Kaspersky Industrial CyberSecurity for Networks

Configuring Interaction Control

March 22, 2024

ID 134913

Kaspersky Industrial CyberSecurity for Networks can monitor the network interactions of devices in the industrial network. Interaction Control rules are used to define authorized and unauthorized network interactions. All detected network interactions that do not satisfy the active Interaction Control rules are considered to be unauthorized. The application registers the corresponding events when unauthorized interactions are detected.

An Interaction Control rule can be applied by one of the following technologies:

  • Network Integrity Control – the rule describes network interaction between devices using a specific set of protocols and connection settings.
  • Command Control – the rule describes the monitored system commands during communications between devices over one of the supported protocols for Process Control.

An Interaction Control rule contains the following information about interactions/communications:

  • Sides participating in network interactions.
  • Allowed protocol or system commands.

Network interactions between devices are identified based on the MAC and/or IP addresses of the devices. If additional address spaces were added to the application, you can configure Interaction Control rules for the addresses of the relevant address spaces.

When analyzing network interactions for Network Integrity Control, the application also checks the IP addresses in these interactions to see if they belong to known subnets. IP addresses are verified for all IPv4 interactions. The application checks each interaction against Network Integrity Control rules (and registers the corresponding event if necessary) only if this interaction must be controlled according to the table below.

Subnets of IP addresses whose interactions are controlled (rows: source subnet; columns: destination subnet)

  Source subnet  | Destination subnet
                 | Private, IT | Private, OT | Private, DMZ | Public | Link-local
  ---------------+-------------+-------------+--------------+--------+-----------
  Private, IT    | no          | yes         | no           | no     | yes
  Private, OT    | yes         | yes         | yes          | yes    | yes
  Private, DMZ   | no          | yes         | no           | no     | yes
  Public         | no          | yes         | no           | no     | yes
  Link-local     | yes         | yes         | yes          | yes    | no

Example

When controlling interactions based on Network Integrity Control technology, the application checks all interactions in which the sources or destinations of network packets have IP addresses from Private, OT subnets. The application does not check interactions in which the destinations of network packets have IP addresses from Private, DMZ subnets while the network packet sources have IP addresses from Private, IT subnets.

Command Control technology is applied regardless of the specific subnet of the IP addresses of the sources and destinations of network packets containing system commands.

Interaction Control rules can be enabled or disabled.

By default, a rule is enabled after it is created and is applied to allow the described communications. The application does not register events when it detects interactions that are described in enabled rules.

Disabled rules are intended for describing unwanted network interactions. In learning mode for Interaction Control technologies, disabled rules prevent automatic creation of new enabled rules that describe the same network interactions. In monitoring mode, disabled rules are not taken into account.
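The following example models the subnet table and the rule-processing behaviour described above (enabled rules allow the described interaction, disabled rules are ignored in monitoring mode, Command Control applies regardless of subnet). It is an added illustration, not code from Kaspersky Industrial CyberSecurity for Networks; the subnet-to-role inventory, the treatment of unlisted addresses as Public, and the Rule fields are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory standing in for the application's "known subnets".
# Which ranges are IT, OT or DMZ is an assumption for this example.
KNOWN_SUBNETS = {
    ipaddress.ip_network("10.10.0.0/16"): "Private, IT",
    ipaddress.ip_network("10.20.0.0/16"): "Private, OT",
    ipaddress.ip_network("10.30.0.0/24"): "Private, DMZ",
}

# Transcription of the page's table: rows are the source subnet type,
# tuple positions follow TYPES and give the destination subnet type.
TYPES = ["Private, IT", "Private, OT", "Private, DMZ", "Public", "Link-local"]
CONTROLLED = {
    "Private, IT":  (False, True, False, False, True),
    "Private, OT":  (True,  True, True,  True,  True),
    "Private, DMZ": (False, True, False, False, True),
    "Public":       (False, True, False, False, True),
    "Link-local":   (True,  True, True,  True,  False),
}


def classify(addr: str) -> str:
    """Map an IPv4 address to one of the table's subnet types."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("the subnet check covers IPv4 interactions only")
    if ip.is_link_local:          # 169.254.0.0/16
        return "Link-local"
    for net, role in KNOWN_SUBNETS.items():
        if ip in net:
            return role
    return "Public"               # assumption: not in a known subnet -> Public


def nic_controlled(src: str, dst: str) -> bool:
    """True if Network Integrity Control must check this source/destination pair."""
    return CONTROLLED[classify(src)][TYPES.index(classify(dst))]


@dataclass
class Rule:                       # hypothetical minimal Network Integrity Control rule
    src: str
    dst: str
    protocol: str
    enabled: bool = True          # rules are enabled by default after creation


def nic_event(src: str, dst: str, protocol: str, rules: list) -> bool:
    """Monitoring mode: is an unauthorized-interaction event registered?"""
    if not nic_controlled(src, dst):      # pair outside the table -> never checked
        return False
    # Only enabled rules allow traffic; disabled rules are ignored in monitoring mode.
    return not any(r.enabled and (r.src, r.dst, r.protocol) == (src, dst, protocol)
                   for r in rules)
```

Command Control has no subnet gate: a system-command check would be evaluated for every source/destination pair, so the `nic_controlled` filter applies only to the Network Integrity Control path.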

The application processes Interaction Control rules based on Network Integrity Control and Command Control technologies if the use of these technologies is enabled. You can also configure the learning mode for these technologies.

The following methods are provided for creating a list of Interaction Control rules:

You can configure Interaction Control rules in the Allow rules section of the Kaspersky Industrial CyberSecurity for Networks web interface. This section contains a table with Interaction Control rules based on Network Integrity Control and Command Control technologies. This rules table may also contain allow rules created for events.

Events registered based on Network Integrity Control and Command Control technologies are categorized as system events.

You can view Interaction Control events in the table of registered events. Events registered based on Network Integrity Control technology have High severity. Events registered based on Command Control technology are assigned a severity that depends on the severity level defined for the detected system command.

In this section:

  • Learning mode for Interaction Control technologies
  • Monitoring mode for Interaction Control technologies
  • Automatic generation of Interaction Control rules in learning mode
  • Viewing Interaction Control rules in the table of allow rules
  • Manually creating Interaction Control rules
  • Editing Interaction Control rule settings
  • Enabling and disabling Interaction Control rules
  • Deleting Interaction Control rules
