Cybersecurity agencies across several countries are stepping up efforts to protect critical infrastructure by releasing new guidance for operational technology (OT) organizations. The document, titled “Creating and Maintaining a Definitive View of Your OT Architecture,” outlines how operators can build a continually updated system inventory to strengthen resilience against cyber threats.
Back in August, agencies from the United States, Canada, Australia, New Zealand, the Netherlands, and Germany published initial recommendations on OT asset inventories. The United Kingdom has now joined the coalition to issue a follow-up that explains how operators can go beyond static inventories. The new framework calls for a “definitive record”—a living set of documents that offers an accurate, continually updated view of OT systems.
The agencies stress that keeping such a record enables organizations to assess risks more effectively and apply security controls proportionate to the threat. Instead of focusing on isolated assets, this approach pushes companies to view their environment as a whole, improving awareness of critical systems and the potential impact of compromises.
Five Core Principles of the Guidance
The new recommendations are built around five key principles that OT operators should follow:
1. Establish and maintain a definitive record
Organizations are advised to define clear processes for collecting, validating, and maintaining system data. This includes identifying trusted data sources, setting validation checks, and creating workflows to keep records updated.
2. Secure OT information with a formal program
Since definitive records contain sensitive information valuable to attackers, agencies recommend setting up an OT information security management program. This means defining the scope of the program, assessing the value of OT data to adversaries, and applying safeguards to keep it secure.
3. Categorize assets for risk-based decisions
Operators should classify assets by criticality, exposure, and availability. With this insight, they can make smarter decisions about where to apply new or enhanced security controls.
4. Map connectivity and communication
The guidance urges organizations to document connectivity within OT networks. That includes identifying communication protocols, reviewing existing architectural controls, checking for possible bypasses, and noting any constraints that attackers could exploit.
5. Document third-party risks
Since external vendors often have access to OT environments, agencies advise assessing the trust level of each third party. This involves reviewing contracts, verifying equipment installations, and flagging any out-of-band access that could pose hidden risks.
Why Updated OT Records Matter
Maintaining an accurate OT system inventory is not just good practice—it’s essential for cyber resilience. Without it, security teams struggle to spot vulnerabilities, deploy controls, or respond effectively to incidents.
Joshua Roback, principal security solution architect at Swimlane, said the new guidance highlights the need for closer coordination between IT and OT teams. He explained that as ransomware groups like ShinyHunters and Scattered Spider target both environments, collaboration is critical. IT teams bring cybersecurity expertise, while OT teams understand industrial processes and operational constraints. Together, they can build stronger, more resilient architectures.
The takeaway is clear: a definitive, continually updated record of OT systems is now a foundational requirement for defending critical infrastructure in an era of increasingly sophisticated cyber threats.