One element of configuration management is the recording and auditing of the actual configuration files on IT/OT devices. The first time we document the configuration of a device that becomes the device’s baseline. The baseline is required before an audit can be performed.
The most straightforward audit checks the configuration to see if it has changed. More advanced audits use records (approved and assigned changes) from the CMDB or other change management repository, checking to see if the configuration of the device is what it should be. Each configuration change that is supposed to occur (like installing a patch) creates a new baseline.
This is often a very manual process. People are involved in each step along the way, connecting to each device to pull down the current configuration and then manually comparing the baseline with the current configuration. They have to check records in multiple places when the audit is checking the “should be” configuration.
The process is expensive, it is reactive (it lags actual changes sometimes by weeks or months), it is error-prone and unintentional device configuration changes can impact the overall security practice. There has to be a better way.
With ConsoleWorks BCM, configuration data is pulled automatically on a periodic basis. ConsoleWorks uses an agentless, patented approach to managing the IT/OT Infrastructure. ConsoleWorks is connected to the device regardless of its state (i.e. up, down, single user or maintenance mode). The configuration is checked against the current baseline, and any changes between the two are immediately alerted on. Alerts include the exact (keystroke by keystroke) changes between the baseline and the current configuration data. You can also check for differences between devices that are in specific groups (i.e. – they should all have the same security patches installed). Having this capability significantly reduces the time involved in collecting the data required to support an audit and producing the reports to prove compliance.
Looking at the Utility industry, in particular, there is a requirement to meet specific NERC-CIP requirements for establishing and retaining a set of secure configuration profiles across hundreds, often thousands, of cyber assets. Manufacturer point solutions exist in a few cases today. However, the limited capabilities vary across manufacturers, and the functionality is inadequate for addressing the basic NERC CIP requirements.
ConsoleWorks automates baseline configuration management of all cyber assets from the control room, to the substation, to the pole. It periodically retrieves the current configuration of each monitored asset and compares it to the established baseline. If a difference is detected, an Event is created and logged, and a notification is sent to a designated person for further assessment.
Moving from a manual configuration management process to an entirely automated process has many benefits. There is a drastic reduction in cost (man hours), the accuracy of the data and audit findings is dependable and issues can be identified quickly and resolved, typically long before the manual process would even detect that the issue exists.