CISA and Partners Release OT Asset Inventory Guidance for Critical Infrastructure
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) and several international partners have released new guidance to assist operational technology (OT) owners and operators in creating and maintaining comprehensive OT asset inventories and taxonomies. This initiative aims to enhance the security of critical infrastructure sectors by providing deeper visibility into OT assets, thereby reducing risk and ensuring operational resilience. The guidance is a collaborative effort involving the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and cybersecurity agencies from Australia, Canada, Germany, the Netherlands, and New Zealand. OT systems are crucial for the safe and reliable operation of critical infrastructure, including water systems, energy grids, manufacturing, and transportation networks.
Timeline
- 13.08.2025 15:00 · 1 article
CISA and Partners Release OT Asset Inventory Guidance
On August 13, 2025, CISA and several international partners released new guidance to assist OT owners and operators in creating and maintaining comprehensive OT asset inventories. This initiative aims to enhance the security of critical infrastructure sectors by providing deeper visibility into OT assets, thereby reducing risk and ensuring operational resilience.
Sources:
- CISA and Partners Release Asset Inventory Guidance to Strengthen Operational Technology Security - www.cisa.gov - 13.08.2025 15:00
Information Snippets
- OT systems are essential for the core functionality of critical infrastructure, powering process automation, instrumentation, cyber-physical operations, and industrial control systems.
  First reported: 13.08.2025 15:00 · 1 source, 1 article
- The new guidance is a collaborative effort involving CISA, NSA, FBI, EPA, and international cybersecurity agencies from Australia, Canada, Germany, the Netherlands, and New Zealand.
  First reported: 13.08.2025 15:00 · 1 source, 1 article
- The guidance aims to help OT owners and operators create and maintain comprehensive OT asset inventories and taxonomies.
  First reported: 13.08.2025 15:00 · 1 source, 1 article
- The initiative is part of CISA's ongoing priority to secure OT and industrial control systems.
  First reported: 13.08.2025 15:00 · 1 source, 1 article
- The guidance aligns with the Cross-Sector Cybersecurity Performance Goals and helps organizations improve their cybersecurity posture.
  First reported: 13.08.2025 15:00 · 1 source, 1 article
Similar Happenings
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S.

The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. It details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.

The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from purely espionage to gaining long-term access for potential disruption.

45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
Static Tundra Exploits Cisco IOS Flaw for Cyber Espionage
The Russian state-sponsored cyber espionage group Static Tundra, also known as Berserk Bear, Blue Kraken, Castle, Crouching Yeti, Dragonfly, Ghost Blizzard, and Koala Team, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and Cisco IOS XE software to gain persistent access to target networks. The attacks target organizations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. The vulnerability, CVE-2018-0171, allows unauthenticated, remote attackers to execute arbitrary code or trigger a denial-of-service condition. The group, linked to the FSB's Center 16 unit, focuses on long-term intelligence gathering operations.

The FBI and Cisco Talos have issued advisories warning about the ongoing exploitation of CVE-2018-0171 by Static Tundra. The FBI has observed FSB cyber actors exploiting SNMP and end-of-life networking devices that remain unpatched against the vulnerability to target entities in the United States and globally. The attackers collect configuration files for thousands of networking devices and modify them to facilitate unauthorized access. They use custom tools like SYNful Knock to maintain persistence within victim networks. Static Tundra uses publicly available scan data to identify systems of interest and sets up GRE tunnels to redirect traffic to attacker-controlled infrastructure. The group's activities are primarily focused on unpatched, end-of-life network devices to establish access on primary targets and facilitate secondary operations.

The ongoing campaign highlights the importance of maintaining a current inventory of network infrastructure and prioritizing patching for end-of-life devices. The FBI has also warned about the group targeting US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The U.S. Department of State is offering up to $10 million for information on three FSB officers involved in cyberattacks targeting U.S. critical infrastructure.