The UK's National Cyber Security Centre (NCSC), in collaboration with international partners including U.S. CISA and the Australian Cyber Security Centre (ACSC), has published guidance calling on Operational Technology (OT) organizations to create and maintain a "Definitive Architecture View" (DAV), also referred to as a definitive record. This is not simply another documentation exercise. The premise is that in complex, highly interconnected OT environments, what you cannot see, you cannot defend.
For cybersecurity professionals navigating the unique risks of industrial control systems (ICS), this guidance represents a necessary and mature shift toward continuous, risk-based defense.
OT systems, the infrastructure that keeps manufacturing lines moving, water pumping, and lights on, have always presented unique security challenges. The NCSC guidance addresses three key stressors that make them hard to defend:
- Undocumented change: Unlike greenfield deployments, brownfield OT environments are characterized by undocumented legacy systems. Temporary fixes become permanent, devices are swapped without record updates, and network paths evolve organically over decades. This fragmented knowledge is a defender's liability.
- Increased connectivity: The air-gapped OT network is largely a myth. Today's OT environments exchange data with enterprise IT, cloud services, and remote vendor management tools, greatly expanding the attack surface.
- Adversarial advantage: Obscurity helps the attacker more than the defender. Every configuration file, diagram, or undocumented device is a piece of valuable intelligence, and an organization that does not maintain a definitive record of its own environment leaves the adversary to build one for it.
"Implementing and maintaining a 'definitive record' will be challenging for critical infrastructure organizations, but is essential and necessary for securing and protecting OT environments. The added context from a definitive record will help document essential components/assets, connectivity, overall system architecture, third-party access, as well as business and impact context," said Kevin E. Greene, Chief Cybersecurity Technologist, Public Sector, at BeyondTrust. "Having a source of truth is extremely important for complex legacy environments. Removing blind spots and lack of visibility in OT environments with a definitive record will help critical infrastructure organizations better defend and protect mission critical systems. This is in line with other industry initiatives like Software Bills of Materials (SBOMs), vulnerability management, asset tracking, and zero trust enforcement to ensure a single, authoritative, accurate, and living source of truth—to inform and enable risk-based cybersecurity and resilience decisions."
Greene continued, "There is a shift and consensus towards prescriptive requirements across Five Eyes and international partners that points to enhancing visibility across OT environments as non-negotiable. These prescriptive requirements will become foundational to inform the implementation of security controls like patching, segmentation, identity protection, and security monitoring. This will help elevate cyber defense and preparedness in responding to, disrupting, and preventing OT cyberattacks. Proactive cybersecurity and posture management is pivotal to combat accelerated cyberattacks."
The DAV, or definitive record, moves beyond a basic asset inventory to capture the context needed for effective cyber risk management. The NCSC guidance organizes this view around five components:
- Components: A detailed asset list covering hardware, software, and virtual systems, with each asset classified by criticality, exposure, and availability requirements.
- Connectivity: Data flows, network paths, protocols in use, external links, and constraints such as latency or bandwidth. This is what exposes lateral movement paths.
- Wider system architecture: The network topology, including security segmentation (zones and conduits), and the redundancy and high-availability provisions in place.
- Supply chain/third-party access: Every vendor, integrator, or service provider that connects to the OT environment, and how each of those connections is protected and managed.
- Business and impact context: The operational, safety, and financial consequences of an asset or connection failing. This is what makes it possible to prioritize defensive spending and incident response.
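The five components above amount to a data model, and a record is only authoritative if it can be checked against itself and against what is actually on the wire. The following Python is an added example written for this article; it is not part of the NCSC guidance and not taken from any vendor product. It models the five components with small dataclasses, computes a SHA-256 digest of the canonical form so that unauthorized edits to the record are detectable, and runs consistency checks that surface the problems the text describes: flows that reference assets missing from the component list, cross-zone flows with no documented conduit, high-criticality assets with no impact statement, third-party access with undocumented controls, and observed flows absent from the record (undocumented change). Every asset name, zone, protocol, vendor, and flow is constructed for illustration; `build_sample` stands in for whatever inventory and passive-monitoring sources a real organization would use.

```python
"""Toy definitive-record model with tamper-evidence and consistency checks.

Added example: schema, asset names, zones, protocols and flows are all
constructed for illustration, not drawn from the NCSC guidance.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import json


@dataclass(frozen=True)
class Asset:               # "Components"
    name: str
    zone: str              # segmentation zone the asset sits in
    criticality: str       # "high" | "medium" | "low"
    availability: str      # uptime requirement, e.g. "24x7"
    impact: Optional[str] = None   # "Business and impact context"


@dataclass(frozen=True)
class Flow:                # "Connectivity": one documented data flow
    src: str
    dst: str
    protocol: str


@dataclass(frozen=True)
class Conduit:             # "Wider system architecture": permitted zone crossing
    src_zone: str
    dst_zone: str
    protocols: frozenset


@dataclass(frozen=True)
class ThirdParty:          # "Supply chain/third-party access"
    vendor: str
    target: str            # asset the vendor reaches
    protection: Optional[str]   # None = access exists but controls are undocumented


@dataclass
class Record:
    assets: dict           # name -> Asset
    flows: set             # set of Flow
    conduits: list
    third_parties: list

    def digest(self) -> str:
        """SHA-256 of a canonical JSON form; store it out-of-band (e.g. signed in
        change control) so that any unauthorized edit to the record is detectable."""
        canon = json.dumps({
            "assets": [vars(self.assets[k]) for k in sorted(self.assets)],
            "flows": sorted((f.src, f.dst, f.protocol) for f in self.flows),
            "conduits": sorted((c.src_zone, c.dst_zone, sorted(c.protocols)) for c in self.conduits),
            "third_parties": sorted((t.vendor, t.target, t.protection or "") for t in self.third_parties),
        }, sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()


def audit(rec: Record, observed: set) -> list:
    """Return (code, detail) findings. `observed` is the set of Flows actually seen
    on the network; an empty result means record and reality agree."""
    findings = []
    allowed = {(c.src_zone, c.dst_zone): c.protocols for c in rec.conduits}
    for f in sorted(rec.flows, key=lambda f: (f.src, f.dst, f.protocol)):
        for end in (f.src, f.dst):
            if end not in rec.assets:
                findings.append(("UNKNOWN_ASSET", f"{end} appears in a flow but not in the component list"))
        if f.src in rec.assets and f.dst in rec.assets:
            zs, zd = rec.assets[f.src].zone, rec.assets[f.dst].zone
            if zs != zd and f.protocol not in allowed.get((zs, zd), frozenset()):
                findings.append(("NO_CONDUIT", f"{f.src}->{f.dst} {f.protocol} crosses {zs}->{zd} without a documented conduit"))
    for a in rec.assets.values():
        if a.criticality == "high" and not a.impact:
            findings.append(("NO_IMPACT_CONTEXT", f"{a.name} is high criticality but has no impact statement"))
    for t in rec.third_parties:
        if t.target not in rec.assets:
            findings.append(("UNKNOWN_ASSET", f"{t.vendor} access targets unknown asset {t.target}"))
        if t.protection is None:
            findings.append(("UNPROTECTED_3P", f"{t.vendor} access to {t.target} has no documented controls"))
    for f in sorted(observed - rec.flows, key=lambda f: (f.src, f.dst, f.protocol)):
        findings.append(("UNDOCUMENTED_FLOW", f"{f.src}->{f.dst} {f.protocol} seen on the network but absent from the record"))
    return findings


def build_sample():
    """Constructed record and constructed 'observed' flows (as a passive monitor might report)."""
    assets = {a.name: a for a in [
        Asset("hmi-01", "control", "high", "24x7", "Loss of operator view; plant falls back to manual control"),
        Asset("plc-01", "control", "high", "24x7"),                       # impact never written down
        Asset("eng-ws", "control", "medium", "business hours", "Engineering changes delayed"),
        Asset("historian", "dmz", "medium", "business hours", "Loss of production reporting"),
    ]}
    flows = {
        Flow("hmi-01", "plc-01", "modbus-tcp"),     # same zone
        Flow("plc-01", "historian", "opc-ua"),      # control->dmz via documented conduit
        Flow("eng-ws", "historian", "smb"),         # control->dmz, no conduit for smb
        Flow("eng-ws", "plc-02", "s7comm"),         # plc-02 never added to the asset list
    }
    conduits = [Conduit("control", "dmz", frozenset({"opc-ua"}))]
    third_parties = [
        ThirdParty("Acme Integrators", "eng-ws", "jump host + MFA, sessions recorded"),
        ThirdParty("PumpCo Remote", "plc-01", None),
    ]
    observed = set(flows) | {Flow("historian", "plc-01", "http")}   # undocumented reverse path
    return Record(assets, flows, conduits, third_parties), observed


if __name__ == "__main__":
    rec, observed = build_sample()
    print("record digest:", rec.digest())
    for code, detail in audit(rec, observed):
        print(f"{code:20} {detail}")
```

Each finding maps to one of the five components: `UNKNOWN_ASSET` and `UNDOCUMENTED_FLOW` are the "undocumented change" stressor made visible, `NO_CONDUIT` is a segmentation claim the architecture view cannot support, and `UNPROTECTED_3P` and `NO_IMPACT_CONTEXT` are gaps in the third-party and impact components. Re-running `audit` against a fresh observation set, and comparing `digest()` to the value recorded at the last approved change, is the kind of routine check that keeps the record living rather than a one-off snapshot.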
The principles of continuous compliance and protection
The most important takeaway for security teams is that the DAV is not a "one-and-done" task; it is a living record. The guidance is framed around a set of principles intended to keep that record authoritative and secure over time:
- Define processes for maintenance: Establish clear processes for how the definitive record is created and, above all, continuously updated. In practice this means tying it into change management, so that no change to the environment is approved without a corresponding change to the record.
- Establish an OT ISMS: Integrate the definitive view into a formal OT Information Security Management System (ISMS) so that it has executive oversight and accountable owners.
- Security of the DAV itself: Because it describes exactly how the environment is built and connected, the record is a prime reconnaissance target and must be protected against tampering and unauthorized access. That requires secure storage, access control based on least privilege, and documented change control for the record itself.
- Informed risk decisions: The ultimate benefit of the DAV is enabling informed, risk-based decisions on patching, architecture changes, third-party access, and contingency planning, so that resources go where they deliver the most risk reduction.
"Operational technology is at the heart of many businesses, but the security around those systems has lagged behind other areas of the tech stack. With air-gapping and traditional security methods enough at that point, those systems were secure," said Matt Middleton-Leal, Managing Director, EMEA, at Qualys. "As companies connect up more of their OT networks so they can work in real-time, those traditional methods are not enough at this point."
Middleton-Leal added, "Principle 3 of this guidance points to taking a risk-based approach to security across operational technology assets; to carry this out in practice, teams need to have accurate and timely insight into their OT networks and the threats that are out there, how likely those issues are to be exploited, and how current security controls manage those potential risks. Implementing a risk operations center makes this process easier, as teams can put those risks into context based on the potential monetary impact that can take place. Taking threat intelligence and vulnerability data feeds and putting that information into terms that the business leadership team can use makes this risk-based approach more effective over time."
He concluded, "For companies that rely on their OT networks, implementing a risk-based approach to measuring potential impact is essential when you could be making changes to the critical systems that are responsible for your revenue. Making those changes needs more insight and support for the impact that those risks have, and why those changes are necessary to avoid hacks or catastrophic downtime. Putting things in terms of money makes it easier to get support for those decisions."
The NCSC's Definitive Architecture View guidance validates the long-standing efforts of OT security practitioners while providing a formal, principles-based framework for executive engagement. By systematizing the collection, validation, and protection of architectural intelligence, organizations can finally transition from fragmented knowledge to a defensible, manageable security posture.
For those responsible for Critical National Infrastructure (CNI) or complex manufacturing systems, adopting this framework is no longer optional—it is the first step toward verifiable and sustained resilience.