Update on CISA advice: Organizations advised to compile an inventory of operational technology assets
The Cybersecurity and Infrastructure Security Agency (CISA) has released a new guidance titled "Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators". The publication, developed in collaboration with U.S. and international government partners, aims to help organizations secure their most vital assets in operational technology (OT) environments, particularly within critical infrastructure sectors.
The guidance provides a systematic, practical approach for OT owners and operators to create and maintain comprehensive OT asset inventories and taxonomies. This foundational guidance is crucial for identifying and securing critical OT assets, reducing cybersecurity risks, and ensuring the mission continuity and resilience of OT environments.
Key aspects of the guidance include an OT Asset Inventory, an OT Taxonomy, a five-step process for developing and maintaining the inventory and taxonomy, and collaboration with various agencies and international partners.
The OT Asset Inventory captures more than just a list of connected devices. It includes the context, configuration, criticality, and lifecycle status of each OT asset, providing better decision-making across cybersecurity, operations, and compliance.
The OT Taxonomy is a structured categorization of assets based on function or criticality, such as using zones and conduits per ISA/IEC 62443 standards. This taxonomy helps prioritize security measures and manage risks effectively.
The five-step process outlines a clear path to develop and maintain the inventory and taxonomy: define scope and objectives, identify assets, collect asset attributes, create taxonomy, and manage data and implement lifecycle management.
The guidance was developed jointly with the NSA, FBI, EPA (U.S.), and international cybersecurity agencies from Australia, Canada, Germany, the Netherlands, and New Zealand, reflecting a broad consensus on OT cybersecurity best practices.
By improving asset visibility and awareness, supporting cybersecurity risk reduction, enhancing operational reliability and safety, facilitating compliance and incident response, and aligning with international standards, this framework provides a baseline for organizations to methodically improve their OT security posture.
Tatyana Bolton, executive director of the Operational Technology Cyber Coalition, stated that many sectors have not conducted an OT asset inventory. The new guidance is a critical tool that helps OT owners and operators build strong cybersecurity foundations by systematically managing knowledge of their OT assets, thereby supporting effective risk management, operational continuity, and security incident mitigation.
The focus on OT, which refers to hardware and software that monitor and control physical processes in industrial settings, is a response to growing concerns about hackers targeting OT systems, which could potentially derail or impact the operation of physical systems at industrial plants or in other critical settings.
CISA's acting executive assistant director for cybersecurity, Chris Butera, emphasized that securing operational technology and industrial control systems is a priority for CISA. The joint asset inventory guide published by CISA is intended to reduce the risk of cybersecurity incidents and ensure the continuity of mission and services in these critical sectors.
Inventorying systems is a key first step in building a "modern defensible architecture," according to CISA. The new guidance describes how to inventory OT systems across multiple sectors and categorize them using different taxonomy, depending on the sector in question.
Policymakers are increasingly concerned about the potential impact of OT system breaches on national security and daily life, powering various sectors like water systems, energy grids, manufacturing, and transportation networks. With the publication of this guidance, CISA is taking a significant step towards securing these vital systems and ensuring their resilience against cyber threats.
The new guidance, developed by the Cybersecurity and Infrastructure Security Agency (CISA) and international partners, aims to help federal workforce in critical infrastructure sectors reimagine their workforce by securing their operational technology (OT) environments. This includes industries like finance and cybersecurity, as well as others, by providing a practical approach to create and maintain OT asset inventories and taxonomies. This foundational guidance is crucial for financial institutions, for instance, to protect their most vital assets and ensure the resilience of their technology against cyber threats. The focus on OT systems, which monitor and control physical processes in industrial settings, is particularly important as hackers increasingly target these systems, potentially derailing critical operations. Policymakers welcome this effort by CISA as a significant step towards securing these vital systems and safeguarding national security and daily life.
