Guidelines from the UK Cyber Security Agency

How to document your OT without breaking down (part 1)

René Krause
Teamlead Service
Jan 7, 2026
3 min

At the end of September 2025, the guide “Creating and maintaining a definitive view of your Operational Technology (OT) Architecture” was published. The requirements can seem overwhelming, especially for small and medium-sized enterprises. Let's prioritize.

What’s this document about?

“Creating and maintaining a definitive view of your OT architecture” was published on September 29, 2025, by the UK National Cyber Security Centre (NCSC). The guide describes in five steps how companies can build and maintain a complete understanding of their OT networks and systems and the associated risks. This documentation is considered the basis for subsequently securing operational technology throughout its entire life cycle.

The document does not apply exclusively to the UK. The German Federal Office for Security in Information Technology (BSI), FBI, and CISA, as well as the respective authorities in Australia, Canada, and New Zealand, were involved as co-authors. Interested parties from IT and OT can access the concentrated knowledge as a multi-part website and as a PDF.

Wow, that's a lot of work, right?

The guide breaks down the project of building comprehensive documentation of your OT infrastructure into five core principles or steps. At first glance, the requirements can seem overwhelming. However, those responsible in industrial companies should not lose heart. The guide is written as a big wish list, in the spirit of “this is how you do it if you want to do it absolutely perfectly AND have the resources to do so.”

Of course, the Pareto principle can and probably must also be applied here. Pick the low-hanging fruit. Progress step by step. The main thing is to get started, because 60-80% is still better than “nothing” or “ten-year-old documentation in cardboard folders,” which still prevails in many industrial infrastructures today.

Let's break down how you can achieve results as quickly and easily as possible in each step – and how a network-based intrusion detection system like Rhebo Industrial Protector can help you.

Core principle 1: Processes for documentation and maintenance

Task: Identify sources for OT information.
How-to: The guide already provides a reasonable list of relevant sources, though ease of access and information retrieval varies:
  • Asset inventory: If available, half the battle is already won. However, this is rarely the case. Ultimately, its creation is part of this project.
  • System documentation / configurations / SBOM / HBOM: Usually available, but often distributed, isolated, and very extensive. Depends on the supplier.
  • Employees: Excellent source for details and “hidden knowledge” (experience, location-specific implementation), but also subjectively biased.
  • Passive monitoring (Rhebo Industrial Protector): Can create a complete network map within a few minutes (core principle 3) and answer relevant questions about connections and protocols (core principle 4) over a period of a few days.
  • One-time active scanning: Generally only possible during downtime. Creates a snapshot asset inventory, but does not cover most of the requirements of core principle 4.

Task: Define how you want to ensure the completeness, correctness, consistency and timeliness of retrieved and documented OT information.
How-to: This can quickly become a Sisyphean task. It is advisable to compare different sources (e.g., passive monitoring vs. configuration and system documentation vs. expert knowledge). However, the question does not have to be answered fully at the outset; the approach will evolve over time as you gain experience with the reliability of each source.

Task: Define how edits and changes to the OT documentation will be managed.
How-to:
  • Follow best practices for change management.
  • At a minimum, define:
    • who is authorized to make changes (including the approval process)
    • at what intervals and under what circumstances (e.g., installation of new components) changes must be documented
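The second task above, comparing sources to judge completeness and consistency, is easy to describe and tedious to do by hand. The following script is an added example, not part of the guide or of Rhebo's products: it merges three constructed asset lists (a passive monitoring export, supplier configuration documentation, and a list written down by the maintenance team) keyed by IP address, and reports assets that are on the wire but undocumented, assets that are documented but never seen on the network, fields on which the sources disagree, and assets missing from at least one source. The source names, field names and sample records are assumptions for the example.

```python
"""Reconcile OT asset information from several sources (added example).

Each source is a constructed list of records keyed by IP address. The
source names, field names and sample values are assumptions for this
example, not output of any real tool.
"""
from collections import defaultdict

# Constructed sample: what a passive network monitor observed on the wire.
PASSIVE_MONITORING = [
    {"ip": "10.10.1.10", "vendor": "Siemens", "protocols": "S7comm"},
    {"ip": "10.10.1.11", "vendor": "Siemens", "protocols": "S7comm, PROFINET"},
    {"ip": "10.10.1.20", "vendor": "Phoenix Contact", "protocols": "Modbus/TCP"},
    {"ip": "10.10.1.99", "vendor": "Unknown", "protocols": "HTTP"},
]

# Constructed sample: supplier configuration documentation / exports.
CONFIG_DOCS = [
    {"ip": "10.10.1.10", "hostname": "PLC-LINE1", "vendor": "Siemens", "firmware": "V4.5"},
    {"ip": "10.10.1.11", "hostname": "PLC-LINE2", "vendor": "Siemens", "firmware": "V4.5"},
    {"ip": "10.10.1.20", "hostname": "IO-LINE1", "vendor": "Wago", "firmware": "03.x"},
    {"ip": "10.10.1.30", "hostname": "HMI-OLD", "vendor": "Siemens", "firmware": "V13"},
]

# Constructed sample: what the maintenance team wrote down from memory.
EXPERT_KNOWLEDGE = [
    {"ip": "10.10.1.10", "hostname": "PLC-LINE1", "location": "Hall A, cabinet 3"},
    {"ip": "10.10.1.11", "hostname": "PLC-LINE2", "location": "Hall A, cabinet 4"},
    {"ip": "10.10.1.20", "hostname": "IO-LINE1", "location": "Hall B, cabinet 1"},
]

SOURCES = {
    "passive_monitoring": PASSIVE_MONITORING,
    "config_docs": CONFIG_DOCS,
    "expert_knowledge": EXPERT_KNOWLEDGE,
}


def merge_sources(sources):
    """Build one entry per IP, remembering which source supplied each field."""
    merged = defaultdict(lambda: {"seen_in": set(), "fields": defaultdict(dict)})
    for name, records in sources.items():
        for rec in records:
            entry = merged[rec["ip"]]
            entry["seen_in"].add(name)
            for field, value in rec.items():
                if field != "ip":
                    entry["fields"][field][name] = value
    return merged


def reconcile(sources):
    """Return the findings a documentation owner would act on.

    undocumented: observed on the network but absent from every written source
    unseen:       documented somewhere but never observed by passive monitoring
    conflicts:    a field that has different values in different sources
    incomplete:   assets missing from at least one source (and which ones)
    """
    merged = merge_sources(sources)
    all_names = set(sources)
    findings = {"undocumented": [], "unseen": [], "conflicts": {}, "incomplete": {}}
    for ip, entry in sorted(merged.items()):
        seen = entry["seen_in"]
        if seen == {"passive_monitoring"}:
            findings["undocumented"].append(ip)
        if "passive_monitoring" not in seen:
            findings["unseen"].append(ip)
        missing = all_names - seen
        if missing:
            findings["incomplete"][ip] = sorted(missing)
        for field, by_source in entry["fields"].items():
            # Two or more sources gave different values for the same field.
            if len(set(by_source.values())) > 1:
                findings["conflicts"].setdefault(ip, {})[field] = dict(by_source)
    return findings


def format_report(findings):
    """Render the findings as plain text for the review meeting."""
    lines = []
    lines.append("On the wire but undocumented: " + ", ".join(findings["undocumented"]))
    lines.append("Documented but never seen:    " + ", ".join(findings["unseen"]))
    for ip, fields in findings["conflicts"].items():
        for field, values in fields.items():
            lines.append(f"Conflict {ip} {field}: {values}")
    for ip, missing in findings["incomplete"].items():
        lines.append(f"Incomplete {ip}: missing from {', '.join(missing)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile(SOURCES)))
```

Run as-is, the report flags 10.10.1.99 as an undocumented device, 10.10.1.30 as a documented device that no longer talks on the network, and a vendor conflict for 10.10.1.20 between the monitoring export and the supplier documentation. Each of those three outcomes calls for a different follow-up (investigate, retire or re-verify the entry, and decide which source to trust), which is exactly the experience with source reliability the guide says will accumulate over time.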

In addition to the requirements of the guide, the following naturally applies:

1. Define a responsible person who will be in charge of the project.

2. Avoid trying to do everything at once. Especially when resources are limited and the infrastructure is distributed or complex, it makes sense to start with a defined area of the OT and gradually expand the scope of the project. Start with your central OT before turning your attention to distributed systems (e.g., substations).

Core principle 2: Security of OT information

The “definitive view” of your OT infrastructure is worth more than a crown jewel. For you, it forms the basis for efficient asset management and effective OT security. For attackers, it is a manual for causing maximum havoc. Accordingly, you must be aware of its value and ensure that only authorized persons have access to the information.

However, the first two tasks in the table are more suited to perfectionists (the top 20% of Pareto) and are relevant for refining and specifying specific measures. To get the project up and running, information security should focus on general principles.

Task: Categorize information types.
How-to:
  • Review information sources and document what types of OT information exist in the company (design, business, identity and authorization, operation, security).
  • Document the purpose and characteristics of each piece of information.

Task: Evaluate the relevance of each type of OT information to attackers.
How-to: It can generally be assumed that any information is valuable to attackers. Even the most superficial information, such as “device manufacturer”, can be used to deduce vulnerabilities, connections, location in the infrastructure, and protocols used, all of which are important for an attack.

Task: Prevent the OT documentation from falling into the wrong hands.
How-to:
  • Store the information in a secure cloud, locally, or on-premises.
  • Set up access restrictions. Limit access to the few employees responsible for maintaining the information in the project.
  • Assign read and write permissions according to roles and responsibilities.
  • Create a data backup that is stored without network access (isolated, air-gapped).

Now you can start documenting. The second part of this blog post explains how a passive network-based intrusion detection system (NIDS) enables documentation and helps you collect key information in a structured way.