OT configuration management is the process of assuring that the actual configuration of an OT system stays consistent with its design and requirements. It helps you to gradually arrive at more robust network architectures, standardized software configurations, better maintainability, and a higher security posture. In this article you’ll learn how.
The secret sauce that makes digital OT so efficient is its flexibility. But like everything good under the sun, flexibility also has a downside. Everything that can be configured to serve your needs best can also be misconfigured to produce an unreliable, insecure infrastructure that is difficult to maintain. Configuration management is the discipline that allows you to reap the benefits of the digital transition, and to avoid “organically grown structures” (digital chaos).
In a digital world, a correct, intact, optimized configuration largely determines the reliability, maintainability, and security of a given plant and process. Hence, configuration management becomes a key factor that determines whether your digital journey is heading towards success or frustration.
What is governed by OT configuration management?
In OT environments, the subject of configuration management includes the following:
- Hardware: Make and model, CPU & memory resources, type and model of any extension modules such as I/O.
- Software: Installed operating system, software applications, security patches, firmware.
- Networking: Network topology, choice of network addresses and protocols, communication pathways.
For each of these areas, configuration management verifies that all design decisions are met by the de-facto configuration, and that configuration change will not yield undesired results. It also makes inevitable configuration change a much smoother and more systematic process. For example, a bit of planning and documentation prevents incompatibilities in software or hardware from turning into operational problems.
The forces of evil are not just hackers
The forces that can change a system configuration to become non-compliant with specification and documentation are manifold, and are present in every environment. Here’s what you need to battle:
- Configuration drift: More or less random factors, and complacency. Examples are replacing defective devices with different models, re-configuring devices according to preference rather than policy, and accidental misconfiguration (nobody is perfect).
- Silent installs: This is about the contractors and coworkers who update ladder logic, install new software versions, replace switches etc. in the best intent, but fail to tell you about it. As a result, de-facto configuration is different from what you have in mind, or in your Excel spreadsheet.
- Cyber attack: Next, there is the rare case of malicious configuration change by hackers and malware. While very infrequent, note that every sophisticated cyber attack involves unauthorized configuration change. Hence, if you are very good at detecting or even preventing such change, your cyber security posture rises dramatically.
- Product end-of-life: Every now and then, proven technology can no longer be used because it becomes obsolete. The asset owner is then forced to look for alternatives, and to re-define standards and configuration settings. Configuration management makes sure that this process can be started as early as possible, rather than being hit by surprise.
Configuration management methods with the most bang for the buck
The good thing about configuration management is that it’s not a high-level concept hanging over your head up in thin air, but a set of concrete, practical, down-to-earth methods that can be executed reliably and at scale. The three most useful methods are:
- Baselines
- Change management
- Lifecycle management
Baselines are the power tool of configuration management. A baseline is a standardized target configuration that you define for a given type of equipment, let’s say HMI stations. The baseline specifies all the software (or firmware), along with version number, that must be installed, OS version, security patches, hardware type & model, the works.
With a modern asset management system like the OT-BASE Asset Management Platform, all of this takes just a couple of minutes. This is possible because de-facto device type (hardware model), including any I/O modules, is discovered automatically. Installed software, OS, firmware, security patches are discovered automatically as well. Since all this information is already known to OT-BASE, baseline audits become a snap.
Change management assures that intentional changes of OT infrastructure are executed according to specification and comply with policy. An automated workflow for change management, as implemented in the OT-BASE Asset Management Platform, makes change management straightforward. Such a workflow assures that every change is planned, documented, and authorized.
But the benefits of change management go even further when it comes to cyber security. Once you start using its change management workflow, the OT-BASE Asset Management Platform can determine automatically whether any configuration change is authorized or not. As a consequence, any unmanaged change in ladder logic or software configuration will automatically be flagged as a cyber security incident, prompting further investigation.
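To make the baseline audit and the authorized-versus-unauthorized change check concrete, here is an added example (not OT-BASE code, and not its export format): it defines a baseline for HMI stations, audits a constructed inventory snapshot against it, then diffs two snapshots and matches every change against constructed change tickets, so that anything without a ticket surfaces as unmanaged change. Device names, the inventory layout and the ticket fields are assumptions; a real run would load a JSON export from your asset management system instead.

```python
"""Baseline audit and unauthorized-change detection over an asset inventory.
Added example, not OT-BASE code: the inventory layout is an assumption standing
in for a real asset-management export (which you would json.load() instead)."""
import copy
from collections import namedtuple

# Constructed target configuration per device type (the "baseline").
BASELINES = {"HMI": {
    "hardware": {"vendor": "ACME", "model": "HMI-2000"},
    "os": "Windows 10 LTSC 21H2",
    "software": {"ScadaView": "7.2.1", "AppWhitelist": "3.0"},
    "patches": ["KB5034441"],
}}

def _std_hmi() -> dict:
    """A discovered HMI that matches its baseline exactly (constructed)."""
    return {"type": "HMI", **copy.deepcopy(BASELINES["HMI"])}

# Constructed discovered configuration: two snapshots taken a week apart.
SNAPSHOT_T0 = {
    "HMI-01": _std_hmi(),
    "HMI-02": _std_hmi(),
    "PLC-07": {"type": "PLC", "hardware": {"vendor": "ACME", "model": "PLC-500"},
               "firmware": "4.1.0", "logic_hash": "sha256:0a1b2c3d"},
}
SNAPSHOT_T1 = {
    # HMI-01: a patch was added under an approved change ticket.
    "HMI-01": {**SNAPSHOT_T0["HMI-01"], "patches": ["KB5034441", "KB5036892"]},
    # HMI-02: a failed unit was swapped for a different model, no ticket filed.
    "HMI-02": {**SNAPSHOT_T0["HMI-02"], "hardware": {"vendor": "ACME", "model": "HMI-1500"}},
    # PLC-07: control logic was re-downloaded, no ticket anywhere.
    "PLC-07": {**SNAPSHOT_T0["PLC-07"], "logic_hash": "sha256:ffee9988"},
}
# Constructed change-management records: what was planned and approved.
CHANGE_TICKETS = [{"id": "CHG-101", "device": "HMI-01", "path": "patches",
                   "new": ["KB5034441", "KB5036892"]}]

Change = namedtuple("Change", "device path old new")

def _norm(value):
    """Make values comparable: lists become order-insensitive tuples."""
    return tuple(sorted(map(str, value))) if isinstance(value, list) else value

def audit_device(cfg: dict, baseline: dict) -> list[str]:
    """Return every deviation of one discovered device from its baseline."""
    findings, hw = [], cfg.get("hardware", {})
    for key, want in baseline["hardware"].items():
        if hw.get(key) != want:
            findings.append(f"hardware.{key}: {hw.get(key)!r} != {want!r}")
    if cfg.get("os") != baseline["os"]:
        findings.append(f"os: {cfg.get('os')!r} != {baseline['os']!r}")
    installed = cfg.get("software", {})
    for name, want in baseline["software"].items():
        have = installed.get(name)          # None means "not installed at all"
        if have != want:
            findings.append(f"software.{name}: {have!r} != {want!r}")
    for extra in sorted(set(installed) - set(baseline["software"])):
        findings.append(f"software.{extra}: not in baseline")
    for patch in sorted(set(baseline["patches"]) - set(cfg.get("patches", []))):
        findings.append(f"patch {patch}: missing")
    return findings

def audit_snapshot(snapshot: dict, baselines: dict) -> dict[str, list[str]]:
    """Audit every device whose type has a baseline; [] means compliant."""
    return {dev: audit_device(cfg, baselines[cfg["type"]])
            for dev, cfg in snapshot.items() if cfg.get("type") in baselines}

def _flatten(cfg: dict, prefix: str = "") -> dict:
    """Flatten nested config into dotted paths such as 'hardware.model'."""
    flat = {}
    for key, value in cfg.items():
        if isinstance(value, dict):
            flat.update(_flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = _norm(value)
    return flat

def diff_snapshots(old: dict, new: dict) -> list[Change]:
    """List every field that differs between two discovered snapshots."""
    changes = []
    for dev in sorted(set(old) | set(new)):
        o, n = _flatten(old.get(dev, {})), _flatten(new.get(dev, {}))
        changes += [Change(dev, p, o.get(p), n.get(p))
                    for p in sorted(set(o) | set(n)) if o.get(p) != n.get(p)]
    return changes

def classify_changes(changes, tickets):
    """Split changes into (authorized, unauthorized); unmatched = unmanaged change."""
    authorized, unauthorized = [], []
    for c in changes:
        covered = any(t["device"] == c.device and t["path"] == c.path
                      and _norm(t["new"]) == c.new for t in tickets)
        (authorized if covered else unauthorized).append(c)
    return authorized, unauthorized

if __name__ == "__main__":
    _, bad = classify_changes(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1), CHANGE_TICKETS)
    print(audit_snapshot(SNAPSHOT_T1, BASELINES), bad, sep="\n")
```

Note that HMI-01 still passes the baseline audit after its authorized patch, the swapped HMI-02 fails it on hardware model, and the re-downloaded logic on PLC-07 (which has no baseline at all) is still caught by the snapshot diff. The baseline catches deviation from the target; the diff catches change that nobody managed; a site needs both.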
Lifecycle management assures operational continuity in the face of product obsolescence and asset lifetime, both of which are “natural” facts that need to be dealt with in environments where devices are in use for decades. Aging and product obsolescence force you to employ configuration change, and lifecycle management gives you a means to approach it proactively rather than being caught by surprise.
The OT-BASE Asset Management Platform addresses both asset lifecycle and product lifecycle. For each device, a detailed configuration history is maintained automatically. Lifecycle stage starts with “planned” and ends with “decommissioned”. For OT products, OT-BASE maintains end-of-life information and other vendor data that allow you to determine quickly which products need to be updated soon.
Why new technology makes OT configuration management a hot topic
Configuration management didn’t use to be a hot topic in OT. The simple reason is that until recently, the technology wasn’t ready. If all you have is Excel spreadsheets for device inventory and a Word document describing target configurations, configuration management doesn’t really fly. It is way too laborious for any industry outside nuclear and pharmaceuticals, where it has simply been mandated by regulation for decades.
That has changed completely with the availability of modern tools for automatic asset and configuration discovery such as the OT-BASE Asset Management Platform. Today, OT configuration management is no longer a tedious exercise that nobody has time for, it is a function that can be automated almost entirely. To spice it up, you, your auditors, cyber security experts, regulators, and admins get nice reports by the click of a mouse.
But there’s even more. The secret sauce behind state-of-the-art configuration management is a high-fidelity system model that you can imagine as a machine-readable documentation. This system model can be visualized, analyzed, and searched. It can also be shared. The OT-BASE Asset Management Platform allows you to export the system model in whole or in parts in the JSON format, either via REST API or as a file, in order to share it with others.
In other words, you can store the configuration of your digital OT infrastructure on a USB stick and take it home, if you want to. You can also pass it to a contractor or vendor as a specification for a plant modernization, or as the basis for a cyber security assessment. Or to a consultant who helps you modernize your network topology, to mention yet another use case.
How is OT configuration management different from IT configuration management?
Over in IT, configuration management has been around for quite a long time. Lots of software products are available that assist you with the discipline, and a widely adopted best-practice framework, ITIL (the IT Infrastructure Library), teaches how to do it right. Can’t we simply use these frameworks and software products for OT as well? The simple answer is: No, we can’t. Many have tried, and failed.
IT configuration management software doesn’t perform well in OT environments because the models and methods used don’t really fit controllers and realtime environments. As one example, its configuration auto-discovery doesn’t speak OT protocols such as Modbus or EtherNet/IP, and it doesn’t address the delicacies of legacy realtime equipment either.
Another drawback is rooted in the terms of the trade. In IT configuration management, the basic currency is the “configuration item”, which is quite an abstract concept that must be filled with meaning by the user. A database, a computer, a document, a location, or a cable can each be made a configuration item. You can easily spend a year or more defining and re-defining what your configuration items are. But you certainly don’t have the time to do that.
In OT, we can leverage the fact that OT environments are much more homogeneous than their IT counterparts. This allows us to pre-define useful entities for configuration management as you have seen before (hardware, software, networks). When you start using the OT-BASE Asset Management Platform, you don’t need to spend a single hour thinking about configuration items. It’s all built in, ready to use right after installation.
How OT configuration management enhances cyber security as a bonus
By now it should be clear that configuration management pays off in various areas that have nothing to do with cyber security. Nevertheless, the full depth of the discipline becomes clear when we focus on protection against malicious configuration change. A solid configuration management process will allow you to detect and prevent cyber attacks almost as a bonus.
Detecting cyber attacks: What do all cyber-physical attacks from Stuxnet to the Triconex incident have in common? Simple: Unauthorized configuration change, either of computer software, ladder logic, or network switches (or all of those combined). Once you have the capability to detect unauthorized configuration change, as outlined above, there is little that you have to fear, including from potent nation-state threat actors.
Preventing cyber attacks: Configuration management includes full transparency of your de-facto configuration. This allows you to spot misconfigured DMZs, unauthorized network traffic, vulnerable software versions and missing security patches easily. Remediate these vulnerabilities step by step and watch your security posture rising.
Note that all these benefits are realized without even starting to talk about threat actors, hacking techniques, and risk. The reality is, OT configuration management opens a path towards better cyber security for engineering-minded professionals who don’t appreciate the more vaporous and drama-laden concepts and terminology of the field.
How is the security function of configuration management different from Network Anomaly Detection?
Having addressed cyber security, let’s finally explore how the security function of OT configuration management is different from the Network Anomaly Detection products that enjoy recent popularity. Both approaches can actually be differentiated pretty easily.
Configuration management is not concerned with the content of data in motion. It doesn’t try to figure out whether such content may be malicious. It does catch the manifest results that such content may cause, though: unauthorized configuration change. Let’s illustrate the difference using the recent cyber attack against a Triconex safety controller. Here’s how OT configuration management would have caught, or prevented, the attack:
- Malicious packets travelling from IT networks to OT networks down to the safety controller required a DMZ configuration that allowed cutting through that DMZ like jello. The DMZ existed only on paper, which configuration management as implemented in the OT-BASE Asset Management Platform would have shown early.
- Next, dropping malicious code on the Triconex engineering station was only possible because that station was not protected by a $50 whitelisting solution. A proper baseline would have shown that lack of protection right away.
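The DMZ finding in the first bullet can be derived mechanically from the networking part of the system model. The following is an added example, not OT-BASE code: a constructed zone and pathway model with two checks (IT-to-OT pathways that bypass the DMZ altogether, and DMZ hosts that relay the same protocol in from IT and out to OT, i.e. a DMZ with no protocol break), plus an enumeration of the paths an attacker could chain from IT down to the safety controller. Device names, zone names, the pathway list and the rule that a DMZ host must terminate the protocol are assumptions.

```python
"""Zone and pathway analysis over a network model: does the DMZ actually
separate IT from OT, or does it exist only on paper?
Added example, not OT-BASE code. Devices, zones, pathways and the zone-kind
mapping are constructed assumptions; a real run would load them from the
exported system model."""
from collections import defaultdict

# Assumption: which side of the IT/OT boundary each zone belongs to.
ZONE_KIND = {"IT": "it", "DMZ": "dmz", "OT": "ot", "SIS": "ot"}
# Constructed system model: zone membership per device ...
DEVICES = {
    "CORP-WS-12": "IT", "FILESRV-IT": "IT",
    "JUMP-01": "DMZ", "HIST-DMZ": "DMZ",
    "HIST-OT": "OT",
    "EWS-SIS-01": "SIS", "SIS-CTRL-01": "SIS",
}
# ... and the communication pathways the firewalls permit (src initiates to dst).
PATHWAYS = [
    {"src": "CORP-WS-12", "dst": "JUMP-01", "proto": "RDP"},
    {"src": "JUMP-01", "dst": "EWS-SIS-01", "proto": "RDP"},      # RDP in, RDP out: no protocol break
    {"src": "HIST-OT", "dst": "HIST-DMZ", "proto": "OPC-UA"},     # OT pushes data up: fine
    {"src": "CORP-WS-12", "dst": "HIST-DMZ", "proto": "HTTPS"},   # IT reads the replica: fine
    {"src": "FILESRV-IT", "dst": "EWS-SIS-01", "proto": "SMB"},   # straight through the "DMZ"
    {"src": "EWS-SIS-01", "dst": "SIS-CTRL-01", "proto": "ENG"},  # engineering download path
]

def kind(zone: str) -> str:
    return ZONE_KIND[zone]

def find_direct_crossings(devices: dict, pathways: list) -> list:
    """Pathways connecting an IT device to an OT device without touching the DMZ."""
    return [p for p in pathways
            if {kind(devices[p["src"]]), kind(devices[p["dst"]])} == {"it", "ot"}]

def find_pass_through_hosts(devices: dict, pathways: list) -> dict:
    """DMZ hosts that accept a protocol from IT and speak the same protocol into OT.
    Such a host relays rather than terminates, so whoever owns it hops straight
    across; for that protocol the DMZ is fictional."""
    inbound, outbound = defaultdict(set), defaultdict(set)
    for p in pathways:
        s, d = kind(devices[p["src"]]), kind(devices[p["dst"]])
        if s == "it" and d == "dmz":
            inbound[p["dst"]].add(p["proto"])
        if s == "dmz" and d == "ot":
            outbound[p["src"]].add(p["proto"])
    return {h: inbound[h] & outbound[h] for h in inbound if inbound[h] & outbound[h]}

def find_paths_from_it(devices: dict, pathways: list, target: str) -> list:
    """All simple paths an attacker could chain from any IT device to `target`."""
    adj = defaultdict(list)
    for p in pathways:
        adj[p["src"]].append(p["dst"])
    paths = []

    def walk(node, trail):
        if node == target:
            paths.append(trail)
            return
        for nxt in adj[node]:
            if nxt not in trail:           # keep paths simple (no cycles)
                walk(nxt, trail + [nxt])

    for dev, zone in devices.items():
        if kind(zone) == "it":
            walk(dev, [dev])
    return paths

if __name__ == "__main__":
    for p in find_direct_crossings(DEVICES, PATHWAYS):
        print(f"VIOLATION: {p['src']} -> {p['dst']} ({p['proto']}) bypasses the DMZ")
    for host, protos in find_pass_through_hosts(DEVICES, PATHWAYS).items():
        print(f"FICTIONAL DMZ: {host} relays {sorted(protos)} from IT into OT")
    for path in find_paths_from_it(DEVICES, PATHWAYS, "SIS-CTRL-01"):
        print("reachable:", " -> ".join(path))
```

FILESRV-IT reaching the safety engineering station over SMB is the DMZ-on-paper situation the bullet describes; JUMP-01 is subtler, since RDP in and RDP out make it a relay rather than a termination point. On a real export the pathway list would come from firewall rule sets or observed communication, and the path enumeration is the kind of artifact you would hand to a consultant for a cyber security assessment.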
Bottom line: OT configuration management as implemented in the OT-BASE Asset Management Platform and NAD products take very distinct, non-overlapping approaches to the cyber security problem. NAD tries to spot potentially malicious packets, whereas configuration management spots the manifestations of cyber attacks in the form of unauthorized configuration change.