Global cybersecurity agencies published new guidance to help OT (operational technology) owners and operators across critical infrastructure sectors create and maintain comprehensive OT asset inventories and taxonomies. The document outlines the process to create an OT asset inventory, develop a taxonomy of OT systems, and move toward a modern defensible architecture, giving network defenders digestible foundational elements and best practices. This matters because OT systems are vital to the safe and reliable operation of the nation’s critical infrastructure, powering process automation, instrumentation, cyber-physical operations, and ICS (industrial control systems).
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (Cyber Centre), Germany’s Federal Office for Information Security (BSI), Netherlands’ National Cyber Security Centre (NCSC-NL), and New Zealand’s National Cyber Security Centre (NCSC-NZ) released the guidance on Wednesday.
The guidance provides a systematic approach for creating and maintaining an OT asset inventory and a supplemental taxonomy, which are essential for identifying and securing critical assets, reducing the risk of cybersecurity incidents, and ensuring the continuity of the organization’s mission and services.
Using the processes outlined, organizations are encouraged to build an asset inventory to aid in risk identification, vulnerability management, and incident response. Additionally, the Cybersecurity Technical Report (CTR) details steps OT owners and operators should take to best use, maintain, and improve their asset inventory to protect vital assets, enhance their overall security posture, and ensure the safety of their OT environments.
This is especially relevant in defending the operation of OT systems and services across National Security Systems (NSS), the Department of Defense (DoD), and the Defense Industrial Base (DIB). Beyond those communities, all organizations are encouraged to review the guidance to understand how to build and maintain OT asset inventories and to implement the recommended actions. These practices align with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and can help organizations improve their cybersecurity posture and reduce the risk of compromise in operational environments.
“OT systems are essential to the daily lives of all Americans and to national security,” Madhu Gottumukkala, acting CISA director, said in a media statement. “They power everything from water systems and energy grids to manufacturing and transportation networks. As cyber threats continue to evolve, CISA through this guidance provides deeper visibility into OT assets as a critical first step in reducing risk and ensuring operational resilience.”
“Operational technology is foundational to the operations of the nation’s critical infrastructure,” said Chris Butera, acting executive assistant director for cybersecurity at CISA. “Securing operational technology and industrial control systems has been a priority for CISA for many years and remains a priority into the future. The joint asset inventory guide we published with our U.S. and international government partners is a valuable resource that helps organizations effectively identify and secure their most vital assets, reduce the risk of cybersecurity incidents, and ensure the continuity of their mission and services.”
The authoring agencies recommend that owners and operators follow a defined set of steps to develop a comprehensive OT asset inventory and taxonomy.
Defining the scope and objectives for an OT asset inventory begins with establishing governance over asset management. This requires identifying the authority within the organization that mandates the creation of an OT asset inventory, as well as determining which offices or positions are responsible for and benefit from its establishment and maintenance.
Roles and responsibilities must then be clearly assigned for the collection and validation of asset data. The scope should be explicitly set to define the program’s boundaries, which may include specific zones, facilities, systems, and development timelines, along with a clear definition of what qualifies as an ‘asset’ for the purposes of the inventory.
Once governance and scope are set, the next step is to identify assets and collect their attributes. This process involves both a physical inspection and a logical survey, gathering detailed digital and network-based information about system components to compile a comprehensive list of OT assets and their network infrastructure dependencies. The inventory should include all assets identified through documentation and on-site inspection.
For each asset, high-priority attributes should be recorded, including active or supported communication protocols, asset criticality, asset number, role or type, hostname, IP address, logging capabilities, MAC address, manufacturer, model, operating system, physical location or address, ports and services, and user accounts. These fields form the core dataset that supports effective management, monitoring, and protection of OT environments.
Building a taxonomy to categorize OT assets begins with classifying them according to either criticality or function. A criticality-based classification ranks assets based on their importance to the organization’s operations, safety, and mission, with critical assets being those whose failure or compromise would cause the most significant disruption.
In a function-based classification, assets are grouped by their roles or exposure within the OT environment, such as control systems, communication devices, monitoring tools, or engineering and maintenance systems. The functional approach provides insight into dependencies and interconnections. Once the classification is determined, organizations should categorize assets and their communications pathways.
While there are several models available, the ISA/IEC 62443 series of standards, used by CISA to develop sector-specific taxonomies, provides a Zones and Conduits framework. Zones are groups of logical or physical assets with similar security needs, while Conduits are groupings of cyber assets dedicated to managing communications between Zones under defined security requirements. Mapping these communication pathways requires analysis of data flows, protocol identification, and network details so that only authorized traffic crosses zone boundaries.
Organizing the structure and relationships of assets involves identifying process dependencies, adopting consistent naming conventions, and documenting methodologies, structures, and any deviations. Clear documentation of the roles and responsibilities of operators, technicians, vendors, and integrators is essential, with ownership defined by function rather than access credentials. Once organized, the taxonomy should be validated and visualized by cross-checking inventory data for completeness, creating diagrams such as Zone-Conduit layouts, and using tables or charts to display asset relationships.
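The classification, Zone/Conduit mapping and validation steps above lend themselves to a small executable check. The following Python is an added example and not code from the joint guidance: it records the high-priority attributes for a handful of constructed assets, assigns them to assumed ISA/IEC 62443 zones, declares the conduits permitted between zones, and then tests observed flows (constructed here, but in practice summarised from a passive capture or switch flow records) against those conduits. Asset names, IP addresses, zone names and protocol labels are all assumptions for illustration.

```python
"""Zone/Conduit check over a constructed OT asset inventory.

Added example (not the joint guidance's own code). Assets, conduits and
the observed network flows below are constructed sample data; IPs, zone
names and protocol labels are assumptions for illustration.
"""
from dataclasses import dataclass

CRITICALITY_LEVELS = ("high", "medium", "low")
REQUIRED_FIELDS = ("asset_id", "role", "criticality", "ip", "zone")


@dataclass(frozen=True)
class Asset:
    asset_id: str
    role: str             # function-based class: plc, hmi, historian, eng_workstation
    criticality: str      # criticality-based class: high / medium / low
    ip: str
    zone: str             # ISA/IEC 62443 zone the asset is assigned to
    protocols: frozenset  # active protocols recorded during the logical survey


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocols: frozenset  # protocols the conduit is permitted to carry


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str


def validate_inventory(assets):
    """Completeness cross-check: required attributes present, ids and IPs unique."""
    problems, seen_ids, seen_ips = [], set(), set()
    for a in assets:
        label = a.asset_id or "<no id>"
        for name in REQUIRED_FIELDS:
            if not getattr(a, name):
                problems.append(f"{label}: missing {name}")
        if a.criticality and a.criticality not in CRITICALITY_LEVELS:
            problems.append(f"{label}: unknown criticality {a.criticality!r}")
        if a.asset_id in seen_ids:
            problems.append(f"{label}: duplicate asset_id")
        if a.ip in seen_ips:
            problems.append(f"{label}: duplicate ip {a.ip}")
        seen_ids.add(a.asset_id)
        seen_ips.add(a.ip)
    return problems


def check_flows(assets, conduits, flows):
    """Return (flow, reason) for every observed flow that no declared conduit authorises."""
    by_ip = {a.ip: a for a in assets}
    allowed = {}
    for c in conduits:
        allowed.setdefault((c.src_zone, c.dst_zone), set()).update(c.protocols)
    findings = []
    for f in flows:
        src, dst = by_ip.get(f.src_ip), by_ip.get(f.dst_ip)
        if src is None or dst is None:
            findings.append((f, "endpoint not in inventory"))
            continue
        if src.zone == dst.zone:
            continue  # intra-zone traffic is governed by the zone's own policy, not a conduit
        if f.protocol not in allowed.get((src.zone, dst.zone), set()):
            findings.append((f, f"no conduit {src.zone}->{dst.zone} for {f.protocol}"))
    return findings


def zone_table(assets):
    """Tabular view of the taxonomy: zone -> sorted asset ids, for diagrams and reports."""
    table = {}
    for a in assets:
        table.setdefault(a.zone, []).append(a.asset_id)
    return {z: sorted(ids) for z, ids in sorted(table.items())}


# Constructed sample inventory (not real devices).
SAMPLE_ASSETS = [
    Asset("PLC-01", "plc", "high", "10.10.1.10", "cell-1", frozenset({"modbus/tcp"})),
    Asset("HMI-01", "hmi", "medium", "10.10.2.20", "supervisory", frozenset({"modbus/tcp", "https"})),
    Asset("EWS-01", "eng_workstation", "high", "10.10.2.21", "supervisory", frozenset({"rdp"})),
    Asset("HIST-01", "historian", "medium", "10.10.3.30", "dmz", frozenset({"opc-ua", "https"})),
]
SAMPLE_CONDUITS = [
    Conduit("supervisory", "cell-1", frozenset({"modbus/tcp"})),
    Conduit("supervisory", "dmz", frozenset({"opc-ua"})),
]
# Constructed flows, as if summarised from a passive capture.
SAMPLE_FLOWS = [
    Flow("10.10.2.20", "10.10.1.10", "modbus/tcp"),  # HMI -> PLC, authorised
    Flow("10.10.2.20", "10.10.3.30", "opc-ua"),      # HMI -> historian, authorised
    Flow("10.10.2.21", "10.10.2.20", "rdp"),         # intra-zone, outside conduit scope
    Flow("10.10.3.30", "10.10.1.10", "modbus/tcp"),  # DMZ -> cell with no declared conduit
    Flow("10.10.9.99", "10.10.1.10", "modbus/tcp"),  # source unknown to the inventory
]

if __name__ == "__main__":
    print("inventory problems:", validate_inventory(SAMPLE_ASSETS))
    print("zones:", zone_table(SAMPLE_ASSETS))
    for flow, reason in check_flows(SAMPLE_ASSETS, SAMPLE_CONDUITS, SAMPLE_FLOWS):
        print(f"UNAUTHORISED {flow.src_ip} -> {flow.dst_ip} {flow.protocol}: {reason}")
```

Flows between two assets in the same zone are skipped, since conduits only govern inter-zone traffic. An endpoint absent from the inventory is reported as its own finding rather than ignored, because an inventory that cannot account for a device that is visibly communicating is incomplete by definition, which is exactly the completeness cross-check the guidance asks for before visualising the taxonomy.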
A periodic review and update cycle is critical to reflect changes in technology and operations, incorporating stakeholder feedback to ensure continued relevance. In parallel, organizations should manage and collect data by identifying supplementary information sources, such as vendor manuals, maintenance records, or configuration specifications, and deciding whether to integrate them into the inventory based on a cost-benefit analysis. This data should be stored in a centralized, secure database with robust cybersecurity protections.
Finally, implementing life cycle management requires defining each stage of an asset’s life, from acquisition and commissioning through maintenance to decommissioning, and developing policies to govern these stages. This includes change management processes that mandate inventory updates whenever assets are added, removed, or modified, even during emergency changes.
Once an OT asset inventory and taxonomy have been developed, owners and operators should focus on maintaining and securing these assets as part of an ongoing cybersecurity and risk management strategy. The first step is to identify any known vulnerabilities in vendor systems and applications, along with available patches, updates, or hardening guidance. These vulnerabilities should be cross-referenced with established databases, including CISA’s Known Exploited Vulnerabilities (KEV) Catalog, which lists flaws known to be actively exploited, and the Common Vulnerabilities and Exposures (CVE) list maintained by MITRE, which assigns identifiers and descriptions to publicly disclosed security weaknesses.
Compensating security controls should be identified for OT vulnerabilities in systems that cannot be patched immediately or are nearing end of life. For critical assets, it is essential to develop redundancy plans and strategies for continued operation if such vulnerabilities are exploited. Real-time monitoring can help detect emerging threats and vulnerabilities, while the KEV catalog can be used as authoritative input for a vulnerability management prioritization framework. Models like the Stakeholder-Specific Vulnerability Categorization (SSVC) can incorporate exploitation status into the decision and guide patching priorities. Automated vulnerability and patch management tools can further streamline the process by flagging or prioritizing KEV-listed vulnerabilities.
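The KEV cross-reference and SSVC-informed prioritisation described above can be scripted against the inventory. The Python below is an added example, not code from CISA or the guidance: it loads a feed shaped like CISA’s KEV JSON (same field names; the three entries, their vendors, products and CVE identifiers are constructed placeholders, not real records), matches entries to inventory rows on manufacturer and model, and assigns a simplified SSVC-style outcome (Track, Track*, Attend, Act) from exploitation status and asset criticality. The decision logic is a reduced stand-in for the full SSVC decision tree, and the inventory rows are constructed.

```python
"""Cross-reference an OT inventory with a KEV-style feed and rank remediation.

Added example (not code from the guidance or from CISA). The feed below is
constructed: it copies the field names of CISA's KEV JSON
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
but the CVE IDs, vendors and products are placeholders, not real entries.
The Track / Track* / Attend / Act outcomes are SSVC's; the decision logic
here is a simplified stand-in for the full SSVC decision tree.
"""
import json
import re

KEV_FEED_JSON = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExamplePLC", "dateAdded": "2025-01-01",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "ExampleSwitch", "dateAdded": "2025-02-01",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ThirdCo",
         "product": "Unrelated", "dateAdded": "2025-03-01",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory rows; manufacturer, model and criticality are the
# inventory attributes the guidance asks for, patchable is an assumed flag.
INVENTORY = [
    {"asset_id": "PLC-01", "manufacturer": "ExampleVendor", "model": "ExamplePLC 3000",
     "criticality": "high", "patchable": False},
    {"asset_id": "HMI-01", "manufacturer": "OtherCo", "model": "PanelView X",
     "criticality": "medium", "patchable": True},
    {"asset_id": "SW-01", "manufacturer": "ExampleVendor", "model": "ExampleSwitch 24p",
     "criticality": "low", "patchable": True},
]

DECISION_ORDER = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}


def _norm(s):
    """Lower-case and strip punctuation so 'Example PLC' and 'ExamplePLC' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def load_kev(text):
    return json.loads(text)["vulnerabilities"]


def kev_matches(asset, kev):
    """KEV records vendor and product but no versions, so match on those only.

    Every hit is a candidate that still needs confirmation against the
    firmware/software version recorded for the asset.
    """
    vendor, model = _norm(asset["manufacturer"]), _norm(asset["model"])
    return [v for v in kev
            if _norm(v["vendorProject"]) == vendor
            and (_norm(v["product"]) in model or model in _norm(v["product"]))]


def decide(asset, matches):
    """Simplified SSVC-style outcome from exploitation status and asset criticality."""
    if not matches:
        return "Track"  # no known exploitation in the feed: keep watching
    ransomware = any(m["knownRansomwareCampaignUse"] == "Known" for m in matches)
    if asset["criticality"] == "high":
        return "Act"
    if asset["criticality"] == "medium" or ransomware:
        return "Attend"
    return "Track*"


def report(inventory, kev_text):
    """One row per asset, highest-priority decision first."""
    kev = load_kev(kev_text)
    rows = []
    for asset in inventory:
        matches = kev_matches(asset, kev)
        if matches and not asset["patchable"]:
            # Unpatchable or end-of-life: steer to compensating controls, not a patch.
            action = "compensating controls (isolate, restrict conduits, monitor); plan replacement"
        elif matches:
            action = "; ".join(sorted({m["requiredAction"] for m in matches}))
        else:
            action = "none"
        rows.append({"asset_id": asset["asset_id"], "decision": decide(asset, matches),
                     "kev": sorted(m["cveID"] for m in matches),
                     "earliest_due": min((m["dueDate"] for m in matches), default=None),
                     "action": action})
    return sorted(rows, key=lambda r: (DECISION_ORDER[r["decision"]], r["asset_id"]))


if __name__ == "__main__":
    for row in report(INVENTORY, KEV_FEED_JSON):
        print(row)
```

Because the KEV catalog records vendor and product but no affected versions, every match here is a candidate that still needs confirmation against the asset’s firmware or software version in the inventory, so the script errs toward over-reporting rather than silence. Assets that match but cannot be patched are routed to compensating controls instead of a patch action, mirroring the guidance’s treatment of unpatchable and end-of-life systems.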
Threat factors should be prioritized by mapping potential attack patterns to established threat intelligence sources, such as the MITRE ATT&CK matrix for ICS and MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC). This mapping enables security teams to focus on the most critical risks first. Strengthening the organization’s security posture involves designing an architecture that incorporates effective measures, including network segmentation, strict access management, and continuous monitoring, to safeguard OT environments against evolving threats.
To ensure reliability in OT environments, maintenance plans should be reviewed in light of recent vulnerability assessments and mitigation measures. Any necessary patching or corrective actions should be scheduled during planned maintenance windows unless the severity of a threat requires immediate intervention. The decision-making process should weigh the potential costs of downtime or degraded services against the expense of replacing vulnerable legacy systems or implementing compensating controls that reduce risk without full replacement.
When procuring new systems or developing engineering designs, it is essential to embed security from the outset by applying cyber-informed engineering principles and secure-by-design practices. Guidance such as the joint publication Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products can help organizations make procurement choices that inherently strengthen cybersecurity.
Furthermore, taxonomy and risk management processes should be leveraged to ensure these security decisions align with operational priorities. In addition, organizations should regularly analyze their OT spare parts inventory to confirm that critical components are sufficiently stocked, allowing for rapid replacement and continued operational reliability if an asset fails or is taken offline for remediation.
The guidance calls for asset performance and status to be monitored continuously, with priority given to process variable monitoring that tracks real-time indicators such as temperature, pressure, or flow to detect potential issues or maintenance needs. Network and system diagnostics should also be incorporated, using continuous monitoring tools to analyze communication health, device connectivity, and process flow integrity.
Robust reporting mechanisms should be established to track asset performance, document maintenance activities, and demonstrate compliance with policies. Clear ownership of the asset inventory must be assigned to individuals responsible for overseeing updates, validating asset classifications, and ensuring the ongoing accuracy and reliability of the inventory.
Staff should be trained in asset management practices, tools, and procedures, and awareness programs should be implemented so that all stakeholders understand the critical role asset management plays in OT security and reliability. A feedback loop should be maintained to capture lessons learned from asset management activities, identify improvement opportunities, and inform future strategies.
Changes to OT assets, whether modifications, additions, or decommissioning, should be accurately tracked using formal change management processes. Regular reviews and audits of the inventory and the broader asset management program should be conducted to confirm its continued effectiveness and alignment with organizational goals.
2025-08-14 14:45:02