Why OTbase
The quintessential tool driving the Digital Transformation
Designed by the team that cracked Stuxnet, OTbase is the first platform specifically designed to help medium and large enterprises move toward secure and resilient OT networks.
What’s so special about OT asset inventories?
Factory automation is getting ever more complex. Call it the Digital Transition, IT/OT Convergence, or IoT. No matter what you call it, it just keeps growing and becoming more intertwined.
The reality is that in large and mid-size industrial companies, OT has become far more complex than IT. But where IT has a Configuration Management Database (CMDB), OT has a bunch of outdated Excel spreadsheets.
The remedy is well known: You need a comprehensive and accurate OT asset inventory, providing functionality similar to what IT has enjoyed for decades in its CMDBs.
Everybody agrees with this, yet companies are struggling to make it happen. The simple reason is that they were using inappropriate tools.

What about conventional tools?
Manual data collection. You must assign someone, likely an entire team, to collect and enter all asset details. The information gathered barely scratches the surface of what you have installed, yet the whole process may take weeks.
Local focus. OT asset inventories kept in Excel are usually created for an individual site, or even a specific machine line or plant component. While an IP address like 192.168.0.10 might mean something for a local engineer, it becomes meaningless for an analyst who is working on multiple data sheets from different sites.
The Excel file is often stored on someone’s local machine. It is not accessible by other users, or updated regularly. There is no access control. Often, a “version conflict” will be created.
At least go to automatic discovery. Let’s just assume you still plan to use Excel as the documentation tool of choice for your OT asset inventory. But just drop the laborious manual asset discovery for good. Check out OTbase Snapshot, which supports automatic discovery and gives you an Excel table with asset details like never before.
Excel is by far the most (ab)used application for OT asset inventories. While Excel is great for many things, an OT asset inventory is not one of them. If for some reason you still plan to use Excel, at least automate the discovery process using OTbase Snapshot.
Requires hardware sensors. The original sin of the product category. Commissioning of those sensors is expensive and time-consuming, prompting most asset owners to limit the number of sensors, which in turn means limited visibility — particularly for East/West traffic.
CVE “probabilities” and “likelihoods”. If you don’t have exact asset details, you can’t reliably determine the known vulnerabilities that affect your assets. That’s why you see “probabilities” and “likelihoods” assigned to vulnerabilities, which make the product category useless for vulnerability management.
Insufficient asset details. No matter how much vendors boast about asset “visibility”, the reality is that passive sniffing can yield only so much data about an asset based on deep packet inspection. Call yourself lucky if you see useful serial numbers, firmware versions, and apps.
No network visibility. When OT threat detection products talk about networks, they actually mean data flow. The reality is that passive discovery doesn’t allow you to tell which devices are on one and the same subnet. OTbase, on the other hand, even draws automatic L1 network topology maps for you.
OT Threat Detection products have their place for network anomaly detection, but they are inappropriate for creating and maintaining OT asset inventories. The simple reason is the underlying technology (passive discovery), which doesn’t yield sufficient asset details.
Limited coverage. Proprietary OT asset management tools from automation vendors are usually limited to the vendor’s own product lines. If you run systems from multiple vendors (let’s just say Emerson, Rockwell, Siemens for starters), you will find asset details siloed in the respective platform.
Limited functionality. Overall functionality and usability of automation vendor tools cannot compete with OTbase. The reason is simple: The proprietary tool is meant to be an add-on to existing automation software, for existing customers. It was not developed with the idea of competing against independent offerings.
Proprietary asset management tools may have their place in OT mono-cultures, where an organization’s OT is limited to one automation vendor’s products, and where expectations about functionality and usability are humble. For every other scenario they are not the best choice.
Deep dive:
What makes OTbase different from OT threat detection products?
If you are familiar with OT threat detection products, you know that they also claim to provide an OT asset inventory. Another term in this context is “asset visibility”. The fact is that they don’t live up to the promise. If you introduce an OT threat detection product for detecting anomalies in network traffic, you may get what you wished for. If you hoped for a solid OT asset inventory, you will be disappointed. Check the following table for the differences between OTbase and OT threat detection solutions:
OT Threat Detection Solutions | OTbase |
---|---|
Require hardware sensors with complex and expensive deployment procedures | Software-only solution, no hardware sensors required |
Forced Cloud hosting. Your asset information is transferred to an anonymous server. | Self-hosted on premise (OTbase Enterprise). You retain full custody of your sensitive asset data |
Anecdotal serial number information | Comprehensive serial number data, including I/O modules, sensors, and actuators |
Don’t know about networks. You get IP addresses, but it’s unknown which logical networks they belong to. | Fully enumerates your process networks, highlighting spare IP address ranges and DHCP scopes |
No visibility into field buses. All your legacy gear in ControlNet etc. is invisible. | Discovers lots of field buses like ControlNet, DeviceNet, Profibus, SERCOS, EtherCAT |
No manual asset entry | Supports creating new assets manually, via REST API, Excel import, and by cloning existing assets |
Limited support for custom data fields | Unlimited support for custom fields and file attachments |
Unreliable CVE mapping with “probabilities” and “likelihoods”, making the tool useless for vulnerability management | Exact CVE mapping with integrated prioritization logic and remediation workflow |
No software inventory | Detailed software inventory with installed apps, components, security patches, and time of last execution |
Limited access control to asset information | Granular access control based on multiple metadata dimensions (geolocation, role, …) |
No IP address management functionality | Integrated IP address management functionality |
No change management workflow | Integrated change management workflow |
No configuration integrity assurance capability | Integrated configuration integrity assurance |
No problem management workflow | Integrated problem management workflow |
No spare parts management | Integrated spare parts management |
Limited obsolescence management | Extensive obsolescence management |
Realtime analysis of network traffic in order to detect anomalies (potential cyber attacks) | Data flow collection, visualization, and analysis |
What's required for a real OT asset inventory? We wrote the book on it.
When you have been working on OT asset inventories for over two decades, you know a thing or two about the subject. The OT Asset Inventory Handbook outlines the requirements for an OT asset inventory that’s actually useful. You’ll read about:
- Legacy OT asset inventories
- Getting the must-have data from your devices
- Populating an OT asset inventory
- Managing access control in an enterprise environment
