Government agencies from the U.S., Australia, Canada, Germany, the Netherlands and New Zealand published guidance on Wednesday to help critical infrastructure organizations maintain up-to-date inventories of their operational technology.
The guidance, “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators,” lays out necessary steps for compiling an inventory, including the details necessary for each entry, the optimal ways to group assets together and the importance of tracking life-cycle data.
The Cybersecurity and Infrastructure Security Agency (CISA) partnered with the Environmental Protection Agency, the National Security Agency, and the FBI, as well as the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, Germany’s Federal Office for Information Security, the Netherlands’ National Cyber Security Centre and New Zealand’s National Cyber Security Centre.
“Using these tools helps owners and operators identify which assets in their environment should be secured and protected, and structure their defenses accordingly to reduce the risk a cybersecurity incident poses to the organization’s mission and service continuity,” the agencies wrote in the document.
Critical infrastructure companies including American Water, British Petroleum, Duke Energy and Southern California Edison helped the agencies develop the guidance.
Asset management is one of the most important security measures, because it ensures that organizations know what tools they are using, how secure they are and when they will reach a vulnerable end-of-life status. Inside large, complex computer networks, system administrators rely on asset inventories to schedule security practices such as applying software patches.
Poor asset visibility — especially on critical infrastructure networks that may be physically dispersed and filled with bespoke equipment — can exacerbate the consequences of cyberattacks, according to experts.
The guidance recommends that companies take several steps after developing an asset inventory to make it more useful, including prioritizing security efforts “based on the most critical risks,” reviewing asset maintenance plans and evaluating their spare-parts inventories “to ensure operational reliability.”
Organizations should also compare the cost of replacing outdated systems with the cost of potential outages, procure systems that are secure by design and use change management processes to keep their inventories up to date, the guidance says.
Most of the 31-page document consists of four indices. One lists the fields an asset inventory should include, and the others provide examples of how companies in specific infrastructure sectors — oil and gas, electricity and water — could organize their assets in their inventories. CISA said the examples were based on eight virtual working sessions that it held with 14 organizations in those three sectors in early 2025.
