In a landmark collaboration, nine leading cybersecurity and infrastructure agencies have unveiled comprehensive guidance to help operational technology (OT) owners and operators build and maintain robust asset inventories and taxonomies.
Released on August 13, 2025, the “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators” aims to fortify the defenses of energy, water, transportation, and manufacturing sectors against escalating cyber threats.
The guidance, co-authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Environmental Protection Agency (EPA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security, Germany’s Federal Office for Information Security (BSI), the Netherlands’ National Cyber Security Centre, and New Zealand’s National Cyber Security Centre, outlines a structured, five-step process for creating and sustaining an accurate OT asset inventory.
By combining detailed workflows with conceptual taxonomies tailored to oil and gas, electricity, and water sectors, the document helps operators identify, classify, and manage every device—legacy or modern—connected to their industrial control environments.
“Without a clear, up-to-date inventory of OT assets, organizations are flying blind,” said a senior official at CISA.
“This guide provides the playbook operators need to know what they have, where it is, and how critical each component is to mission continuity and safety.”
Five Steps to Secure, Structured OT Inventory
The core of the guidance is a five-step lifecycle model:
- Define Scope and Objectives
Owners and operators establish governance, assign roles, and delineate the boundaries of their asset management program.
- Identify Assets and Collect Attributes
Field teams conduct physical inspections and network surveys to compile an exhaustive list of OT devices and record high-priority attributes—such as asset criticality, communication protocols, IP/MAC addresses, manufacturer, model, and physical location.
- Create and Validate Taxonomy
Leveraging both function- and criticality-based classification, organizations build hierarchical taxonomies—incorporating zones and conduits drawn from the ISA/IEC 62443 standard—to visualize relationships and dependencies. Conceptual examples for the oil and gas, electricity, and water sectors are provided in the appendices.
- Manage and Store Data
The guidance recommends centralizing asset information in a secure database or management system, enriched with integrator agreements, maintenance records, and configuration documentation.
- Implement Life Cycle Management
Formal policies govern asset acquisition, deployment, maintenance, and decommissioning, ensuring any changes trigger timely inventory updates.
From Inventory to Resilience
Beyond inventory creation, the guidance maps out post-development actions to enhance security posture and operational reliability.
Operators are advised to cross-reference their inventories against vulnerability catalogs—such as CISA’s Known Exploited Vulnerabilities (KEV) list and MITRE’s CVE database—and adopt real-time monitoring and automated patch management.
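As an added illustration (not code from the guidance or from the agencies), the sketch below cross-references a small inventory holding the attributes listed above against KEV-style entries and orders the hits by asset criticality. The vendor, asset tags, CVE ids and addresses are constructed placeholders, and matching on normalised vendor and product name alone is an assumption; a production check would also compare firmware versions.

```python
from dataclasses import dataclass

RANK = {"high": 0, "medium": 1, "low": 2}  # criticality order used for triage

@dataclass(frozen=True)
class Asset:  # the high-priority attributes named in the article
    tag: str
    manufacturer: str
    model: str
    ip: str
    mac: str
    protocol: str
    location: str
    criticality: str

def norm(name):
    """Compare names ignoring case, spaces and punctuation."""
    return "".join(c for c in name.lower() if c.isalnum())

def inventory_gaps(assets):
    """Tags of assets that cannot be cross-referenced: no manufacturer or model."""
    return [a.tag for a in assets if not (a.manufacturer and a.model)]

def kev_hits(assets, kev):
    """(asset tag, CVE id, due date) per KEV match, most critical asset first."""
    index = {}
    for e in kev:
        index.setdefault((norm(e["vendorProject"]), norm(e["product"])), []).append(e)
    hits = []
    for a in assets:
        if not (a.manufacturer and a.model):
            continue  # reported separately by inventory_gaps()
        for e in index.get((norm(a.manufacturer), norm(a.model)), []):
            hits.append((RANK[a.criticality], e["dueDate"], a.tag, e["cveID"]))
    return [(tag, cve, due) for _, due, tag, cve in sorted(hits)]

# Constructed sample data: placeholder CVE ids, made-up vendor, documentation addresses.
KEV = [
    {"cveID": "CVE-0000-0001", "vendorProject": "Example Controls", "product": "PLC-500", "dueDate": "2025-09-01"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Example Controls", "product": "HMI 7", "dueDate": "2025-08-20"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Other Vendor", "product": "Gateway X", "dueDate": "2025-08-25"},
]
INVENTORY = [
    Asset("PLC-01", "Example Controls", "PLC-500", "192.0.2.10", "00:00:5E:00:53:01", "Modbus/TCP", "Pump station A", "high"),
    Asset("HMI-02", "example controls", "HMI-7", "192.0.2.20", "00:00:5E:00:53:02", "OPC UA", "Control room", "medium"),
    Asset("RTU-03", "", "", "192.0.2.30", "00:00:5E:00:53:03", "DNP3", "Substation 4", "high"),
    Asset("SW-04", "Example Controls", "Switch 24", "192.0.2.40", "00:00:5E:00:53:04", "SNMP", "Control room", "low"),
]

if __name__ == "__main__":
    for tag, cve, due in kev_hits(INVENTORY, KEV):
        print(f"{tag}: {cve} (remediate by {due})")
    print("No vendor/model recorded:", inventory_gaps(INVENTORY))
```

The gap list matters as much as the hits: an asset recorded without manufacturer and model can never match a catalog entry, so it silently looks clean.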
The document also underscores the importance of OT-specific cybersecurity measures, including network segmentation, access controls, and continuous performance monitoring.
Maintenance best practices include analyzing spare parts inventories and scheduling remediation during maintenance windows.
For performance tracking, organizations should implement reporting mechanisms, designate inventory owners, and integrate feedback loops for continuous improvement.
Training and awareness programs are highlighted as essential to ensure all stakeholders understand the value of asset management, while regular audits keep the inventory aligned with evolving technology and operations.
This guidance represents a significant step forward in standardizing OT asset management across critical infrastructure.
By providing detailed processes, sector-specific examples, and a clear path to continuous improvement, the agencies aim to reduce the risk of disruptive cyber incidents and safeguard mission-critical services.