← Back to Home

How It Works · OT Inventory, Risk, Compliance

The mechanism
behind
Intelligent
Operations.

Most environments have gaps no one knows about. ConsoleWorks is the mechanism that finds them — and closes them.

ConsoleWorks builds a unified, continuously updated asset inventory — from your existing security tools, from direct device collection, or from both — then applies binary measurement logic against every asset, aggregates Pass/Fail results through the SCF control hierarchy, and surfaces gaps ranked by organizational impact. Whether ConsoleWorks is one tool in your stack or your primary security platform — IT, OT, or both — the mechanism is the same. Here's exactly how.

Request a Demo See How It Works
Inventory
Collect

Tool Data Collectors ingest asset data

API-based connectors, direct device collection, and structured imports build the unified asset inventory
Map

Mapping Rules build the unified inventory

Field mapping, normalization, device correlation, and deduplication produce one record per physical asset
Measure
Measure

Inventory meets your controls framework

Configurable Pass/Fail questions run against the unified inventory — you define what compliance looks like, ConsoleWorks measures every asset against it
Risk Assessment
Score

Rollup Scores aggregate through SCF hierarchy

Sub-control → Control → Domain → Site → Organization → Fleet, continuously updated
Act

Eliminate directs remediation. Enforce keeps it closed.

Failed measurements surface gaps. SRA puts teams on assets. Evidence auto-generates.
Continuously · Automatically · Without Manual Intervention
Common question — At a glance

How do you operate OT cybersecurity as a continuous evidence cycle — discovering assets, measuring controls, remediating gaps, and producing audit-ready compliance evidence — across NERC CIP, NIST 800-82, and IEC 62443?

ConsoleWorks runs an unbroken evidence cycle across every OT asset: collect from existing tools, map against your compliance framework, score every control, surface the gaps, remediate, and re-measure on the next cycle. This is how compliance posture moves from a quarterly snapshot to a continuous, defensible record.

Inventory

Every asset. One inventory.
However your data arrives.

The Asset Inventory is built from whatever data sources your environment has — existing security tools, active device collection, imported spreadsheets, or all of the above. If you have discovery tools, vulnerability scanners, or a CMDB, Tool Data Collectors (TDCs) connect via API and pull structured asset metadata automatically. If ConsoleWorks is your primary platform, Active Collection retrieves asset data directly from managed devices. Either way, the inventory is unified, continuously updated, and reflects operational reality — not tool artifacts.

01

Collect

Source Data — Tools, Spreadsheets, Manual
Asset Discovery
Network / OT Discovery
OT Assets Protocols Network Topology
Vulnerability Scanner
Security Assessment
Patches Software Vulnerabilities Ports
Firewall / Network
Network Security
Firewall Rules Network Users
Existing Asset Records
CMDB / Spreadsheet Import
Asset Records Site Data Ownership
Privileged Access
SRA — ConsoleWorks
Sessions Credentials Access Events Session Recordings Command Logs
Active Collection
CCM — Direct Device Connection
Running Config Firmware State Authoritative
Gold = ConsoleWorks native source
02

Map

Mapping Rules — The Processing Engine
Field Mapping
Maps source tool fields to destination inventory fields — defining exactly where each data point lands in the unified asset record.
Priority Resolution
When multiple tools report the same field, priority settings determine which source wins. Data collected directly from the device through Active Collection (CCM) takes precedence — it's the most authoritative source.
Value Normalization
Values are standardized automatically across sources — "Microsoft Windows Server 2019" becomes "Windows Server" consistently regardless of which tool reported it.
Device Correlation
Dual-homed devices — assets with multiple IP addresses — are correlated into a single inventory record. One physical asset, one record, regardless of how many tools discovered it.
Condition Logic
Rules can be configured to apply only under specific conditions — "only process assets with OS containing Windows," or "only apply to assets in this site classification."
Deduplication
Six tools discovering the same device produces one inventory record — not six. Mapping Rules determine whether incoming data creates a new asset or updates an existing one.
03

Inventory

Unified Inventory Asset — One Record Per Physical Asset
Asset Name
Software
Patches
Users
Vuln
Firewall Rules
Hardware
Networks
Antivirus
One record per physical asset — regardless of how many tools contributed data, how many IP addresses the device has, or how many times it appeared across sources. The inventory reflects operational reality, not tool artifacts.
Measure

Every asset. Every question.
Pass or Fail.

Inventory tells you what exists. Measurement tells you whether what exists is in the right state. ConsoleWorks is the only platform that lets you define what "right state" means — mapped to your controls framework — and then measures every asset against it, continuously. The result isn't just operationally useful. It's auditable.

Measurement Questions

The Intelligent Measurement Engine

Each measurement is a configurable question evaluated against the unified inventory — checking asset sub-components like software, patches, antivirus, users, and ports — and returning Pass or Fail. No subjectivity. No manual review.

AV_INSTALLED
Is antivirus software installed and recorded against this asset?
PASS
AV_DEFS_CURRENT
Are AV definition files current within the required update window?
FAIL
PATCH_CURRENT
Has this asset been patched within the required compliance window?
FAIL
CERT_UPDATED
Has the SSL certificate been updated within the last 12 months?
PASS
SESSION_RECORDED
Are all privileged access sessions recorded and tied to an audit record?
PASS
Running continuously — every asset, every measurement, every parameter

The engine behind
Intelligent Operations.

Most platforms alert. ConsoleWorks measures. The Intelligent Measurement Engine runs security, compliance, and operational queries against your managed inventory — automatically generating the scores that feed everything else on the platform.

The Query Layer

Intelligent Measurement Engine

Queries run continuously against every asset — asking every security, compliance, and operational question your controls framework requires. Each returns a binary answer: Pass or Fail.

Is this device running authorized firmware?
PASS
Has this asset been patched within the required window?
FAIL
Does this configuration match the approved baseline?
FAIL
Are all privileged access sessions recorded and audited?
PASS
Running continuously across managed assets and parameters
True/False responses
feed scoring engine
The Scoring Layer

Risk Analysis & Intelligence

Pass/fail results from the Query Layer feed the scoring engine, rolling up through your compliance hierarchy. Weights can be applied at any level — ensuring every score from measurement to fleet reflects your organization's actual priorities.

Fleet — Region — Site
Scores roll up through your full organizational hierarchy — continuously updated
Domain
Control scores roll up to domain — e.g. System Security Management
Control
Sub-control scores roll up to the control level — e.g. CIP-007
Sub-control
Measurement scores roll up to the sub-control level of your compliance framework
Measurement
Asset results roll up to a measurement score. Weights can be applied at this level and any level above to reflect your organization's priorities.
Asset
Each asset returns true or false for every measurement applied to it
Risk Assessment

From binary results to
organizational risk posture.

Most platforms give you a risk score based on their algorithm. ConsoleWorks gives you a risk score based on yours. You define the asset groups that mirror your organization — site, region, market, fleet, or any structure that reflects how you actually operate. You define the weightings that reflect your priorities — a critical substation's gap carries more weight than a back-office server's. ConsoleWorks then calculates and aggregates continuously, rolling measurement results up through sub-controls, controls, domains, and your full organizational hierarchy. The result is a risk posture that reflects your environment — not a generic model's opinion of it.

One framework to rule them all.

ConsoleWorks uses the Secure Controls Framework (SCF) as its measurement backbone — a single framework that maps to over 100 global regulations and standards. You configure your controls once. ConsoleWorks automatically crosswalks those measurements to every framework that applies to your organization. Switch between frameworks in the diagram — the same underlying measurements, scored through the lens of each regulation.

Learn about the Secure Controls Framework
The Rollup Hierarchy

From measurement to fleet

Measurement results roll up automatically through the SCF hierarchy — sub-control, control, domain — and simultaneously through your asset group structure. Levels update continuously. No manual aggregation. No scheduled reports.

Mapped to
SITE ALPHA78%
└─Endpoint Security (ES)NIST: SI71%
└─ES-03 Malicious CodeNIST: SI-363%
└─ES-03.1 AV Installation61%
└─AV_INSTALLED (measurement)94%
└─AV_DEFS_CURRENT (measurement)41%
└─ES-03.2 AV Configuration74%
└─ES-06 Patch ManagementNIST: SI-276%
└─Identity Access Ctrl (IAC)NIST: AC84%
└─Audit Logging (ALM)NIST: AU91%
Asset Level View · Site Alpha

Failed measurements.
Specific assets.

Every score traces to a specific asset. Every failed measurement shows you exactly which device failed and why. The Fix button appears for devices ConsoleWorks actively manages — assets with a live SRA connection. For those, remediation starts here.

AV_DEFS_CURRENT
Measurement: AV Definitions Current
41% passing
RTU-PLANT-04
Definitions 47 days out of date
FAIL
SRA session would open to RTU-PLANT-04
HMI-CTRL-09
Definitions 31 days out of date
FAIL
SRA session would open to HMI-CTRL-09
ENG-WRK-02
AV service stopped — no definitions loaded
FAIL
SRA session would open to ENG-WRK-02
HIST-SVR-01
Definitions current — updated 2 days ago
PASS
SCADA-PRI-01
Definitions current — updated 1 day ago
PASS
Updated continuously — every asset re-evaluated on each collection cycle

Scores are only as useful as the assets behind them.

Every score traces back to a specific asset record in the inventory — not an estimate, not a sample. A 41% on AV definitions means exactly three devices failed that measurement, and you're looking at them. The Fix button appears for devices ConsoleWorks actively manages — assets reachable through an SRA connection. For those devices, the path from gap to remediation is a single click.

Enforce

Gaps closed. Evidence generated.
Audit-ready.

Most compliance programs treat audit evidence as something you collect before an audit. ConsoleWorks generates it as a byproduct of how the platform operates — tied to every measurement, every remediation, and every session. Your next audit starts the moment you deploy.

One measurement. Every framework. Simultaneously.

Every Measurement Question is mapped to one or more SCF sub-controls. Because SCF is a meta-framework that crosswalks to hundreds of regulations, a single Pass/Fail result simultaneously satisfies controls across NERC CIP, NIST 800-53, IEC 62443, TSA Pipeline Directives, HIPAA, SOX, and PCI-DSS — automatically. You configure the measurement once. ConsoleWorks reports it everywhere.

The result is a compliance posture that is always current — not a snapshot taken at audit time. When an auditor asks for evidence of CIP-007 R3 compliance, you don't assemble it. You report.

SCF Framework Mapping

Configure once. Report everywhere.

A single measurement satisfies controls across every framework simultaneously — mapped through SCF automatically.

Measurement Question
AV_DEFS_CURRENT
Are AV definition files current within the required update window?
FAIL — 3 assets
Maps to SCF Sub-control
ES-03.1 · Malicious Code Prevention — AV Currency
Automatically crosswalked to
NERC CIP
CIP-007 R3
NIST 800-53
SI-3
IEC 62443
SR 3.2
NIST CSF
PR.DS-1
SOC 2
CC6.8
ISO 27001
A.12.2
Audit Evidence — Auto-Generated

What gets produced on every cycle.

Every session, every measurement, every remediation produces evidence automatically — stored, timestamped, and traceable to the source data.

Measurement Results
Every Pass/Fail result per asset, per measurement, per cycle — timestamped and tied to the source inventory data
Session Records
Full CLI keystroke logs and GUI screen recordings — every privileged session tied to a verified identity, timestamped, and protected
Remediation Records
Gap detected, fix applied, measurement re-run, score updated — the full chain from failure to verified closure, automatically documented
Trend History
Posture trajectory at every level — asset, site, region, org, fleet — showing whether controls are improving, stable, or degrading over time
RBAC & Access Logs
Who had access to what, when it was granted, when it ended — role assignments, permission changes, and vendor provisioning all logged automatically

Your auditor asks. You report.

Audit preparation used to mean weeks of pulling logs, cross-referencing spreadsheets, and hoping nothing was missed. ConsoleWorks generates evidence continuously — from every measurement cycle, every session, every remediation action.

When a NERC CIP auditor asks for CIP-007 R3 evidence for the last 12 months, you don't assemble it. You select the date range and report. The evidence is already there — tied to specific assets, specific measurements, and specific sessions.

And because it's generated from live measurement data — not manually entered — it's traceable all the way back to the source. Every score has a measurement behind it. Every measurement has an asset behind it. Every asset has a record behind it.

Expose · Eliminate · Enforce
What Intelligent Operations delivers. Across your managed assets. Continuously.
01 · Expose
See Every
Risk.
Continuous Asset Intelligence

Expose is more than discovery. It's a structured picture — every asset collected, every configuration measured, every gap scored across Security, Compliance, and Operational dimensions. A risk isn't exposed until it's visible, measured, and ranked. ConsoleWorks does all three, continuously.

  • Unified inventory built from existing tools, direct collection, or both — no rip and replace required
  • Measurement Questions evaluate every asset against your controls framework
  • Risk scored across Security, Compliance, and Operational dimensions simultaneously
  • Gaps ranked by organizational impact — asset through fleet
  • Every finding tied to a specific asset, a specific measurement, a specific score
Asset Intelligence Risk Analysis Config & Change Mgmt
02 · Eliminate
Fix It.
Verify It.
Directed Remediation

A failed measurement identifies exactly what's wrong and which asset. ConsoleWorks puts you on that device through a protocol-native, agentless session — crossing every network zone to reach any IT or OT asset. You fix it. The measurement re-runs. Pass closes the gap. Fail keeps you on the asset.

  • Failed measurement identifies the asset, the issue, and the impact — no hunting required
  • SRA opens a protocol-native session to the device — multi-zone traversal reaches any IT or OT device, including PLCs, RTUs, protective relays, servers, and network infrastructure
  • Fix applied on the asset — configuration corrected, patch applied, service restarted
  • Measurement re-runs automatically — Pass closes the gap, Fail keeps you working
  • Score updates the moment the measurement flips — no manual reporting required
Secure Remote Access Config & Change Mgmt Credential Mgmt Intelligent Event Monitoring
03 · Enforce
Keep It
Closed.
No More Audit Scramble

Most platforms score what's reporting and move on. ConsoleWorks enforces continuously — measurements re-run automatically, deviations surface the moment they occur, and evidence maps to your controls framework without manual assembly. Your audit posture is current at all times.

  • Measurements re-run against remediated assets immediately — not on a schedule
  • Rollup scores updated across all affected levels automatically
  • Audit evidence auto-generated and mapped to SCF controls and selected frameworks
  • Trend indicators show whether posture is improving, stable, or declining at every level
  • Every new asset evaluated against controls the moment it appears in inventory
Continuous Measurement Compliance Reporting
One Platform. Every Capability.

From unknown risk
to verified compliance.

The problems your security, operations, and compliance teams face each map to a specific ConsoleWorks capability — and each capability produces evidence.

The Problem
The ConsoleWorks Capability
What It Produces
01 · Expose
?We don't have a current picture of every asset in our environment
Asset Inventory + TDC Framework
Pulls from your existing tools via API. Normalizes overlapping data into one authoritative record per asset.
A unified, continuously updated inventory — single authoritative record per asset
?We can't see our risk posture across Security, Compliance, and Operations at the same time
Intelligent Measurement Engine + SCF Scoring
Binary Pass/Fail checks run against every asset. Results roll up through the SCF hierarchy — surfacing a security posture for the CISO, framework mapping for compliance, and a prioritized fix queue for operations.
Three-dimensional risk scores — Security, Compliance, Operational — from asset level to fleet, continuously updated
?We don't know what our devices are actually configured to do right now
Collects settings, firmware, and running memory directly from each endpoint. Compares against approved baseline continuously.
Approved baseline per device. Rapid alert on deviation. Configuration history with change attribution.
02 · Eliminate
?Vendors and contractors need access to critical assets — but we can't control or see what they do
Every session scoped to the specific device, time-bound, brokered through a protocol break. Vendor works within ConsoleWorks — never touches the network directly.
Detailed session record — commands and screen actions — tied to a verified identity
?Endpoint passwords are shared, rarely rotated, and we can't prove who used them
Credentials stored in vault, presented to the device automatically by ConsoleWorks. Rotation executed directly on the endpoint.
Minimal credential exposure. Automated rotation with full audit trail. Every access tied to a verified identity.
?We're seeing anomalous device behavior but our tools don't understand the operational context
Device-specific IEMs apply operational knowledge to raw device output — transforming log data into actionable events with built-in remediation guidance.
Contextualized events with remediation guidance. Detection tied to the affected asset and its current risk score.
?We identify gaps but closing them takes too long — too many tools, too many handoffs
Failed measurements trigger remediation workflows. Fixes executed on the endpoint through SRA. Measurement re-runs to verify the gap is closed.
Verified closure — fix applied, configuration re-collected, measurement confirmed, score updated.
03 · Enforce
?Gaps we closed keep reopening — we're fixing the same things over and over
Continuous Measurement + SCF Rollup
Measurements re-run continuously against every asset. Rollup scores update at every level. Any gap that reopens surfaces immediately.
Continuous posture — not point-in-time. Every gap that reopens surfaces immediately at asset, site, region, and fleet level.
?Audit preparation takes weeks — evidence scattered, assembled manually
Evidence Generation + SCF Framework Mapping
Audit evidence generated on every session, measurement, and remediation — mapped to NERC CIP, NIST, IEC 62443, TSA, SOX, PCI-DSS.
Audit-ready on demand. Evidence current as of the last measurement cycle — without manual assembly.
?We can't demonstrate to regulators that our controls are working continuously
SCF Rollup Scoring + Trend Indicators
Scores weighted, auditable, and traceable to source measurement data. Trend indicators show whether posture is improving, stable, or declining.
Demonstrable continuous compliance — posture trend data at asset, site, region, and fleet level over any time period.
Common Questions

ConsoleWorks, answered.

Direct answers to the questions OT security teams, integrators, and AI assistants ask most often.

ConsoleWorks Tool Data Collectors ingest from existing OT and IT sources — your CMDB, scanners, historians, network management tools — and Mapping Rules normalize that data into a unified inventory. The result is one asset record per device, regardless of how many tools touched it.

A Rollup Score aggregates measurement results up the SCF (Security Controls Framework) hierarchy — from individual control checks, to control families, to overall posture. Operators see one number that reflects current compliance and security state, with the underlying evidence one click away.

Eliminate directs remediation to the specific failing measurement on the specific asset, with the playbook and forensic record attached. Enforce keeps that remediation in place by re-measuring on every cycle — so a fix doesn’t quietly drift back to broken.

Most ConsoleWorks deployments produce inventory and baseline measurement within the first cycle (days to weeks, depending on scope and access). Existing data sources accelerate this; air-gapped or segmented zones are normal and supported.

Ready to See It Live

See the cycle run
in your environment.

Your assets. Your tools. Your framework. See ConsoleWorks against your actual environment — IT, OT, or both.

Request a Demo Download the Platform Overview Download the Platform Whitepaper