CISA[1] recently released guidance focused on creating an Operational Technology (OT) asset inventory and taxonomy. That guidance was arguably the clearest public playbook for building an OT asset inventory that drives risk reduction in critical infrastructure organizations. Now there’s a follow-up: a joint guide on creating and maintaining a definitive view of your OT architecture, this time led by the United Kingdom’s National Cyber Security Centre. It defines a principles-based approach to build, maintain, and store your system understanding across both greenfield and brownfield deployments.
If the inventory guidance told you what to track, this new document tells you how to keep the whole picture true over time. That may be an even more difficult challenge, as it involves change control, operations personnel, third-party dependencies, and governance. Think of it as the connective tissue between asset intelligence and a defensible, living architecture. Importantly, this guidance is not a step-by-step guide of activities to perform, but rather ideas to consider when building and maintaining your operational programs.
So What Is This Guidance?
The introduction calls out what most of us feel daily: OT environments are more connected than ever (enterprise IT, vendors, cloud), threat actors are targeting them, and many organizations still lack a holistic view, making selecting and designing security controls difficult. The guide uses the idea of a definitive record: a continually updated, accurate, authoritative view of the system that evolves with every change.
The guidance focuses on building a holistic view of your OT operations and assets so that you can assess risk and implement security goals with an accurate focus on the criticality and impacts of the systems you are managing. The definitive record will not be a single document. It will be a collection of documents, and you need to know how each one is maintained and how its accuracy is ensured.
What’s Inside (and How it’s Organized)
The guide is intentionally concise and organized around five key principles.
“A definitive record describes a continually updated, accurate and up-to-date view of the system (or element of a system). [It] will change over time with all system changes recorded to maintain its accuracy and authority.”
Introduction
The introduction defines what a definitive record is and, because building a comprehensive definitive record of all OT systems is difficult and requires a structured approach, gives three ways to prioritize which systems to record first.
- Impact
- Third-Party Connections
- Exposure of the System
The Introduction ends with a glossary of terms used in the document.
Principle 1: Define Processes for Establishing and Maintaining the Definitive Record
The first principle focuses on creating (or improving) a change management process, and frames the design of that process around three key questions.
- How will information be collected?
The guidance provides a sample of possible information sources but does not attempt to be comprehensive. The importance of a documented, systematic approach to information collection is emphasized.
- How will information be validated?
Similarly, the approach to validating information must be documented and systematic. The goal is a complete and accurate source of truth that matches the “as is” state of the OT systems.
- How will the definitive record be maintained?
There should be a change management process in place that ensures systematic review, approval, and documentation of changes. The need for training personnel on the change management processes is also highlighted.
Principle 2: Establish an OT Information Security Management Program[2]
This principle is not about the OT cybersecurity program itself; it draws attention to the wealth of knowledge the definitive record of the OT environment will contain and the need to protect that information from exposure. It again uses three guiding questions to consider when building the OT information security management program.
- What is in scope?
The guide identifies five categories of information to include as part of your OT information security management program:
- Design information
- Business information
- Identity and authorization data
- Operational data
- Cyber and safety risk assessments
- What is the value of the information to an attacker?
Attackers generally use OT information to inform their understanding of your environment, identify potential targets in your environment, and finally to exploit their target and achieve their objectives. You can use threat modeling to identify the value of various pieces of information to an attacker and then focus your information security measures on the most critical sources of information an attacker might seek to access.
- How do you secure your OT information?
Since this principle is focused on information about your OT operations, the guide recommends focusing on the traditional CIA triad of Confidentiality, Integrity, and Availability of the information. Your “IT” information security program probably already addresses some of these issues, but the guidance focuses on the need to include a review of OT information as part of your information security program.
Principle 3: Identify and Categorize Assets to Support Informed Risk-based Decisions
This is where the lack of step-by-step guidance is most obvious. Rather than a process for categorizing your assets, this principle focuses on criteria to use when categorizing your assets. It focuses on three main factors which should be considered in creating your categorization model.
- Criticality: how important is the asset from a business, safety, or security perspective?
- Exposure: how connected is the asset to the wider OT, business, or (hopefully not) public networks?
- Availability: how often or when does the asset need to be available to users or other systems?
Principle 4: Identify and Document Connectivity
The guidance recognizes that standalone, air-gapped systems are generally not how OT environments are deployed or managed, so it focuses on identifying and documenting the connectivity that does exist, and uses five guiding questions to highlight what should be in your definitive record.
- What does the asset need to communicate with?
- What communication protocols are required, and how are they secured?
- What architectural security controls are implemented?
- What are the network constraints in your OT environment?
- Would a compromise allow an attacker to bypass existing controls?
Principle 5: Understand and Document Third-party Risks
The definitive record should include documentation of third-party risks, especially for those third parties connecting to your network. The definitive record should capture:
- What entities are involved in the external connection?
- What are the contractual requirements imposed by the third party?
- Is the third party installing any out-of-band access?
What The Guide Gets Right
This guide provides several important and helpful ideas.
1. Big-Picture View
It elevates the scope from “assets” to “architecture” and “operations.” The guide explicitly treats operations as the combination of people, processes, and technology. It focuses on how these elements interact and function together, rather than just on computers and documents. That aligns with how real incidents unfold and how real OT organizations actually operate.
2. Focus on Change Management
By rooting the definitive record in change management, the document bakes in the idea that your diagrams and inventories must evolve as fast as your plants do. Many OT organizations have an asset inventory – but it isn’t up-to-date, accurate, or maintained.
3. Focus on Connectivity – Both Internal and External
It treats connectivity as first-class risk data. Principle 4 pushes you to document both internal and external connectivity. This is crucial for understanding attack paths, choke points, and where segmentation will matter most.
4. Ties into Other Guidance
As we mentioned at the start, this flows from, and pairs naturally with, CISA’s recent OT Asset Inventory guidance. The asset inventory work gives you canonical attributes to gather; this guide tells you how to stitch them into an authoritative, continuously correct architecture model.
5. Highlight of Ransomware Threat
Principle 3, on securing the information about your OT operations, correctly highlights the ransomware threat. Many cybersecurity incidents affecting OT operations are ransomware events. Ransomware does not even need to get into the OT environment to cause an impact on operations.
Where It Could Be Stronger (Constructive Gaps)
No guidance or document is ever perfect. There are some things that need to be fleshed out before this can be implemented by your organization.
1. Minimum “Definitive Record” Deliverables
A short appendix that lists the must-have documents would speed adoption, especially for smaller operators. A starter list of things to include would be:
- Zone and Conduit Diagrams
- Trust Boundaries
- Remote Access Flows
- Configuration Repositories (with change control)
- User and Service Accounts
2. Metrics and Maturity
This was one of our critiques of the OT Asset Inventory guidance, as well. The guide does not define metrics or a maturity ladder for building your OT architecture definitive record over time, although it does nod at the need to prioritize where you perform the first work on this project.
3. Normative Mappings
While other standards and frameworks are mentioned, there’s no explicit mapping of each principle to other frameworks, which would make compliance and internal communications easier (again, echoing a wish from the inventory review).
A Roadmap for Implementing This Guidance
The following is a sample timeline for implementing this guidance to drive risk reduction within your organization.
Days 0–30: Lay the Groundwork
Begin laying the groundwork for building your definitive record and improving your change management programs.
- Name an accountable owner and set governance
- Ensure executive leadership involvement and support
- Review Information Security Program
  - You probably already do a lot of the activities included in developing the definitive record
- Define a simple change-control gate (especially if this isn’t already managed)
  - Identify something that can be enforced and added relatively easily
  - Examples may be no commissioning/decommissioning activities or remote-access changes without updating the definitive record
- Begin Data Collection
  - Identify initial sources of information to be collected and begin the process of identifying sources of truth
Days 31–60: Start to Bring Things Together
Begin the process of bringing disparate information sources together into a cohesive view of your OT architecture.
- Produce level-based zone & conduit diagrams
- Document all external and internal connectivity (WAN, vendor tunnels, IT/OT links, cloud, etc.)
- Overlay third-party dependencies and data flows
- Validate collected information and records
  - This will be ongoing, but it’s easier if you think about how you’ll validate information as part of collecting that information
Days 61–90: Make It Work for Risk and Operations
- Tie your definitive record to your risk register and framework of record
- Run a KEV sweep against exposed paths and remotely reachable assets to prioritize mitigations (something we recommended alongside CISA’s inventory guidance, as well)
- Socialize the definitive record with operations
- Publish a lightweight process for keeping it current (e.g. update within 5 business days of any approved change)
- Use the definitive record to identify a use case which will help Operations or Engineering do their jobs
  - The best way to get ongoing buy-in from non-security people is to make their lives easier
  - Examples may be having an accurate network map they can use, or supporting their case for replacing or augmenting that one device out in the field which they always complain about
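As an added illustration (not from the guidance or from this post), the script below models a small constructed definitive record: assets with their Principle 3 criticality, documented conduits from Principle 4 (third-party links from Principle 5 folded in as external entry points), and a stand-in KEV list. It derives each asset's exposure as hop count from outside over the documented conduits, then performs the KEV sweep from the 61–90 day plan, ranking reachable KEV-affected assets by exposure and criticality. All asset names, zone labels, product strings and CVE placeholders are constructed.

```python
from collections import deque

# Constructed sample definitive record: Principle 3 factors per asset plus a product string for KEV matching.
ASSETS = {
    "hist-01":   {"zone": "DMZ",     "criticality": 2, "product": "vendor-a:historian:3.1"},
    "eng-ws-01": {"zone": "L3-OPS",  "criticality": 3, "product": "vendor-b:eng-ws:2.0"},
    "hmi-03":    {"zone": "L2-SUPV", "criticality": 4, "product": "vendor-d:hmi:7.2"},
    "plc-07":    {"zone": "L1-CELL", "criticality": 5, "product": "vendor-c:plc:1.4"},
    "plc-12":    {"zone": "L1-CELL", "criticality": 5, "product": "vendor-c:plc:1.4"},
    "plc-99":    {"zone": "L1-ISO",  "criticality": 5, "product": "vendor-c:plc:1.4"},  # no documented conduit
}

# Documented conduits (Principle 4): (source, destination, protocol).
# "EXTERNAL" stands for any IT, vendor or cloud entry point, including Principle 5 third-party links.
CONDUITS = [
    ("EXTERNAL", "hist-01", "https"),               # IT/OT historian replication
    ("EXTERNAL", "eng-ws-01", "vpn"),               # vendor remote-access tunnel
    ("hist-01", "hmi-03", "opc-ua"),
    ("eng-ws-01", "plc-07", "vendor-proprietary"),
    ("hmi-03", "plc-12", "modbus-tcp"),
]

# Constructed stand-in for a KEV feed: product string -> known exploited vulnerability id (placeholders).
KEV = {"vendor-c:plc:1.4": "PLACEHOLDER-CVE-A", "vendor-d:hmi:7.2": "PLACEHOLDER-CVE-B"}

def hops_from_external(conduits):
    """Breadth-first walk over documented conduits: hop count from any external entry point.
    Assets missing from the result have no *documented* path from outside, so this is only
    as trustworthy as the record itself (hence Principle 1's emphasis on validation)."""
    adj = {}
    for src, dst, _proto in conduits:
        adj.setdefault(src, []).append(dst)
    hops, queue = {"EXTERNAL": 0}, deque(["EXTERNAL"])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in hops:          # first visit is the shortest path in an unweighted graph
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    hops.pop("EXTERNAL")
    return hops

def kev_sweep(assets, conduits, kev):
    """Rank remotely reachable assets whose product has a KEV entry: fewer hops from outside
    (more exposed) first, ties broken by higher criticality. Returns [(asset, kev_id, hops)]."""
    hops = hops_from_external(conduits)
    hits = [(hops[aid], -a["criticality"], aid, kev[a["product"]])
            for aid, a in assets.items() if aid in hops and a["product"] in kev]
    return [(aid, vid, h) for h, _, aid, vid in sorted(hits)]
```

Note that plc-99 shares the affected product but never appears in the sweep because the record holds no conduit to it; an undocumented connection would hide it the same way, which is the risk the validation step in Principle 1 exists to catch.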
Bottom line
This joint guidance is small but mighty. The guidance included in it can upgrade your program from a one-time inventory to a living, governed architecture. Pair it with your asset inventory and use the 90-day plan above to start driving real risk reduction, and capturing those wins to help ensure stakeholder buy-in.
Ready to Take Action?
At Enaxy, we help asset owners translate guidance into action. This means standing up change-managed definitive records, reconciling drawings with observed traffic, and phasing segmentation in brownfield environments without operational drama. Whether you’re starting from scratch or enhancing an existing system, we tailor solutions that integrate seamlessly with your workflows and security goals. Contact us at info@enaxy.com to explore how we can help you leverage CISA’s guidance and elevate your OT cybersecurity maturity. Let’s turn asset data into actual systems understanding.
[1] And partners – including FBI, the UK’s NCSC, BSI, NCSC-NL, ACSC, the Canadian Centre for Cyber Security, and NCSC-NZ.
[2] The original document, being from the UK, uses European spellings. We will use American spellings unless it is a direct quote.