The report titled “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators” is a vital roadmap for enterprises with OT exposures, particularly given the unprecedented targeting of these critical digital assets (CDAs).
The guide defines an OT asset inventory as an “organized, regularly updated list of an organization’s OT systems, hardware, and software.” Without such an inventory, “organizations do not know what they have and what should be secured and protected,” advises the guide.
According to an NSA press release, a meticulously logged OT asset inventory is an essential resource that can aid organizations in enhancing risk identification, vulnerability management, and incident response across their industrial devices and applications.
This report is particularly timely as 2024 research from the cybersecurity nonprofit Ponemon Institute found that most respondents from organizations that operate critical infrastructure, industrial control systems (ICS), and other OT systems said they lacked visibility into the CDAs that comprise these environments.
According to the survey, 73% of respondents said their organizations “lack an authoritative OT asset inventory.” The survey also found that 69% of respondents reported having “either no inventory or an inaccurate, outdated inventory.” Meanwhile, the remaining 5% were unsure about the state of their asset inventory.
Even worse, 38% of Ponemon survey respondents said their organizations maintain an OT asset inventory, but it may not be accurate or current. Concurrently, these findings dovetail with only 55% of Ponemon survey respondents reporting that their organization is “effectively or very effectively mitigating risks and security threats to the OT environment.”
These alarming findings are backdropped by a threat landscape where cyberattacks targeting OT systems are rapidly increasing. Fortinet’s 2025 State of Operational Technology and Cybersecurity Report, published in August, surveyed OT specialists, mostly with industrial plant or manufacturing-related operations, and documents concrete evidence highlighting the elevated threat environment.
Sixty percent of Fortinet survey respondents who reported an intrusion over the last year said that the breach impacted both their IT and OT systems. Notably, this number is up 11% from 2024.
Further illuminating modern cyber-threat transformation, an analysis of 8-K filings submitted by public companies to the Securities & Exchange Commission (SEC) between December 2023 and January 2025 revealed 30 cybersecurity incidents where organizations claimed that attackers breached their OT systems.
According to Wilson Sonsini, the corporate law firm that conducted the review, that number marks 55% of all 8-K filings where a cybersecurity filing was disclosed. An 8-K filing, or "current report," is a form that companies must file with the SEC to “announce major events that shareholders should know about,” according to the regulator’s website.
The rise in attacks impacting OT systems correlates to the accelerating convergence of IT and OT systems in industrial environments. This growing trend has vastly expanded the operational attack surface and introduced unprecedented cyber-physical risks. For organizations with significant OT deployments, the NSA’s guidance couldn’t be more timely.
The Benefits of Making an OT Asset Inventory
The NSA guide notes that the development of this inventory is a “multi-step process where OT owners and operators identify, classify, and document assets.” As a best practice, the guide suggests that stakeholders develop an OT taxonomy as part of the inventory process.
An OT taxonomy is a “categorization system used to organize and prioritize OT assets to facilitate risk identification, vulnerability management, and incident response,” according to the guide.
The guide highlights the following benefits of developing an OT taxonomy:
Improved Organization & Management
- Enables effective categorization and organization of assets, processes, and data
- Makes it easier to manage and retrieve information
- Leads to more efficient operations
Enhanced Communication
- Standardizes terminology and classifications
- Ensures everyone speaks the same language
- Reduces misunderstandings and improves collaboration across teams
Better Decision Making
- Provides a clear understanding of relationships and dependencies between assets and processes
- Supports informed decision-making
- Optimizes resource allocation, planning, maintenance, and upgrades
Cost Savings
- Optimizes asset management and reduces inefficiencies
- Minimizes downtime and improves operational efficiency
- Delivers significant cost savings
Data Analytics & Insights
- Provides a clear framework for organizing and analyzing data
- Enables better data analytics and valuable insights
- Supports continuous improvement and innovation
The Five-Step Process for OT Taxonomy and Asset Inventory Creation
The NSA guide outlines a five-step process for developing an OT taxonomy and asset inventory.
Step 1: Define Scope and Objectives
The first step in creating an OT taxonomy is setting the foundation. Organizations need to establish clear governance, decide who is responsible for asset management, and define the scope of the inventory. By outlining objectives upfront, teams can ensure the effort stays focused and aligned with business priorities.
Step 2: Identify Assets and Collect Attributes
Once the scope is clear, the next step is gathering a comprehensive view of OT assets. This includes not just listing systems but also capturing key attributes such as criticality, role, location, and software details. A well-rounded asset inventory makes it easier to understand dependencies and vulnerabilities across the environment.
Step 3: Create a Taxonomy to Categorize Assets
With the data collected, organizations can begin organizing assets into a structured taxonomy. This means grouping them into categories that reflect relationships, processes, and system dependencies. A consistent taxonomy provides clarity, reduces confusion, and creates a common language for teams to use.
Step 4: Manage and Collect Data
Building a taxonomy is not a one-time effort. Data needs to be validated, maintained, and updated regularly to reflect changes in the OT environment. Ongoing management ensures that the taxonomy remains accurate and continues to serve as a reliable resource for operations and security teams.
Step 5: Implement Life Cycle Management
Finally, organizations should embed taxonomy practices into long-term operations. This includes integrating asset categorization into planning, upgrades, and incident response processes. By treating the taxonomy as a living framework, teams can support continuous improvement and adapt to evolving OT systems.
Post-Inventory Best Practices
After building an OT asset inventory and taxonomy, the real work begins—securing, maintaining, monitoring, training around, and continuously refining the framework to bolster security, operational reliability, and organizational resilience. The NSA guide highlights the following focus areas for stakeholders once they have created their OT taxonomies and asset inventories:
- Enhancing OT Cybersecurity and Managing Risk
- Maintenance and Reliability
- Performance Monitoring and Reporting
- Training and Awareness
- Continuous Improvement
Enhancing OT Cybersecurity and Managing Risk
Once your OT asset inventory and taxonomy are in place, it's crucial to integrate them into your cybersecurity strategy, advises the guide. Start by pinpointing known vulnerabilities in your deployed systems, including available patches, updates, or hardening techniques.
Also, make sure to cross-reference your asset list with authoritative sources—such as CISA’s Known Exploited Vulnerabilities (KEV) catalog and MITRE’s Common Vulnerabilities and Exposures (CVE) database—to stay informed.
For systems that can’t be patched immediately or are nearing end-of-life status, consider compensating security controls. The NSA guide also notes that real-time monitoring and automated tools can help prioritize and manage vulnerability remediation more efficiently.
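The cross-referencing described above can be automated along these lines. This is an added example, not code from the NSA guide or from any vendor: the Asset fields, the criticality scale and all sample data are assumptions, and the CVE IDs are placeholders in the shape of CISA's KEV JSON feed.

```python
import json
from dataclasses import dataclass

# Constructed sample shaped like CISA's KEV JSON feed. Field names follow the
# published feed; vendors, products and CVE IDs are placeholders, not real entries.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID":"CVE-0000-00001","vendorProject":"ExampleVendor","product":"PLC-9000","dueDate":"2025-09-01"},
 {"cveID":"CVE-0000-00002","vendorProject":"SampleCorp","product":"HMI Studio","dueDate":"2025-08-15"},
 {"cveID":"CVE-0000-00003","vendorProject":"OtherCo","product":"Mail Gateway","dueDate":"2025-07-01"}]}""")

@dataclass
class Asset:
    """Inventory record with the Step 2 attributes (field names are assumptions)."""
    name: str
    vendor: str
    product: str
    role: str
    location: str
    criticality: int          # assumed scale: 1 = most critical
    patchable: bool = True
    end_of_life: bool = False

def norm(text):
    """Fold case and punctuation so 'PLC 9000' and 'plc-9000' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def kev_findings(assets, kev):
    """Return (asset, cveID, dueDate, action) tuples, most critical asset first."""
    # KEV entries carry no version data, so each hit is a candidate that still
    # needs firmware/software version confirmation against the vendor advisory.
    index = {}
    for vuln in kev["vulnerabilities"]:
        key = (norm(vuln["vendorProject"]), norm(vuln["product"]))
        index.setdefault(key, []).append(vuln)
    rows = []
    for a in assets:
        fixable = a.patchable and not a.end_of_life
        for vuln in index.get((norm(a.vendor), norm(a.product)), []):
            action = "patch" if fixable else "compensating-control"
            rows.append((a.criticality, vuln["dueDate"], a.name, vuln["cveID"], action))
    return [(n, cve, due, act) for _, due, n, cve, act in sorted(rows)]

INVENTORY = [  # constructed sample assets
    Asset("hmi-ops-02", "SampleCorp", "HMI Studio", "operator HMI", "Control room", 2),
    Asset("plc-line1", "Example Vendor", "PLC 9000", "safety PLC", "Line 1", 1, patchable=False),
    Asset("hist-01", "SampleCorp", "Historian", "historian", "DMZ", 3, end_of_life=True),
]

if __name__ == "__main__":
    print(*kev_findings(INVENTORY, KEV_SAMPLE), sep="\n")
```

Matching on normalized vendor and product names will miss assets whose inventory naming diverges from the catalog, so unmatched assets are not proof of absence; the inventory's naming convention is part of what the taxonomy has to standardize.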
Maintaining Reliability Through Secure Asset Management
Your taxonomy should also support maintenance planning and resilience, according to the guide. Be sure to revisit maintenance schedules in light of recent vulnerability findings, and carefully weigh the cost of downtime against the investment in replacing or securing vulnerable systems.
Monitoring Performance and Reporting Effectively
A robust OT taxonomy should feed into performance insights. Implement continuous monitoring of both physical process variables (like pressure, flow, temperature) and system/network diagnostics to detect degradation or anomalies early.
Thus, the guide advises OT operators to develop reporting mechanisms that track performance, maintenance, and compliance. Make sure to assign clear ownership within the team for maintaining the accuracy of inventory and asset classifications.
Building Awareness Through Training
Effective asset management relies on people as much as processes. The guide advises OT operators to train staff on how to use the asset inventory and taxonomy tools, and run awareness programs to ensure stakeholders understand why accurate asset tracking matters.
Embracing Continuous Improvement
Last, but certainly not least, your asset taxonomy should be treated as a living tool—not a static artifact, notes the guide. The guide advises operators to set up feedback loops to gather user input and identify gaps or improvements. Additionally, ensure change management processes capture asset lifecycle events—like modifications, additions, or retirements—so the inventory stays current.
How vTraq® Can Help
The NSA post-inventory development guidance explicitly advises OT-exposed organizations to use “automated vulnerability and patch management tools that automatically incorporate and flag or prioritize KEV vulnerabilities.”
That’s not a nice-to-have—it’s a baseline requirement for maintaining security in modern OT environments.
The challenge, however, is that most OT environments were never designed for continuous monitoring. Legacy systems, segmented networks, and isolated assets make it impossible to rely solely on traditional scanning or alerting.
The result is the same across sectors: manual, human-dependent processes that are costly, slow, and often incomplete and inaccurate.
Meanwhile, vulnerability advisories are published daily, making it nearly impossible for even well-resourced teams to keep pace without the right tools.
This is precisely the gap that vTraq® by InfraShield was built to close. vTraq® provides operators with a living OT asset inventory tied directly to authoritative vulnerability data—including CISA’s KEV catalog and the NIST National Vulnerability Database (NVD). Instead of sifting through endless advisories, operators can instantly see which vulnerabilities apply to which assets, across both modern and legacy systems, even when they are air-gapped or standalone.
With vTraq®, OT operators gain:
- Continuous mapping of vulnerabilities to every asset in the inventory
- Automated flagging and prioritization of KEVs to focus on what matters most
- Faster, more consistent analysis than manual processes ever could deliver
- A streamlined path to demonstrating compliance while reducing cost and manpower demands
Simply put, vTraq® transforms vulnerability management from a reactive, paper-driven burden into a proactive, automated capability that scales with your environment. It turns the NSA’s call for automated solutions into operational reality—providing clarity, consistency, and speed where operators need it most.
Ready to take control of your OT environment?
Building and maintaining an accurate asset inventory while staying ahead of relentless vulnerability advisories doesn’t have to be overwhelming. InfraShield’s vTraq® platform was purpose-built to simplify asset taxonomy, automate vulnerability mapping, and flag the risks that matter most—so your teams can focus on operations, not paperwork.
Contact InfraShield today to learn how vTraq™ can help your organization cut through complexity, reduce costs, and strengthen resilience with a smarter, more efficient approach to OT asset inventory curation and vulnerability management.