Chances are, you have a real problem on your hands. More than likely, at least one Windows machine in your installed base is running Windows XP. You don’t have to do an online search to know it has thousands of vulnerabilities associated with it. While one machine is bad enough, another thought has probably crossed your mind: how many other machines in your installed base are running the same or older OS?
To answer that question, you need a few things.
The most important is an accurate and complete OT asset inventory. Simply put, you will never arrive at the level of functionality discussed in this blog with a manual OT asset inventory. A manual inventory simply doesn’t contain the data needed.
If you’re equipped with the required OT asset inventory, you then need configuration policies. Finally, you need the ability to audit that inventory against those policies.
It’s all possible. This blog discusses how.
The Mutual Necessity of Configuration Policies and Automated Audits
Configuration policies are used to define standard configurations that meet specific cybersecurity requirements as set forth by the company. Those policies define compliance. In this instance, compliance or non-compliance is not regulatory in nature.
The real value of configuration policies is scalability. Policies apply not just to one OT device, but to all devices of a particular class: all engineering stations, for example, or all Windows PCs in a particular network zone, or all laptops. That’s where scalability comes in.
Automated audits add efficiency. OTbase has this type of automation built in. Without automated audits, configuration policies are useless, because the audit is the decision-making process that determines whether policy provisions are met.
Automated Audits in OTbase
Once you have defined a configuration policy in OTbase, it will automatically audit your inventory against that policy. Doing so will expose which devices are compliant and which are non-compliant.
For example, suppose you set a configuration policy that says all engineering stations must be running Windows 10 or higher. The policy, in this instance, is meant to ensure problematic setups (machines running OSs older than Windows 10) are avoided.
An automated audit in OTbase takes a couple of mouse clicks. In just a few moments, you can determine which machines need remediating.
You can also drill down further by clicking on the device and opening the Device Profile. This shows which policies the device complies with and which it does not.
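The following is an added example, not OTbase code: a minimal audit of a constructed inventory against the "Windows 10 or higher" policy described above, with a per-device view and a compliance ratio. The field names, OS ranking and policy structure are assumptions for illustration; a device with a missing OS is reported as unknown rather than counted as compliant.

```python
from dataclasses import dataclass

# Oldest to newest; a constructed ranking used only by this example.
OS_RANK = {"Windows XP": 1, "Windows 7": 2, "Windows 8.1": 3,
           "Windows 10": 4, "Windows 11": 5}

@dataclass
class Policy:
    name: str
    scope: dict   # attribute -> required value; selects the device class
    min_os: str   # oldest OS the policy accepts

# Constructed inventory records; field names are hypothetical.
INVENTORY = [
    {"id": "ES-01", "type": "engineering station", "zone": "cell-1", "os": "Windows 10"},
    {"id": "ES-02", "type": "engineering station", "zone": "cell-2", "os": "Windows XP"},
    {"id": "ES-03", "type": "engineering station", "zone": "cell-2", "os": None},
    {"id": "HMI-07", "type": "hmi", "zone": "cell-1", "os": "Windows 7"},
    {"id": "LT-11", "type": "laptop", "zone": "office", "os": "Windows 11"},
]
POLICIES = [
    Policy("ES on Windows 10+", {"type": "engineering station"}, "Windows 10"),
    Policy("cell-1 PCs on Windows 7+", {"zone": "cell-1"}, "Windows 7"),
]

def in_scope(device, policy):
    return all(device.get(k) == v for k, v in policy.scope.items())

def check(device, policy):
    """Return 'compliant', 'non-compliant' or 'unknown' for an in-scope device."""
    rank = OS_RANK.get(device.get("os"))
    if rank is None:  # missing or unrecognised OS: compliance cannot be shown
        return "unknown"
    return "compliant" if rank >= OS_RANK[policy.min_os] else "non-compliant"

def audit(inventory, policy):
    """Audit in-scope devices; out-of-scope devices are skipped, not passed."""
    return {d["id"]: check(d, policy) for d in inventory if in_scope(d, policy)}

def device_profile(device_id, inventory, policies):
    """Per-device view: the result for every policy that applies to it."""
    device = next(d for d in inventory if d["id"] == device_id)
    return {p.name: check(device, p) for p in policies if in_scope(device, p)}

def compliance_ratio(results):
    """Share of audited devices that are compliant; 'unknown' counts against."""
    if not results:
        return 0.0
    return sum(r == "compliant" for r in results.values()) / len(results)

if __name__ == "__main__":
    for p in POLICIES:
        res = audit(INVENTORY, p)
        print(p.name, res, f"{compliance_ratio(res):.0%}")
    print(device_profile("ES-01", INVENTORY, POLICIES))
```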
The Value of Reporting
In OTbase, compliance policies are automatically associated with a report. The report provides metrics and visuals that show, among other things, the ratio of compliant to non-compliant devices. This helps teams identify whether there has been progress toward compliance or a lack of progress.
Reports are also dynamic. The screenshot above shows you a snapshot at a particular point in time. The same report a week later will probably look different. As changes are made, OTbase automatically updates the report accordingly.
Conclusion
With an accurate, complete OT asset inventory, defined configuration policies, and automated audits, enterprises can reduce their attack surface. All are important pieces of an OT security arsenal.
With OTbase this is simplified to just a couple of mouse clicks. Teams can identify non-compliant devices within minutes. Remediation efforts can start. And progress can be tracked over time.
Learn more about OT configuration management by reading the OT Asset Management Handbook from OTbase.