OT Security, Governance, Risk and Compliance

Why CISA’s new asset inventory guidance matters


COMMENTARY: Our team considers the Cybersecurity and Infrastructure Security Agency’s (CISA’s) new asset inventory guidance, released Aug. 13, one of the most actionable advisories we’ve ever seen from the agency.

Over the past five years, global governments have published documentation guidance for critical infrastructure that raised awareness, but was hard to implement. While these documents succeeded in drawing attention to operational technology (OT) security challenges, they often lacked clear pathways for organizations to enact meaningful change.


This new guidance represents a turning point because it’s genuinely actionable. It successfully integrates three important stakeholders: OT operators, cybersecurity software providers in the cyber-physical systems protection platform (CPS PP) area, and established industry standards.

Rather than just suggesting additional processes or tools, this combination creates a comprehensive framework. For companies hesitant to start a dedicated OT security program, the new CISA document provides a practical, confidence-building roadmap.

It connects cyber improvements to revenue protection activities such as performance monitoring, maintenance and reliability, and continuous improvement. By linking security practices to operational outcomes, CISA reframes cybersecurity not as a sunk cost, but an enabler of efficiency, safety, and resilience.

The three main stakeholders

The new CISA guidance brings together three distinct stakeholder groups: OT operators, software providers, and standards bodies.

Historically, these groups have often worked in silos, which created gaps in OT security efforts. By ensuring each perspective gets represented, the guidance offers practical and balanced advice, which gives it a higher chance of broad industry acceptance. Here’s the breakdown:

OT operators: The document resonates with operators by embracing the Purdue-based architecture hierarchy they already understand and trust. The tiered Purdue model is used in industrial environments to segment and secure systems from the enterprise level down to field devices. This approach lets operators integrate legacy systems into modern architectures without risking operational outages. The document speaks in operators’ language by focusing on tangible assets and defining process areas by their actual function rather than by specific automation vendor names or subnets. This vendor-neutral approach makes the guidance more universally applicable.

Software providers: Regulators have been hesitant to directly engage with the CPS PP market because it’s still a relatively new category, and regulators have traditionally relied on more established standards frameworks. Despite that hesitancy, pros in the OT field view CPS PP as the future of OT cybersecurity because it offers centralized visibility, real-time asset intelligence, and integration across both IT and OT layers. While Gartner’s creation of a dedicated CPS PP category for its Magic Quadrant was a positive first step, this new CISA document goes further by directly referencing core functionality requirements for asset identification and collection attributes.

Practical standards integration: The International Electrotechnical Commission’s (IEC’s) IEC 62443 remains the most thorough standard for OT cybersecurity, but it’s often overwhelming for organizations trying to implement it fully because of the sheer volume of requirements and technical depth. This document strategically leverages the strength of 62443 while offering a practical conformance path that doesn’t require organizations to tackle every aspect simultaneously. Referencing, but not mandating, 62443 allows for meaningful progress without paralyzing complexity.

Cybersecurity as a business enabler

The new CISA guidance also reframes cybersecurity as a business enabler rather than a cost center. Historically, OT security investments were viewed primarily as an expense that protected against hypothetical risks. This perception made it difficult to prioritize funding.

Today, the shift toward positioning cybersecurity as a driver of efficiency, reliability, and resilience underscores why it’s increasingly recognized as a source of business value. The advisory clearly demonstrates how maturing the IT and cyber components of OT systems directly supports three critical business objectives: enhancing maintenance and reliability by improving system visibility and control, enabling performance monitoring through real-time operational insights and optimization, and advancing continuous improvement with data-driven decision-making at fleet-wide scale.

The CISA guidance recognizes a fundamental truth: teams must properly secure legacy systems before organizations can safely connect them to broader internet resources and advanced data computation platforms.

This point has become particularly critical in the current rush to adopt AI. Many organizations are eager to layer AI-driven tools on top of their operations, but without first securing legacy assets, they risk amplifying vulnerabilities and exposing critical systems to greater threats. Building cyber resilience isn’t just a security requirement; it’s the essential first step toward operational modernization and digital transformation.

Here’s why these OT security issues have become urgent: Some of our recent research found that while 100% of federal agencies launched new CPS security initiatives in the past year, only 36% achieved full asset visibility—and more than two-thirds of OT leaders expect a disruptive cyber incident within the next 12 months.

This stark reality underscores why actionable frameworks like CISA’s asset inventory guidance are essential. Without deep visibility, continuous monitoring, and a path to secure legacy assets, agencies and enterprises alike remain dangerously exposed.

Sean Tufts, Field CTO, Claroty

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
