Using OT-BASE Report Writer is extremely simple. Just follow these steps.
1. Export desired asset data from OT-BASE Asset Center
In OT-BASE Asset Center, go to INVENTORY/DEVICES and filter the result set that you want to report on. In order to do this, use the Scope pane (for example, to filter for assets at one particular site or one particular network), and the other filter options.
After you have checked in the device table that the result set is as desired, export asset data by clicking on "JSON Export".
The result file will be placed in your download folder and start with the name "OT-BASE Devices".
2. Start OT-BASE Report Writer and specify source and destination files
Start OT-BASE Report Writer, usually by clicking on the program icon on your Desktop. OT-BASE Report Writer will open its main window and also a file selector box that prompts you for the source file, i.e. the asset data that you have exported from OT-BASE Asset Center.
After you have opened a PID file, you will be prompted to specify a file name for the resulting report.
3. In the main window, select the desired output settings
The main window of OT-BASE Report Writer allows you to adjust several settings that affect how verbose the report will be.
In the "vulnerability reporting" area you can specify with the slider what category of vulnerabilities you want to report on. If you select the default setting, only critical vulnerabilities will enter into the report. If you want vulnerability reporting to be more verbose, move the slider to include other (lower priority) vulnerabilities as well.
In the "other" area you can select the following settings:
- CVE Word Cloud: Checking this box will cause Report Writer to generate a Word Cloud that highlights software products with the highest numbers of vulnerabilities. In order to do this, Report Writer downloads up to 1000 CVE descriptions for your most critical vulnerabilities from the NIST website (https://nvd.nist.gov). The result looks like this:
The downside is that this process is time consuming, since every call to the NIST site takes around a second. This means that generating your report may take around 20 minutes, hence the option to turn it off.
- Policy chapter template: In an OT security assessment report, you will have to include a chapter on policy. Unfortunately, the best that OT-BASE can do for you is to provide a template that you may fill with a discussion of existing policies, their completeness and appropriateness, and any policy audit results. For other use cases, such as a simple OT asset inventory project, you don't necessarily need a chapter on policy, and may de-select this option.
- Device details: Report Writer can add kind of an OT asset inventory at the end of the report, where each asset is described individually along with location, operating system / firmware version, I/O modules etc. Such an appendix is mostly useful if your report is for an asset inventory project. For other use cases, it might not be needed. Depending on the number of devices in your source file, the device details appendix may well be several hundred or even thousand pages long, therefore the option to disable it.
4. Start the report run
After you have made your settings, start building the report by clicking the "Start" button. You will be able to monitor progress in the status bar at the bottom of the window.
5. Exit Report Writer
When Report Writer is finished, the "Start" button will change its label to "Exit". Press the exit button and post-process your report.