System version management in OT-BASE Asset Center is basically the capability to baseline a given configuration of an OT system, automatically be made aware of any configuration changes from the last approved version, and tracking those changes.
Required access rights to approve a system configuration
In order to be able to approve system configurations, you must be a member of a user group with the "approve release" permission set to Yes.
You will then be able to approve system configurations by clicking the "Approve" button in the systems list.
Automatic integrity check
When you approve a given system configuration, this now becomes the baseline against which you will be able to detect and document changes. These changes might be due to planned change, random configuration drift, or malicious misconfiguration.
After approving the current configuration of a system, you will see the following information in the new columns that have been added to the system table:
- If the system is in its approved configuration (check mark) or if there have been configuration changes after the approval ("x"). If the system was never approved, this field will be empty.
- The date of the approval.
- The name of the approver.
- The release identifier, which is automatically assigned by OT-BASE and will be incremented when you approve subsequent system configurations.
Note that you may need to activate the new columns with right-click in the column header row.
Approval information in the system profile
For systems that have been approved at some point in time you will see a "Release Management" section in the system profile. This section will detail any configuration changes between releases, and also between the latest release and the current (non-approved) configuration if there were any configuration changes after the last release. For the initial release, you will see all the devices that have been added to the system.
For the devices in the system device list you will see a new column "Approved" that contains a checkmark if a device's configuration is unchanged in respect to the last approved release, or an "X" if there were any changes. Note that you can also sort the list by this column by clicking on the column header, as with other columns. This way you can easily identify any devices that were changed after the last approval.
Unapproved configuration changes in the EVENTS page
If the configuration of a device that is part of an approved system is changed, the device will be identified in the new "Changed systems" area in EVENTS. As usual you can double click on an entry to open the device profile, where you will be able to see the configuration changes in the timeline at the bottom of the profile.