The Australian Cyber Security Centre publishes guidance for operational technology owners and operators to create and maintain asset inventories and risk management.

August 17, 2025

It is common for Australian companies and organisations to refer to liaising with the Australian Cyber Security Centre, amongst other authorities and agencies, after a data breach. It is so common that it is now boilerplate. All of that relates to damage mitigation. What is less common is organisations using the guides prepared by the ACSC to improve cyber security so as to prevent data breaches. The ACSC publishes quite good guides, as does the Information Commissioner, even if they tend toward the general. Other resources include standards prepared by NIST and the ISO series. The NIST guides, while highly technical, are the most useful. The UK Information Commissioner publishes guidelines which cover general issues as well as guides relating to UK legislation. Guidelines are already important but will take on greater significance as privacy related litigation grows. The question of whether a defendant acted reasonably and proportionately is likely to be determined on the facts, having regard to appropriate standards and best practice.

On 13 August 2025 the ACSC released Foundations for OT cybersecurity: Asset inventory guidance for owners and operators. For practitioners whose clients manage critical infrastructure it is an important document. It is generally useful in setting out the methodology for ordering and prioritising assets which may be the subject of internet access.

The Executive Summary provides:

When building a modern defensible architecture, it is essential for operational technology (OT) owners and operators across all critical infrastructure sectors to create an OT asset inventory supplemented by an OT taxonomy. Using these tools helps owners and operators identify which assets in their environment should be secured and protected, and structure their defenses accordingly to reduce the risk a cybersecurity incident poses to the organization’s mission and service continuity.

An asset inventory is an organized, regularly updated list of an organization’s systems, hardware, and software. For OT environments, a key part of creating an asset inventory is developing an OT taxonomy: a categorization system that organizes and prioritizes OT assets, aids in risk identification, vulnerability management, and incident response by classifying assets based on function and criticality.

This guidance outlines a process for OT owners and operators to create an asset inventory and OT taxonomy. This process includes defining scope and objectives for the inventory, identifying assets, collecting attributes, creating a taxonomy, managing data, and implementing asset life cycle management. These steps define a thorough and systematic approach to creating and maintaining an OT asset inventory and OT taxonomy, enabling organizations to maintain an accurate and up-to-date record of their OT assets.

Furthermore, this guidance outlines how OT owners and operators can maintain, improve, and use their asset inventory to protect their most vital assets. Steps include OT cybersecurity and risk management, maintenance and reliability, performance monitoring and reporting, training and awareness, and continuous improvement. By addressing these areas, organizations can enhance their overall security posture and ensure the reliability and safety of their OT environments.

To illustrate real world examples of OT taxonomies, CISA developed conceptual taxonomies through working sessions with organizations in the Energy Sector and Water and Wastewater Sector (see Appendix B: Taxonomy for Oil and Gas Organizations, Appendix C: Taxonomy for Electricity Organizations, and Appendix D: Water and Wastewater). These are not authoritative taxonomies for these sectors but are meant to help guide sector-specific organizations develop their own asset classification systems.
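The summary above describes the inventory as an attribute-rich record of each asset, the taxonomy as a classification by function and criticality, and life cycle management as keeping that record accurate. The following is an added illustration, not code from the ACSC or CISA guidance and not part of the original post: a small Python model of an OT inventory that builds a function/criticality taxonomy, orders assets for protection (criticality first, then network exposure, which is the prioritisation the post singles out), and flags records needing life cycle attention. The field names, criticality tiers, 90-day verification window and the sample assets are all constructed assumptions; the guidance leaves these choices to each organisation.

```python
"""Minimal OT asset inventory with a function/criticality taxonomy.

Added example code, not part of the ACSC/CISA guidance. The attribute
names, criticality tiers, thresholds and sample assets are constructed
assumptions used only to illustrate the process the guidance describes.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed criticality tiers, most critical first. Unknown tiers sort last.
CRITICALITY_RANK = {"safety": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class OTAsset:
    asset_id: str
    name: str
    function: str           # taxonomy category, e.g. "control", "safety"
    criticality: str        # one of CRITICALITY_RANK
    zone: str               # network zone / segment the asset sits in
    internet_reachable: bool
    owner: str
    last_verified: date     # when the record was last confirmed in the field
    firmware: str = ""      # blank means the attribute has not been collected


def build_taxonomy(assets: List[OTAsset]) -> Dict[str, Dict[str, List[str]]]:
    """Group asset ids by function, then by criticality."""
    taxonomy: Dict[str, Dict[str, List[str]]] = {}
    for a in assets:
        taxonomy.setdefault(a.function, {}).setdefault(a.criticality, []).append(a.asset_id)
    return taxonomy


def prioritise(assets: List[OTAsset]) -> List[OTAsset]:
    """Order assets for protection: higher criticality first, and within a
    tier, internet-reachable assets ahead of isolated ones."""
    return sorted(
        assets,
        key=lambda a: (CRITICALITY_RANK.get(a.criticality, 99), not a.internet_reachable, a.asset_id),
    )


def inventory_gaps(assets: List[OTAsset], today: date, max_age_days: int = 90) -> Dict[str, List[str]]:
    """Life cycle check: flag records with unknown criticality, missing
    attributes, stale verification, or a high-criticality asset exposed
    to the internet (a risk-management finding, not an inventory error)."""
    findings: Dict[str, List[str]] = {}
    for a in assets:
        issues = []
        if a.criticality not in CRITICALITY_RANK:
            issues.append("unknown criticality")
        if not a.firmware:
            issues.append("firmware not recorded")
        if (today - a.last_verified).days > max_age_days:
            issues.append("verification stale")
        if a.internet_reachable and a.criticality in ("safety", "high"):
            issues.append("high-criticality asset reachable from internet")
        if issues:
            findings[a.asset_id] = issues
    return findings


# Constructed sample inventory for a fictional pump station.
TODAY = date(2025, 8, 17)
SAMPLE_ASSETS = [
    OTAsset("PLC-01", "Pump station PLC", "control", "high", "L1-process", False, "ops", date(2025, 7, 20), "v2.3"),
    OTAsset("SIS-01", "Safety instrumented system", "safety", "safety", "L1-safety", False, "safety-eng", date(2025, 8, 1), "v5.0"),
    OTAsset("HMI-01", "Operator HMI", "supervisory", "medium", "L2-supervisory", False, "ops", date(2025, 3, 1), "v11"),
    OTAsset("RTU-07", "Remote RTU on cellular link", "control", "high", "L1-remote", True, "ops", date(2025, 8, 10), ""),
    OTAsset("HIST-01", "Process historian", "data", "low", "L3-dmz", True, "it", date(2025, 8, 5), "v3.1"),
]

if __name__ == "__main__":
    for fn, tiers in build_taxonomy(SAMPLE_ASSETS).items():
        print(fn, tiers)
    print("protection order:", [a.asset_id for a in prioritise(SAMPLE_ASSETS)])
    for asset_id, issues in inventory_gaps(SAMPLE_ASSETS, TODAY).items():
        print(asset_id, "->", "; ".join(issues))
```

Run as a script, the taxonomy groups the two controllers under control/high, the protection order puts the safety system first and the internet-reachable RTU ahead of the isolated PLC, and the gap check reports the RTU's missing firmware attribute and exposure together with the HMI's stale verification. The exposure flag is the point at which the inventory feeds risk management: the record itself may be complete, but the combination of attributes is what tells the owner where to look first.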
