Foundations for OT Cybersecurity: From Inventory to Impact
By Patrick Miller
CISA’s new OT asset-inventory guidance puts structure behind “know your system.” This post translates it into action: a practical, prioritized field set and taxonomy you can implement now. We’ve added a lightweight BIA overlay that links asset criticality to mission impact. We also show where to emphasize configuration baselines, change control, and logging to improve monitoring and decision quality.
Overview
On August 13, 2025, CISA, with EPA, NSA, FBI, and international partners, published the document Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators (TLP:CLEAR). This guidance makes a simple promise: build a living OT asset inventory plus an OT taxonomy, and you unlock faster risk reduction, smarter monitoring, and better operational decisions. It lays out a clear process, a prioritized field set (including Logging, Ports/Services, and Criticality), and concrete next actions, then lets operators adapt it to their reality. My only hard critique: it stops short of a Business Impact Assessment (BIA) or even a simplified, BIA-like activity. The good news is that a lightweight BIA overlay slots neatly into the guide’s workflow and turns inventory into mission-driven prioritization.
If I had to pick the highest-value sections and references from the guide: executive framing and taxonomy benefits; process steps and visualization; lifecycle updates via change management; the high-priority fields, including Logging and Ports/Services; KEV/CVE plus SSVC and operating under compromise; maintenance cost comparisons and improvement loops.
What the Guide Gives You
The thesis is that a defensible OT architecture starts with an asset inventory and an OT taxonomy that classifies by function and/or criticality, so you can secure what matters most to mission and continuity.
The workflow (core processes, field-tested and practical):
Scope & governance (who owns it, boundaries).
Identify assets & collect attributes (physical walkdown + logical discovery).
Create the taxonomy (by criticality or function), organize by zones & conduits, visualize, review.
Manage & store data in a central system; enrich from vendor, maintenance, and ops sources.
Lifecycle discipline: require inventory updates in change management—even for emergency changes.
The Prioritized Data Model: What to Capture First
High-priority fields explicitly include:
Active/supported communication protocols
Asset criticality
Asset number
Asset role/type
Hostname
IP address
Logging
MAC address
Manufacturer
Model
Operating system (OS)
Physical location/address
Ports/services
User accounts
After the Inventory: What to Do Next
Use it to prioritize critical assets, design for operate-under-compromise, and drive real-time monitoring. Cross-reference KEV/CVE and apply SSVC-style triage to focus mitigation where it counts; weigh downtime/degraded-service costs against replacement or compensating controls.
Cyber/risk: map to KEV/CVE; consider SSVC-style prioritization; plan operate-under-compromise for critical assets; monitor in real time.
Maintenance/reliability: schedule mitigation/patches, compare downtime vs. replacement/compensating controls, apply secure-by-design/procurement.
Performance & reporting: monitor process and comms health; assign inventory owners; report on status & compliance.
People/process: train, raise awareness, add feedback loops, and audit for continuous improvement.
Note: The guide includes illustrative sector taxonomies for Oil & Gas, Electricity, and Water/Wastewater—useful patterns, not authoritative definitions.
Where the Guidance Stops Short: A BIA-shaped Hole
There’s no formal Business Impact Assessment. No RTO/RPO targets, process/service mapping, or consequence scoring. To be fair, it gets close. It’s likely an intentional scope choice (focus on asset inventory and taxonomy), but for real-world prioritization and budget justification, the absence of even a lightweight BIA-style activity is a gap. Criticality benefits from a business/mission context that explains why an asset needs deeper monitoring, tighter change control, or N+1 redundancy. Without a BIA, criticality is often subjective and inconsistent. The fix is straightforward and dovetails with the document’s steps.
A lightweight OT-BIA overlay
Add the following fields to your inventory schema (then roll up by zone/conduit):
Process/Service Supported
Impact categories (1–5 each): Safety, Environmental, Regulatory/Legal, Operational/Continuity, Financial, Reputation
Maximum Tolerable Outage (MTO) and Target Recovery Time Objective (RTO, in hours)
Recovery Point Objective (RPO) / State Required to Restart (e.g., batch/lot, historian state)
Manual Fallback Feasible? (Y/N + constraints)
Dependencies (power, comms, upstream PLCs/servers, databases, historians, stored configs, firmware)
Redundancy Class (N, N+1, 2N, cold spare)
Tiering (defensible and simple)
Tier 1: any impact ≥4 or MTO ≤4h
Tier 2: max impact =3 or MTO ≤24h
Tier 3: everything else
How this changes decisions
Monitoring depth: Tier-1 gets continuous network/host telemetry and specific detections; Tier-3 might get periodic review.
Patch/mitigation queues: Sort by consequence and MTO, not just CVSS or KEV count.
Spares & redundancy: Align hardware strategy to impact tiers (and “operate under compromise” scenarios).
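A worked example of the tiering rule and the consequence-first patch queue described above, added here as an illustration; it is not code from the guidance or from the post. The record schema, the sample assets and their impact scores are constructed, and using CVSS only as a tie-breaker is an assumption about how you would implement the "not just CVSS or KEV count" ordering.

```python
from dataclasses import dataclass

# Impact categories from the overlay, each scored 1..5 (a category not recorded counts as 1)
IMPACT_CATEGORIES = ("safety", "environmental", "regulatory",
                     "operational", "financial", "reputation")

@dataclass
class BiaRecord:
    """One asset's BIA overlay fields (subset; schema assumed for this example)."""
    asset_number: str
    zone: str
    impact: dict           # category -> score 1..5
    mto_hours: float       # Maximum Tolerable Outage
    cvss_max: float = 0.0  # constructed: highest CVSS among the asset's open findings

def max_impact(rec):
    scores = [rec.impact.get(c, 1) for c in IMPACT_CATEGORIES]
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError(f"{rec.asset_number}: impact scores must be 1..5")
    return max(scores)

def tier(rec):
    """Tier 1: any impact >=4 or MTO <=4h; Tier 2: max impact ==3 or MTO <=24h; else Tier 3."""
    m = max_impact(rec)
    if m >= 4 or rec.mto_hours <= 4:
        return 1
    if m == 3 or rec.mto_hours <= 24:
        return 2
    return 3

def rollup_by_zone(records):
    """Most critical tier present in each zone/conduit (lower number = more critical)."""
    out = {}
    for r in records:
        out[r.zone] = min(out.get(r.zone, 3), tier(r))
    return out

def patch_queue(records):
    """Consequence-first ordering: tier, then max impact, then MTO; CVSS only breaks ties."""
    key = lambda r: (tier(r), -max_impact(r), r.mto_hours, -r.cvss_max)
    return [r.asset_number for r in sorted(records, key=key)]

def sample():
    """Constructed inventory slice (not from the guidance) to exercise the rules."""
    return [
        BiaRecord("PLC-0101", "Z1-Process", {"safety": 5, "operational": 4}, 2, 5.3),
        BiaRecord("HIST-01", "Z2-DMZ", {"operational": 3, "financial": 2}, 48, 9.8),
        BiaRecord("ENG-WS-03", "Z2-DMZ", {"operational": 2}, 72, 9.8),
        BiaRecord("RTU-07", "Z1-Process", {"safety": 2, "operational": 2}, 12, 7.5),
    ]
```

Note how the engineering workstation with the highest CVSS lands last in the queue because its consequence and MTO place it in Tier 3.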
Note: if you need to show compliance linkages, see the crosswalk section below. For example, your BIA-driven criticality strengthens rationales behind configuration baselines/changes, logging/monitoring placement, and policy expectations.
A Welcome Inclusion: Operating Under Compromise
This concept, operating under compromise (OUC), is getting more airtime in key discussions with regulators, insurance firms, and executive teams. The general idea is to keep people safe and essential services running while you contain, constrain, and observe an active or suspected intrusion. Operating under compromise is not business as usual. It’s a preplanned degraded state with tight guardrails.
Core Principles
Safety first: SIS/interlocks remain authoritative; fail-safe states are preferred over performance.
Containment over convenience: reduce attack surface, privileges, and pathways.
Determinism & visibility: preserve time sync, logging, and local HMI awareness.
Reversible & auditable: clear entry/exit criteria, approvals, and evidence.
Two Common Concepts/Terms
Intelligent Islanding: deliberately segment the plant/network (zones/conduits) to sever risky external paths while sustaining local control. Predefine which conduits may be cut, which must stay up (e.g., protection, time, safety), and what whitelisted flows persist during islanded operation.
“Turtle Mode”: operate at reduced speed/authority—rate limits, clamped setpoints, disabled remote writes, engineering stations offline, maintenance accounts locked, and nonessential services stopped. Prefer local/manual control with minimal remote commands.
Triggers (Decide in Advance)
Confirmed integrity loss (unauthorized write, config drift on Tier-1 asset)
High-confidence threat activity in critical zones (e.g., LoTL on HMIs/servers)
Telemetry gaps on Tier-1 assets that raise operational risk
External dependencies (e.g., enterprise connectivity) no longer trustworthy
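An added illustration (not from the guidance or the post) of evaluating the integrity-loss and telemetry-gap triggers above against inventory tiers, a golden-config baseline, and a monitoring snapshot. The one-hour gap threshold, the field names, and the sample assets are assumptions, and the "zones to island" output only lists candidates for the runbook's human decision.

```python
from datetime import datetime, timedelta, timezone

# Assumed threshold: a Tier-1 asset silent longer than this counts as a telemetry gap
TELEMETRY_GAP = timedelta(hours=1)

def evaluate_triggers(assets, observations, baselines, now):
    """Return {asset: [trigger, ...]} for Tier-1 assets whose pre-decided OUC triggers fired.
    assets: asset_number -> {"tier", "zone"}; observations: asset_number -> {"config_hash",
    "last_seen", "unauthorized_write"}; baselines: asset_number -> known-good config hash."""
    fired = {}
    for asset, meta in assets.items():
        if meta["tier"] != 1:
            continue  # the runbook scopes these triggers to Tier-1 assets
        obs = observations.get(asset)
        reasons = []
        if obs is None or now - obs["last_seen"] > TELEMETRY_GAP:
            reasons.append("telemetry-gap")  # integrity cannot be confirmed at all
        else:
            if obs["config_hash"] != baselines.get(asset):
                reasons.append("config-drift")
            if obs["unauthorized_write"]:
                reasons.append("unauthorized-write")
        if reasons:
            fired[asset] = reasons
    return fired

def zones_to_island(assets, fired):
    """Zones containing a Tier-1 asset with a fired trigger (islanding candidates for review)."""
    return sorted({assets[a]["zone"] for a in fired})

def sample():
    """Constructed inventory and monitoring snapshot (not from the guidance)."""
    now = datetime(2025, 8, 20, 12, 0, tzinfo=timezone.utc)
    assets = {
        "PLC-0101": {"tier": 1, "zone": "Z1-Process"},
        "HMI-02": {"tier": 1, "zone": "Z3-Control"},
        "SIS-GW-01": {"tier": 1, "zone": "Z1-Process"},  # no observation: silent
        "RTU-07": {"tier": 2, "zone": "Z4-Field"},       # drifted, but not Tier-1
    }
    baselines = {"PLC-0101": "a1", "HMI-02": "b2", "SIS-GW-01": "c3", "RTU-07": "d4"}
    observations = {
        "PLC-0101": {"config_hash": "a1", "last_seen": now - timedelta(minutes=10), "unauthorized_write": False},
        "HMI-02": {"config_hash": "b9", "last_seen": now - timedelta(minutes=5), "unauthorized_write": True},
        "RTU-07": {"config_hash": "zz", "last_seen": now - timedelta(minutes=5), "unauthorized_write": False},
    }
    fired = evaluate_triggers(assets, observations, baselines, now)
    return fired, zones_to_island(assets, fired)
```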
Runbook Essentials (by zone/function)
Minimum Control Envelope (MCE): the smallest set of assets/flows to keep process stable and safe.
Switching steps: who authorizes, how to execute, and how to verify you’re in OUC.
OUC configuration set: ACLs/allowlists, service stop list, setpoint clamps, remote-write bans, time source fallback.
Observability pack: logs to keep, local dashboards/annunciators that must remain live.
Rejoin criteria: integrity checks, baseline reconciliation, staged reopening of conduits.
Design tips
Tie OUC decisions to BIA tiers: Tier-1 services get faster islanding and deeper “turtle” constraints.
Pre-stage golden images/known-good configs; enable write-protection where vendors support it.
Validate time sync and historian behavior in islanded mode.
Exercise OUC quarterly on a small window; record outcomes and update baselines/playbooks.
Metrics that matter
Time to island / time to turtle
% Tier-1 assets with validated OUC procedures
% OUC actions captured in logs with intact clocks
Mean time to safe rejoin
How to Apply All This, Simplified
Stand up a single source of truth, load the high-priority fields, and diagram zones & conduits for one pilot area.
Add the BIA overlay, tag Tier-1/2/3, and ensure Tier-1 assets have actionable logging for detection/investigation.
Bake inventory updates into change management, define metrics and reporting, and run a tabletop on losing a Tier-1 comms server (prove you can triage and recover within RTO).
Standards & Frameworks Crosswalk Quick Reference
Use it for compliance processes, design reviews, and board reporting.
Strongest overlaps
NIST CSF 2.0 — Asset management (ID.AM), governance (GV), detection/monitoring (DE.CM), response/recovery linkage.
NIST SP 800-82 r3 (ICS Guide) — OT asset discovery, zoning/segmentation, comms mapping, monitoring patterns.
NIST SP 800-53 r5 — CM-8 (System Component Inventory), PM-5 (System Inventory), CA-7 (Continuous Monitoring), RA-5 (Vuln Mgmt), SI-4 (System Monitoring), CP/IR families; SR/SA for supply chain.
CIS Controls v8 — 1 (Enterprise Asset Inventory), 2 (Software Inventory), 4 (Secure Config), 7 (Vulns), 8 (Audit Logs), 13 (Network Monitoring), 17 (Incident Response).
ISO/IEC 27001:2022 / 27002:2022 — Asset mgmt, configuration, logging/monitoring, supplier mgmt; integrates cleanly with a CMDB.
ISO 55001 (Asset Management) — Governance and lifecycle discipline for physical assets.
DOE C2M2 v2.1 — Asset/Change/Configuration Mgmt (ACM), Risk Mgmt (RMG), Situational Awareness (SA).
COBIT 2019 — BAI09 (Manage Assets), DSS05 (Security Services), APO12 (Risk), MEA (Monitoring).
NERC CIP (power) — CIP-002 (identify/impact-rate), CIP-005 (ESP/segmentation), CIP-010 R1 (baselines & change), CIP-007 R4 (security event monitoring/logging), CIP-003 R1 (cyber policy), CIP-015 (internal network security monitoring).
MITRE ATT&CK for ICS + D3FEND — Detection use cases and defensive technique mapping.
ISO 22301 / NIST 800-34 — Continuity/BIA overlay (RTO/RPO) that dovetails with inventory tiers.
ITIL 4 (Service Configuration Mgmt) — CMDB/CI governance to keep the inventory “living.”
Sector specifics — AWWA Cyber Guidance & Tool (water), ISO/IEC 27019 (energy), TSA pipeline/rail directives, USCG MTS cyber rule.
Quick mapping cheat-sheet (by activity)
OT inventory/taxonomy activity | Framework touchpoints
---|---
Build/maintain asset inventory (fields, owners, updates) |
Classify criticality & functions (taxonomy) |
Zone/conduit design & communications mapping |
Configuration baselines & change control |
Logging/monitoring (INSM, detection) |
Incident response & recovery linkages |
Supplier & firmware/SBOM context |
Governance, policy, metrics |
Tip: For program dashboards, bind inventory fields to control families (e.g., “Ports/Services” CM-7/CIP-007; “Logging” AU-12/CIP-007 R4; “Baseline ID” CM-2/CIP-010 R1; “Owner/Role” policy under CIP-003 R1). Keep the bulk of this mapping in your audit pack, not in your daily runbooks.
Sector Examples You Can Adapt
These are conceptual, not authoritative, and meant to jump-start your own taxonomy:
Oil & Gas: critical production, safety (ESD/BOP/FGS), DCS/PLCs, comms, power.
Electricity: DMZ, comms, generation, T&D, EMS, DER/storage, PACS; grouped into high/medium/low-criticality sets (e.g., transformers/relays/SCADA vs. support systems).
Water/Wastewater: collection, treatment, distribution, reuse; control systems, quality monitoring, comms infrastructure, with criticality tiers.
Boundaries & Caveats
This is voluntary guidance (not a regulation), not a safety manual, and not a complete list of OT assets; tailor to your environment.
Quick, Actionable Starter Checklist
Pick an owner and publish scope/governance.
Stand up a single source of truth (repo/CMDB) with the 14 high-priority fields.
Do a pilot walkdown in one zone; validate with a zone/conduit diagram.
Tag criticality and KEV exposure; create a frequent triage rhythm, based on your resource capacity and capability.
Bake updates into change management so the inventory stays living.
Final Thought
The best OT programs win with practical but mundane excellence: one source of truth, clear taxonomy, and disciplined updates through change. This guidance nails that foundation. Add a BIA overlay, and your monitoring depth, patch queues, spares, and playbooks snap to consequence instead of tradition. Use the crosswalk when you need it, but keep the focus on the simple loop that moves risk: enumerate, classify, observe, act, maintain. That’s how an inventory becomes operational advantage.