Why OT Operators Must Maintain a Continuously Updated System Inventory


In August 2025, regulatory and cybersecurity agencies from the United States, Canada, Australia, New Zealand, the Netherlands, and Germany jointly released new guidance urging OT owners and operators to create and sustain a definitive, continually updated record of their OT architecture. A follow-on document, joined by the United Kingdom, expands upon how organizations can leverage asset inventories, software bills of materials (SBOMs), and other data sources to build this “definitive record.”

Why is this so urgent? In short: without a living, accurate map of what’s in your environment, security teams can’t reliably assess risk, detect vulnerabilities, or respond confidently to incidents. As the guidance notes:

“Establishing a definitive record … allows you to effectively assess risks and implement the proportionate security controls. Rather than focusing solely on individual assets, a holistic approach enables you to consider the broader context …”

Below, I unpack the guidance, reflect on practical implications for defenders, and offer a roadmap for how Critical Path Security clients (or prospective clients) should act.


Key Principles from the New Guidance

Define processes for establishing and maintaining the record.
Organizations must identify data sources, validate collected data, and decide how and where the definitive record will reside. The key is to stop treating inventory as a one-time project and instead embed it into ongoing operations.

Establish an OT information security management program.
The definitive record itself is a high-value target. Threat actors would love to get their hands on a map of your environment. Access management, encryption, and audit logging must protect it, and scope must be clearly defined.

Identify and categorize assets to support risk-based decisions.
Not all devices are equal. Classify by criticality, exposure, and availability impact. This prioritization helps direct limited resources to where they matter most.

Document connectivity and communication relationships.
Mapping protocols, dependencies, and architectural constraints highlights lateral movement paths that attackers could exploit. This visibility is essential for segmenting networks and enforcing controls.

Document and manage third-party risks.
External vendors and remote access points are frequent weak links. Organizations must understand trust levels, contractual obligations, and potential backdoors introduced by suppliers.


What This Means for Your OT/ICS Program

From Static Lists to Dynamic Awareness
Manually maintained spreadsheets or static inventories are outdated the moment they’re created. The new guidance makes it clear: inventories must be continually updated, preferably with automated discovery and change detection.

Tight Collaboration Between IT and OT
The guidance highlights what many organizations still struggle with — IT and OT cannot operate in silos. Shared responsibility improves visibility, accelerates incident response, and reduces blind spots.

Focus on the Highest Risks First
Trying to map everything at once is overwhelming. Start with systems that have the greatest business impact, the most exposure, or the riskiest third-party connections. Expand as maturity grows.

Protect the Inventory as a Crown Jewel
The inventory itself is a target. Protect it with access controls, encryption, segmentation, and monitoring. Treat it as a sensitive system that requires the same rigor as any other critical asset.

Turn Inventory into Action
Once a living map exists, it becomes the foundation for better defenses: segmentation, patching campaigns, threat modeling, and faster incident investigations. It transforms from a compliance exercise into an operational advantage.


A Roadmap for Building the Inventory

The journey starts with discovery. Collect data from interviews, existing CMDBs, network tools, and passive monitoring. Build a central “definitive record” with a consistent data model. Automate change detection to ensure accuracy and reduce drift. Secure the inventory system itself through access controls and auditing. Finally, operationalize it by tying the inventory to everyday security tasks such as patching, segmentation, and incident response.

This is not about perfection on day one. It’s about establishing a living system that evolves and matures over time.
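
As an added illustration (not part of the guidance or of any Critical Path Security tooling), the "automate change detection" step can be sketched as a comparison between the definitive record and a fresh discovery snapshot, with findings ordered by asset criticality. The data model, field names, criticality scale, and sample assets are all assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    ip: str
    firmware: str
    criticality: int                # assumed scale: 1 = low, 3 = critical, 0 = unknown
    peers: frozenset = frozenset()  # (peer_ip, protocol) pairs, documented or observed

def detect_drift(record, observed):
    """Return findings (criticality, asset_key, message), highest criticality first."""
    findings = []
    for key in observed.keys() - record.keys():
        # A device nobody recorded is ranked highest until it has been classified.
        findings.append((3, key, "unrecorded asset on network"))
    for key in record.keys() - observed.keys():
        findings.append((record[key].criticality, key, "recorded asset not seen"))
    for key in record.keys() & observed.keys():
        old, new = record[key], observed[key]
        for field in ("ip", "firmware"):
            before, after = getattr(old, field), getattr(new, field)
            if before != after:
                findings.append((old.criticality, key, f"{field} changed: {before} -> {after}"))
        # Connections seen on the wire but absent from the documented relationships.
        for peer_ip, proto in sorted(new.peers - old.peers):
            findings.append((old.criticality, key,
                             f"undocumented connection to {peer_ip} via {proto}"))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

# Constructed sample data: keys are made-up MAC addresses used as stable asset IDs.
RECORD = {
    "02:00:00:00:00:01": Asset("10.10.1.10", "v32.011", 3,
                               frozenset({("10.10.1.50", "EtherNet/IP")})),
    "02:00:00:00:00:02": Asset("10.10.1.20", "2.70", 2,
                               frozenset({("10.10.1.50", "Modbus/TCP")})),
    "02:00:00:00:00:03": Asset("10.10.2.5", "4.2", 1),
}
OBSERVED = {  # snapshot as passive monitoring might report it (criticality unknown)
    "02:00:00:00:00:01": Asset("10.10.1.10", "v33.012", 0,
                               frozenset({("10.10.1.50", "EtherNet/IP"),
                                          ("10.20.0.7", "Modbus/TCP")})),
    "02:00:00:00:00:02": Asset("10.10.1.20", "2.70", 0,
                               frozenset({("10.10.1.50", "Modbus/TCP")})),
    "02:00:00:00:00:04": Asset("10.10.1.99", "unknown", 0),
}

if __name__ == "__main__":
    for crit, key, msg in detect_drift(RECORD, OBSERVED):
        print(f"[criticality {crit}] {key}: {msg}")
```

Each finding is a prompt for a human decision: either the record is updated to reflect an approved change, or the change is investigated as unauthorized.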


How Critical Path Security Can Help

Critical Path Security brings deep experience in OT/ICS security and knows how to bridge the cultural and technical gap between operations and cybersecurity. We help clients:

  • Perform inventory audits and identify gaps.

  • Deploy automated discovery and network monitoring tools with Leargas Security.

  • Design secure architectures for “definitive record” systems.

  • Use inventories to power risk modeling, segmentation, and zero-trust approaches.

  • Anchor incident response planning in accurate, up-to-date systems knowledge.

  • Train teams across IT, OT, and operations to work from the same source of truth.

If you’re an OT/ICS organization facing regulatory requirements or simply trying to get ahead of threats, now is the time to act. Static spreadsheets are dead. The adversaries already know what they’re after — you should too.


In Summary

  • New international guidance calls for continually updated OT system inventories.

  • Five principles define the approach: process design, governance, asset categorization, connectivity mapping, and third-party risk management.

  • Moving from static lists to dynamic, protected inventories is not just compliance — it’s operational necessity.

  • Critical Path Security can help design, implement, and operationalize the inventory you need to defend your environment.