The National Cybersecurity Center of Excellence (NCCoE) at NIST is launching a cross-sector operational technology (OT) asset visibility project targeting energy and water utilities. The initiative responds to a consistent finding that asset management is the single largest cybersecurity challenge across critical infrastructure sectors.
NCCoE Director Cherilyn Pascoe announced the project on April 16 at GovCIO's "CyberScape" conference in Arlington, Virginia, describing it as a deliberate pivot from sector-specific guidance toward a unified, cross-sector approach. The announcement follows multi-sector consultations in which asset management and asset visibility emerged as the top shared challenge across critical infrastructure operators, according to Pascoe.
Background
The project builds on earlier NCCoE work that addressed individual sectors in isolation. In recent years, the NCCoE completed a water and wastewater cybersecurity project and released draft guidance to help transit agencies implement the NIST Cybersecurity Framework, according to Federal News Network. The center also published NIST SP 1800-23, its Energy Sector Asset Management practice guide, which demonstrated automated OT asset discovery, baselining, and alerting for energy utilities using commercially available technologies from collaborators including Dragos and Forescout Technologies.
Deteriorating conditions in OT environments underscore the urgency of the new effort. Research from Forescout Technologies found that ICS cybersecurity risk hit a record in 2025, with 508 advisories covering 2,155 vulnerabilities - the highest volume since tracking began - including a sharp rise in high-severity flaws affecting field controllers, PLCs, and SCADA systems. The report also identified dangerous visibility gaps, with many disclosures lacking corresponding central advisories that defenders could act upon.
Details
The core challenge the NCCoE project targets is structural. Pascoe noted that achieving visibility is particularly difficult in industrial control systems due to legacy equipment and geographically distributed environments. Many OT operators lack a complete and accurate device inventory; without one, patch prioritization and anomaly detection against a known baseline are not operationally feasible.
NCCoE's earlier energy sector asset management framework specified that a viable OT asset management solution must be able to discover assets connected to a network; capture asset attributes such as manufacturer, model, operating system, IP addresses, MAC addresses, protocols, patch-level information, and firmware versions; and continuously alert operators to newly connected or disconnected devices, according to NIST SP 1800-23. The new cross-sector initiative is expected to extend this model to water and wastewater systems and align inventories across sector boundaries using standardized classification schemes.
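The discover, baseline and alert capability described above can be sketched as a reconciliation of an observed device list against a stored baseline. This is an added example, not code from NIST SP 1800-23 or the NCCoE; the record field names and the sample devices are constructed assumptions, and it goes slightly beyond the text by also flagging attribute drift (for example, a firmware version that no longer matches the baseline).

```python
"""Added example: reconcile an observed OT device list against a baseline."""

# Attributes named in the article's summary of SP 1800-23; the key names are assumptions.
TRACKED = ("manufacturer", "model", "os", "ip", "protocols", "patch_level", "firmware")


def normalize_mac(mac):
    """Canonicalize MACs so '00-1A-2B...' and '00:1a:2b...' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def index_by_mac(records):
    """Key each inventory record by its canonical MAC address."""
    return {normalize_mac(r["mac"]): r for r in records}


def reconcile(baseline, observed):
    """Return sorted (event, mac, detail) tuples for every deviation from baseline."""
    base, seen = index_by_mac(baseline), index_by_mac(observed)
    events = [("NEW_DEVICE", m, seen[m].get("ip", "")) for m in seen.keys() - base.keys()]
    events += [("DEVICE_MISSING", m, base[m].get("ip", "")) for m in base.keys() - seen.keys()]
    for mac in base.keys() & seen.keys():
        for attr in TRACKED:
            old, new = base[mac].get(attr), seen[mac].get(attr)
            if old != new:  # drift on a known device, e.g. an unplanned firmware change
                events.append(("ATTRIBUTE_CHANGED", mac, f"{attr}: {old!r} -> {new!r}"))
    return sorted(events)


# Constructed sample data (not from the article or from SP 1800-23).
BASELINE = [
    {"mac": "00:1A:2B:00:00:01", "ip": "10.0.5.10", "manufacturer": "ExampleCo",
     "model": "PLC-100", "firmware": "2.1.0", "protocols": ["modbus"]},
    {"mac": "00:1A:2B:00:00:02", "ip": "10.0.5.11", "manufacturer": "ExampleCo",
     "model": "RTU-7", "firmware": "1.4.2", "protocols": ["dnp3"]},
]
OBSERVED = [
    {"mac": "00-1a-2b-00-00-01", "ip": "10.0.5.10", "manufacturer": "ExampleCo",
     "model": "PLC-100", "firmware": "2.3.0", "protocols": ["modbus"]},
    {"mac": "00:1A:2B:00:00:99", "ip": "10.0.5.77", "manufacturer": "Unknown",
     "model": "", "firmware": "", "protocols": ["modbus"]},
]

if __name__ == "__main__":
    for event in reconcile(BASELINE, OBSERVED):
        print(*event, sep=" | ")
```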
For water utilities specifically, the NCCoE has previously identified asset management, data integrity, remote access, and network segmentation as the four primary areas of cybersecurity concern raised by water and wastewater sector stakeholders. Inter-agency data sharing and achieving sufficient asset classification granularity across heterogeneous legacy device populations remain active technical challenges in a cross-sector context.
The NCCoE operates through Cooperative Research and Development Agreements (CRADAs), assembling technology partners ranging from Fortune 50 companies to specialized industrial security firms to build modular, standards-aligned reference solutions documented in the NIST Special Publication 1800 series.
Broader OT incident response considerations add further complexity. OT incident response differs fundamentally from IT response because isolating a compromised system may shut down a critical process, requiring response plans to account for operational continuity and physical safety, according to NIST SP 800-82r3. Balancing security controls against operational continuity requirements is expected to be a central design tension in the cross-sector pilot.
Outlook
Pascoe has not disclosed a timeline for a published practice guide or formal Federal Register notice soliciting technology collaborators. The NCCoE typically issues a concept paper or project description for public comment before opening a consortium for industry participation. The cross-sector pilot is expected to inform regulatory reporting requirements by providing a replicable methodology for unified OT asset inventories, which regulators across energy and water sectors have increasingly referenced in proposed rulemaking. A NIST SP 1800-series practice guide consolidating cross-sector findings would be the first such publication to address OT asset visibility at the multi-sector level.
