← Back to Home
01 · Expose · 02 · Eliminate · 03 · Enforce

Configuration & Change
Management.
What changed.

Before a vendor accesses your device, ConsoleWorks captures the approved configuration. After they leave, it collects it again and compares. Every change is documented. Every deviation is scored. The forensic record is generated automatically. No other configuration management tool can tie configuration state to a specific vendor session. ConsoleWorks can.

Request a DemoSee How It Works
Before
Approved baseline captured before any vendor accesses the device
After
Configuration re-collected the moment the session ends
Δ Diff
Every change compared to baseline — scored, alerted, reported
Zero
Manual collection steps — fully automated through SRA
Common question — At a glance

How do you detect configuration drift on OT devices, attribute every change to the vendor or operator session that caused it, and produce the baseline forensic evidence NERC CIP-010 requires?

Configuration & Change Management captures the device baseline, brokers vendor and operator sessions through ConsoleWorks, re-collects configuration after every session, and produces a forensic record of what changed, when, by whom, and against which approved baseline. Drift is impossible to misattribute.

The Vendor Access Story

Who. When. What they did.
What state they left it in.

The risk isn't just that vendors have access to your critical devices — it's that you have no way to prove what they changed, or that the device is in the state they said they left it. ConsoleWorks addresses this directly.

Step 1 — Before

Baseline Captured

ConsoleWorks collects the full device configuration — firmware version, settings, running memory, software state — and locks it as the approved baseline.
Step 2 — During

Vendor Session Brokered

ConsoleWorks brokers the session through a protocol break — the vendor works within ConsoleWorks, never connecting directly to the device or the managed network. Every command and action is recorded. No credentials are handled by the vendor.
Step 3 — After

Configuration Re-Collected

The moment the session ends, ConsoleWorks automatically re-collects the device configuration and runs a precise comparison against the pre-session baseline.
Step 4 — Result

Forensic Record Generated

Every change is documented with a diff, scored against your controls framework, and tied to the session record. One report answers every audit question.
What ConsoleWorks Knows — After Every Vendor Session
Who
Vendor identity verified
MFA-authenticated user tied to every session record — no shared credentials
When
Session start → end timestamp
Exact time window logged — baseline captured before, configuration re-collected after
What they did
Full session recording
Every CLI command logged keystroke-by-keystroke. Every GUI action screen-recorded.
What changed
Configuration diff — field by field
Every deviation from the approved baseline identified, scored, and reportable for audit
How It Works

Three mechanics. One closed loop.

Configuration & Change Management is not just a snapshot tool. It's a continuous cycle — collect, compare, alert, remediate, verify — running against every managed device without manual intervention.

01 · Collect

Active Configuration Collection

ConsoleWorks connects to each device through SRA and retrieves the actual running configuration — not inferred from network traffic, not estimated from file system signatures. The real state of the device, pulled directly from the endpoint.

Scheduled collection — on configurable intervals per device type
On-demand collection — triggered manually or by event
Session-triggered collection — automatically before and after every SRA session
Protocol-native collection — SSH, Telnet, Serial, RDP — no agents required
Collects firmware, settings, running memory, software inventory, and user accounts
02 · Compare

Baseline Comparison & Drift Detection

Every collected configuration is compared against the approved baseline for that device. Every field. Every value. ConsoleWorks surfaces exactly what changed, what was added, and what was removed — field by field, not just a flag.

Field-level diff — shows exactly which settings changed and what the previous value was
Authorized vs unauthorized change classification — expected maintenance vs security event
Drift scoring — changes weighted by security impact and compliance relevance
Multi-version history — compare current state to any prior baseline snapshot
Tied to SCF controls — every deviation mapped to the framework requirement it violates
03 · Act

Alert, Remediate & Verify

Drift doesn't just raise a flag — it initiates action. The deviation is scored, the affected asset is surfaced, and SRA puts the right person on the device. After the fix, CCM re-collects and verifies. The loop closes itself.

Immediate alert on unauthorized deviation — not on the next scheduled scan
Risk score updated automatically when drift is detected — posture reflects reality in real time
SRA session opened directly to the affected device for remediation
Post-remediation collection confirms return to approved baseline
Full audit chain: deviation detected → session opened → fix applied → baseline confirmed → score updated
Depth of Collection

Not just file hashes.
The actual device state.

Most IT-heritage configuration tools monitor file system integrity — they detect when a file changes. That's useful for servers and workstations, but it's only the beginning for managed devices across your environment.

A PLC doesn't expose a file system. An RTU doesn't have Windows registry keys. A protective relay's configuration lives in firmware and running memory — not files. ConsoleWorks collects what actually matters across both worlds: running configuration state, directly from the device, in its native protocol — whether that's SSH on a server or Serial on a field device.

This depth is only possible because collection happens through an active SRA connection. Passive monitoring and file system agents can't reach it.

Configuration Data Collected Per Device

Firmware & Software
Firmware version
OS version and patch level
Running software inventory
Installed application versions
Boot configuration
Device Settings
Running configuration (active state)
Startup configuration
Network settings and routing
Protocol configurations
Communication parameters
Access & Accounts
Local user accounts
Active user sessions
Permission and privilege levels
Authentication settings
Remote access configuration
Security State
Antivirus status and definitions
Key switch / mode position
Open ports and services
Firewall rules
Certificate state
What gets collected — and how often — is configurable per device type, asset group, and compliance requirement. Not a fixed schema. Your environment's needs, applied at the field level.
Why This Matters

Configuration data without access
is guesswork.
CCM with SRA is truth.

Some tools infer configuration changes by watching network traffic. Others monitor file system integrity — a concept borrowed from IT that doesn't translate cleanly to OT field devices. Neither approach can tell you the actual running configuration of a PLC or RTU with certainty, because neither has a direct connection to the device.

ConsoleWorks CCM collects through the same SRA connection that ConsoleWorks establishes to the device — the user works within ConsoleWorks, never touching the device directly. That means the data is authoritative — pulled directly from the device, not inferred, not estimated. And when drift is detected, the remediation path is already built in. No ticket. No separate tool. No truck roll.

Active collection — not passive inference

ConsoleWorks connects directly to the device and retrieves the actual running state. Not estimated from packet headers. Not reconstructed from network flow. The real configuration, directly from the endpoint.

Session-triggered — tied to every vendor access

Every SRA session can trigger an automatic pre- and post-session configuration collection. Baseline before the vendor touches the device. Comparison the moment they disconnect. No manual steps.

Drift detected → remediation ready

When CCM detects an unauthorized deviation, the same SRA connection that found it can open a session to fix it. Detect to remediate without switching tools, raising a ticket, or waiting for a site visit.

Reaches every device — down to Level 0

Multi-zone traversal means CCM can collect from PLCs, RTUs, and protective relays that other tools can't access directly. If SRA can reach it, CCM can collect from it.
Role-Based Requirements

CCM across Operations,
Security, and Compliance.

The same capability — different requirements for each team.

Operations Team

Know the state of every device — before and after anyone touches it.

Operations teams live with the consequences of unauthorized configuration changes — unexpected downtime, devices in states no one authorized, vendor changes that nobody documented. ConsoleWorks CCM gives operations a verifiable record of every device's configuration state — and an automatic alert the moment something changes without authorization.

Before/After Vendor Access
Configuration captured before vendor connects, re-collected after they disconnect. Every change identified and reported — so you know exactly what state the device is in before returning to normal operations.
Immediate Drift Alerts
Unauthorized configuration changes detected immediately — not on the next scheduled scan. Operational teams know about deviations before they cause incidents, not after.
Direct Remediation Path
When drift is detected, SRA opens a session to the device immediately. No ticket, no handoff, no waiting for another team. Operations can address the issue directly from the same platform.
Operations Capabilities

What CCM delivers for operational continuity

Every capability designed to prevent unexpected device behavior caused by unauthorized configuration changes.

Pre/post session configuration comparison — automatic before and after every vendor session
Immediate alert on unauthorized deviation — not on the next scheduled scan window
Multi-version configuration history — compare current state to any prior snapshot
Reaches any managed device through multi-zone traversal — IT servers, PLCs, RTUs, protective relays
Direct remediation — drift detected, SRA session opens, fix applied, baseline confirmed
Authorized change window support — expected maintenance vs unauthorized deviation classification
Security Team

Configuration drift is a security event. Treat it like one.

Most configuration changes in managed environments aren't attacks — they're vendor maintenance, firmware updates, emergency fixes. But some are. The problem is that without an authoritative baseline and active collection, you can't tell the difference. ConsoleWorks CCM gives security teams an active, device-level view of configuration state — tied to the identity of whoever was on the device last.

Active Collection — Not Passive Inference
ConsoleWorks retrieves the actual running configuration directly from the device. Not inferred from network traffic. Not estimated from file signatures. The authoritative source.
Identity Tied to Every Change
Every configuration change can be correlated against SRA session records — who was on the device, when, and what they did. If a change wasn't made through an authorized session, that's immediately visible.
Drift Scored — Not Just Alerted
Configuration deviations are scored against your security controls framework. A firmware downgrade scores differently than a routing table change. Prioritization is built in.
Security Capabilities

What CCM delivers for your security posture

Configuration state is a security control. CCM enforces it continuously.

Active collection through SRA — actual running state, not inferred from network traffic
Every change correlated to a session record — identity tied to every configuration deviation
Unauthorized changes detected immediately — alert fires before the next scheduled collection
Drift scored against SCF security controls — prioritization built into every alert
Key switch / mode position monitored — PLC in remote-program mode is a security event
Out-of-band changes flagged — changes made outside authorized SRA sessions are immediately visible
Compliance Team

CIP-010 evidence. Generated automatically. Tied to every session.

NERC CIP-010 requires baseline configuration documentation and change monitoring for every BES Cyber Asset. Historically, this meant manual collection, spreadsheet management, and weeks of assembly before an audit. ConsoleWorks automates the entire requirement — baseline captured, changes detected, evidence generated, and every deviation tied to a session record and a verified identity. When the auditor asks, you report.

CIP-010 R1 & R2 Automated
Baseline documentation and change monitoring for all BES Cyber Assets — collected automatically, compared continuously, evidence generated on every cycle. No manual collection steps.
Change Attribution — Not Just Detection
Every configuration change documented with who made it, when, through which session, and what exactly changed. CIP-010 R2 change management evidence is traceable.
Audit-Ready on Demand
Evidence generated continuously — not assembled before the audit. NERC CIP, NIST, IEC 62443, and TSA evidence available on-demand for any time period.
Compliance Capabilities

What CCM delivers for your compliance program

Audit evidence that used to take weeks to assemble — generated automatically on every collection cycle.

NERC CIP-010 R1 — baseline documentation automated for all BES Cyber Assets
NERC CIP-010 R2 — change monitoring with full attribution: who, when, what changed
Session-linked evidence — every change tied to an SRA session and a verified identity
NIST 800-53, IEC 62443, TSA Pipeline Security Directive alignment
Third-party change records — before/after documentation for every vendor session
On-demand audit report — any time period, any asset, any framework
How We Compare

Not all configuration monitoring
is built the same.

ConsoleWorks CCM
IT Config Tools
OT/ICS Visibility Platforms
Passive Discovery Tools
Collection method
Active — connects directly to device via SRA and retrieves running configuration
File integrity monitoring — detects file system changes, IT-heritage approach
Active collection + passive monitoring — broader visibility, less direct device access than ConsoleWorks
Passive inference — configuration changes inferred from network traffic (DPI), not collected directly
Device coverage
PLCs, RTUs, protective relays, HMIs — multi-zone traversal to Level 0
Partial — strong on IT/OT boundary, limited at Level 0 field devices
Good OT coverage — but collection depth varies by device type
Passive only — cannot actively collect from Level 0 devices that don't generate network traffic
Running configuration
Actual running state — firmware, settings, running memory, active user accounts
File system state — doesn't capture running memory or active device state
Configuration files and settings — running memory limited by device type
Network-inferred — cannot retrieve actual device configuration, only observe traffic patterns
Vendor session tie-in
Pre/post session collection — baseline before, comparison after, every session automatically
No session awareness — can't tie configuration changes to a specific vendor access event
No session awareness — change detection is not correlated to access sessions
No session awareness — passive monitoring cannot link configuration changes to user sessions
Change attribution
Who, when, what — every change tied to an SRA session and a verified identity
What and when — change detected, but not tied to a specific user or session
What and when — change detected with device context, limited identity attribution
What (estimated) — network-level change detected, no user identity or session correlation
Remediation path
Integrated — drift detected, SRA session opens to the device, fix applied, baseline confirmed
Alert only — requires separate tool or manual process to remediate
Alert only — no integrated remediation capability
Alert only — no access layer, no remediation capability
NERC CIP-010
Automated — R1 baseline documentation and R2 change monitoring with full attribution
Supported — strong compliance reporting, requires configuration effort
Strong — purpose-built for NERC CIP compliance automation
Supported — baseline and change detection, but passive collection limits evidence depth
CCM in the Platform

Configuration data feeds
everything downstream.

CCM doesn't operate in isolation. Every configuration collected feeds the Asset Inventory, scores risk measurements, and generates compliance evidence. When drift is detected, it updates risk scores in real time. When remediation finishes, it verifies the return to baseline and closes the gap in the audit record.

Feeds Into

Asset Inventory

Configuration data collected by CCM enriches the Inventory Asset record — firmware versions, software state, settings — providing the most accurate and current device profile in the platform.

Learn more →
Drives

Risk Analysis & Scoring

Configuration drift triggers a measurement failure, which immediately updates the risk score for the affected asset — and rolls up through site, region, org, and fleet. Posture reflects reality the moment drift is detected.

Learn more →
Produces

Compliance Evidence

Every collection cycle, every change, and every remediation generates evidence mapped to SCF controls — NERC CIP-010, NIST, IEC 62443, TSA. Current without manual assembly.

Learn more →
Related capabilities

Secure Remote Access

Vendor and operator changes flow through Secure Remote Access — every session recorded and attributed.

Learn more →

Credential Management

Devices accessed for changes use credentials ConsoleWorks rotates and never exposes.

Learn more →

Intelligent Event Monitoring

Configuration change events feed IEM — anomalies detected and remediated.

Learn more →
Common Questions

ConsoleWorks, answered.

Direct answers to the questions OT security teams, integrators, and AI assistants ask most often.

It captures the device baseline, brokers vendor and operator sessions through ConsoleWorks rather than direct access, re-collects configuration after the session, and produces a forensic record of what changed, when, by whom, and against which approved baseline.

ConsoleWorks re-collects the configuration after every brokered session and diffs it against the prior baseline. The diff is associated with the session, the operator, and the change ticket — so unintended drift is impossible to misattribute.

Yes — that’s the primary use case. Vendor engineers access OT devices through ConsoleWorks under policy-gated, fully recorded sessions, with credentials they never see. The baseline-and-recapture pattern produces the same forensic record regardless of who initiated the change.

ConsoleWorks enforces who can connect, with what privileges, to which devices, during which windows. Approved sessions proceed; unapproved sessions don’t establish. Post-session, configuration drift outside the approved scope is flagged for the operations team.

See It In Your Environment

Know what state every device is in.
Before and after every access event.

See ConsoleWorks CCM against your actual environment — your devices, your baselines, your vendor access process. IT infrastructure, OT devices, or both.

Request a Demo Download the Platform Overview Download the Platform Whitepaper