For a long time, cyber-physical systems (CPS) security has revolved around one very clear idea: asset visibility. The guiding principle around visibility was simple: see more assets, map more devices, extend coverage deeper into operational technology (OT), the internet of medical things (IoMT), and medical environments.
For years, that focus was absolutely justified. If you couldn’t see what was connected, you couldn’t begin to protect it. What’s interesting, however, is what happens after visibility is achieved.
Many organizations today have more sensors, platforms, and discovery data than ever before—and yet they feel less certain than ever about their security posture. That’s usually the moment when the conversation starts to change.
In CPS environments, especially in healthcare, it’s completely normal for the same physical asset to appear in multiple systems at the same time.
A single medical device might be:
passively observed by an IoMT or OT platform,
actively detected by a network probe,
partially described by a legacy inventory,
and indirectly referenced by a security or operational system.
None of these perspectives is wrong. Each one is simply incomplete. Problems, however, begin when those partial truths collide and asset counts don’t match, vulnerability numbers differ, and risk scores tell different stories depending on which dashboard you’re looking at.
At that point, the question that always comes up is: “Which system should we trust?” But that question is already leading CISOs and decision makers in the wrong direction.
CPS security has quietly become a multi-truth problem. Each platform is designed to observe reality from a specific angle:
network behavior
endpoint posture
device characteristics
operational context
Expecting one of them to represent the entire truth is unrealistic. Adding more tools doesn’t solve this. In fact, it often makes things worse. More data means more discrepancies, more debates, and more time spent reconciling numbers instead of managing risk. At scale, visibility without synthesis turns into noise. And noise at the executive level quickly becomes operational risk.
This is where normalization is often misunderstood. It’s usually treated as a reporting concern—something you do to make dashboards line up. But in CPS environments, normalization is much more fundamental than that. Normalization is about deciding what is considered true.
To do that properly, you need a layer that can:
accept data from multiple authoritative sources,
preserve where each piece of information comes from,
resolve conflicts in a consistent and explainable way,
and keep track of how things change over time.
Once you look at it this way, normalization stops being a data hygiene task and starts behaving like a real security control.
The idea of a canonical asset is actually very simple.
Instead of treating each discovery as a separate object, you define one stable identity for every physical asset and allow multiple systems to contribute to it. The important part is how that contribution works. A canonical asset is not a blind merge; it’s a governed construct.
Each attribute—identity, operating system, vendor, exposure—is selected according to explicit rules. Those rules reflect trust, context, and risk, not convenience. Over time, this creates something many security teams have been missing: a shared, defensible understanding of what they are actually protecting.
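The governed merge described above, as an added Python example that is not part of the original article: a canonical asset registry that keys every physical asset on a stable identity, lets several sources contribute to it, picks each attribute by an explicit per-attribute precedence rule, keeps provenance for the winning value, records the values that lost, and logs every change over time. The source names, the precedence table and the infusion-pump observations are constructed for illustration and do not reflect any real platform's policy.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Any, Optional

# Per-attribute source precedence, highest trust first. This rule table is an
# assumption for illustration, not any real platform's policy; a source not
# listed for an attribute is never allowed to set it (a governance choice).
PRECEDENCE = {
    "vendor":   ["iomt_platform", "network_probe", "legacy_inventory"],
    "model":    ["iomt_platform", "legacy_inventory"],
    "os":       ["network_probe", "iomt_platform", "legacy_inventory"],
    "exposure": ["security_system", "network_probe"],
    "location": ["legacy_inventory", "iomt_platform"],
}


@dataclass
class Observation:
    source: str
    observed_at: datetime
    attributes: dict          # attribute values exactly as the source reported them


@dataclass
class Resolved:
    value: Any
    source: str               # provenance: which source the winning value came from
    observed_at: datetime


@dataclass
class CanonicalAsset:
    asset_id: str
    attributes: dict = field(default_factory=dict)   # attr -> Resolved
    conflicts: dict = field(default_factory=dict)    # attr -> {losing source: its value}
    history: list = field(default_factory=list)      # (attr, old, new, source, when)
    observations: list = field(default_factory=list)


def serial_key(attrs: dict) -> Optional[str]:
    s = attrs.get("serial")
    return "serial:" + s.strip().upper() if s else None


def mac_key(attrs: dict) -> Optional[str]:
    m = attrs.get("mac")
    return "mac:" + m.replace("-", ":").lower() if m else None


def resolve_attribute(attr: str, observations: list):
    """Winner = latest value from the highest-precedence source that reported attr.
    Every lower-precedence source that disagrees is recorded as a conflict."""
    latest = {}  # source -> (value, observed_at), most recent observation per source
    for obs in sorted(observations, key=lambda o: o.observed_at):
        value = obs.attributes.get(attr)
        if value is not None:
            latest[obs.source] = (value, obs.observed_at)
    winner, conflicts = None, {}
    for src in PRECEDENCE.get(attr, []):
        if src not in latest:
            continue
        value, when = latest[src]
        if winner is None:
            winner = Resolved(value, src, when)
        elif value != winner.value:
            conflicts[src] = value
    return winner, conflicts


class CanonicalRegistry:
    def __init__(self):
        self.assets: dict = {}    # canonical id -> CanonicalAsset
        self.aliases: dict = {}   # secondary key (mac) -> canonical id

    def canonical_id(self, attrs: dict) -> str:
        """Serial number is the stable identity; a MAC-only observation is matched
        through an alias learned from an earlier observation carrying both."""
        sk, mk = serial_key(attrs), mac_key(attrs)
        if sk and mk:
            self.aliases[mk] = sk
        if sk:
            return sk
        if mk:
            return self.aliases.get(mk, mk)
        raise ValueError("observation carries no usable identity")

    def ingest(self, obs: Observation) -> CanonicalAsset:
        cid = self.canonical_id(obs.attributes)
        asset = self.assets.setdefault(cid, CanonicalAsset(asset_id=cid))
        asset.observations.append(obs)
        for attr in PRECEDENCE:
            winner, conflicts = resolve_attribute(attr, asset.observations)
            if winner is None:
                continue
            previous = asset.attributes.get(attr)
            if previous is None or previous.value != winner.value:
                asset.history.append((attr, previous.value if previous else None,
                                      winner.value, winner.source, obs.observed_at))
            asset.attributes[attr] = winner
            asset.conflicts[attr] = conflicts
        return asset


# Constructed sample: four partial views of one infusion pump (fictional values).
SAMPLE = [
    Observation("legacy_inventory", datetime(2024, 1, 10), {
        "serial": "SN-1001", "vendor": "Acme Medical", "model": "Pump X",
        "os": "Windows 7", "location": "Ward 3", "exposure": "internet"}),
    Observation("iomt_platform", datetime(2024, 3, 1), {
        "serial": "sn-1001", "mac": "AA-BB-CC-00-11-22", "vendor": "Acme",
        "model": "Pump X", "os": "Windows 10"}),
    Observation("network_probe", datetime(2024, 3, 2), {
        "mac": "aa:bb:cc:00:11:22", "os": "Windows 10", "exposure": "vlan-internal"}),
    Observation("security_system", datetime(2024, 3, 5), {
        "mac": "aa:bb:cc:00:11:22", "exposure": "none"}),
]


def build_registry(observations=SAMPLE) -> CanonicalRegistry:
    reg = CanonicalRegistry()
    for obs in observations:
        reg.ingest(obs)
    return reg


if __name__ == "__main__":
    for asset in build_registry().assets.values():
        print(asset.asset_id)
        for attr, r in asset.attributes.items():
            print(f"  {attr}={r.value!r} from {r.source}  conflicts={asset.conflicts[attr]}")
        for change in asset.history:
            print("  history:", change)
```

Running it collapses the four observations into one canonical asset. The legacy inventory's "Windows 7" and "internet" never win: the first survives only as a recorded conflict under `os`, the second is dropped outright because the rule table does not authorise that source to speak about exposure. Both outcomes are visible and explainable, which is the point of treating the rule table, not the merge code, as the governed artefact.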
Something interesting happens once canonical assets are in place: technical discussions reveal governance choices.
Which source is more reliable for asset identity?
Which one should define vulnerability severity?
Which signal deserves priority when information conflicts?
These aren’t purely technical questions; they’re risk decisions, whether we label them that way or not. Making those decisions explicit—and auditable—is what turns asset management into a governance activity instead of a reconciliation exercise.
With canonical assets in place, the tone of security conversations changes. Teams stop arguing about whose dashboard is correct. Executives stop questioning why numbers don’t match. Risk discussions become consistent across technical and non-technical audiences.
Instead of asking: “Why do these systems disagree?” the focus shifts to: “What does this asset actually represent in terms of risk?” That’s a much more productive place to be.
None of this is about replacing existing platforms. It’s about connecting them in a way that respects their strengths without pretending any of them can represent the whole truth. The future of cyber-physical systems protection and security isn’t defined by who sees more. It’s defined by who understands better. Visibility shows you what exists. Canonical truth helps you decide what matters.
A partner at Deloitte Italy Cyber Risk Services, Battelli has 25 years of consulting experience with a specific focus on ICT/cybersecurity, where he is a well-recognized trusted advisor and subject matter expert in critical infrastructure protection (CIP).
Stefano Scaramuzzino is the cybersecurity team leader and network and information systems manager for ASL Roma 1, Italy's largest local health authority.