What’s happening
Systems affected
OT includes a broad set of technologies that covers process automation, instrumentation, cyber-physical operations, and industrial control systems (ICS). Many OT systems are increasingly connected to business operations and applications that rely on process data and trend analysis for operations. If not assembled and integrated securely, these connections can introduce paths for cyber actors to move between networks.
What this means
OT is vital to critical infrastructure services like energy production and distribution, as well as water and wastewater treatment, making it a prime target for malicious cyber actors seeking to disrupt or destroy systems and services or perform other nefarious activities, such as extortion. OT cyber incidents can have severe consequences for OT owners and operators, such as financial losses, operational disruptions, and compromises of environmental safety and of health and human safety. Cyber actors can cause incidents in multiple ways, including exploiting:
- vulnerabilities in flawed or outdated software/firmware to gain access to OT systems,
- weak authentication mechanisms to gain unauthorized access to OT systems,
- insufficient network segmentation to move laterally from IT to OT environments and between OT systems,
- insecure OT protocols to intercept communications, inject malicious commands, and disrupt or manipulate industrial processes, and
- insecure remote access points to gain access to OT systems, allowing for lateral movement or for command and control.
What to look for
How to tell if you’re at risk
When building a modern defensible architecture, it is essential for OT owners and operators across all critical infrastructure sectors to create an OT asset inventory supplemented by an OT taxonomy. This means organisations that do not have an OT asset inventory are at risk.
What to do
Prevention
The NCSC encourages OT owners and operators to read this guidance and understand the responsibilities necessary to create and maintain an asset inventory.
This guidance outlines a process for OT owners and operators to create an asset inventory and OT taxonomy. This process includes defining scope and objectives for the inventory, identifying assets, collecting attributes, creating a taxonomy, managing data, and implementing asset life cycle management. Furthermore, this guidance outlines how OT owners and operators can maintain, improve, and use their asset inventory to protect their most vital assets.
More information
If you have any questions about this guidance, contact info@ncsc.govt.nz