational downtime.”
Couto noted that traditionally, industrial crown jewels referred to vital physical assets. However, with technological advancements such as telemetry and digital twins, data is now viewed as a key asset, comparable to physical equipment. “Poor data management can lead to disruptions and erode a company’s competitive advantage. Ultimately, key assets encompass digital links, supply chain integrity, and brand reputation, rather than merely machines or safety measures.”
Proactive vs. Reactive: Ongoing struggle to identify industrial crown jewels
Many organizations only realize which assets are truly critical after an incident. The executives discuss the blind spots that continue to delay early identification and what it will take to move from reactive discovery to proactive prioritization.
Bristow identified that weaknesses in identity and access management continue to be a common theme when evaluating modern incidents. “More emphasis is needed on this aspect of zero trust principles to ensure the integrity and authorization of control systems traffic. We need to take a threat-informed, adversary view of our systems and use that to better prioritize our defenses.”
He added that, as described in ‘Can You Detect What You Can’t Predict? Lessons from SharePoint Vulnerability CVE-2025-53770,’ approaches rooted in behavior rather than signatures alone can help: when defenders understand how adversaries think, move, exploit trust, and chain behaviors, they can build strategies that surface real threats even without knowing the exploits.
“This goes back to looking at the problem from a functional delivery perspective versus approaching it from a device or asset-first perspective,” Steffensen said. “It is very hard to understand what asset is truly critical if you haven’t first done the work to understand how that asset is used (by whom, when, where, why). Understanding the relationships between elements within the systems is of much greater value than focusing on enumerating device or asset cyber vulnerabilities, for instance.”
He added that the context matters tremendously because there will inevitably be ways to manipulate digital devices. “This problem cannot be solved by cybersecurity practitioners alone. It takes the whole organization to get to the appropriate level of understanding, which seems to be a significant disconnect/barrier that needs to be addressed. There is no ‘easy button’ for this problem.”
Palomo said that persistent blind spots include incomplete visibility into OT environments and data flows; silos between IT, OT, and cybersecurity teams that prevent a unified view of risk; and asset inventories that focus on technologies but overlook capabilities and the data that flows across systems.
To move from reactive to proactive, she called upon organizations to deploy passive discovery and monitoring to see data in motion, not just static assets. They must use business impact modeling to evaluate criticality in terms of operational disruption, safety, and reputation, not just technical severity, and strengthen cross-functional collaboration, ensuring that domain experts, risk leaders, and governance bodies validate what is truly critical.
“I like to think of industrial control as an organism rather than a collection of assets, because you’re dealing with balanced systems that are highly interdependent,” Knapp said. “If an attacker gains access to a part of that system, they can manipulate the whole of the system in many cases. So, if we try to pin an incident on a specific asset, it’s always going to vary and will likely take us by surprise.”
However, he added that there are certainly things that can be done to be less reactive. “First, every control system should be evaluated for failures within the context of a cyber attack. Think about what could go wrong if someone were actively trying to make something fail. Next, focus on segmentation. It sounds overly basic, but if you have access to a system, you can manipulate it, so make it harder to access.”
“Realize that most automation systems are actually many automation systems working together as parts of an even larger system,” according to Knapp. “Keep everything separate, and know exactly how each one interconnects. If zones and conduits are implemented correctly, only specific assets will communicate between systems, and these are going to be the most useful to an attacker, so watch these closely. I often refer to them as ‘beached systems’ because the analogy really works: an attacker has to land there, so it’s the area you should fortify most heavily.”
Couto highlighted three persistent blind spots: reliance on ‘legacy knowledge,’ which risks losing crucial asset information when key staff leave; incomplete asset inventories that hinder both protection and understanding of systems; and the differing risk perspectives of IT and OT, which focus on confidentiality versus safety. He added that overlooked indirect dependencies, such as historian databases, are critical, and that data flows, including real-time metrics, are vital because a breach of them can disrupt operations.
“To eliminate these persistent blind spots, asset management needs to be monitored in real time,” according to Couto. “Highlight the importance of cross-functional workshops and encourage scenario-driven risk modelling to uncover hidden vulnerabilities. Additionally, linking asset criticality to business outcomes involves considering factors such as safety and revenue impact and incorporating the assessments as part of the change management processes.”
He added that waiting for a breach or outage to reveal the crown jewels is an expensive gamble. “Proactive identification is a must for operational survival.”
Playbook for mapping and defending industrial crown jewels
Across complex OT landscapes, the executives examine which practical approaches, such as frameworks, tools, and cross-functional collaboration, are proving most effective in mapping and protecting crown jewels.
Steffensen said he is biased, “but at the highest level, I suggest using systems thinking and approaching the defense of operational environments from a more holistic, functional delivery perspective. At INL, we describe this approach as Critical Function Assurance (CFA), and at a more granular level, we developed consequence-driven cyber-informed engineering (CCE) to provide a repeatable methodology to help organizations use systems thinking and an adversarial perspective to narrow down what matters most and how to best defend against digital threats.”
He reiterated that this isn’t just a cyber practitioner issue; it takes collective participation from all elements within an organization to protect what matters most.
Palomo pointed to an approach that combines recognized standards, continuous improvement, and collaboration. This includes frameworks that align crown jewel controls with ISO 27001 and the NIST Cybersecurity Framework.
“We don’t reinvent the wheel; we adapt standards in the market to the Crown Jewel framework,” she said, adding that continuous learning is central to the process. Each year, the framework is updated based on revisions to industry standards, lessons from real incidents by asking whether the existing controls would hold if a crown jewel were impacted, insights from external incidents across the industry, and a review of regulatory requirements to ensure alignment where necessary.
Palomo also mentioned collaboration, where risk leaders, domain experts, and governance bodies review crown jewels annually, ensuring that criticality reflects both technical risks and business impacts. “This iteration, reviewing, monitoring, and learning-driven approach means our framework evolves continuously, rather than being a one-time exercise.”
“Because we’re talking complex OT landscapes, the answer is ‘the frameworks, tooling, and collaborations that are equally complex,’” Knapp said, adding that from a technology standpoint, don’t rely on tools that are prescriptive and rigid, because the types of assets will differ in different areas, and the best way to discover and map them will differ as well.
“I think the most effective method is actually cross collaboration: security teams will have amazing domain knowledge, powerful tools, and a unique perspective on threats; operators will have equally amazing but different domain knowledge, powerful tools for understanding every nuance of their process, and a different-but-equally-valuable perspective,” Knapp identified. “When I see true collaboration between IT and OT, it’s always positive. In terms of tooling, choose the tools that facilitate that cooperation.”
“Successful organisations utilise established OT frameworks, visibility tools, and cross-functional collaboration to maintain an actionable and up-to-date map of crown jewels as the operational landscape changes,” Couto said. “To ensure continuous visibility, frameworks such as the NIST Cybersecurity Framework (CSF) and NIST SP 800-82, along with the ISA/IEC Series and C2M2, work together with tools for automated asset discovery, dependency mapping, and vulnerability management.”
He added that collaboration should be fostered through workshops with OT, IT, and business teams to identify critical assets and their impacts. “Conduct incident response table-top exercises for high-value assets to test defences and decision-making. Train cyber champions in operations teams on basic cyber hygiene to enhance vigilance.”
Couto underscored that crown jewel mapping is a continuous process that requires regular updates to definitions and inventories to align asset criticality with risk appetite and compliance standards.
Protecting industrial crown jewels without disrupting operations
For fragile yet critical systems that can’t be easily patched or replaced, the executives address how industrial organizations balance protection with operational continuity.
Bristow identified that these ‘too critical to secure’ assets are exactly where mitigation resources should be applied. “When it’s not technically feasible to secure a system, compensating controls like tightly limiting access and validating communications should be implemented to ensure the system’s exposure is as limited as possible.”
Palomo said that in OT, operational continuity is prioritized. “However, continuity without security may lead to vulnerability. When patching is not feasible due to legacy protocols, vendor limitations, or safety requirements, and after assessing the risks involved, compensating controls are implemented to manage these risks, such as network isolation and segmentation, supported by firewalls and strict access regulations. Privileged Access Management (PAM) to restrict interaction with systems that cannot be patched. Enhanced monitoring and detection for quick identification of anomalies. Resilient processes, including secure patch distribution pipelines, to prevent the patching process from becoming a threat vector.”
She added that this approach seeks to balance both security and operations, aiming to reduce vulnerabilities while maintaining the smooth functioning of industrial processes.
“It’s easy to fixate on specific device vulnerabilities and CVEs because they’re easy to define and (somewhat) easy to measure, but it’s equally important to remember the larger context of ‘OT as an organism,’” Knapp noted. “Industrial control systems are, by definition, command and control systems. Adversaries try to exploit vulnerabilities in an attempt to gain command and control. Vulnerability has to be considered more holistically, which again points back to the basics.”
He added that the more critical a system is, the more difficult it should be to reach and the more resiliently it should be designed. “Thus, even a critical CVE can be tolerated (and carefully monitored) until the next maintenance window. Make ‘protection’ less dependent upon ‘patching.’”
Couto observed that for irreplaceable systems, security focuses on layered protections, reducing exposure, controlling access, and early detection to prevent disasters. “Virtual patching through compensating controls, such as IPSs and deep packet inspection tools, to ‘shield’ the system when changes aren’t possible. Network isolation, unidirectional gateways, and micro-segmentation can be implemented within tightly controlled network zones, which are only accessible via monitored pathways.”
He added that strict access controls, multi-factor authentication, and time-limited, audited sessions for vendor or contractor access should be implemented. “Industrial protocols, such as Modbus, DNP3, and PROFINET, are continuously monitored. Test beds and digital twins are also recommended for the secure testing of updates, configuration adjustments, or security measures before deployment in the field. Lifecycle planning involves anticipating the end of a system’s life well before it fails, ensuring that budgets and migration strategies align with security priorities.”
Rethinking industrial crown jewel identification in the current landscape
The executives explore what a mature, forward-looking approach to industrial crown jewel identification entails today, particularly in environments defined by legacy systems, remote access, and escalating industrial cyber risk.
“We have moved beyond the space where understanding your assets and processes is sufficient,” Bristow said. “You need to take adversary capability and kill chains into account and place your mitigation resources where they will have the most effect on frustrating the adversary action. Tools like MITRE’s Infrastructure Susceptibility Analysis help organizations take this more advanced, nuanced, and efficient approach to mitigation.”
“Ongoing assessment of business value and its potential impact on digital assets and critical data flows helps identify key risks and focus areas,” Palomo said. “Effective identification relies on cross-functional collaboration among business leaders, IT/OT teams, and cybersecurity experts.”
Knapp said that a mature approach is continuous and adaptive (because things change rapidly); scalable (in terms of people and process, not just technology); reliable (so as not to introduce risk of its own); and, perhaps most importantly, intuitive and accurate. “(And if it’s already all of those things, supplementing it with AI will be extremely useful and will improve efficiencies).”
Highlighting that adaptability is key, Couto said that core values should align with changing conditions, with a focus on future forecasting. “Continuous, intelligence-driven insights to identify key assets and ensure operational continuity and business value amid evolving technology, remote access, and increasing threats related to OT.”
He added that a forward-looking program treats the crown jewel map as a live operational artefact, not an audit deliverable, integrates with change management, and requires reassessment for new connections, asset replacements, or remote access. “It also utilises OT-specific threat feeds to identify potential high-value targets. It also embeds crown jewel awareness into incident response playbooks and tabletop drills.”
“A mature, forward-looking approach involves a unified OT/IT asset intelligence system that continuously consolidates inventories. Enriching data with metadata is essential. A risk criticality score assesses an asset based on its operational functions, exposure, safety, compliance, and data sensitivity, and is reviewed quarterly,” according to Couto. “Threat modelling addresses unpatchable or OEM-restricted systems with pre-approved control plans for fragile assets. Dependency mapping identifies interdependencies and critical assets using digital twins or flow diagrams. Cross-functional governance ensures that OT, IT, safety, and executive teams collaborate to manage and fund the asset map,” he concluded.
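To make the dependency-mapping and criticality-scoring ideas discussed above concrete, here is an illustrative example written for this article (it is not code from Worley, INL or any of the quoted experts). It scores a constructed inventory for a small water-treatment site by the worst critical function an asset can degrade, directly or through dependency and access paths, weighted by exposure; the asset names, consequence scores, edges and exposure multipliers are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample inventory for a small water-treatment site; every name,
# score and edge below is an assumption made for this example.
FUNCTIONS = {"water_treatment_control": 5,  # consequence 1 (low) .. 5 (safety/uptime critical)
             "compliance_reporting": 2}
DELIVERS = {  # asset -> functions it performs directly
    "PLC-intake": {"water_treatment_control"},
    "SCADA-server": {"water_treatment_control"},
    "Historian-DB": {"compliance_reporting"},
    "Eng-workstation": set(),
    "Remote-gateway": set(),
}
DEPENDS_ON = {  # asset -> assets it cannot operate correctly without
    "PLC-intake": {"SCADA-server"},
    "SCADA-server": {"Historian-DB"},  # trends and recipes are read from the historian
}
CAN_REACH = {  # asset -> assets it has a network or control path to (a conduit)
    "Remote-gateway": {"Eng-workstation"},
    "Eng-workstation": {"PLC-intake", "SCADA-server"},
}
EXPOSURE = {"Historian-DB": 1.5,   # 1.0 plant-only, 1.5 reachable from corporate IT,
            "Remote-gateway": 2.0}  # 2.0 vendor remote access; default 1.0

def impact_graph():
    """Directed edges X -> Y meaning 'loss or compromise of X can degrade Y'."""
    graph = defaultdict(set)
    for asset, deps in DEPENDS_ON.items():
        for dep in deps:
            graph[dep].add(asset)      # losing a dependency degrades the dependent asset
    for asset, targets in CAN_REACH.items():
        graph[asset] |= targets        # a foothold on asset lets an attacker manipulate targets
    return graph

def impacted_functions(asset):
    """Every critical function reachable from asset, directly or via the impact graph."""
    graph, seen, queue, funcs = impact_graph(), {asset}, deque([asset]), set()
    while queue:
        node = queue.popleft()
        funcs |= DELIVERS.get(node, set())
        for nxt in graph[node] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return funcs

def worst_consequence(funcs):
    return max((FUNCTIONS[f] for f in funcs), default=0)

def criticality(asset):
    """Consequence of the worst impacted function, weighted by how reachable the asset is."""
    return worst_consequence(impacted_functions(asset)) * EXPOSURE.get(asset, 1.0)

def hidden_dependencies():
    """Assets whose inherited criticality exceeds what their own function suggests."""
    return sorted(a for a, direct in DELIVERS.items()
                  if worst_consequence(impacted_functions(a)) > worst_consequence(direct))

def ranking():
    return sorted(DELIVERS, key=criticality, reverse=True)

if __name__ == "__main__":
    for asset in ranking():
        print(f"{asset:16} {criticality(asset):4.1f} {sorted(impacted_functions(asset))}")
    print("hidden dependencies:", hidden_dependencies())
```

Run as-is, the historian (a reporting system on its own) and the remote gateway (no process function at all) rank above the PLC, which is the kind of indirect dependency the experts say only surfaces after an incident.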