The US has partnered with three other Five Eyes countries (Australia, Canada and New Zealand) as well as Germany and the Netherlands to develop a common asset inventory and taxonomy guide for operational technology (OT) and industrial control systems (ICS).
The document, Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, was published on August 13 by nine government agencies, including four from the US.
At the core of the guidance is an organized list of systems, hardware and software that are part of – or are connected to – industrial information networks.
The document also provides additional asset taxonomies for some specific industrial sectors, such as oil and gas, electricity and water and wastewater.
Read more: Over Half of Organizations Report Serious OT Security Incidents
The document also outlines a process for OT owners and operators to create and maintain an asset inventory. This process involves defining the scope and objectives for the inventory, identifying assets, collecting attributes, creating a taxonomy, managing data and implementing asset life cycle management.
“This guidance outlines how OT owners and operators can maintain, improve and use their asset inventory to protect their most vital assets. Steps include OT cybersecurity and risk management, maintenance and reliability, performance monitoring and reporting, training and awareness and continuous improvement,” the document reads.
The aim is to help critical infrastructure operators understand their ecosystem and enhance the cybersecurity and protection of critical assets.
This document is meant to be updated regularly to keep pace with technological advances and adoption developments.
“This guide emphasizes the importance of proactive planning, collaboration between IT and OT teams and, where possible and appropriate, the integration of cutting-edge technologies to stay ahead of potential threats,” the document concludes.
The authoring agencies include the NSA, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the US Environmental Protection Agency (EPA), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (Cyber Centre), Germany’s Federal Office for Information Security (BSI), the Netherlands’ National Cyber Security Centre (NCSC-NL) and New Zealand’s National Cyber Security Centre (NCSC-NZ).
Read now: US Federal Agencies Alert on “Unsophisticated” OT Cyber-Threats