MailGuard Aug 27, 2025 2:05:43 PM 7 MIN READ

CISA’s new OT playbook just dropped: here’s how partners can turn it into value

If your clients run plants, pumps or production lines, this matters. A new joint guide led by CISA and co-authored with the EPA, NSA, FBI and five Five Eyes and EU counterparts (including ASD) sets a crisp baseline for how operational technology (OT) owners should build and use an asset inventory, plus the taxonomy that makes it useful. It’s published TLP:CLEAR (shareable) and dated 13 August 2025, so you can act on it with customers today.

What the guidance says

1) Inventory + taxonomy are non-negotiable.
CISA calls an OT asset inventory “essential,” and pairs it with an OT taxonomy, a consistent way to classify and prioritise assets by function and criticality so owners can decide what must be protected first. The goal: reduce the risk to mission and service continuity.

2) Benefits that business leaders will get.
The guide lists the practical upsides partners can sell: better organisation and retrieval of information, common language across teams, sharper decisions (maintenance, upgrades), cost savings from reduced downtime, and stronger analytics for continuous improvement.

3) A step-by-step method partners can deliver.
The authoring agencies recommend a clear sequence you can turn into a project plan:

  • Define scope & governance; assign roles; set boundaries.
  • Identify assets & collect attributes via physical inspection and logical survey; prioritise key fields such as protocols and criticality.
  • Create the taxonomy (and keep it current); present relationships in tables or charts; review with stakeholders.
  • Manage the data in a central system with appropriate security controls.
  • Implement life-cycle management from acquisition to decommissioning, with mandatory inventory updates for any change – even under emergency authority.

4) What to do after you’ve built it.
Use the inventory to drive:

  • Risk management tied to CISA’s Known Exploited Vulnerabilities (KEV) and the CVE database; prioritise compensating controls for unpatchable systems.
  • Architecture and monitoring aligned to segmentation, access management and continuous detection; map threats to MITRE ATT&CK for ICS and CAPEC.
  • Maintenance & reliability with cyber-informed engineering and spare-parts planning for critical assets.
  • Performance reporting, ownership and training so the inventory stays accurate and actionable.
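As an added illustration (example code written for this post, not part of the CISA guide or MailGuard’s tooling), the short Python script below shows how an inventory record carrying the taxonomy fields discussed above (function, criticality, protocol, known CVEs, patchability) can be scored against a KEV list to give each asset a patch-first or compensating-control action. The KEV ids, CVE ids and asset rows are constructed placeholders, not real identifiers.

```python
"""Prioritise OT inventory records against a KEV list (added example)."""
from dataclasses import dataclass, field

# Constructed sample KEV feed: placeholder ids, not real CVE numbers.
KEV_IDS = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"}

@dataclass
class OTAsset:
    asset_id: str
    function: str        # taxonomy: e.g. "control", "safety", "monitoring"
    criticality: int     # 1 (low) .. 5 (mission-critical)
    protocol: str        # key attribute from the guide's survey step
    cves: list[str] = field(default_factory=list)
    patchable: bool = True

def score(asset: OTAsset) -> int:
    """Risk score: criticality, weighted up if any CVE is on the KEV list."""
    kev_hits = sum(1 for c in asset.cves if c in KEV_IDS)
    return asset.criticality * (10 if kev_hits else 1) + kev_hits

def prioritise(assets: list[OTAsset]) -> list[dict]:
    """Return assets sorted by score, each with a recommended next action."""
    out = []
    for a in sorted(assets, key=score, reverse=True):
        kev = [c for c in a.cves if c in KEV_IDS]
        if kev and not a.patchable:
            action = "compensating control (segment/monitor)"
        elif kev:
            action = "patch first (KEV)"
        elif a.cves:
            action = "schedule patch"
        else:
            action = "no known CVE; keep inventory current"
        out.append({"asset_id": a.asset_id, "score": score(a),
                    "kev": kev, "action": action})
    return out

# Constructed inventory, shaped like the attributes the guide asks you to collect.
SAMPLE_INVENTORY = [
    OTAsset("PLC-01", "control", 5, "Modbus/TCP", ["CVE-EXAMPLE-0001"], patchable=False),
    OTAsset("HMI-02", "monitoring", 3, "OPC UA", ["CVE-EXAMPLE-0002"]),
    OTAsset("RTU-03", "control", 4, "DNP3", ["CVE-EXAMPLE-0003"]),
    OTAsset("HIST-04", "monitoring", 2, "SQL", []),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_INVENTORY):
        print(row)
```

The unpatchable PLC on the KEV list lands at the top with a compensating-control action, which is exactly the ordering the guide’s risk-management step asks for.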

5) Sector examples you can adapt.
CISA includes conceptual taxonomies for Oil & Gas, Electricity, and Water/Wastewater. They are not “the standard”, but they are great starting points for partner workshops.

Why this lands squarely in the partner wheelhouse

OT owners know they need visibility. What they often lack is capacity to collect, classify and keep the data current, and to turn it into risk decisions. That’s a partner’s sweet spot.

Meanwhile, email-borne threats are still the easiest bridge into IT that supports OT. Business Email Compromise (BEC) and credential theft rarely look “malicious”, which is why they work, and why they’re so often the starting gun for operational disruptions.

“No alarms… just a quiet inbox.” That’s how many breaches begin, and days later the supplier calls, the investigation starts, and the damage unfolds.

For partners, this means your OT inventory work should connect to the controls that keep adversaries from getting valid credentials in the first place.

A suggested partner-ready service blueprint

Phase 1 – Inventory Sprint (2–6 weeks).

  • Run a scoping workshop with governance mapping and roles.
  • Perform a mixed physical + logical asset sweep; populate high-priority attributes.
  • Stand up an asset store (CMDB/AM system) with security controls.

Phase 2 – Taxonomy & Risk.

  • Build the OT taxonomy with sector templates; visualise dependencies.
  • Map assets to KEV, CVE and ATT&CK for ICS; produce an “exposure heatmap”.

Phase 3 – Controls & Reporting.

  • Recommend segmentation, access and monitoring improvements; align maintenance with risk findings.
  • Deliver performance and ownership metrics so the inventory doesn’t decay.

Phase 4 – Human & Email Layer.

  • Close the most common entry route with MailGuard's AI-powered advanced email threat protection, reducing BEC-driven credential theft that often precedes OT impact.

Talk tracks for your next customer meeting

  • “We’ll build the single source of truth for your plants and networks, then use it to drive patching priorities tied to CISA’s KEV.”
  • “We’ll classify what matters most and show you where one weak asset can halt production.”
  • “We’ll connect that inventory to threat reality, the phishing and BEC attempts targeting your team every day, and close the credential gap at the email layer.”

What partners should do this quarter

  1. Package the guidance as a fixed-price assessment. Two options: “Inventory QuickStart” for smaller utilities and “Taxonomy & Risk Accelerator” for multi-site operators. Deliver a board-level report with heatmaps and a 90-day plan.
  2. Offer a managed OT inventory service. Own the quarterly review, attribute hygiene, and change-driven updates; include performance dashboards and training & awareness refreshers.
  3. Tie vulnerability work to KEV and ATT&CK. Prioritise exploited flaws and known attack patterns; show measurable reduction in exposure.
  4. Harden the inbox. Deploy MailGuard alongside Microsoft 365 to cut off BEC/credential theft that fuels lateral movement into the environments your inventory now reveals. Then report time-to-detect and “miss-rate” as KRIs executives understand.

The partner’s role: be the translator and the tempo

Your clients don’t need a longer to-do list; they need momentum. The CISA guide gives the blueprint; you provide the cadence, the talent, and the link between asset reality and cyber risk. When you pair OT visibility with email threat prevention and executive-ready reporting, you’re not just selling projects, you’re protecting uptime, safety and brand trust. If you’d like support, our partner team are here to help.

Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk, for example a specialist AI-powered email threat detection solution like MailGuard.

For a few dollars per staff member per month, businesses are protected by MailGuard's specialist, zero zero-day email security. Special Ops for when speed matters! Our real-time zero zero-day email threat detection amplifies your client’s intelligence, knowledge, security and defence.

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.

Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993
