Tue. May 26th, 2026

Christina Antonelli


CISA, FBI, UK NCSC urge organizations to align OT security practices with IEC 62443, ISO/IEC 27001 standards


The U.S. Cybersecurity and Infrastructure Security Agency (CISA), working with the Federal Bureau of Investigation, the U.K.’s National Cyber Security Centre (NCSC), and other international partners, has released joint cybersecurity guidance for OT (operational technology) environments. The document provides a definitive OT record that helps organizations conduct more comprehensive risk assessments, prioritize critical and exposed systems, and implement stronger security controls. 

It also covers managing third-party risks, protecting OT information, and designing effective architectural safeguards. The guidance emphasizes closer collaboration between OT and IT teams and alignment with international standards such as IEC 62443 and ISO/IEC 27001. Organizations are urged to adopt these practices to strengthen their OT security posture and reduce risks.

Titled ‘Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture,’ the document advises organizations that deploy or operate OT systems to build, maintain, and securely store a complete understanding of their environments. The guidance is structured around five core principles: defining processes for establishing and maintaining the definitive record, establishing an OT information security management program, identifying and categorizing assets to support informed, risk-based decisions, identifying and documenting connectivity within the OT system, and understanding and documenting third-party risks to the OT environment.

The guidance outlines how cybersecurity professionals in OT organizations, across both greenfield and brownfield deployments, can leverage asset inventories and other data sources to establish a continually updated ‘definitive record’ of OT assets. This record allows organizations to assess risks comprehensively and implement proportionate, effective protections throughout their environments. Integrators and device manufacturers can also apply these principles to ensure that their solutions support robust asset and configuration management.

Building on the recent Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, this guidance explains how organizations can leverage data sources, such as asset inventories and manufacturer-provided resources like SBOMs [software bill of materials], to establish and maintain an accurate, up-to-date view of their OT systems.

For the first principle on defining processes for establishing and maintaining the definitive record, the document suggests that creating a definitive record of an organization’s OT systems requires determining how information will be gathered, validated, and maintained over time. Establishing a robust change management process is essential to ensure the ongoing accuracy and relevance of this record. The process should address three core areas: collection, validation, and maintenance.

For collection, organizations must first identify the OT systems to be documented and the sources of information available. These sources may include asset inventories, which list systems, hardware, software, and supported communication protocols; existing design, process, or safety documentation developed before commissioning; and knowledge held by staff who have overseen evolving OT environments. Passive monitoring tools can also be used to map OT architectures and detect undocumented changes, which must then be validated and recorded. 

Configuration files from programmable logic controllers, remote terminal units, and network devices provide further visibility, while software and hardware bills of materials can highlight underlying components and potential vulnerabilities. Point-in-time active scanning may also support asset discovery, though this method must be applied carefully, given the potential risks to legacy devices. Any active scanning should rely on tested, vendor-approved methods and be coordinated with security operations teams and maintenance windows to avoid operational disruption.

Validation is a critical second step. Organizations must confirm that collected information is complete, accurate, consistent, and current. Completeness ensures that records capture sufficient detail; accuracy requires verification against the knowledge of subject matter experts; consistency demands alignment with other documentation; and timeliness considers when documents were produced in relation to business or maintenance cycles. Validation is especially important in brownfield environments, where systems may differ significantly from original designs.

Finally, maintaining the definitive record requires structured change management. A well-governed process should ensure that all modifications are systematically reviewed, approved, and documented, minimizing the risk of error. Clear roles and responsibilities must be defined, with version control mechanisms in place to provide an audit trail of system changes. Regular training ensures that staff involved in design and documentation understand both the protocols and their significance.

The second principle focuses on establishing an OT information security management programme. The definitive record consolidates various information about an organization and its OT environment, making it a high-value target for attackers. Securing this record and establishing a broader OT information security management programme is essential. Skilled threat actors seek insight into OT systems to support attack planning and capability development. As OT assets often remain operational for long periods, exposed information retains its value far longer than information in conventional IT systems.

Standards such as ISO/IEC 27001 can guide the implementation of an OT information security management system. At a minimum, such a programme should address three key areas: scope, attacker value, and security considerations.

Understanding the scope of the OT information security management programme begins with identifying and recording all information held or shared about OT systems. This may be maintained as a standalone inventory or integrated into the wider definitive record. Records should include the purpose of the information, relevant data flows, and key properties such as access permissions, retention, and data format. Standard information types, such as documents, can often be captured automatically in data repositories, while less conventional sources, including data from OT devices, may require manual recording. 

The guidance identifies five primary categories of OT information. Design information provides a clear view of system structure and architecture, including network diagrams, asset inventories, and site-specific details. Business information contextualizes OT systems within organizational objectives and stakeholder relationships, encompassing service areas, supplier contracts, and customer data. Identity and authorization data encompasses credentials, personnel records, encryption keys, and access logs essential for authentication and system access. 

Operational data includes real-time system control information, sensor readings, logs, alerts, and analytical outputs. Cyber and safety risk assessments capture system vulnerabilities, component weaknesses, and potential consequences, including HAZOP studies and penetration test results. IEC 62443-2-1:2024 offers additional guidance on protecting industrial automation and control system data.

Assessing the value of OT information to potential attackers is a critical step. Attackers targeting OT environments may aim to disrupt, damage, or destroy industrial systems, or to gain competitive advantage through theft of intellectual property or operational datasets. Information can inform attackers about system architecture and access points, enable targeted exploitation of specific components, and support actions that disrupt or manipulate critical processes. Aggregated information, which combines data from multiple sources, increases risk by allowing attackers to develop capabilities that would not be possible from individual data points alone. Threat modelling helps organizations identify relevant information for each scenario and assess how it could be used, enabling prioritization of protective measures.

Finally, appropriate security controls must be applied to all OT information. Policies and procedures should clearly define how each type of information is secured, considering confidentiality, integrity, and availability. Confidentiality measures ensure that only authorized users and systems can access information, using storage practices, least-privilege access, multi-factor authentication, and careful sharing agreements such as the Traffic Light Protocol. 

Integrity measures maintain and validate information, regulating creation, modification, and deletion while employing cryptographic tools to confirm authenticity. Availability measures focus on ensuring that information remains accessible when needed, incorporating redundancy, backup, disaster recovery, and system health monitoring. Backups should be resistant to ransomware to maintain operational continuity.

The third principle addresses identifying and categorizing assets to support informed, risk-based decisions. Understanding the role of each component within an OT system is essential for implementing appropriate and proportionate security controls. While this guidance focuses on the broader process required to define system architecture, additional international guidance on asset discovery programmes is available, including IEC 62443-2-1 on industrial automation and control systems, the Industrial Control System Community of Interest Asset Management guidance, and the Joint Guide Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators.

For each asset, three factors should be defined: criticality, exposure, and availability. Criticality assesses the importance of an asset to the wider OT system, considering its impact on business, safety, and security. Business impact evaluates whether a failure would halt processes or reduce yield, while safety considers potential harm to people, equipment, or the environment. Security examines whether a failure could expose the system to unacceptable risk. Criticality should be considered in the context of overall system connectivity to understand the asset’s significance fully.

Exposure measures the discoverability and accessibility of networked devices and their susceptibility to threats, accounting for existing defence-in-depth controls. Factors to consider include time of exposure, type of connectivity, communications flow, proximity to external networks, and physical accessibility. Availability assesses the timely and reliable access to data and services for authorized users, focusing on the impact of a single asset’s unavailability on business or operational functions. Highly critical systems are often deployed with redundancy and automated failover, which can reduce availability requirements for individual assets and facilitate maintenance.

Information to capture for availability includes scheduled maintenance windows, high-availability deployments, and the asset’s ability to support rolling updates with zero downtime. Vendors should provide clear categorization of updates, including bug fixes, security patches, or feature additions, along with guidance on urgency, potential exploitation, and links to relevant security advisories and CVE records, following frameworks such as CSAF and NCSC Vulnerability Management guidance.

Criticality, exposure, and availability factors should be recorded in the definitive record to support informed, risk-based decisions when introducing new or revised security controls. For example, a safety controller is crucial for system safety, typically isolated from other network assets and designed for high availability to maintain operational protection. A firewall at the network edge, while important for secure remote access, is less critical to daily operations but more exposed to potential threats. 

A regional SCADA platform deployed on a virtualisation platform connects to multiple OT systems, is critical to business operations, and may be more exposed to external services. High-availability deployments allow updates and maintenance to occur with minimal operational impact, prioritizing assets based on risk, exposure, and operational necessity.
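The three worked cases above (safety controller, edge firewall, regional SCADA platform) can be expressed as entries in the definitive record and ranked. The following is an added example, not code from the guidance or from any of the issuing agencies. The scoring scale (1 to 5), the exposure derivation from documented conduits (a conduit to the enterprise or internet zone, a wireless medium, or a remote-access path each raises exposure), and the specific values assigned to the three assets are assumptions chosen to reflect the narrative in the text, not figures the guidance gives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conduit:
    """A documented communication path from an asset to another zone."""
    to_zone: str          # e.g. "control", "enterprise", "internet"
    medium: str           # "wired" or "wireless"
    remote_access: bool   # path used for interactive remote access


@dataclass(frozen=True)
class Asset:
    asset_id: str
    role: str
    criticality: int              # 1 (low) .. 5 (high), from business/safety/security impact
    high_availability: bool       # redundancy/failover lets it take rolling updates
    maintenance_window: str
    conduits: tuple               # documented connectivity (principle four)


EXTERNAL_ZONES = {"enterprise", "internet"}


def exposure(asset):
    """Derive exposure (1..5) from the asset's documented conduits.

    Assumed weighting: +2 per conduit into an external zone, +1 for a
    wireless medium, +1 for a remote-access path, capped at 5.
    """
    score = 1
    for c in asset.conduits:
        if c.to_zone in EXTERNAL_ZONES:
            score += 2
        if c.medium == "wireless":
            score += 1
        if c.remote_access:
            score += 1
    return min(score, 5)


def risk_priority(asset):
    """Criticality weighted by exposure: an isolated critical asset ranks below an
    equally critical one that is reachable from external networks."""
    return asset.criticality * exposure(asset)


def update_strategy(asset):
    """Availability factor: how an update can be applied without operational impact."""
    if asset.high_availability:
        return "rolling update, zero downtime"
    if asset.criticality >= 4:
        return f"requires scheduled outage ({asset.maintenance_window})"
    return "update at next convenient opportunity"


def prioritize(assets):
    """Order assets for control review; ties broken by criticality."""
    return sorted(assets, key=lambda a: (risk_priority(a), a.criticality), reverse=True)


def to_record(asset):
    """Definitive-record entry carrying the three factors the guidance asks for."""
    return {"asset_id": asset.asset_id, "role": asset.role,
            "criticality": asset.criticality, "exposure": exposure(asset),
            "availability": update_strategy(asset),
            "conduits": [c.to_zone for c in asset.conduits]}


# Constructed sample assets mirroring the three cases described in the guidance.
SAMPLE_ASSETS = [
    Asset("SIS-01", "safety controller", 5, True, "annual shutdown",
          (Conduit("control", "wired", False),)),
    Asset("FW-EDGE", "edge firewall (remote access)", 3, False, "Sunday 02:00-04:00",
          (Conduit("internet", "wired", True), Conduit("enterprise", "wired", False))),
    Asset("SCADA-R1", "regional SCADA platform (virtualised)", 5, True, "weekly",
          (Conduit("enterprise", "wired", False), Conduit("site-a", "wired", False),
           Conduit("site-b", "wireless", False))),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ASSETS):
        print(f"{risk_priority(a):3} {to_record(a)}")
```

Run stand-alone, the regional SCADA platform comes out first (critical and reachable from the enterprise network), the edge firewall second (highly exposed but less critical to daily operations), and the safety controller last (critical but isolated). Changing a single conduit, for example adding a remote-access path to the safety controller, moves it up the list, which is exactly why the guidance wants connectivity documented alongside criticality.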

A comprehensive risk management framework, such as the NCSC’s risk management guidance aligned with ISO 27001, should inform these decisions, incorporating techniques such as threat modelling and attack trees. IEC 62443-3-2 provides additional guidance specific to industrial automation and control systems.

The fourth principle covers identifying and documenting connectivity within the OT system. Modern OT systems rarely operate in fully air-gapped environments. Instead, they require external connectivity to support business functions, streamline maintenance, and enable enhanced security controls. The interactions between assets are what allow the system to function as intended, making a thorough understanding of these connections essential for implementing effective and proportionate security measures.

Connectivity design must prioritize reducing vulnerability to potential attacks. Wireless communication technologies, for example, can increase risk by allowing threat actors to exploit the system without physical access. A detailed understanding of the communications required by each asset is crucial for designing and documenting network zones and conduits, as outlined in IEC 62443-3-2. Proper documentation of asset connectivity enables the implementation of robust network controls, including effective segmentation, to protect the integrity and security of the OT environment.

The fifth principle looks into understanding and documenting third-party risks to OT systems. Many OT systems are managed or maintained by third parties, including manufacturers, integrators, or managed service providers. When these external parties have access to an OT environment, they introduce additional risks, as the organization does not have direct control over the security of the systems they provide or maintain. Managing these risks requires careful assessment and ongoing oversight.

Guidance from the NCSC on supply chain security outlines effective practices for mitigating third-party risks. IEC 62443-4-1, which addresses secure product development lifecycle requirements, and IEC 62443-2-4, which defines security program requirements for IACS service providers, provide further advice specific to industrial automation and control systems. Applying these frameworks helps ensure that third-party involvement does not compromise the integrity, availability, or security of the OT environment.

Last week, CISA and partners published a resource that helps OT system owners and operators strengthen infrastructure security by creating a clear inventory and classification of their assets. By effectively identifying, organizing, and managing OT assets, organizations can enhance cybersecurity while improving operational reliability, safety, and resilience.


By admin