Agencies within the United States and international partners release recommendations on conducting inventories for operational technology assets
The collaboration between government agencies from the U.S., Australia, Canada, Germany, the Netherlands, and New Zealand has resulted in the publication of "Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators." This document provides essential recommendations for critical infrastructure organizations to maintain and improve their asset inventories.
The guidance emphasizes the importance of using change management processes to keep asset inventories up-to-date, as they are vital for system administrators in large, complex computer networks. Inside these networks, asset inventories are relied upon to schedule security practices such as applying software patches.
The key recommendations in the document include defining the scope and objectives of the OT asset inventory program, identifying assets and collecting attributes, creating a taxonomy, managing and collecting data, and implementing life cycle management.
By following these steps, organizations can build a modern defensible architecture, improving visibility of the attack surface, enabling more effective risk identification, vulnerability management, and incident response. The guidance underscores that thorough asset inventories are foundational for securing OT environments essential to critical infrastructure mission continuity and safety.
The document also provides necessary steps for compiling an operational technology asset inventory, including details for each entry, optimal grouping methods, and the importance of tracking life-cycle data. Asset management is considered one of the most important security measures, as it allows organizations to know what tools they are using, their security status, and when they will reach a vulnerable end-of-life status.
The 31-page document includes four indices, listing fields an asset inventory should include and examples of how companies in specific sectors (oil and gas, electricity, water) could organize their assets. The examples in the document were based on virtual working sessions held with 14 organizations in those sectors in early 2025.
Critical infrastructure companies such as American Water, British Petroleum, Duke Energy, and Southern California Edison contributed to the development of the guidance. The Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency, the National Security Agency, the FBI, the Australian Signals Directorate's Australian Cyber Security Centre, the Canadian Centre for Cyber Security, Germany's Federal Office for Information Security, the Netherlands' National Cyber Security Centre, and New Zealand's National Cyber Security Centre collaborated on the publication.
Organizations are advised to compare the cost of replacing outdated systems with the cost of potential outages. Additionally, they should review asset maintenance plans to ensure operational reliability. The guidance recommends prioritizing security efforts based on the most critical risks. Furthermore, securing by design systems should be procured.
In conclusion, the "Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators" is a comprehensive document that provides critical infrastructure organizations with the tools they need to maintain and improve their asset inventories, thereby enhancing their cybersecurity posture.
