NIST launches OT visibility initiative
- NIST and the National Cybersecurity Center of Excellence have started a new initiative focused on improving operational-technology (OT) visibility and tooling.
- The initiative aims to close blind spots in industrial and operational environments that standard enterprise controls don't map to easily.
- Security experts say OT guidance like CISA's zero-trust advice still feels underwhelming for specialised environments, reinforcing the need for tailored visibility and governance.

Sources: govconwire.com, bankinfosecurity.com

Operational technology is the gear that runs physical processes — pumps, breakers, valves, factory lines, train systems. When defenders can’t see those assets clearly, they miss the devices, protocols, and weak links that actually matter in an outage or intrusion. That’s the gap NIST is now trying to close with a new operational-technology visibility project through its National Cybersecurity Center of Excellence, first described publicly in late April 2026.

### What is NIST actually launching?

The new effort sits inside the NCCoE, NIST’s applied cybersecurity lab, and it is aimed at helping critical-infrastructure operators get practical visibility into OT environments rather than just writing another abstract framework. Cherilyn Pascoe, who leads the NCCoE, said the center decided to step back after several sector-specific projects and focus on the common problem underneath them — organizations still struggle to know what OT assets they have, how those assets communicate, and where the blind spots are.

### Why is “visibility” the hard part?

OT networks are weird compared with enterprise IT. A lot of equipment is old, fragile, proprietary, and never designed for constant scanning or modern identity controls. You can’t just point the same discovery tools at a power substation or a water plant that you use in an office network, because aggressive probing can break things or at least scare operators away from trying. That makes passive discovery, protocol awareness, and careful asset baselining much more important in OT than in normal IT security.

### Why now?

Part of the timing is that NIST has already spent years doing this in slices. The NCCoE built earlier projects for electric-utility situational awareness and for energy-sector asset management, both centered on discovery, identification, and monitoring of OT assets. The new project looks like an attempt to generalize those lessons across critical infrastructure instead of keeping them trapped inside one sector at a time. Basically, NIST is treating OT visibility as the foundation layer that other controls depend on.

### What problem is NIST trying to solve?

The short version is that many operators still cannot answer basic questions fast enough during a cyber incident. Which programmable logic controller is talking to what? Which remote access path reaches the plant floor? Which unmanaged device appeared last week? In OT, that uncertainty is not just an IT hygiene problem — it can turn into downtime, safety risk, or loss of control over physical equipment. That is why visibility keeps coming up before segmentation, before zero trust, and before most governance talk.

### How does this connect to the new CISA guidance?

The overlap is obvious. CISA released joint guidance on April 29, 2026 for adapting zero-trust principles to OT, trying to translate a very IT-shaped security model into industrial environments. But the immediate reaction from several OT security practitioners was that the document is useful mainly as a high-level framing tool — not as a concrete roadmap for environments with decade-long refresh cycles, limited maintenance windows, and systems that cannot tolerate constant authentication churn.

### So is NIST contradicting CISA?

Not really. It’s more like NIST is working one layer lower in the stack. Zero trust tells you how a mature environment should make access decisions. Visibility tells you what environment you actually have. If you don’t have trustworthy asset inventories, communications maps, and passive monitoring, then zero trust in OT becomes a PowerPoint strategy instead of an operating model. That’s why these two developments landed almost on top of each other but feel very different in practice.

### What will success look like?

NCCoE projects usually pull in vendors and collaborators under CRADAs, build a reference architecture, test commercial and open tools, and then publish implementation guidance others can copy. So the likely output is not a new regulation. It’s a worked example — a repeatable way to discover assets, map communications, and improve OT monitoring without disrupting operations. For smaller utilities and industrial operators, that kind of example can matter more than another strategic memo.

### Bottom line?

This matters because OT security keeps failing at the first question — what exactly is running in the environment right now? NIST’s new project is a bet that better answers to that question unlock everything else.
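The three incident-time questions listed under "What problem is NIST trying to solve?" can be answered from passively collected flow records, without probing any device. The Python below is an added example, not NIST or NCCoE material; the addresses, roles, zones and flow records are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Well-known TCP ports for common industrial protocols, plus RDP for remote access.
PROTO = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm", 3389: "RDP"}

# Constructed inventory (hypothetical addresses and roles): ip -> (role, zone).
INVENTORY = {
    "10.10.1.10": ("plc-pump-1", "ot"),
    "10.10.1.20": ("hmi-1", "ot"),
    "10.10.1.30": ("historian", "ot"),
    "10.20.0.5": ("jump-host", "dmz"),
}

# Constructed flow records, as a passive sensor on a SPAN port or tap might log them:
# (day observed, source ip, destination ip, destination TCP port).
FLOWS = [
    (1, "10.10.1.20", "10.10.1.10", 502),
    (2, "10.10.1.30", "10.10.1.10", 502),
    (3, "10.20.0.5", "10.10.1.20", 3389),
    (9, "10.10.1.77", "10.10.1.10", 502),
    (9, "10.10.1.20", "10.10.1.10", 502),
]

def zone(ip):
    """Zone of an inventoried asset; anything not inventoried is 'unknown'."""
    return INVENTORY.get(ip, (None, "unknown"))[1]

def peers_of(flows, asset_ip):
    """Which hosts talk to this controller, and over which protocols?"""
    peers = defaultdict(set)
    for _, src, dst, port in flows:
        if dst == asset_ip:
            peers[src].add(PROTO.get(port, f"tcp/{port}"))
    return {ip: sorted(protos) for ip, protos in peers.items()}

def unmanaged_since(flows, day):
    """Addresses missing from the inventory whose first sighting is on or after `day`."""
    first_seen = {}
    for d, src, dst, _ in flows:
        for ip in (src, dst):
            first_seen[ip] = min(d, first_seen.get(ip, d))
    return sorted(ip for ip, d in first_seen.items() if ip not in INVENTORY and d >= day)

def paths_into_ot(flows):
    """Flows into the OT zone from any source that is not a known OT asset."""
    return sorted({(src, dst, PROTO.get(port, f"tcp/{port}"))
                   for _, src, dst, port in flows
                   if zone(dst) == "ot" and zone(src) != "ot"})
```

On the constructed data, the address first seen on day 9 shows up both as an unmanaged device and as an unexpected Modbus/TCP peer of the pump controller, alongside the jump host's RDP path into the OT zone.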