Joint guidance on creating and maintaining a definitive view of your operational technology architecture – Canadian Centre for Cyber Security
Summary
The Canadian Centre for Cyber Security, together with the UK’s NCSC and international partners (ASD’s ACSC, BSI, NCSC-NL, NCSC-NZ, CISA and the FBI), has published joint guidance to help operational technology (OT) organisations create and maintain a definitive view of their OT architecture. The publication sets out a principles-based approach to building, storing and maintaining an accurate record of OT systems.
The guidance is aimed at cyber security professionals working in OT across both greenfield and brownfield environments and provides five core principles to structure an OT record and support risk-based decisions. The full joint publication is available from the NCSC link provided in the Source section.
Key Points
- The guidance is an international, multi-agency collaboration led by the Canadian Centre for Cyber Security and NCSC-UK.
- It recommends a principles-based framework for building and maintaining a definitive OT architecture record.
- Five core principles: (1) processes for establishing/maintaining the definitive record, (2) an OT information security management programme, (3) asset identification and categorisation, (4) documenting connectivity within the OT system, and (5) understanding third-party risks.
- Target audience: cyber security professionals responsible for OT in both new (greenfield) and existing (brownfield) deployments.
- The guidance is part of a broader series highlighting the importance of cyber security in operational technology environments.
Context and Relevance
OT environments (industrial control systems, utilities, manufacturing, etc.) present unique security challenges: long lifecycles, legacy devices, complex third-party ecosystems and high-impact safety concerns. A clear, maintained architectural record is foundational for vulnerability management, incident response, supply-chain risk assessment and regulatory compliance.
This publication provides an internationally aligned, practical framework that helps organisations move from ad-hoc inventories to a reliable, auditable source of truth for OT systems – crucial as threats and regulatory scrutiny increase.
Why should I read this?
Short and blunt: if you’re responsible for OT security, this is useful. It’s a tidy checklist from multiple national centres that helps you get your estate documented, reduce surprise risks from third parties, and speed up incident response. Saves you time and gives you a common language to argue for fixes and investment.
Author note
Punchy take: this isn’t just guidance – it’s a consensus playbook from top national cyber centres. If your organisation cares about keeping OT systems safe and auditable, read the full guidance and adopt the principles.
