Automated mapping of OT devices to the Equipment Model

  • Release version: Yokohama
  • Updated January 30, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Automated mapping of OT devices to the Equipment Model

    The automated mapping feature enables ServiceNow customers to automatically associate Operational Technology (OT) devices with the ISA equipment model entities that represent production processes. This mapping provides crucial context for OT managers to understand device-to-process relationships, which is essential for prioritizing vulnerability management and workflow involving OT devices.


    The feature supports importing OT subnet data from authoritative sources and uses IP addresses within these subnets to assign OT devices to corresponding equipment model entities. Note that only one subnet range per site is supported; if multiple subnets exist within the same range at one site, manual mapping is recommended.

    Key Features

    • Subnet Import and Storage: Upload OT subnets from sources like NetDB or firewalls and store them as records within ServiceNow.
    • Automated Device Assignment: Automatically map OT devices to equipment model entities based on IP addresses and subnet mappings.
    • Support for Private IP Reuse: Minimizes issues caused by reuse of private IP address ranges across different sites by associating subnets with specific equipment model entities.
    • Role-based Access: Different personas have defined roles in managing the mapping:
      • System Admin: Imports subnet mapping data and manages scheduled mapping flows.
      • ISA Admin: Triggers automated mapping processes manually or via scheduled jobs.
      • ISA Editor: Performs manual device and subnet mappings on demand.
    • Plugin Requirements: Requires activation of the Operational Technology Manager and Industrial Process Manager plugins.
    • Guided Setup and Workflow: Includes guided setup for configuration, scheduled flows for continuous automated mapping, and user interface actions for manual mapping.
    • Device and Subnet Visibility: Provides views for unmapped OT devices, devices not assigned to sites, mapped OT devices, and subnet mappings associated with equipment model entities.
    • Configurable System Properties: System administrators can configure properties to tailor the mapping behavior.

    Practical Use for ServiceNow Customers

    By implementing this automated mapping feature, customers can:

    • Gain immediate insight into how OT devices relate to specific production equipment and processes.
    • Streamline vulnerability management and operational workflows by understanding device context.
    • Reduce manual effort and errors in assigning OT devices to production assets.
    • Maintain an organized and up-to-date model of OT device distribution across sites and processes.
    • Leverage role-based controls to delegate mapping tasks efficiently across system administrators, ISA admins, and editors.

    Next Steps

    • Ensure the required Operational Technology Manager and Industrial Process Manager plugins are installed and activated.
    • Import OT subnet data from reliable sources into ServiceNow.
    • Use the guided setup to configure and enable automated mapping workflows.
    • Assign appropriate roles to users to manage and maintain OT device mappings.
    • Monitor mapped and unmapped OT devices regularly to maintain accurate device-to-process relationships.

    Automate mapping of OT devices to the production process.

    When OT managers respond to vulnerabilities or manage workflows involving OT devices, knowing how an OT device connects to the production process it automates is critical to prioritizing work. Automatic mapping of OT devices to ISA equipment model entities provides a view of these device-to-process relationships.
    Note:
    Only one subnet range per site is supported. Two different sites can have the same subnet; for example, 192.168.101.0/24. However, multiple subnets of the same range are not supported for the same site. It is recommended that you use manual mapping in this scenario.

    Key benefits

    • Upload and store OT subnets from authoritative sources (such as NetDB or firewalls) as records in a ServiceNow instance.
    • Automate assignment of OT devices to ISA entities using IP addresses and OT subnets.
    • Minimize issues with reuse of private IP address ranges across multiple sites.

    Industrial networks use subnets to divide the private IP address space with a single subnet often aligned to a part of the production process, or the equipment model entity. For example: A canning line runs on a 192.168.101.0/24 network in which all the equipment was programmed by the integrator. The IPs used by the control systems, or OT devices, are often hard coded into the automation software used to run the line. If the subnet maps to the canning line in the Atlanta site, a manager can automatically map a detected PLC with IP 192.168.101.66 to the canning line.

    The mapping feature relates each subnet to an equipment model entity. This enables you to automatically map OT devices to the subnets associated with the equipment model entity, based on the IP address that was reported upon import from an OT Certified integration or ServiceNow® Discovery for OT.
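
    The site-scoped lookup described above, as an added Python illustration (not ServiceNow code and not how the product is implemented). The record layout, the status labels, and the sample sites other than the Atlanta canning line are constructed assumptions, as is the premise that each device record carries a site.

```python
import ipaddress
from collections import defaultdict

# Constructed sample subnet mapping records: (site, subnet, equipment model entity).
SUBNET_MAPPINGS = [
    ("Atlanta", "192.168.101.0/24", "Atlanta canning line"),
    ("Denver", "192.168.101.0/24", "Denver bottling line"),  # same private range, different site
    ("Denver", "10.20.5.0/24", "Denver packaging"),
    ("Denver", "10.20.5.0/24", "Denver palletizer"),         # same range twice in one site
]

def build_index(mappings):
    """Group subnet mappings by site so a lookup never crosses site boundaries."""
    index = defaultdict(list)
    for site, cidr, entity in mappings:
        index[site].append((ipaddress.ip_network(cidr), entity))
    return index

def map_device(index, site, ip):
    """Return (status, entity) for one OT device.

    status is one of: mapped, unmapped, no_site, invalid_ip, manual.
    'manual' marks the unsupported case of several matching subnets in one site.
    """
    if not site:
        return ("no_site", None)
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ("invalid_ip", None)
    entities = {entity for net, entity in index.get(site, []) if addr in net}
    if len(entities) == 1:
        return ("mapped", entities.pop())
    if not entities:
        return ("unmapped", None)
    return ("manual", None)  # ambiguous: leave for manual mapping

INDEX = build_index(SUBNET_MAPPINGS)

if __name__ == "__main__":
    # Constructed sample devices: (name, site, reported IP address).
    devices = [
        ("PLC-1", "Atlanta", "192.168.101.66"),
        ("PLC-2", "Denver", "192.168.101.66"),
        ("HMI-3", "Denver", "10.20.5.9"),
        ("RTU-4", None, "192.168.101.70"),
    ]
    for name, site, ip in devices:
        print(name, site, ip, map_device(INDEX, site, ip))
```

    The same IP address resolves to different entities depending on the site, and a device whose address falls in a range registered twice for one site is left for manual mapping instead of being assigned arbitrarily.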

    A system administrator can import OT subnet mapping records. An ISA administrator can automatically create mappings of subnets to equipment model entities through a scheduled job flow. An ISA Editor can manually create mappings of an individual OT device on-demand.

    Automated mapping feature personas

    The automated mapping feature is aimed at the following personas.
    Table 1. Personas for automated mapping

    Persona        Description
    System Admin   The System Administrator performs these tasks:
                   • Imports data into the OT subnet to Equipment Model Entity Mapping table
                   • Activates, schedules, or manually triggers the OT Subnet Mapping scheduled flow
    ISA Admin      The ISA admin manually triggers the Map all OT devices UI action from the OT Subnet Mapping list view.
    ISA Editor     The ISA editor performs these tasks:
                   • Manually creates and updates OT subnet mapping entries for specific sites
                   • Maps individual OT devices to an equipment model entity from an OT device record
                   • Maps multiple OT devices to an equipment model entity from an OT subnet mapping record

    Plugins

    Enabling the mapping feature requires the following plugins:

    If the required plugins are installed, an ISA administrator can access the subnet mapping feature from the Industrial Process Manager application menu.