Automated mapping of OT devices to the Equipment Model

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Automated mapping of OT devices to the Equipment Model

    This feature automates the mapping of Operational Technology (OT) devices to the Industrial Standards Architecture (ISA) equipment model, providing critical context for OT managers to understand device-to-production process relationships. By linking OT devices to the production processes they automate, customers can prioritize vulnerability management and workflow activities more effectively. The automation leverages IP addresses and OT subnets, which are aligned to specific equipment model entities.

    Show full answer Show less

    Note that only one subnet range per site is supported; multiple sites may share the same subnet range, but multiple subnets within the same range for a single site are not supported, and manual mapping is recommended in such cases.

    Key Features

    • Upload and store OT subnets from authoritative sources (e.g., NetDB, Firewalls) directly into ServiceNow as records.
    • Automate assignment of OT devices to ISA equipment model entities based on their IP addresses and subnet mappings.
    • Minimize complications from reuse of private IP address ranges across multiple sites by associating subnets with specific equipment model entities.
    • Support for manual and automated mapping workflows, including scheduled jobs and on-demand mapping.
    • Visibility into unmapped OT devices and devices not assigned to any site, enabling proactive management.
    • Role-based access and responsibilities for System Admin, ISA Admin, and ISA Editor personas to manage and maintain mappings.
    • Integration with ServiceNow Operational Technology Manager and Industrial Process Manager plugins to enable the feature.
    • Includes system properties, tables, and scheduled flows to support the automated mapping process.

    Practical Application and Workflow

    • Configuration: Use the Industrial Process Manager guided setup to configure the automated mapping of OT devices to ISA equipment model entities.
    • Automated Mapping: System administrators can import OT subnet records, and ISA administrators can trigger scheduled or manual mapping jobs to associate devices with equipment models.
    • Manual Mapping: ISA Editors can perform manual mapping of individual OT devices or subnets when needed.
    • Monitoring: View lists of OT devices that are unmapped or unassigned to sites to identify and resolve gaps in device-to-process mapping.

    Benefits for ServiceNow Customers

    • Improves operational visibility by linking OT devices to production processes, enabling better risk prioritization and workflow management.
    • Reduces manual effort and errors in mapping OT devices by automating subnet and device associations.
    • Supports governance and compliance by maintaining accurate and current mappings between network infrastructure and industrial equipment models.
    • Enables effective management of complex industrial networks with reused private IP ranges across multiple sites through subnet-based mappings.
    • Facilitates integration with existing ServiceNow OT management and discovery tools for seamless data import and mapping updates.

    Automate mapping of OT devices to the production process.​

    When OT managers experience vulnerabilities or need to manage workflow involving OT devices, the context of how the OT device connects to the production process it automates is critical to prioritizing work. ​ ​Automatic mapping of OT devices to ISA equipment model entities enables the view of device-to-process relationships​.
    Note:
    Only one subnet range per site is supported. Two different sites can have the same subnet; for example, 192.168.101.0/24. But multiple subnets of the same range are not supported for the same site. It is recommended that you use manual mapping in this scenario.

    Key benefits

    • Upload and store OT subnets from authoritative sources (such as NetDB or Firewalls) as records in a ServiceNow ​ instance.
    • Automate assignment of OT devices to ISA entity using IP addresses and OT subnet
    • Minimize issues with reuse of private IP address ranges across multiple sites​

    Industrial networks use subnets to divide the private IP address space with a single subnet often aligned to a part of the production process, or the equipment model entity. For example: A canning line runs on a 192.168.101.0/24 network in which all the equipment was programmed by the integrator. The IPs used by the control systems, or OT devices, are often hard coded into the automation software used to run the line. If the subnet maps to the canning line in the Atlanta site, a manager can automatically map a detected PLC with IP 192.168.101.66 to the canning line.

    The mapping feature relates each subnet to an equipment model entity, enabling you to automatically map OT devices to the subnets associated with the equipment model entity based on the IP address that was reported upon import from an OT Certified integration or ServiceNow® Discovery for OT.​

    A system administrator can import OT subnet mapping records. An ISA administrator can automatically create mappings of subnets to equipment model entities through a scheduled job flow. An ISA Editor can manually create mappings of an individual OT device on-demand.

    Automated mapping feature personas

    The automated mapping feature is aimed at the following personas.
    Table 1. Personas for automated mapping
    Persona Description
    System Admin The System Administrator performs these tasks:
    • Imports data into the OT subnet to Equipment Model Entity Mapping table
    • Activates, schedules, or manually triggers the OT Subnet Mapping scheduled flow
    ISA Admin The ISA admin manually triggers the Map all OT devices UI action from the OT Subnet Mapping list view.
    ISA Editor The ISA editor performs these tasks:
    • Manually creates and updates OT subnet mapping entries for specific sites
    • Maps individual OT devices to an equipment model entity from an OT device record
    • Maps multiple OT devices to an equipment model entity from an OT subnet mapping record

    Plugins

    Enabling the mapping feature requires the following plugins:

    If the required plugins are installed, an ISA administrator can access the subnet mapping feature from the Industrial Process Manager application menu.