Gold Image and Baseline Configuration Standard - ICS and OT security
Being the victim of a cyber-attack can be scary, expensive and potentially business-crippling.
So how do you prevent a cyber-attack? Make security a priority for all IT operations, and start by making systems as ‘hacker proof’ as possible.
Gold Build Standard? Corporate Build / Hardened Build? Controlled Image? Baseline Configuration? You’ll find the need for a Gold Build Standard in all compliance frameworks (for example, NIST 800-53 CM-2 and CM-3, CIS Control 5.2, PCI DSS Requirement 2 and especially NERC CIP 007-3 and 010-3) as a means of guaranteeing security. Without a consistent build, how else can you expect security to be maximized?
A Hardened Build standard encompasses the following:
- Functionality and features are reduced to the minimum required
- Open logical network ports are cut back to just those that are necessary
- Only essential applications are included, and these must be fully patched
- Hardened configuration settings are applied to further reduce the Attack Surface
The same methodology should be applied to everything deployed, not just servers, desktops and applications, but the underlying infrastructure too, from the network devices to the underlying cloud, container or hypervisor platform.
In fact, anything that is network-accessible and is controlled by software and configuration settings is potentially vulnerable to attack, which is why ICS (industrial control systems) and any other OT (operational technology) must now be managed with security as a priority.
As we move to a more automated society, be it power stations keeping the lights on, 'smart city' systems controlling traffic or any of the computerized production lines and growing numbers of robot workforces, they will all need serious care and attention in terms of cyber security. Vulnerability management, secure configuration baselines and change control are non-negotiable.
NNT makes the entire process of creating a Hardened Build Standard, then baselining and tracking configuration drift, a ‘Business as Usual’ process.
In addition to an unlimited supply of published hardened build standards, such as the Center for Internet Security (CIS) Benchmarks or the DISA Security Technical Implementation Guides (STIG), NNT Change Tracker now lets any device be used as a ‘Baseline Source’: the specific configuration attributes required for your Baseline can be captured to create your own Gold Build Standard blueprint.
A simple Wizard UI walks you through the process so anyone can be building their own Baselines within minutes!
Simple, UX-driven workflows make the personalization and maintenance of a Gold Build Standard straightforward, providing all the flexibility required to promote changes to the Baseline as they are required. It works to keep everything secure, from the most advanced cloud and container infrastructure through to the more primitive OT or IIoT systems like PLCs (Programmable Logic Controllers), Relays, actuators...you name it.
For example, following routine patching where not just product versions may change, but also the associated open ports and underlying filesystem, registry and configuration settings, you decide if you want to ‘promote changes to the baseline’. You can also assign basic logic to the promoted changes to either replace or extend the Baseline.
Of course the process is anchored in security best practices – permissions for users are controlled for all stages of baseline promotion, editing and creation, and all with a detailed, automated audit trail of who, what, when and why.
Any Baseline Image can be re-used to benchmark other systems to ensure consistency, or to evaluate drift over time.
You can even go back in time and see how the Baseline Image has been modified over time using NNT’s unique 4D Change Control, providing a timeline of changes to any configuration dimension.
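The drift check and the replace/extend promotion described above can be sketched as follows. This is an added example, not NNT Change Tracker code: the attribute names, sample values and the exact meaning given to "replace" and "extend" are assumptions made for illustration.

```python
# Added illustration: attribute names, values and promotion semantics are assumptions.
GOLD_SNAPSHOT = {            # constructed sample taken from a "Baseline Source" device
    "pkg:openssl": "3.0.13",
    "port:tcp/22": "open",
    "port:tcp/502": "open",  # Modbus/TCP, typical on an OT gateway
    "cfg:sshd/PermitRootLogin": "no",
}
PATCHED_HOST = dict(GOLD_SNAPSHOT, **{"pkg:openssl": "3.0.14", "port:tcp/8080": "open"})

def make_baseline(snapshot):
    """Each attribute maps to the set of values the baseline accepts."""
    return {attr: {value} for attr, value in snapshot.items()}

def drift(baseline, observed):
    """Map each deviating attribute to (accepted values or None, observed value or None)."""
    report = {}
    for attr in sorted(baseline.keys() | observed.keys()):
        accepted, value = baseline.get(attr), observed.get(attr)
        if accepted is None or value is None or value not in accepted:
            report[attr] = (accepted, value)
    return report

def promote(baseline, observed, attrs, mode):
    """Return a new baseline with the reviewed attributes promoted.
    'replace': only the observed value is accepted from now on.
    'extend':  the observed value is accepted alongside the existing ones."""
    if mode not in ("replace", "extend"):
        raise ValueError(f"unknown promotion mode: {mode}")
    updated = {attr: set(values) for attr, values in baseline.items()}
    for attr in attrs:
        if attr not in observed:
            updated.pop(attr, None)              # approved removal
        elif mode == "replace":
            updated[attr] = {observed[attr]}
        else:
            updated.setdefault(attr, set()).add(observed[attr])
    return updated

if __name__ == "__main__":
    gold = make_baseline(GOLD_SNAPSHOT)
    print("after patching:", drift(gold, PATCHED_HOST))
    # Approve only the OpenSSL change; the unexpected port stays flagged.
    rolling = promote(gold, PATCHED_HOST, ["pkg:openssl"], "extend")
    print("still drifting:", drift(rolling, PATCHED_HOST))
    print("unpatched host:", drift(rolling, GOLD_SNAPSHOT))
```

Promoting only the reviewed attribute keeps the newly opened port in the drift report, which is the point of separating patch-related change from unplanned change.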
Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.
Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.