CISA Publishes Cybersecurity Asset Inventory Guide
Electric Sector Provided Input to Developers

A new publication from CISA aims to help organizations catalog the electronic assets on their systems so they can respond quickly to cyber incidents.

With operational technology (OT) systems increasingly vulnerable to cyberattacks, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a guide to help infrastructure owners and operators map their systems and plan their defense strategies.

CISA created the Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators document through the Joint Cyber Defense Collaborative, an initiative between the private and public sectors that seeks to unify “cyber defense capabilities and actions of government and industry partners.” Entities from the water, oil and electric sectors contributed to the guide, including Duke Energy, Eversource, Pacific Gas & Electric and Southern California Edison.

OT systems have traditionally been separate from entities’ information technology (IT) and business networks. However, in today’s industrial landscape, OT is increasingly integrated with IT for business efficiencies; this creates opportunities for cyber attackers to access OT systems after gaining entry into a company’s IT network.

The guide helps entities develop OT asset inventories, which are defined as “organized, regularly updated [lists] of an organization’s OT systems, hardware and software.” Asset inventories are “foundational to designing a modern defensible architecture,” CISA said, because they quickly give organizations insight into their networks to see what might be vulnerable when new threats are revealed.

CISA considers OT asset inventories so important that the agency added them to its list of cybersecurity performance goals, a set of best practices developed in tandem with the National Institute of Standards and Technology that are recommended for all organizations to provide a baseline level of protection.

The guide lays out multiple steps involved in developing an OT asset inventory. First, an organization should define the scope and objectives of the project. This includes defining the authority within the entity that needs the inventory and what positions will be responsible for establishing and maintaining it.

Next, the entity must inspect its system to identify the physical and digital assets and collect asset attributes. Attributes are fields that describe the asset; the guide lists items that entities should prioritize, such as active and supported communication protocols, asset criticality, IP address, manufacturer, physical location and associated user accounts.

A critical step in the process is creating a taxonomy for assets. Organizations must classify assets based on criticality for function; categorize assets and their communication pathways using an existing method or one devised by the entity itself; organize structure and relationships; cross-check and verify accuracy and completeness of the data; and periodically review and update it.

Recognizing that entities in various sectors may have differing needs, the document’s authors provided samples of taxonomies for several industries in the appendices, including electric utilities, based on exercises and discussions with sector representatives. The electric example divides assets into categories by function, such as communications; generation; transmission and distribution; physical and electronic access control or monitoring systems; energy management systems; and distributed energy resources.

Once the inventory is compiled, organizations may use it for several functions. These include cybersecurity and risk management — identifying vulnerabilities and mitigations for OT systems, prioritizing threat factors and strengthening security posture — and maintenance, which can mean assessing the cost of replacing vulnerable systems or analyzing their spare parts inventory to identify any potential gaps. Inventories can also help with performance monitoring and reporting, staff training and informing change management processes.
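
The inventory steps above, sketched in Python as an added example (not code from CISA's guide or from this article): records carry the attributes the guide prioritizes, `gaps` performs the cross-check for completeness, and `affected` lists assets matching an advisory's vendor or protocol, most critical first. The record layout, the high/medium/low scale, the shortened category names and all sample assets are assumptions.

```python
from dataclasses import dataclass, field

# Attribute names follow the fields the article lists; the record layout,
# criticality scale and all sample values are constructed for illustration.
REQUIRED = ("protocols", "criticality", "ip_address", "manufacturer",
            "location", "user_accounts")
CATEGORIES = {"communications", "generation", "transmission and distribution",
              "access control or monitoring", "energy management systems",
              "distributed energy resources"}  # shortened from the electric example
CRITICALITY_ORDER = {"high": 0, "medium": 1, "low": 2}  # assumed scale

@dataclass
class Asset:
    name: str
    category: str
    manufacturer: str = ""
    ip_address: str = ""
    location: str = ""
    criticality: str = ""
    protocols: list = field(default_factory=list)
    user_accounts: list = field(default_factory=list)

def gaps(asset):
    """Cross-check step: return attributes that are empty or invalid."""
    missing = [a for a in REQUIRED if not getattr(asset, a)]
    if asset.category not in CATEGORIES:
        missing.append("category")
    if asset.criticality and asset.criticality not in CRITICALITY_ORDER:
        missing.append("criticality")
    return missing

def affected(inventory, manufacturer=None, protocol=None):
    """Assets matching an advisory's vendor and/or protocol, most critical first."""
    hits = [a for a in inventory
            if (manufacturer is None or a.manufacturer.lower() == manufacturer.lower())
            and (protocol is None or protocol in a.protocols)]
    return sorted(hits, key=lambda a: CRITICALITY_ORDER.get(a.criticality, 99))

# Constructed sample inventory (vendor names are placeholders).
INVENTORY = [
    Asset("rtu-sub-12", "transmission and distribution", "ExampleVendorA",
          "10.20.1.5", "Substation 12", "high", ["DNP3"], ["svc_scada"]),
    Asset("hist-01", "energy management systems", "ExampleVendorB",
          "10.20.9.8", "Control center", "medium", ["OPC UA"], ["hist_admin"]),
    Asset("inv-der-3", "distributed energy resources", "ExampleVendorA",
          "", "Solar site 3", "low", ["Modbus", "DNP3"], []),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(a.name, "gaps:", gaps(a))
    print([a.name for a in affected(INVENTORY, protocol="DNP3")])
```

Records that return a non-empty `gaps` list are the ones to revisit during the periodic review the guide calls for.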

“More than just a technical manual, this guidance serves as a strategic enabler for cyber defense actions and operational collaboration with CISA and other key stakeholders,” CISA said in a press release. “With a precise understanding of the assets within an operator’s infrastructure, common vulnerabilities and exposures … become significantly more actionable and timely — helping operators reduce risk proactively, before incidents escalate.”
