Joint guidance on foundations for operational technology cyber security and asset inventory guidance for owners and operators – Canadian Centre for Cyber Security
Summary
The Canadian Centre for Cyber Security has joined the United States’ CISA and a group of international partners to publish joint guidance on foundations for operational technology (OT) cyber security and asset inventory for owners and operators. Partners include Australia’s ASD/ACSC, Germany’s BSI, the Netherlands’ NCSC-NL, New Zealand’s NCSC-NZ, and US agencies EPA, FBI and NSA.
The guidance defines an asset inventory as an organised and up-to-date list of systems, hardware and software, and stresses the importance of an OT taxonomy — a categorisation system that organises and prioritises OT assets by function and criticality. It sets out a six-step process for creating and maintaining an OT asset inventory and explains how inventories can be used to strengthen security, reliability and safety in OT environments.
Key Points
- Joint guidance from multiple national cyber agencies to standardise OT asset-inventory and taxonomy practices.
- An asset inventory is an organised, regularly updated register of OT systems, hardware and software; an OT taxonomy helps classify assets by role and criticality.
- The recommended six-step process: 1) define scope and objectives, 2) identify assets, 3) collect attributes, 4) create a taxonomy, 5) manage data, 6) implement asset life-cycle management.
- Asset inventories support risk identification, vulnerability management and incident response by providing clear classification and prioritisation of assets.
- Maintaining inventories bolsters OT cyber security, maintenance and reliability, performance monitoring and reporting, staff training and continuous improvement.
- Full publication available from CISA: “Foundations for OT cybersecurity: Asset inventory guidance for owners and operators”.
Why should I read this?
Short and blunt: if you manage or secure OT systems, this is worth your time. It’s a practical, agency-backed checklist that helps you work out what kit you actually have, sort it sensibly and use that information to reduce risk and speed up responses. Big agencies signed off on it — so it’s a good reference for policy, audits and making sensible security moves fast.