A Guide to Configuration and Change Management in OT

November 7, 2022

Critical infrastructure organizations prioritize operational excellence, safety, and productivity above all else. Historically, operational technology (OT) teams relied on an “air gap” as a buffer from the outside world. While this thinking used to work well to achieve safety and reliability, today’s interconnected landscape makes this “black box” mentality increasingly risky. Cybersecurity is now a critical component for both safety and reliability, and without proper visibility into operational environments, it’s impossible to execute on a proactive defense that includes configuration and change management (CCM).

Basic OT asset management (OTAM) is absolutely critical to successful security: you can’t mitigate risk around devices that you can’t even see. Building a confident, credible baseline is the first step, but the next layer of visibility, configuration and change management, is just as important (maybe even more important). Understanding what changes (and why) is critical to both safety and security. While asset management is about determining presence, CCM is about detecting and measuring difference.

What Is Configuration Management?

Configuration management focuses on maintaining the integrity of all configurable elements of a piece of hardware or software, including capturing a baseline build or settings for any specific asset, detecting new configurations, and managing deployment of new builds or configurations.

What Is Change Management?

Change management is about the people, processes, and decisions that implement these changes to configurable assets. This includes:
  • Building processes for requesting, vetting, and approving change requests
  • Establishing processes for emergency/exception change requests
  • Creating review and reporting processes in support of change management

What Makes OT Configuration & Change Management Different?

In one sense, both components of CCM should be easier for OT. Change happens less frequently, so there’s less information to collect and prioritize in the search for potential risk. And systems, once running, are optimized for continuous uptime, not constant change.

While this holds true in theory, other realities can make OT CCM more problematic.

A consistent lack of consistency

IT thrives on consistency, centralizing around common tools and services. Where possible, organizations reduce the number of potential configurations, consolidate software tools, and move to common standards.

OT organizations are richly heterogeneous, with a more diverse potential set of configurations that span physical and control infrastructure, from RTUs and PLCs to firewalls and a long list of other specialized, sometimes legacy, assets.

This extends to information around the asset, too. From user access information and physical location data to environmental metrics, there’s a universe of important, often unstructured data, needing to be managed. Traditional IT CCM tools aren’t built to ingest this much complexity or context off the shelf.

A less direct path between automation and orchestration

In IT environments, that consistency also drives visibility and manageability via shared operating systems and applications. This enables the automation and orchestration that is so fundamental to modern DevOps and SecOps best practices, including CCM tooling.

OT environments are also built for consistency and speed, relying on mechanical automation and carefully tuned processes. But unlike environments where application delivery and security are increasingly managed as a single outcome, OT asset consistency and automation don’t translate into easy visibility and control for traditional CCM solutions.

The pace and posture of change

Going back to where we started, those cultural attitudes towards change have operational consequences.

  • For IT teams, change is the way forward. Orchestration, automation, continuous delivery, reliability through adaptivity and elasticity—these are the trends shaping thinking on that side of the perimeter.
  • For OT teams, elasticity and adaptivity are essentially built into the physical infrastructure itself. Change should be minimized and managed, being a potential obstacle to reliability.

Practically speaking, these differences mean that OT CCM tools must be ready to handle a much greater depth of detail in data, including a greater number of variations between different device types. They must also be designed to move between real-time automation and outdated manual processes, watching for and measuring change.

Getting Started with Configuration & Change Management in OT

OT orgs understand the value of watching for change—it’s their mission too. But they also know there will probably never be a turnkey solution for OT CCM. It will always require expert human intervention up front and continuous collaboration throughout. A purpose-built OT cybersecurity platform can act as a force multiplier, enabling teams to do more with their time and expertise.

Establish an asset baseline first

You can’t monitor or mitigate what you can’t see. This will always require a combination of technology and team effort, mapping physical environments and their assets to not only construct a complete view, but organize that view in ways that make it easier to manage and secure.

Technology can help gather RTU, PLC, firewall software and firmware information, while manual imports will layer on critical information around physical location, user access, maintenance, etc. Both software and human processes must be optimized to collect lots of diverse, granular information, which means tools need to accommodate lots of custom fields and data types.

Watch and listen for change

Once this baseline is built, you can then begin to build and organize a cross-environment view and compare it against the baseline to look for change. The tools used to do this must fit together flexibly, so that change detection can be adjusted as the program matures.

  • You may start with manual imports done only once a day, increasing that rate over time. At the same time, vulnerability assessments, driven by firmware and software version and configuration data, need their own pace.
  • Additionally, whether you’re operating in a regulatory environment demanding regular assessments or just want to be ready if an audit hits, reporting tools need to be equally flexible.
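As an added example (not from the original post or any vendor's tooling), the baseline comparison described in this section, in Python: a baseline inventory and a later snapshot, both constructed with hypothetical devices and values, are diffed field by field, so manually imported custom fields are compared alongside scanner-gathered firmware and config data, and changes already covered by an approved change request are separated from those needing exception review.

```python
from dataclasses import dataclass
from typing import Any

@dataclass(frozen=True)
class Change:
    asset_id: str
    kind: str    # "added", "removed" or "modified"
    field: str   # empty for added/removed assets
    old: Any
    new: Any

def compare_inventories(baseline: dict, snapshot: dict) -> list[Change]:
    """Diff two inventories keyed by asset id. Every field is compared,
    so custom fields from manual imports (location, owner, maintenance)
    are treated exactly like scanner-gathered firmware and config data."""
    changes: list[Change] = []
    for aid in sorted(baseline.keys() - snapshot.keys()):
        changes.append(Change(aid, "removed", "", baseline[aid], None))
    for aid in sorted(snapshot.keys() - baseline.keys()):
        changes.append(Change(aid, "added", "", None, snapshot[aid]))
    for aid in sorted(baseline.keys() & snapshot.keys()):
        old, new = baseline[aid], snapshot[aid]
        for f in sorted(old.keys() | new.keys()):  # union: new fields count too
            if old.get(f) != new.get(f):
                changes.append(Change(aid, "modified", f, old.get(f), new.get(f)))
    return changes

def unapproved(changes: list[Change], approved: set[tuple[str, str]]) -> list[Change]:
    """Drop changes covered by an approved change request, identified by
    (asset_id, field). Whatever remains needs emergency/exception review."""
    return [c for c in changes if (c.asset_id, c.field) not in approved]

# Constructed sample data (hypothetical devices and values, not a real site).
BASELINE = {
    "plc-01": {"type": "PLC", "firmware": "2.4.1", "config_sha256": "c0ffee01",
               "location": "Line 3", "owner": "controls"},
    "rtu-07": {"type": "RTU", "firmware": "5.0", "location": "Substation B"},
    "fw-edge": {"type": "firewall", "firmware": "9.1.2", "ruleset_rev": 41},
}
SNAPSHOT = {
    "plc-01": {"type": "PLC", "firmware": "2.5.0", "config_sha256": "c0ffee01",
               "location": "Line 3", "owner": "controls"},              # firmware changed
    "fw-edge": {"type": "firewall", "firmware": "9.1.2", "ruleset_rev": 42},  # rule change
    "hmi-02": {"type": "HMI", "os": "Windows 10", "location": "Control room"},  # new asset
}   # rtu-07 is absent from the snapshot: removed or unreachable, either way a change
APPROVED = {("plc-01", "firmware")}   # a change request covered the PLC firmware update

if __name__ == "__main__":
    for c in unapproved(compare_inventories(BASELINE, SNAPSHOT), APPROVED):
        print(f"{c.kind:8} {c.asset_id:8} {c.field or '-':12} {c.old!r} -> {c.new!r}")
```

Running it reports the missing RTU, the new HMI and the firewall ruleset revision, while the approved PLC firmware update is filtered out.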

Optimize for flexibility

Ultimately, your CCM strategy and tooling must be able to ingest and organize a long list of inputs from across the environment and translate all that disparate data into a unified view on change.

And if low tolerance for risk is what makes OT systems harder to secure, it will be high tolerance for adaptivity that makes any CCM solution successful. Teams need solutions that can be seamlessly shaped around specific organizational needs and nuances—that’s how OT and the enterprise will both get smarter, safer, and more effective over time.
