Episode 81 — Map Assets to a CMDB: Attributes, Relationships, and Drift Control:

When you hear the term CMDB for the first time, it can sound like yet another corporate database that exists for paperwork rather than for real operations, and beginners often assume it has nothing to do with safety or cybersecurity. In Operational Technology (O T), that assumption can quietly increase risk, because the ability to prove what exists, how it is connected, and what changed over time is one of the strongest foundations you can build. A Configuration Management Database (C M D B) is a structured way to store asset information and the relationships between assets so that teams can make decisions based on a shared, trusted picture of reality. That shared picture matters in O T because downtime is costly, troubleshooting is time-sensitive, and mistakes can affect physical processes. A well-used C M D B is not a magical system that makes everything perfect, but it can become the central place where identity, ownership, criticality, dependencies, and change history are tied together. The key is using it to control drift, which is the slow slide from an intended design to an undocumented, fragile reality.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

At a high level, you can think of a C M D B as a map with memory, because it tells you what assets exist today and how they relate, and it also supports understanding how that picture has evolved. An asset inventory list tells you that devices exist, but it often fails to explain how those devices depend on each other, and in O T dependencies are where both outages and security incidents grow. A C M D B stores attributes, which are the facts about an asset, and it stores relationships, which are the connections and dependencies between assets. For example, it can capture that an engineering workstation is used to program a set of controllers, that a historian server pulls data from specific systems, and that a remote access gateway provides entry to a defined zone. Beginners should notice that these relationships are not just technical trivia; they represent pathways of influence. If a gateway is compromised, the relationship data tells you what could be reached next. If a controller is replaced, the relationship data tells you what systems might need updates to keep the process stable. A C M D B becomes valuable when it stops being a static list and becomes a living model of the environment.

Attributes in a C M D B are the structured details you capture about each asset so that it can be identified, managed, and understood consistently by different teams. In O T, this usually includes identity, location, function, vendor, and ownership, along with hardware and software details that shape supportability and risk. The reason attributes matter in a C M D B is that they enable filtering and prioritization when the environment is large. If a vulnerability affects a vendor product line, you can locate the assets with that attribute and focus attention where it matters. If an incident involves a specific zone or building, location attributes help responders narrow the scope quickly. If leadership asks which assets are safety-related or high criticality, function attributes help produce a defensible answer instead of a guess. Beginners sometimes worry that capturing attributes is bureaucratic, but the practical value is speed and accuracy under pressure. When the right attributes exist, the organization can answer common questions quickly, and quick answers reduce both downtime and the temptation to take risky actions. A C M D B is most helpful when it collects attributes that change decisions, not when it collects every possible detail that nobody maintains.

Relationships are what elevate a C M D B from an inventory tool to an operational risk tool, because relationships show how influence and dependency flow through the environment. In O T, relationships can include communication relationships, such as which systems exchange data, and management relationships, such as which systems administer or program other systems. They can include physical relationships, such as which devices are installed in which cabinets, and service relationships, such as which applications run on which servers and which servers depend on which network services. Beginners should understand that relationships are where the blast radius is defined. A compromised credential on a workstation is more dangerous if that workstation is related to engineering functions that can change control logic. A misconfiguration on a boundary device is more dangerous if that device is related to multiple critical zones. Relationships also help detect unrealistic assumptions. If a diagram says two zones are isolated but the C M D B relationships show routine data exchange, the isolation might be incomplete or misunderstood. Capturing relationships forces clarity, because you have to define what depends on what, and that clarity is exactly what teams need during incidents. When you can see relationships, you can choose containment steps that are proportional and avoid breaking essential control flows.

A beginner-friendly way to think about relationships is to imagine you are trying to answer the question, if this fails or is compromised, what else is affected. In a purely digital office network, that question often leads to productivity impacts, but in O T it can lead to process impacts and safety impacts. A C M D B allows you to answer that question with more confidence by showing dependencies and pathways. If a historian server goes down, the relationship data can show which dashboards and reporting systems lose data, and whether operator visibility is affected. If a remote access gateway is disabled as a precaution, the relationship data can show which support workflows are interrupted and which zones lose remote entry, helping teams plan safe alternatives. If a controller is flagged as suspicious, the relationship data can show which engineering workstations and operator interface systems interact with it, helping investigators focus on the most relevant endpoints. Beginners often underestimate how much time is lost in incidents just figuring out the scope, and relationships reduce that time. Reducing time reduces pressure, and reducing pressure reduces mistakes.

Mapping assets into a C M D B also helps unify different viewpoints that naturally exist between Information Technology (I T) teams, operations teams, and engineering teams. I T teams often track servers, operating systems, and network infrastructure. Operations teams focus on process continuity and safe procedures. Engineering teams focus on control logic, instrumentation, and vendor-specific systems. Without a shared system of record, each group maintains partial truths, and partial truths collide during incidents. A C M D B can bridge these viewpoints by storing both the technical attributes that I T needs and the functional context that operations and engineering need. For example, it can store that a server is a Windows system and also store that it hosts a specific historian application used for operational decisions. It can store that a device is a switch and also store that it enforces segmentation between two process areas. Beginners should see that the purpose is not to force everyone into one vocabulary, but to create mappings that let different vocabularies refer to the same reality. When that shared reality exists, coordination becomes faster and less emotional, because people can point to evidence rather than argue from memory.

Drift control is where the C M D B becomes especially important for security and resilience, because drift is the quiet enemy of determinism, segmentation, and auditability. Drift happens when assets change, connections change, and configurations change without being reflected in the records that teams rely on. Sometimes drift is benign, like a temporary workaround that never gets removed, and sometimes drift is risky, like an undocumented connection that creates a pivot path between I T and O T zones. Drift is also where many organizations lose their ability to trust their own diagrams and inventories, and once trust is lost, teams stop using documentation and start improvising. A C M D B supports drift control by providing a place where changes are recorded, reviewed, and reconciled with what is observed. Beginners should understand that drift control is not about stopping change; O T environments must change over time for maintenance and improvement. Drift control is about making change visible, intentional, and verifiable. When change is verifiable, the organization can maintain a stable, secure architecture without relying on heroic memory.

One important beginner misconception is assuming that a C M D B is automatically accurate because it is a database, as if the existence of a system guarantees the quality of the data inside it. A C M D B is only as good as the processes that feed it and the discipline that keeps it current. If updates are optional, they will be skipped under pressure, and then the database becomes a false comfort. That is why mapping assets to a C M D B must be tied to operational workflows that already exist, such as change approvals, maintenance tickets, commissioning activities, and decommissioning processes. When a new asset is installed, creating the record and relationships should be part of the installation definition of done. When a system is patched or reconfigured, the relevant attributes should be updated as part of the approved change. When a device is retired, the record should be marked appropriately so the database does not accumulate ghosts. Beginners should see that this is not administrative nitpicking; it is about preventing a dangerous situation where teams believe they know the environment but do not. In O T, believing the wrong thing can be worse than admitting uncertainty.

Another practical challenge is deciding how detailed relationships should be, because overly detailed models can become impossible to maintain, while overly simple models fail to support decisions. In O T, a good approach is to capture relationships that define control influence and high-consequence dependencies, rather than trying to model every minor connection. For example, relationships that identify programming pathways, remote access entry points, boundary devices, and critical service dependencies tend to be high value. Relationships that identify which systems depend on time synchronization or identity services can also be high value because those dependencies can cause widespread operational disruption when they fail. Beginners should understand that relationship modeling is a prioritization exercise guided by criticality. If a system’s compromise could affect safety or shut down production, its relationships deserve more attention. If a system is low impact and isolated, it may not need the same depth. The goal is to maintain a model that stays accurate over time, because accuracy is what builds trust. When the model is trusted, teams use it, and when teams use it, they notice errors and improve it. This positive loop is how drift control becomes sustainable.

A C M D B also supports better vulnerability and patch decision-making in O T, where updates must be carefully planned and validated. When a vulnerability is announced, teams need to know not only which assets are affected, but also what those assets do, where they live, and what dependencies they have. If a vulnerable component exists on a high-criticality jump host that connects to multiple zones, the risk may be urgent even if patching is operationally challenging. If a vulnerable component exists on an isolated system that has no external connectivity, the risk may be lower, and compensating controls might be the first step. The C M D B supports this reasoning because it ties software attributes to hardware and function, and it ties those assets to the relationships that define exposure. Beginners should notice that this is how you avoid blanket decisions like patch everything immediately or patch nothing because it is too risky. Instead, you can make targeted decisions based on evidence. Evidence-based decisions are what protect uptime and security at the same time. Without the mapping, teams either move too slowly and accept unnecessary risk, or move too quickly and create outages.

Incident response is another area where C M D B mapping pays off, because response requires fast scoping and safe containment choices. If you detect unusual behavior on a workstation, you want to know whether that workstation has a relationship to engineering functions, whether it connects to critical controllers, and whether it sits inside a sensitive zone. If you detect anomalous traffic at a boundary device, you want to know what compartments it separates and which systems are downstream. If a vendor remote access account appears compromised, you want to know which gateway it uses, what systems that gateway can reach, and which assets depend on vendor support through that path. A C M D B does not replace investigation, but it accelerates the first steps of understanding, which is often where time and confidence are lost. Beginners should understand that in O T, the most dangerous moments are the early moments when people do not know what they are looking at and feel pressured to act. A well-maintained C M D B reduces that uncertainty by turning “what is this thing” into “we know what it is and what it touches.” That reduction in uncertainty supports safer, calmer response.

Because O T environments involve physical reality, mapping should also include physical relationships where they matter, such as which devices are in which rooms, cabinets, and racks, and which cabling paths support key boundaries. Physical mapping supports investigation and recovery because responders may need to inspect for tampering, verify that cabling was not altered, and confirm that monitoring sensors are still connected as expected. It also supports resilience planning by showing where single points of failure exist in the physical layer, such as a single closet that serves multiple critical areas. Beginners should also recognize that physical relationships can reveal hidden exposure. A high-criticality switch placed in an unsecured cabinet creates a different risk than the same switch placed in a locked M D F. If the C M D B captures that location and the relationship to critical zones, it becomes easier to justify physical security improvements and to plan inspection routines. This is part of trust you can prove: you can show not only that a device exists, but also that its physical context supports the intended security design. When physical context is ignored, security plans can fail in practice, because the most important boundary might be protected logically but exposed physically.

As the C M D B becomes part of daily operations, it also becomes a tool for simplifying complexity, because it highlights where the environment has grown tangled and where dependencies create unnecessary fragility. If the relationship graph shows that a single server supports too many unrelated functions, that may be a resilience risk and a security risk. If it shows that many zones depend on a single remote access pathway, that may be a risk if that pathway fails or is compromised. If it shows that an asset has unclear ownership, that is a risk because maintenance and response will be slow. Beginners should see that mapping is not only descriptive; it can drive improvement. When you can see the environment’s structure, you can make more deliberate choices about compartmentalization, redundancy, and access governance. You can also identify where simplification would reduce attack surface without harming control. This is one of the most practical benefits of a C M D B in O T: it helps teams move from reactive fixes to deliberate architectural evolution. The database becomes a mirror that shows where design discipline is strong and where drift has created risk.

Ultimately, mapping assets to a C M D B is about building a trustworthy, shared model of the environment that supports safe operation, secure decision-making, and controlled change. Attributes give each asset a clear identity and context so that people can understand what it is, where it is, who owns it, and why it matters. Relationships turn those individual records into an operational map of dependencies and pathways, revealing where influence flows and where blast radius could expand. Drift control ensures that the map remains aligned with reality over time so teams do not drift into blind confidence or desperate improvisation. For beginners, the most important takeaway is that a C M D B is not valuable because it exists, but because it is used, maintained, and trusted. When it is trusted, it accelerates vulnerability response, clarifies incident scope, supports recovery verification, and reduces the confusion that turns manageable events into prolonged outages. That is what visibility that enables decisions looks like at the system level, and it is one of the most practical steps toward an O T program that can prove trust rather than merely hope for it.

Episode 81 — Map Assets to a CMDB: Attributes, Relationships, and Drift Control:
Broadcast by