Last month, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), in partnership with the Federal Bureau of Investigation (“FBI”), National Security Agency, Environmental Protection Agency, and cybersecurity authorities in Australia, Canada, Germany, Netherlands, and New Zealand, published new cybersecurity guidance (the “Guidance”) related to operational technology (“OT”), i.e., systems and devices that interact with a physical environment that are commonly used in manufacturing, utilities, oil and gas production, transportation, and other industrial operations.  The Guidance, which will be of interest to any organizations that have an OT environment, is intended to help critical infrastructure entities develop and implement an OT asset inventory and taxonomy to protect their critical assets and improve incident response preparedness.  It comes in advance of upcoming cyber incident reporting requirements for critical infrastructure in the U.S. under the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) and in the EU under the revised Network and Information Systems Directive (“NIS2 Directive”).  The Guidance is the latest in a series of joint releases from CISA, FBI and other U.S. and international partners on various security-related topics largely intended for critical infrastructure, including AI data security, product security bad practices, quantum computing cyber threats, and secure software development.

Overview

The Guidance builds upon previous CISA guidance that promulgated a set of 38 voluntary Cybersecurity Performance Goals (“CPGs”), which are intended to establish a set of fundamental cybersecurity practices for critical infrastructure owners and operators.  In particular, the first CPG (“1.A”) recommends that organizations maintain a regularly updated inventory of all IT and OT assets.  The Guidance notes that these OT assets – such as industrial control systems, process automation equipment, and other cyber-physical systems – are vital to critical infrastructure services and frequently targeted by malicious threat actors seeking to destroy, disrupt, or otherwise exploit them.  Common examples include the exploitation of:

  • Vulnerabilities in flawed or outdated software/firmware to gain access to OT systems;
  • Weak authentication mechanisms to gain unauthorized access to OT systems;
  • Insufficient network segmentation to move laterally from IT to OT environments and between OT systems;
  • Insecure OT protocols to intercept communications, inject malicious commands, and disrupt or manipulate industrial processes; and
  • Insecure remote access points to gain access to OT systems, allowing for lateral movement or for command and control.

Accordingly, the Guidance provides practical steps to implement CPG 1.A and develop an accompanying OT taxonomy that organizes and prioritizes OT assets to enhance organizations’ risk identification, vulnerability management, and incident response.  The Guidance also includes three “conceptual taxonomies” for the Oil and Gas, Electricity, and Water and Wastewater sectors to help organizations conceive and develop their own taxonomies.  Critical infrastructure owners and operators are also invited to provide feedback on the Guidance and recommendations for future guidance via CISA’s anonymous product survey.

Steps to Develop an OT Asset Inventory and Taxonomy

The Guidance highlights the inherent challenges in maintaining an updated OT asset inventory, since OT environments often contain diverse systems, such as specialized devices, sensors, and instrumentation, as well as legacy systems, which often use unique and proprietary communication protocols.  The Guidance helps owners and operators address this complexity by providing a step-by-step process to create an OT asset inventory and taxonomy.

  1. Define Scope and Objectives
    • Define governance over asset management, including offices/positions responsible for establishing and maintaining the inventory.
    • Assign roles and responsibilities for collection and validation of data necessary for inventory development and maintenance.
    • Define the scope of the program (e.g., specific zones, facilities, systems), a development timeline, and what constitutes an OT asset.
  2. Identify Assets and Collect Attributes
    • Gather detailed digital- and network-based information about system components—including by conducting a physical inspection where necessary for certain OT assets—and compile a comprehensive list of all OT assets and network infrastructure dependencies.
    • Collect asset attributes to describe each asset and prioritize the collection of high-priority attributes.  Recommendations for attributes are provided in Appendix A of the Guidance.
  3. Create a Taxonomy to Categorize Assets
    • Classify assets based on their criticality (i.e., importance to the organization’s operations, safety, and mission) or function (i.e., roles or exposure within the OT environment).
    • Categorize and organize assets and their communications pathways, for example, into “zones” that group assets with similar security requirements and “conduits” consisting of communications assets that ensure only authorized data can pass between zones.
    • Organize the overall structure of the environment and relationships between assets.
    • Validate and visualize your inventory, such as with tables and diagrams, to show asset categories (e.g., zones and conduits), relationships, and dependencies.
    • Periodically review and update the taxonomy to reflect changes and gather feedback from stakeholders
  4. Manage and Collect Data
    • Identify additional sources of data for each asset that may enhance the inventory and consider whether to include them.
    • Establish and secure a centralized asset management database/system to store and manage additional asset data.
  5. Implement Life Cycle Management
    • Define the stages of each asset’s life cycle (e.g., acquisition, deployment, commissioning, maintenance, and decommissioning).
    • Develop policies for managing asset life cycles (e.g., maintenance schedules, replacement plans, and backup strategies) in accordance with change management processes.

The Guidance also provides recommendations for owners and operators to leverage their OT asset inventory and taxonomy after following these steps, including for risk and vulnerability management, system maintenance, performance monitoring, training, and continuous improvement.

Looking Ahead

The Guidance is beneficial for any organizations that maintain OT, but it is particularly important for covered entities required to report cyber incidents under CIRCIA in the U.S. and NIS2 Directive in the EU.  Both laws require a wide range of critical infrastructure entities (or “essential” and “important” entities under the NIS2 Directive) to report “significant” cyber incidents, which can include both IT and OT incidents, even without any impact to data.  Accordingly, covered entities, even those that are already required to report data breaches, will need to prepare for new, far-reaching notification obligations that will require them to not only have visibility over their OT assets, but also the capability to determine whether a cyber incident that impacts those assets is “significant” for purposes of CIRCIA and the NIS2 Directive.  The Guidance also reinforces the importance that CISA and other cyber regulators have placed on OT and signals an emphasis on overall cybersecurity governance, including involvement from senior leaders and legal and improving overall visibility, including by eliminating information silos between IT and OT system owners.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less
Photo of Ashden Fein Ashden Fein

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel…

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Read more about Ashden FeinEmail
Show more Show less
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Read more about Micaela McMurroughEmail
Show more Show less
Photo of Mark Young Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the…

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” has “great insight into the regulators;” and “is technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 20 years of experience, Mark specializes in:

Providing practical guidance and advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services.
Handling complex regulatory investigations and enforcement actions involving data privacy regulators in the UK, EU and globally, and advising on follow-on litigation risk.
Helping clients respond to cybersecurity incidents, including ransomware, supply chain incidents, state-sponsored attacks, insider threats, personal data breaches, and IP and trade secret theft.
Advising various clients on the EU NIS2 Directive, Cyber Resilience Act (CRA), and other emerging EU, UK, and global cybersecurity laws and regulations.
Advising life sciences companies on industry-specific data privacy issues, including clinical trials, pharmacovigilance, and digital health products and services.
Advising on data privacy compliance in relation to employees and international transfers of data in connection with white collar investigations.
Providing strategic advice and advocacy on a range of UK and EU technology law reform issues relating to data privacy, cybersecurity, eIDs, and software.
Representing clients in connection with references to the Court of Justice of the EU.

Read more about Mark YoungEmail
Show more Show less
Photo of John Webster Leslie John Webster Leslie

Web Leslie advises clients on a broad range of challenges and opportunities at the intersection of technology and security, including investigations, regulatory, and transactional matters related to cybersecurity, national security, critical infrastructure, and data privacy.

In his white-collar practice, Web helps clients navigate…

Web Leslie advises clients on a broad range of challenges and opportunities at the intersection of technology and security, including investigations, regulatory, and transactional matters related to cybersecurity, national security, critical infrastructure, and data privacy.

In his white-collar practice, Web helps clients navigate both government and internal investigations. He specializes in complex civil and criminal investigations related to alleged government contracts fraud and other cybersecurity-related allegations under the False Claims Act, FTC Act, and equivalent state laws. Additionally, Web assists clients in responding to a variety of cyber incidents, ranging from intrusions and extortion by advanced persistent threats to business email compromises and large-scale data breaches. Web also helps clients investigate insider threat activity and potential noncompliance with regulatory and contractual cybersecurity requirements.

In his advisory and transactional practice, Web assists clients across a wide range of industries and critical infrastructure sectors manage risk in an evolving regulatory landscape. He regularly advises on cybersecurity compliance and best practices, information security program development, incident response preparedness, insider threat risks, third-party risk management, and international cyber regulations, among other areas. Web also advises clients on a variety of government and industry standards, including the NIST Cybersecurity Framework 2.0, NIST SP 800-53, NIST SP 800-171, FedRAMP and state equivalents (e.g., GovRAMP, TX-RAMP), CJIS, ISO/IEC standards (e.g., ISO 27001), SOC2 Type 2, and other sector-specific requirements (e.g., HIPAA Security Rule, PCI DSS, DFARS Clause 252.204-7012, NERC Critical Infrastructure Protection).

In addition to his regular practice, Web counsels pro bono clients on data breach, immigration, and criminal law matters.

Web previously served in government in different roles at the Department of Homeland Security (DHS), including at the National Protection and Programs Directorate—known today as the Cybersecurity and Infrastructure Security Agency (CISA)—where he specialized in cybersecurity and critical infrastructure protection, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.

Read more about John Webster LeslieEmail
Show more Show less