The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the following international partners in releasing cyber security guidance on foundations for operational technology (OT) cyber security and asset inventory guidance for owners and operators:
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Germany’s Federal Office for Information Security (BSI)
- Netherlands’ National Cyber Security Centre (NCSC-NL)
- New Zealand’s National Cyber Security Centre (NCSC-NZ)
- United States’ Environmental Protection Agency (EPA)
- United States’ Federal Bureau of Investigation (FBI)
- United States’ National Security Agency (NSA)
An asset inventory is an organized and updated list of an organization’s systems, hardware and software. A key part of creating an asset inventory for OT environments is developing an OT taxonomy, a categorization system that organizes and prioritizes OT assets. This system supports risk identification, vulnerability management, and incident response by classifying assets based on their function and criticality.
This joint guidance outlines the following process for OT owners and operators to create an asset inventory and OT taxonomy:
- Define scope and objectives for the inventory
- Identify assets
- Collect attributes
- Create a taxonomy
- Manage data
- Implement asset life cycle management
This joint guidance also outlines how OT owners and operators can maintain, improve and use asset inventories to protect their most vital assets. By addressing the following areas, organizations can enhance their overall security posture and ensure the reliability and safety of their OT environments:
- OT cyber security and risk management
- Maintenance and reliability
- Performance monitoring and reporting
- Training and awareness
- Continuous improvement
Read more in the joint publication Foundations for OT cybersecurity: Asset inventory guidance for owners and operators.