Critical infrastructure organizations prioritize operational excellence, safety, and productivity above all else. Historically, operational technology (OT) teams relied on an “air gap” as a buffer from the outside world. While this thinking used to work well to achieve safety and reliability, today’s interconnected landscape makes this “black box” mentality increasingly risky. Cybersecurity is now a critical component for both safety and reliability, and without proper visibility into operational environments, it’s impossible to execute on a proactive defense that includes configuration and change management (CCM).
Basic OT asset management (OTAM) is absolutely critical to successful security: you can’t mitigate risk around devices that you can’t even see. Building a confident, credible baseline is the first step, but the next layer of visibility, configuration and change management, is just as important (maybe even more important). Understanding what changes (and why) is critical to both safety and security. While asset management is about determining presence, CCM is about detecting and measuring difference.
In one sense, both components of CCM should be easier for OT. Change happens less frequently, so there’s less information to collect and prioritize in the search for potential risk. And systems, once running, are optimized for continuous uptime, not constant change.
While this holds true in theory, other realities can make OT CCM more problematic.
IT thrives on consistency, centralizing around common tools and services. Where possible, organizations reduce the number of potential configurations, consolidate software tools, and move to common standards.
OT organizations are richly heterogeneous, with a more diverse potential set of configurations that span physical and control infrastructure, from RTUs and PLCs to firewalls and a long list of other specialized, sometimes legacy, assets.
This extends to information around the asset, too. From user access information and physical location data to environmental metrics, there’s a universe of important, often unstructured data, needing to be managed. Traditional IT CCM tools aren’t built to ingest this much complexity or context off the shelf.
In IT environments, that consistency also drives visibility and manageability via shared operating systems and applications. This enables the automation and orchestration that is so fundamental to modern DevOps and SecOps best practices, including CCM tooling.
OT environments are also built for consistency and speed, relying on mechanical automation and carefully tuned processes. But unlike environments where application delivery and security are increasingly managed as a single outcome, OT asset consistency and automation don’t translate into easy visibility and control for traditional CCM solutions.
Going back to where we started, those cultural attitudes towards change have operational consequences.
Practically speaking, these differences mean that OT CCM tools must be ready to handle a much greater depth of detail in data, including a greater number of variations between different device types. They must also be designed to move between real-time automation and outdated manual processes, watching for and measuring change.
OT orgs understand the value of watching for change—it’s their mission too. But they also know there will probably never be a turnkey solution for OT CCM. It will always require expert human intervention up front and continuous collaboration throughout. A purpose-built OT cybersecurity platform can act as a force multiplier, enabling teams to do more with their time and expertise.
You can’t monitor or mitigate what you can’t see. This will always require a combination of technology and team effort, mapping physical environments and their assets to not only construct a complete view, but organize that view in ways that make it easier to manage and secure.
Technology can help gather RTU, PLC, firewall software and firmware information, while manual imports will layer on critical information around physical location, user access, maintenance, etc. Both software and human processes must be optimized to collect lots of diverse, granular information, which means tools need to accommodate lots of custom fields and data types.
Once this baseline is built, you can then begin to build and organize a cross-environment view and make baseline comparisons to look for change. The tools we use to do this must come together in flexible ways that make change detection malleable.
Ultimately, your CCM strategy and tooling must be able to ingest and organize a long list of inputs from across the environment and translate all that disparate data into a unified view on change.
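The workflow above (automated discovery layered with manual imports to form a baseline, then a later snapshot compared against it) as an added example, not code from the original post. All asset ids, fields and values are constructed, and the `ignore` list is an assumed way of keeping constantly moving fields out of change reports.

```python
from dataclasses import dataclass

# Constructed sample: what an automated discovery pass might report.
DISCOVERED = {
    "plc-01": {"type": "PLC", "firmware": "2.8.1", "ip": "10.0.5.11"},
    "rtu-07": {"type": "RTU", "firmware": "4.2.0", "ip": "10.0.5.40"},
    "fw-edge": {"type": "firewall", "firmware": "7.0.3", "ip": "10.0.5.1"},
}
# Constructed sample: manually imported context no scanner can see.
MANUAL = {
    "plc-01": {"location": "Pump house A", "owner": "ops-team-1"},
    "rtu-07": {"location": "Substation 3", "owner": "field-ops"},
}


def build_baseline(discovered, manual):
    """Layer manual fields over discovered fields, keyed by asset id.
    Custom fields are kept as-is so any site-specific context fits."""
    baseline = {}
    for asset_id in set(discovered) | set(manual):
        record = dict(discovered.get(asset_id, {}))
        record.update(manual.get(asset_id, {}))  # manual context wins on overlap
        baseline[asset_id] = record
    return baseline


@dataclass(frozen=True)
class Change:
    asset_id: str
    kind: str          # "added", "removed" or "modified"
    field: str = ""
    old: object = None
    new: object = None


def detect_changes(baseline, current, ignore=("last_seen",)):
    """Diff a later snapshot against the baseline. Fields in `ignore`
    (assumed: constantly moving metrics) are not reported, so the detector
    can be tuned per site instead of flooding the team with noise."""
    changes = []
    for asset_id in sorted(set(baseline) | set(current)):
        if asset_id not in current:
            changes.append(Change(asset_id, "removed"))
        elif asset_id not in baseline:
            changes.append(Change(asset_id, "added"))
        else:
            old, new = baseline[asset_id], current[asset_id]
            for field in sorted((set(old) | set(new)) - set(ignore)):
                if old.get(field) != new.get(field):
                    changes.append(Change(asset_id, "modified", field,
                                          old.get(field), new.get(field)))
    return changes
```

A removed asset, a new asset and a firmware change each come back as a separate `Change` record, which is the unified view on change the text describes.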
And if low tolerance for risk is what makes OT systems harder to secure, it will be high tolerance for adaptivity that makes any CCM solution successful. Teams need solutions that can be seamlessly shaped around specific organizational needs and nuances—that’s how OT and the enterprise will both get smarter, safer, and more effective over time.
To learn more about how OT asset management enables a strong configuration & change management program, check out our solution brief.