Executive Summary
- What’s new: U.S., U.K. and other international partners have issued new joint guidance for operational technology owners and operators, providing a road map for better understanding and securing OT systems through a “definitive record” of assets.
- Why it matters: The joint guidance, together with the EU’s NIS2 Directive, highlights a converging international approach to OT cybersecurity, emphasizing asset transparency, third-party risk accountability and operational resilience for organizations with interconnected digital and physical systems.
- What to do next: Organizations should consider developing asset-mapping and inventorying capabilities, implementing an OT information security management program, establishing third-party risk management policies and reviewing network security measures to align with the new guidance and evolving regulatory expectations.
__________
The United States’ Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), in collaboration with the United Kingdom’s National Cyber Security Centre and other international partners, have issued new joint guidance for operational technology (OT) owners and operators, providing a road map for better understanding and securing their OT systems.
OT systems increasingly function on an integrated basis with enterprise systems, cloud servers and third parties ranging from business partners to suppliers. The practice of establishing and maintaining a “definitive record” of OT assets can enable organizations to:
- Comprehensively understand this complex and multilayered environment.
- Provide for more precise diagnosis of risks, targeted security measures and business function preservation.
Taken together, the September 29, 2025, joint guidance and the European Union’s NIS2 Directive underscore a converging international approach to OT cybersecurity — one that prioritizes asset transparency, accountability for third-party risk and operational resilience across interconnected digital and physical systems.
OT organizations may want to take account of the new guidance, which incorporates not only technical but also administrative and governance recommendations:
- Owners and operators of OT systems should consider establishing an OT information security management program and identifying, documenting and mitigating third-party risks introduced by vendor connectivity.
- Organizations operating in the EU should also consider how these measures intersect with the NIS2 Directive’s requirements for OT risk management and supply chain security.
New Joint Guidance
The joint guidance establishes a framework approach for organizations to:
- Leverage available data sources.
- Detect vulnerabilities and exposures.
- Triage decision-making about asset management.
Supplementing a publication released in August 2025, “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators,” the joint guidance sets forth five principles that organizations should strive to implement through the development of a “definitive record,” defined as a “continually updated, accurate and up-to-date view of the system.”
The accuracy and authority of the definitive record is predicated on its status as a living document — specifically, as the OT systems undergo changes over time, so too will the definitive record.
Notably, while the guidance stipulates that a definitive record should be created for each OT system that an organization owns, it acknowledges the difficulty of balancing this task with other constraints and therefore recommends prioritizing its adoption for particular systems based on their relation to business function, the extent of third-party connections and overall exposure.
While the guidance is rooted in U.S. and U.K. collaboration, it carries strong parallels with the EU’s NIS2 Directive, which extends cybersecurity obligations to industrial and operational sectors across the EU. Both frameworks emphasize proactive asset management, third-party accountability and continuous risk evaluation.
OT operators in multinational environments may want to ensure that their compliance strategies address overlapping requirements across jurisdictions, particularly where operations or vendors span the U.S., U.K. and EU regulatory landscapes.
- Principle 1: Define processes for establishing and maintaining the definitive record. The information constituting the definitive record should be gathered from various sources — ranging from asset inventories to passive monitoring to point-in-time active scanning — validated according to benchmarks such as completeness, accuracy and consistency, and thereafter maintained to ensure integrity. Organizations should consider implementing change management processes that outline clearly defined duties of personnel to insulate the definitive record against potential distortion over time.
- Principle 2: Establish an OT information security management program. A record should offer a comprehensive view of all relevant asset information distinguished by purpose and property. This information is both highly valued by threat actors and a concentrated source of risk to the organization. The guidance encourages infrastructure owners and operators to implement security controls and leverage existing risk management frameworks, such as ISO/IEC 27001, to protect sensitive OT data.
- Principle 3: Identify and categorize assets to support informed risk-based decisions. Appropriate security controls can only be identified after evaluating an OT asset’s “criticality, exposure, and availability.” The criticality of an asset, for example, varies by the strength of its connection with business, safety and security objectives. The findings related to these factors form a key part of the “definitive record” of an OT asset. These findings, in turn, can support “risk-based decision-making” concerning “security controls, maintenance, and updating.”
- Principle 4: Identify and document connectivity within your OT system. Increasingly connected OT environments can foster business efficiencies and enhance security monitoring. However, they also introduce unknown risks when not properly inventoried. An effective definitive record maps each linkage in the wider system while noting any existing third-party dependency. Once this insight is harnessed, organizations can reduce vulnerability through calculated connectivity design and implementation of architectural security controls, ranging from network flow controls and segmentation to isolation plans.
- Principle 5: Understand and document third-party risks to your OT system. The definitive record shines a light on the third-party risks facing an OT system. The guidance encourages organizations to understand (1) which external entities have connections to, and roles in managing, the OT environment, (2) what contractual requirements attach to such relationships, and (3) what, if any, equipment third parties are installing in your OT environment.
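An added example (not from the guidance or this memorandum) of how Principles 1, 3 and 4 can be operationalized in a small script: three constructed source views (an asset inventory, passive monitoring observations and a point-in-time active scan) are merged into one record, checked against the guidance's completeness, accuracy and consistency benchmarks, and then ranked by criticality and exposure with third-party peers called out. The addresses, firmware values, criticality scale and scoring weights are assumptions made for the example.

```python
# Constructed sample data standing in for the three source types the guidance
# names: an existing asset inventory, passive monitoring and an active scan.
INVENTORY = {  # asset id -> what the CMDB says (criticality 1-3, 3 = highest)
    "PLC-01": {"ip": "10.1.1.10", "fw": "2.3", "criticality": 3},
    "HMI-01": {"ip": "10.1.1.20", "fw": "5.0", "criticality": 2},
    "HIST-01": {"ip": "10.1.2.5", "fw": "1.1", "criticality": 1},
}
PASSIVE = {  # ip -> firmware and peer addresses observed on the wire
    "10.1.1.10": {"fw": "2.3", "peers": {"10.1.1.20"}},
    "10.1.1.20": {"fw": "5.1", "peers": {"10.1.1.10", "203.0.113.7"}},
    "10.1.1.30": {"fw": None, "peers": {"10.1.1.10"}},  # never inventoried
}
ACTIVE = {"10.1.1.10": {"fw": "2.3"}, "10.1.1.20": {"fw": "5.1"}}  # point-in-time scan
THIRD_PARTY_PREFIXES = ("203.0.113.",)  # assumed vendor remote-access address space


def build_definitive_record(inventory, passive, active):
    """Merge all sources into one record keyed by IP, keeping each source's view."""
    record = {}
    for asset_id, attrs in inventory.items():
        ip = attrs["ip"]
        record[ip] = {"id": asset_id, "inventory": attrs,
                      "passive": passive.get(ip), "active": active.get(ip)}
    for ip, seen in passive.items():  # anything on the wire that the CMDB missed
        record.setdefault(ip, {"id": None, "inventory": None,
                               "passive": seen, "active": active.get(ip)})
    return record


def validate(record):
    """Check the record against the benchmarks named in Principle 1."""
    findings = []
    for ip, r in record.items():
        if r["inventory"] is None:
            findings.append(("completeness", ip, "observed on the network but not inventoried"))
        elif r["passive"] is None and r["active"] is None:
            findings.append(("accuracy", ip, "inventoried but never observed"))
        versions = {s["fw"] for s in (r["inventory"], r["passive"], r["active"]) if s and s["fw"]}
        if len(versions) > 1:
            findings.append(("consistency", ip, f"firmware differs across sources: {sorted(versions)}"))
    return findings


def prioritize(record):
    """Rank assets by criticality times exposure; a third-party peer weighs more than an internal one."""
    ranked = []
    for ip, r in record.items():
        peers = r["passive"]["peers"] if r["passive"] else set()
        third_party = sorted(p for p in peers if p.startswith(THIRD_PARTY_PREFIXES))
        criticality = r["inventory"]["criticality"] if r["inventory"] else 3  # unknown: assume highest
        exposure = len(peers) + 3 * len(third_party)
        ranked.append((criticality * (1 + exposure), ip, third_party))
    return sorted(ranked, reverse=True)
```

Run as-is, the findings flag the HMI whose firmware differs between the CMDB and the wire, the historian that has never been observed, and the unknown device talking to the PLC; the ranking puts the HMI with a vendor connection first.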
What To Do Now
As the guidance suggests, marshaling these principles to create a definitive OT record can help develop the holistic view needed for effective OT cybersecurity governance and risk management.
The absence of such a record, conversely, may obscure visibility into asset vulnerabilities, frustrate the adoption of targeted and timely solutions, and ultimately compromise a company’s operational resilience and business continuity.
This joint U.S.-U.K. guidance, coupled with the EU’s NIS2 Directive, reflects an emergent international approach to OT cybersecurity. Regulators across jurisdictions increasingly expect companies to understand and mitigate risk across both OT and information technology environments.
Companies should consider reexamining their existing practices, and in particular should:
- Develop asset-mapping and inventorying capabilities to create a definitive OT record.
- Implement an OT information security management program and tailored set of security measures that sufficiently address issues regarding criticality, exposure and availability of data.
- Implement a third-party risk management policy and evaluate existing contractual arrangements to ensure appropriate audit, monitoring and notification rights are maintained.
- Mitigate network risks presented by third parties, namely by analyzing areas where additional layers of security are permitted or where access to high-value information could be audited or limited.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.