Bottom line: NSA, CISA, EPA, FBI, and allied cyber agencies just published prescriptive guidance for building and maintaining an OT asset inventory and taxonomy—the foundation for a modern, defensible OT architecture. If you already run RedSeal, you can fulfill most of the guidance quickly by modeling your hybrid networks, auto-grouping assets into OT zones, validating segmentation, and continuously monitoring drift. If you don’t have RedSeal, you can still make rapid progress with a pragmatic, manual-first playbook and a tight operating cadence.
What’s new and why it matters
On August 13, 2025, CISA—joined by NSA, EPA, FBI, and peer agencies from Australia, Canada, Germany, the Netherlands, and New Zealand—released Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators. The goal: give OT owners/operators a systematic way to build an asset inventory plus a supplemental taxonomy that clarifies criticality, function, and dependencies so you can prioritize defenses and keep operations safe. CISA
NSA’s companion press note underscores the risk frame: OT systems are prime targets for disruption and extortion; the new process is meant to drive a modern defensible architecture by turning inventory and taxonomy into day-to-day operational tools for risk identification, vulnerability management, and incident response. NSA
What the guidance actually asks you to do
The document lays out a practical, repeatable sequence you can implement sector-by-sector or site-by-site:
- Define scope & objectives and establish governance for asset management.
- Identify assets across systems, hardware, and software (expect legacy protocols and walkdowns in plants).
- Collect attributes that matter for OT (function, location, firmware, network addressing, vendor, safety impact, etc.).
- Create an OT taxonomy that groups assets by function and criticality to support prioritization and reporting.
- Manage the data: normalize, de-duplicate, and choose a system of record.
- Implement lifecycle management so the inventory stays accurate as things change.
- Post-inventory actions: use the inventory for risk management, maintenance, KPIs/metrics, training, and continuous improvement.
- Sector examples (oil & gas, electricity, water/wastewater) are included as conceptual taxonomies to copy/adapt—not mandates.
How RedSeal helps you meet (and keep) the guidance
Translate the guidance into workflows you can run:
- Asset discovery via configuration modeling (not intrusive scanning). RedSeal ingests device configs (routers, switches, firewalls, cloud constructs) to build a live model of reachable networks, subnets, and routes—including “dark” or unscanned subnets you didn’t know to ask for. That accelerates the “identify assets + collect attributes” steps without touching fragile OT endpoints.
- Taxonomy & zoning you can defend. Use RedSeal to define OT zones (Level 0–3/3.5/DMZ), plants, safety systems, remote access enclaves, and vendor gateways; tag assets and subnets accordingly; and validate that traffic paths actually enforce those zones. This operationalizes the taxonomy requirement into policy you can measure.
- Segmentation & path analysis. Instantly check which external sources (or IT enclaves) can reach specific PLC networks and over which ports/protocols; flag rules and devices enabling that access; and document required paths (e.g., historian to DMZ to IT) vs. prohibited paths. That directly supports the guide’s “use the inventory for risk management and incident response.”
- Secure configuration baselines—maintained for you. RedSeal ships and maintains secure-config checks, so you’re not hand-authoring rules for every platform—closing the gap the guide calls out on governance and lifecycle.
- Prioritization with context (Risk Radius). Combine model-based reachability with vuln data to focus on exploitable exposures that matter to operations and safety; quantify blast radius if a device is compromised to drive maintenance windows and remediation.
- Continuous assurance. Schedule config pulls and policy checks to keep the inventory current and produce monthly KPIs (coverage, drift, # of prohibited paths removed, % of assets with required attributes, etc.) to satisfy the guidance’s “performance monitoring and reporting.”
Outcome: With RedSeal, most of the guidance becomes configuration-driven and repeatable: no fragile probes into Level 0/1, fewer site walkdowns, faster time to a defendable taxonomy, and continuous evidence for regulators, boards, and plant leadership.
Don’t have RedSeal? A pragmatic playbook you can start today
You can still execute the guidance with a manual-first approach and low risk to operations:
- Scope & governance (Week 0–1)
  - Name a single inventory owner; define change-control hooks.
  - Pick a system of record: a spreadsheet today; migrate to a CMDB later.
  - Adopt a simple taxonomy starter: Site → Zone (L0–L3.5/DMZ) → Function (Safety, Control, Historians, Engineering Workstations) → Criticality (High/Med/Low).
- Collect the first 80% (Weeks 1–4) — no intrusive scanning
  - Export firewall rulebases and NATs; pull router/switch route tables, ARP, MAC, CDP/LLDP neighbors; harvest VLAN–subnet maps; gather DHCP scopes.
  - Pull vendor asset lists from maintenance systems and spare-parts logs.
  - Walk the floor once for safety-critical panels and “stranded” devices, using photos + serials.
  - Normalize names; assign each asset to Site/Zone/Function/Criticality; record minimum attributes (model, firmware, IP/subnet, last-seen source).
- Make it useful (Weeks 4–6)
  - From firewall exports, generate your first “Allow List to OT”: all sources, ports, and protocols allowed into OT; which rules/devices enable them; and which OT zones they terminate in. Use it to remove obvious over-permissive rules.
  - Produce a top-10 list of prohibited paths discovered (e.g., IT laptops → L2 networks).
  - Stand up monthly KPIs: % of assets with required attributes; # of unknown subnets; # of over-permissive rules removed; % of OT zones with validated inter-zone policy.
- Sustain & improve (Months 2–6)
  - Establish a cadence: weekly delta-captures from firewalls/routers/switches; monthly plant review; quarterly taxonomy tune-up.
  - Map the inventory to incident response playbooks (what to isolate, and how) and to maintenance windows.
  - Align with NIST SP 800-82 and CISA CPGs to show maturity progress to auditors and execs.
Tip: If you later adopt RedSeal, you can ingest the same config sources to automate the steps you were doing by hand—turning your spreadsheet into a live model with policy validation and continuous drift detection.
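The “Make it useful” step above can be scripted from the firewall export and the VLAN–subnet map you already collected. The following is an added example (not RedSeal code and not from the CISA guide) that builds the Allow-Into-OT list, flags prohibited IT-to-control paths, and counts unknown subnets for the KPI; the rulebase CSV, zone map, IT address range and the “IT may only terminate in the DMZ” policy are all constructed assumptions.

```python
import csv
import ipaddress

# Constructed subnet -> (site, zone) map from the VLAN/subnet harvest (sample data).
# Any destination outside it surfaces as an "unknown subnet" for the KPI.
ZONE_MAP = {
    "10.10.0.0/24": ("Plant-A", "L3.5-DMZ"),
    "10.20.0.0/24": ("Plant-A", "L2"),
    "10.30.0.0/24": ("Plant-A", "L1"),
}
IT_SOURCES = ["10.100.0.0/16"]   # constructed enterprise/IT address space
IT_MAY_REACH = {"L3.5-DMZ"}      # assumed policy: IT sources may terminate only in the DMZ

# Constructed firewall rulebase export, one row per rule (not from any real device).
RULEBASE_CSV = """device,rule,src,dst,port,proto,action
fw-edge-1,R10,10.100.5.0/24,10.10.0.10/32,443,tcp,allow
fw-edge-1,R12,10.100.0.0/16,10.20.0.0/24,44818,tcp,allow
fw-edge-1,R15,10.100.7.0/24,10.40.0.0/24,502,tcp,allow
fw-edge-1,R20,10.100.0.0/16,10.30.0.0/24,any,any,deny
fw-core-2,R03,10.10.0.10/32,10.20.0.0/24,102,tcp,allow
"""

def zone_of(cidr):
    """Map a host or CIDR to its (site, zone); unmapped space returns (None, 'UNKNOWN')."""
    net = ipaddress.ip_network(cidr, strict=False)
    for subnet, site_zone in ZONE_MAP.items():
        if net.subnet_of(ipaddress.ip_network(subnet)):
            return site_zone
    return (None, "UNKNOWN")

def allow_into_ot(csv_text, it_sources=IT_SOURCES):
    """Return the Allow-Into-OT list, the prohibited paths within it, and unknown subnets."""
    it_nets = [ipaddress.ip_network(s) for s in it_sources]
    allowed, prohibited, unknown = [], [], set()
    for row in csv.DictReader(csv_text.splitlines()):
        if row["action"].lower() != "allow":
            continue                      # only permits contribute to exposure
        site, zone = zone_of(row["dst"])
        src = ipaddress.ip_network(row["src"], strict=False)
        from_it = any(src.subnet_of(n) for n in it_nets)
        entry = {**row, "site": site, "zone": zone, "from_it": from_it}
        allowed.append(entry)
        if zone == "UNKNOWN":
            unknown.add(row["dst"])       # destination the inventory has not classified yet
        elif from_it and zone not in IT_MAY_REACH:
            prohibited.append(entry)      # e.g. IT laptops -> L2 control network
    return {"allowed": allowed, "prohibited": prohibited, "unknown_subnets": sorted(unknown)}
```

Calling `allow_into_ot(RULEBASE_CSV)` on the sample yields four allow entries, one prohibited path (R12, IT into L2) and one unknown subnet (10.40.0.0/24); the same three outputs feed the Allow-Into report, the prohibited-path list and the unknown-subnet KPI.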
Example deliverables your board and plant managers will understand
- One-page OT Taxonomy for your organization (zones, functions, criticality definitions, naming standards).
- OT Allow-Into Report: “All IPs allowed into OT, by port/protocol, rule, device, and destination zone,” with owner and remediation recommendation.
- Segmentation Scorecard: % of required inter-zone policies enforced; # of prohibited paths eliminated this month.
- Risk & Maintenance Heatmap: assets by criticality × firmware currency × reachable-from-IT.
Where to start this week
- Adopt the official steps. Use the new guide to define scope, attributes, and your taxonomy; copy a sector example if it fits your environment. CISA
- Pick a discovery approach. RedSeal for model-based automation and continuous assurance; or a manual, low-impact sweep using configs and plant walkdowns.
- Publish the first “Allow-Into OT” list and remove one risky rule this week.
- Set KPIs and a 30/60/90 plan so progress is visible.
Sources
- CISA: Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators (published Aug. 13, 2025), including partner list and purpose.
- Guidance PDF (CISA): steps for inventory, taxonomy, sector examples, and post-inventory actions.
- NSA press release: context on threats and emphasis on defensible architecture and use of the inventory.
- NIST SP 800-82r3 (NIST Publications): broader OT security control practices.
- CISA Cybersecurity Performance Goals (CPGs): implementation and tracking framework.