Gold Image and Baseline Configuration Standard - ICS and OT security

Being the victim of a cyber-attack can be scary, expensive and potentially business-crippling.

So how do you prevent a cyber-attack? Start by making security a priority for all IT operations. The first step is to make systems as ‘hacker proof’ as possible.

Gold Build Standard? Corporate Build / Hardened Build? Controlled Image? Baseline Configuration? You’ll find the need for a Gold Build Standard in all compliance frameworks (for example, NIST 800-53 CM-2 and CM-3, CIS Control 5.2, PCI DSS Requirement 2 and especially NERC CIP 007-3 and 010-3) as a means of guaranteeing security. Without a consistent build, how else can you expect security to be maximized?

Developing a Secure Baseline Configuration - For every IT endpoint, even ICS and OT devices

A Hardened Build standard encompasses the following:

  • Functionality and features are reduced to the minimum required
  • Open logical network ports are cut back to just those that are necessary
  • Only essential applications are included, and these must be fully patched
  • Hardened configuration settings are applied to further reduce the Attack Surface

The same methodology should be applied to everything deployed, not just servers, desktops and applications, but the underlying infrastructure too, from the network devices to the underlying cloud, container or hypervisor platform.

In fact, anything that is network-accessible and is controlled by software and configuration settings is potentially vulnerable to attack, which is why ICS (industrial control systems) and any other OT (operational technology) must now be managed with security as a priority.

As we move to a more automated society, be it power stations keeping the lights on, 'smart city' systems controlling traffic or any of the computerized production lines and growing numbers of robot workforces, they will all need serious care and attention in terms of cyber security. Vulnerability management, secure configuration baselines and change control are non-negotiable.

Change Tracker – Automated development and maintenance of a Configuration Baseline

NNT make the entire process of creating a Hardened Build Standard, then baselining and tracking configuration drift, a ‘Business as Usual’ process.

In addition to an unlimited supply of published hardened build standards, such as the Center for Internet Security (CIS) Benchmarks or the DISA Security Technical Implementation Guides (STIGs), NNT Change Tracker now lets any device be used as a ‘Baseline Source’: the specific configuration attributes required for your Baseline are captured to create your own Gold Build Standard blueprint.

A simple Wizard UI walks you through the process so anyone can be building their own Baselines within minutes!

Build a Baseline using the Baseline Wizard

Simple, UX-driven workflows make the personalization and maintenance of a Gold Build Standard straightforward, providing all the flexibility required to promote changes to the Baseline as they are required. It works to keep everything secure, from the most advanced cloud and container infrastructure through to the more primitive OT or IIoT systems like PLCs (Programmable Logic Controllers), relays, you name it.

For example, routine patching may change not just product versions but also the associated open ports and underlying filesystem, registry and configuration settings; afterwards, you decide whether you want to ‘promote changes to the baseline’. You can also assign basic logic to the promoted changes to either replace or extend the Baseline.

Any drift can be managed with changes promoted to the Baseline
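
The promotion step described above, sketched as an added example (not NNT Change Tracker code, and not from the original page): a device state is compared with a baseline, and one drifted attribute is promoted with either 'replace' or 'extend' logic. The attribute names, the sample values and the exact meaning given to the two modes are assumptions made for illustration.

```python
# Added illustration, not NNT Change Tracker code. All attribute names and
# values below are constructed sample data.

GOLD_SOURCE = {                      # state captured from the 'Baseline Source'
    "port:tcp/22": "open",
    "port:tcp/443": "open",
    "pkg:openssl": "1.1.1k",
    "cfg:sshd/PermitRootLogin": "no",
}
PATCHED_DEVICE = {                   # same build after routine patching
    "port:tcp/22": "open",
    "port:tcp/443": "open",
    "port:tcp/8080": "open",         # new listener that arrived with the patch
    "pkg:openssl": "1.1.1l",         # expected version change
    "cfg:sshd/PermitRootLogin": "yes",   # setting weakened: must not be promoted
}

def build_baseline(source_state):
    """Each attribute maps to the set of values the baseline accepts."""
    return {attr: {value} for attr, value in source_state.items()}

def detect_drift(baseline, state):
    """Return {attr: (accepted_values, observed)}; observed None = absent."""
    drift = {}
    for attr in sorted(set(baseline) | set(state)):
        accepted = baseline.get(attr, set())
        observed = state.get(attr)
        if observed not in accepted:
            drift[attr] = (accepted, observed)
    return drift

def promote(baseline, drift, attr, mode):
    """Return a new baseline version with one drifted attribute promoted.

    Assumed semantics: 'replace' makes the observed value the only accepted
    one; 'extend' accepts it alongside the values already in the baseline.
    """
    if mode not in ("replace", "extend"):
        raise ValueError(f"unknown promotion mode: {mode}")
    accepted, observed = drift[attr]
    updated = {k: set(v) for k, v in baseline.items()}  # old version untouched
    updated[attr] = {observed} if mode == "replace" else accepted | {observed}
    return updated

if __name__ == "__main__":
    base = build_baseline(GOLD_SOURCE)
    drift = detect_drift(base, PATCHED_DEVICE)
    v2 = promote(base, drift, "pkg:openssl", "replace")
    for attr, (want, got) in detect_drift(v2, PATCHED_DEVICE).items():
        print(f"DRIFT {attr}: accepted={sorted(want)} observed={got}")
```

Promoting only the expected version change leaves the new listener and the weakened setting reported as drift, and 'extend' suits a staged rollout where devices on the old and new version must both pass.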

Of course the process is anchored in security best practices – permissions for users are controlled for all stages of baseline promotion, editing and creation, and all with a detailed, automated audit trail of who, what, when and why.

Any Baseline Image can be re-used to benchmark other systems to ensure consistency, or to evaluate drift over time.

You can even go back in time and see how the Baseline Image has been modified using NNT’s unique 4D Change Control, which provides a timeline of changes to any configuration dimension.

4D Change Control means you can view previous Baselines, drift over time, and compare configuration states between devices and times
Copyright 2021, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.