
Claroty’s New CPS Library Takes Aim at the Most Chaotic Corner of Cybersecurity: Device Identity

In the sprawling world of cyber-physical systems—industrial controllers, medical devices, manufacturing lines, energy infrastructure—security teams have been fighting a quiet but brutal battle: no one can agree on what anything is actually called.


A single controller might report three different names depending on the protocol you ask. Another might hide its product code entirely. Vendors publish advisories full of vague model families instead of specific variants. And CVE listings often carry just enough ambiguity to leave security teams wondering whether a vulnerability actually applies to the device in front of them.


This is the naming crisis at the heart of operational technology—where attackers exploit firmware quirks, configuration variants, and unpatched modules, while defenders are stuck deciphering whether the asset is that PLC or the nearly identical one two shelves over.


Now Claroty is trying to put a hard stop to the chaos.


The First Attempt at a Universal Translator for CPS Assets


Today, the company unveiled the CPS Library, pitched as the first AI-powered, authoritative mapping engine capable of deterministically identifying CPS assets and accurately assigning vulnerabilities—even when devices report almost nothing about themselves.


This isn’t just another device inventory feature. Claroty is effectively building the Rosetta Stone for OT and IoMT hardware, backed by data and validation from major vendors including Rockwell Automation and Schneider Electric.


Under the hood is a multi-agent AI system that ingests network-level identifiers, mixed-format naming strings, vendor catalogs, firmware relationships, and advisory data, then reconciles them into a single “ground truth” product code. The CPS Library uses an expansive evidence graph—enriched with OEM-validated reference points—that helps its AI agents triangulate the actual identity of the device in the field.


Claroty calls it deterministic asset identification. Security teams might call it long-overdue sanity. One caveat is worth stating up front: deterministic here means one resolved product code per asset, not an identification free of uncertainty. The same pipeline assigns confidence scores to its correlations, so practitioners should expect, and ask for, a confidence value alongside each resolved identity before acting on it.


Why the Industry Needed This Yesterday


Team82, Claroty’s research arm, dropped a companion report that quantifies how broken the current state of CPS identification really is:


  • 88% of CPS assets don’t transmit an exact product code


  • 76% report inconsistent names


  • 41% don’t broadcast an OS version


  • 33% don’t broadcast an OS name


  • Three-quarters of models have multiple naming variants depending on protocol or integration


  • Most strikingly, mapping accuracy for one prominent OEM jumped from 4% to 83% when Claroty applied its new AI-driven reconciliation process


Those numbers don’t just reflect messy data—they reflect systemic exposure.

When the asset layer itself is blurry, everything above it weakens: CVE matching, patch validation, compensating controls, compliance, incident response… even basic risk reporting.


For many organizations, “last-mile remediation” ends with a shrug. You can’t patch what you can’t precisely identify.


The Hidden Complexity That Breaks Vulnerability Attribution


Unlike IT assets, CPS devices are modular ecosystems. The same model number can represent hardware with different CPUs, NICs, or interface modules—each introducing separate firmware trees and their own unique vulnerabilities.


A CVE might affect a controller only when paired with a certain communication module. Another might only apply to devices shipping with a particular OS variant. But because vendors rarely include this granularity in advisories, operators are left to guess.


The CPS Library pulls in details that rarely exist in any machine-readable form: default configurations, firmware lineage, vendor-approved patch levels, and the relationships between replaceable components. It then aligns those with the identifiers actually captured from network traffic, even when a device omits the most critical fields.
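As an added illustration (this is not Claroty’s code, and every product code, protocol field, module name and advisory identifier in it is a constructed placeholder), the Python below sketches the two steps described in this section and in the earlier description of the evidence graph: first, reconciling inconsistent per-protocol naming strings against OEM reference points into one canonical product code with a confidence score, refusing to guess when the evidence is tied between near-identical variants; second, attributing advisories only when the reconciled product code, the fitted communication module and the firmware level all satisfy the advisory’s conditions, side by side with the naive model-family match that produces the false positives and negatives the article describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def norm(s: str) -> str:
    """Collapse case, punctuation and whitespace so that 'CPU/B', 'cpu-b' and
    'CPU B' (the same device seen over different protocols) compare equal."""
    return re.sub(r"[^a-z0-9]+", "", s.lower())


# Constructed stand-in for OEM-validated reference points: canonical product
# code -> protocol field -> naming strings observed for it. None of these
# codes, fields or strings are real vendor data.
REFERENCE = {
    "ACME-PLC-1500-CPU-A": {
        "cip_product_name": ["ACME PLC 1500 CPU/A"],
        "snmp_sysdescr": ["acme plc1500 cpu-a"],
        "modbus_ident": ["PLC1500"],  # shared with CPU-B: ambiguous on its own
    },
    "ACME-PLC-1500-CPU-B": {
        "cip_product_name": ["ACME PLC 1500 CPU/B"],
        "snmp_sysdescr": ["acme plc1500 cpu-b"],
        "modbus_ident": ["PLC1500"],
    },
    "ACME-PLC-1200": {
        "cip_product_name": ["ACME PLC 1200"],
        "modbus_ident": ["PLC1200"],
    },
}

# Inverted evidence index: (field, normalized string) -> candidate product codes.
EVIDENCE: Dict[Tuple[str, str], Set[str]] = {}
for _code, _fields in REFERENCE.items():
    for _fld, _strings in _fields.items():
        for _s in _strings:
            EVIDENCE.setdefault((_fld, norm(_s)), set()).add(_code)


def reconcile(observations: Dict[str, str]) -> Tuple[Optional[str], float]:
    """Triangulate one canonical product code from per-protocol naming strings.
    Each observation votes for the codes it matches; a string that several
    products share splits its vote, so it narrows the field but never decides
    alone. Returns (code, confidence), or (None, 0.0) if evidence is absent or tied."""
    votes: Dict[str, float] = {}
    for fld, raw in observations.items():
        cands = EVIDENCE.get((fld, norm(raw)), set())
        for c in cands:
            votes[c] = votes.get(c, 0.0) + 1.0 / len(cands)
    if not votes:
        return None, 0.0
    ranked = sorted(votes.items(), key=lambda kv: -kv[1])
    best, score = ranked[0]
    if len(ranked) > 1 and ranked[1][1] == score:
        return None, 0.0  # tie between near-identical variants: refuse to guess
    return best, round(score / sum(votes.values()), 2)


@dataclass(frozen=True)
class Advisory:
    adv_id: str                      # placeholder identifier, not a real CVE
    family: str                      # vague model family as printed in the advisory
    products: frozenset              # product codes actually affected (OEM-validated)
    requires_module: Optional[str] = None              # affected only with this module fitted
    fixed_firmware: Optional[Tuple[int, int]] = None   # patched at this version and above


# Constructed advisories: ADV-001 applies to the CPU-B variant only, and only
# when the ENET-2 module is fitted; ADV-002 applies to both 1500 variants.
ADVISORIES = (
    Advisory("ADV-001", "ACME PLC 1500", frozenset({"ACME-PLC-1500-CPU-B"}),
             requires_module="ENET-2", fixed_firmware=(3, 2)),
    Advisory("ADV-002", "ACME PLC 1500",
             frozenset({"ACME-PLC-1500-CPU-A", "ACME-PLC-1500-CPU-B"}),
             fixed_firmware=(3, 0)),
)


def attribute_by_family(family: str) -> Set[str]:
    """Naive matching on the model family alone, as a flat inventory would do it."""
    return {a.adv_id for a in ADVISORIES if norm(a.family) == norm(family)}


def attribute(code: str, modules: Set[str], firmware: Tuple[int, int]) -> Set[str]:
    """Component- and firmware-aware matching on the reconciled product code."""
    hits = set()
    for a in ADVISORIES:
        if code not in a.products:
            continue
        if a.requires_module and a.requires_module not in modules:
            continue
        if a.fixed_firmware and firmware >= a.fixed_firmware:
            continue
        hits.add(a.adv_id)
    return hits


if __name__ == "__main__":
    # Constructed observations: one controller seen over three protocols.
    seen = {"cip_product_name": "ACME PLC 1500 CPU/B",
            "snmp_sysdescr": "ACME PLC1500 CPU B",
            "modbus_ident": "PLC1500"}
    code, conf = reconcile(seen)
    print(code, conf)                              # ACME-PLC-1500-CPU-B 0.83
    print(reconcile({"modbus_ident": "PLC1500"}))  # (None, 0.0): A or B, cannot tell
    print(attribute_by_family("ACME PLC 1500"))    # {'ADV-001', 'ADV-002'}: two false positives below
    print(attribute(code, set(), (3, 1)))          # set(): no ENET-2 fitted, ADV-002 already fixed
    print(attribute(code, {"ENET-2"}, (2, 9)))     # both advisories genuinely apply
```

The vote-splitting rule is the part worth copying: a Modbus identifier shared by two variants must not be allowed to decide between them, and the right answer when only that identifier is available is an explicit “unresolved” rather than a coin flip. Whatever real system does this job, the operational check is the same: ask it what confidence it attached to an identity and which protocol observations contributed, before trusting the advisory list it derives from that identity.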


The results Claroty reports:


  • 25% improvement in vulnerability attribution accuracy


  • 56% of devices receiving new or updated remediation guidance


  • 29% reduction in false negatives


  • 27% reduction in false positives


That’s not marginal uplift—that’s transformational.


Inside the AI System Built for CPS Reality


Claroty’s architecture isn’t a single model but a federation of specialized agents:


  • NLP engines that parse messy, protocol-derived naming strings


  • Statistical reasoners that assign confidence to correlations


  • Domain-guided logic modules trained to understand hardware generations, replacement cycles, and firmware compatibility


  • An ensemble voting system built to suppress noise and reconcile contradictory data


  • A human-in-the-loop verification stage that continuously enriches the evidence graph and retrains models on new ground truth


Where traditional approaches rely on one imperfect signal—say, a Modbus identifier or a vendor PDF—the CPS Library triangulates hundreds.


Claroty is positioning this not as an enrichment feature, but as infrastructure: the canonical, vendor-validated reference system that other security layers plug into.


The Bigger Picture: Fixing CPS Security at the Foundation


The current vulnerability management pipeline for cyber-physical systems is effectively broken because the naming layer has never been stable. Inconsistency at the bottom creates confusion at the top—CVE authorities publish partial advisories, vendors contradict themselves across product lines, and operators waste days interpreting model families that span dozens of variant configurations.


Claroty’s CPS Library attempts to collapse all that noise into a deterministic mapping: a single product identity, a single set of vulnerabilities, a single remediation path.


If it scales—and if more OEMs participate—it could become one of the most important underlying data layers in industrial and healthcare cybersecurity.


Because until now, defenders have been securing some of the world’s most sensitive infrastructure with device identities that resemble a pile of sticky notes. And threat actors have benefitted from that ambiguity for years.


Standardizing CPS identity is more than a visibility problem. It’s the prerequisite for everything else in cyber-physical risk.
