Unlike your screenplay or novel labeled “Final_V5_revisions_USETHISONE_V2,” government authorities want a clear, conclusive document from organizations hosting operational technology—the “OT” hardware and software powering physical machinery in factories, power plants, and water-treatment facilities.
On Sept. 29, the US cyberagency CISA, the FBI, and the UK National Cyber Security Centre released joint guidance for OT professionals on how to create an up-to-date asset inventory known as a “definitive record.”
Consultants and security providers who spoke with IT Brew see the move as a must-do for a sector that has lagged behind its IT counterparts. As OT environments are increasingly equipped to conduct remote monitoring, analytics, and real-time inventory management, operational-tech practitioners may require a strengthening of their security skills.
“It’s not necessarily the fault of the operators up until that point. It’s just that they haven’t had that discipline because they didn’t really need to have that discipline necessarily,” Sean Arrowsmith, director of industrials at cybersecurity consultancy NCC Group, said.
Arrowsmith has entered facilities where the OT architecture, like every puzzle at an Airbnb, has missing pieces.
“That level of asset inventory that you might see in an IT environment doesn’t necessarily exist in OT in a lot of cases,” he said, referring to practices often present in enterprise IT scenarios, like scanning for on-network devices and listing assets in a centralized configuration management database.
Some asset-istics. A Ponemon Institute survey of 1,056 global IT and security practitioners operating an OT environment, conducted in September 2023, found that 73% of respondents said their orgs “lack an authoritative OT asset inventory.”
However, OT security shows signs of improving, according to a July 2025 report from Fortinet, which found that 81% of orgs self-assessing their cybersecurity process in 2024 see their maturity level as 3 or 4 (out of a possible 4). At this level, “security activities and guidelines are documented, and at the highest level, security processes and tactics are also being improved through iterative feedback,” according to the report. The percentages are an increase from 2023 (72%) and 2022 (63%).
IT hasn’t necessarily been putting the inventory pieces together, either. A 2025 cybersecurity report, also conducted by Ponemon Institute, found that just 42% of 620 IT and cybersecurity practitioners surveyed say their organizations include an asset inventory program.
Define “definitive.” A “definitive view” of an OT architecture, according to the September guidance, includes five principles:
- Defining processes for establishing and maintaining one: For example, will you use passive monitoring tools to analyze network traffic?
- Creating an OT information security management program: Your org could use standards like ISO/IEC 27001, the NCSC wrote.
- Identifying and categorizing assets: Consider levels of criticality, exposure, and availability, the NCSC recommends.
- Identifying and documenting connectivity: What does the asset need to communicate with to perform its function? And what controls secure it?
- Documenting third-party risk: Practitioners should consider trust levels with external partners, as well as contractual obligations, according to the recent guidance.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Let’s say a vulnerability is announced on a turbine control or safety system. It helps to know if there are three or 300 of them on the factory floor. “Without a definitive record, you’re guessing,” Sean Tufts, field CTO for cyber-physical security company Claroty, told IT Brew.
A growing concern. In Q1 2025, OT cybersecurity company Dragos identified 708 global ransomware incidents impacting industrial entities—an increase from “approximately 600 incidents” documented in Q4 2024.
“The intensifying convergence of IT and OT further amplified operational impacts, causing IT disruptions to cascade into operational environments,” Dragos wrote in a May 2025 post.
As IT and OT converge on the factory floor, Arrowsmith says IT and OT teams must come together as well—perhaps by finding IT security champions within OT engineering communities and bringing them into awareness training and security programs.
Fortinet’s 2025 report revealed that 66% of respondents expect increased regulation and security compliance requirements in five years or fewer.
As OT becomes a C-suite concern, the term definitive is important, Tufts said.
“Our CEOs, our CTOs, our CIOs are going to start asking: ‘What is our definitive record?’” he told IT Brew. “It will no longer be okay to say, ‘We’ll get back to you next week.’”