NIST's National Cybersecurity Center of Excellence (NCCoE) is launching a new operational technology (OT) visibility project, with the center's director citing asset management and visibility as the most commonly reported challenge among critical infrastructure operators.
Cherilyn Pascoe, director of NIST's NCCoE, said the project follows several sector-specific critical infrastructure efforts. Speaking at GovCIO's "CyberScape" conference in Arlington, Virginia, on April 16, Pascoe noted that across multiple conversations with critical infrastructure sectors, "the largest challenge that came up was asset management, asset visibility." NIST will form a consortium with industry and government agencies to advance the project.
Background
The initiative comes amid persistent, well-documented gaps in OT environment awareness across manufacturing, energy, utilities, and logistics. Fewer than 30% of OT networks have visibility across IT/OT boundaries, according to Dragos's 2026 OT Cybersecurity Year in Review. The same report found that 56% of networks below that threshold lack monitoring capabilities, and 88% face challenges with detection and response.
The Cybersecurity and Infrastructure Security Agency (CISA) last year joined several U.S. and international cyber agencies in urging critical infrastructure organizations to inventory their OT assets. Cyber experts have routinely warned that organizations - especially smaller water utilities - need help strengthening defenses against nation-state attacks. The urgency was underscored at the congressional level: Tatyana Bolton, executive director of the Operational Technology Cyber Coalition, told a House Homeland Security Committee hearing that "most sectors have not done an OT asset inventory. So they don't even know what they have."
In August 2025, CISA - alongside the EPA, NSA, FBI, and five international cybersecurity agencies - released comprehensive guidance establishing OT asset inventory as an official Cybersecurity Performance Goal. That guidance highlighted inherent challenges in maintaining an updated OT asset inventory, noting that OT environments often contain diverse systems - including specialized devices, sensors, instrumentation, and legacy equipment - that frequently use unique and proprietary communication protocols.
Details
Effective asset management - maintaining accurate tracking of devices, systems, and their configurations - is a critical foundation for cybersecurity. Asset management within OT networks is particularly challenging due to the diversity of assets and protocols involved. Quantifying the exact number of OT devices in operation is difficult because these devices are built on proprietary systems whose construction varies widely across industries, with many unable to be tracked. Organizations also constantly add and replace devices and sensors; without a centralized inventory, knowing what is connected is nearly impossible.
Many devices still rely on outdated protocols without authentication, flat network architectures, and long hardware lifecycles that make patching or replacement difficult. Critical infrastructure operators cannot accept downtime for comprehensive overhauls, and legacy systems with 20- to 30-year lifespans were not designed for today's cyber threats.
Pascoe said NIST would launch a consortium with industry and government agencies, with the stated goal of demonstrating "how do you leverage existing standards, existing frameworks to be able to enhance visibility" and how to "build an architecture using commercially available technologies that you can buy off the shelf." Pascoe also indicated the project may explore the use of AI to enhance OT visibility, depending on community interest.
Based on stakeholder input, the NCCoE intends to launch a technology demonstration providing practical guidelines for achieving and maintaining OT cybersecurity - starting with asset management - to help organizations establish the foundation for risk assessments and implementation of modern security controls.
Outlook
In 2026, the NCCoE plans to release a project description for public comment and invite collaborators to participate. The project is structured to leverage existing frameworks - including NIST SP 800-82r3, the primary U.S. federal guide for securing industrial control systems, published in September 2023, and NIST CSF 2.0 - rather than introduce wholly new standards. The NCCoE has previously pursued sector-specific cybersecurity work, including a water and wastewater cybersecurity project and a draft framework for transit agencies. The new cross-sector OT visibility initiative represents an effort to generalize those lessons into reusable guidance applicable across manufacturing, utilities, and other critical infrastructure verticals.
