Kaspersky Industrial CyberSecurity for Networks

Overview of Kaspersky Industrial CyberSecurity for Networks functionality

March 22, 2024

ID 186158

Industrial network traffic analysis functionality

In Kaspersky Industrial CyberSecurity for Networks, industrial network traffic analysis is provided by the following functionality:

  • Asset Management. This functionality lets you monitor the activity of devices and track changes to device information based on data received in network packets. To automatically receive information about devices, the application analyzes industrial network traffic according to the rules for identifying information about devices and the protocols of communication between devices. The application can also define device settings for Process Control. In conjunction with Process Control functionality, read/write operations for programmable logic controllers are also monitored. For the purpose of Asset Management, the application generates a table containing information that is received automatically from traffic or information that is manually provided.
  • Interaction Control. This functionality lets you monitor interactions between devices of the industrial network. Detected interactions are checked to see if they match any Interaction Control allow rules. When the application detects an interaction that is described in an enabled rule, it considers this interaction to be allowed and does not register an event.
  • Deep Packet Inspection (hereinafter also referred to as "Process Control"). This functionality lets you monitor traffic to detect the values of process parameters and the system commands transmitted or received by devices. Values of industrial process parameters are tracked with the aid of Process Control rules that the application uses to detect unacceptable values. Lists of monitored system commands are generated when you configure the settings of Process Control devices.
  • Intrusion Detection. This functionality lets you monitor traffic to detect signs of attacks or unwanted network activity. Detection uses the following tools: intrusion detection rules, built-in network packet scanning algorithms, and rules for analyzing network activity statistics. When the conditions defined in a rule or described in a scan algorithm are detected in the traffic, the application registers an event based on the Intrusion Detection technology.
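The allow-rule logic of Interaction Control, modelled in Python as an added example (this is not code from Kaspersky Industrial CyberSecurity for Networks): rules are learned from traffic in learning mode, then in monitoring mode only interactions not described by an enabled rule register an event. The rule fields, the "*" wildcard and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Interaction:
    """One detected interaction between two industrial network devices (constructed model)."""
    src: str        # source IP address
    dst: str        # destination IP address
    protocol: str   # application-layer protocol detected in traffic
    port: int       # destination TCP/UDP port

@dataclass
class AllowRule:
    """An Interaction Control allow rule (assumed shape); a field set to '*' matches any value."""
    src: str
    dst: str
    protocol: str
    port: Union[int, str]
    enabled: bool = True

    def describes(self, it: Interaction) -> bool:
        pairs = ((self.src, it.src), (self.dst, it.dst),
                 (self.protocol, it.protocol), (self.port, it.port))
        return all(rule == "*" or rule == seen for rule, seen in pairs)

def learn_rules(observed: list) -> list:
    """Learning mode: every distinct interaction seen becomes an enabled allow rule."""
    rules = {}
    for it in observed:
        key = (it.src, it.dst, it.protocol, it.port)
        rules.setdefault(key, AllowRule(*key))
    return list(rules.values())

def monitor(rules: list, traffic: list) -> list:
    """Monitoring mode: an interaction described by an enabled rule is allowed and
    registers nothing; any other interaction registers an event."""
    return [f"Unauthorized interaction: {it.src} -> {it.dst} {it.protocol}/{it.port}"
            for it in traffic
            if not any(r.enabled and r.describes(it) for r in rules)]

# Constructed sample traffic: an HMI and an engineering station talking to one PLC.
LEARNING_TRAFFIC = [
    Interaction("10.0.0.10", "10.0.0.20", "Modbus TCP", 502),   # HMI -> PLC
    Interaction("10.0.0.30", "10.0.0.20", "S7comm", 102),       # engineering station -> PLC
]
# The same interactions plus a host that was never seen during learning.
MONITORED_TRAFFIC = LEARNING_TRAFFIC + [Interaction("10.0.0.99", "10.0.0.20", "Modbus TCP", 502)]

if __name__ == "__main__":
    for event in monitor(learn_rules(LEARNING_TRAFFIC), MONITORED_TRAFFIC):
        print(event)
```

Disabling a learned rule (rather than deleting it) makes the interactions it described register events again, which is the behaviour the enabled/disabled distinction above is meant to show.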

Only an application user with the Administrator role can configure industrial network traffic analysis functionality.

Functionality for performing common operator tasks

Application user accounts with the Operator role can be used to perform common tasks for monitoring the state of the industrial process and devices in Kaspersky Industrial CyberSecurity for Networks. These users can utilize the following functionality:

  • Display information for system monitoring in online mode. This functionality lets you view the most significant changes to the system that have occurred up to the current moment. When the system is being monitored in online mode, you can monitor hardware resource consumption, various dynamic data, and the main information about devices and events.
  • Display data on the network interactions map. This functionality lets you visually display detected interactions between devices of the industrial network. When viewing the network interactions map, you can quickly identify problematic objects or objects with other attributes and view information about these objects. To conveniently present information, you can arrange devices on the network interactions map automatically or manually. In addition to the network interactions map, the application displays a table of network sessions, which provides more capabilities for investigating incidents and analyzing network connection statistics.
  • Display data on the topology map. This functionality lets you visually display a diagram of the physical connections between devices in the industrial network. When viewing the topology map, you can study the structure of connections between devices via network equipment and view information about devices and their connections. To conveniently present information, you can arrange devices on the topology map automatically or manually.
  • Display information about events and incidents. This functionality lets you download registered events and incidents from the Server database and display this information as an events table or as interacting objects on a network interactions map. To provide the capability to monitor new events and incidents, by default the application loads events and incidents that occurred most recently. You can also load events and incidents for any period. When viewing the events table, you can change the statuses of events and incidents, copy and export data, load traffic, and perform other actions.
  • Display tag values in online mode. This functionality lets you view the current values of process parameters detected in traffic at the current point in time. Information about received values is displayed in the tags table generated for Process Control.
  • Display information about detected risks. This functionality lets you detect risks that could affect information system resources. The application detects risks based on traffic analysis and received information about devices. Information about risks can be viewed when managing devices or in the general risks table.
  • Display information for centralized monitoring in the Kaspersky Security Center Web Console. This functionality lets you view data on the security state of information systems that are running application components (including deployment scenarios involving multiple Kaspersky Industrial CyberSecurity for Networks Servers). When working with the Kaspersky Security Center Web Console, you can view information in web widgets and on component deployment maps, search devices and events in Kaspersky Industrial CyberSecurity for Networks, and quickly navigate from the Kaspersky Security Center Web Console directly to the web interface pages of Servers.

Functionality for managing operation of the application

To manage the application for the purpose of general configuration and control of its use, an application user with the Administrator role can use the following functionality:

  • Manage deployment settings on nodes. This functionality lets you add sensor nodes and monitoring points to the application to receive traffic, manage technologies, and change other deployment settings. You can pause and resume monitoring of industrial network segments, enable technology learning mode, enable and disable technologies, and configure the settings for saving application data on nodes.
  • Manage address spaces. This functionality lets you control devices and the interactions between them according to the address spaces that their MAC addresses or IP addresses belong to. You can also use this functionality to check detected IP addresses against the list of subnets of address spaces. You can configure the settings of rules and subnets of address spaces.
  • Perform active polling of devices. This functionality lets you run active polling of devices using connectors to obtain the most accurate and complete information about devices and their configurations directly from the devices themselves. Active polling of devices is only available after adding a license key to Kaspersky Industrial CyberSecurity for Networks. You can specify the information you want to get about devices using active polling, and you can also choose the method for obtaining that information.
  • Perform device security audits. This functionality lets you assess device compliance with security standards and perform other checks (for example, search for vulnerabilities or detect installed software on devices). Device security audits are only available after adding a license key to Kaspersky Industrial CyberSecurity for Networks. You can manually run security audit jobs or configure a schedule to automatically run each job. The application can generate reports with the results of device scans according to security audit rules.
  • Operate with EPP applications. This functionality lets you select the nodes with installed application components that will receive and process data from Kaspersky applications that protect workstations and servers. These applications are included in the Endpoint Protection Platform (EPP) and are installed on endpoint devices within the enterprise IT infrastructure. When data is received from EPP applications, Kaspersky Industrial CyberSecurity for Networks can register events, add devices, and update device information. When working with Kaspersky Endpoint Agent in Kaspersky Industrial CyberSecurity for Networks, the following actions can be performed on devices: scanning devices as part of security audit jobs and triggering response actions.
  • Distribute access to application functions. This functionality lets you restrict user access to application functions. Access is restricted based on the roles of application user accounts.
  • Monitor the state of the application. This functionality lets you monitor the current state of Kaspersky Industrial CyberSecurity for Networks, and view application messages and user activity audit entries for any period. Users with the Operator role can also access the log containing application messages.
  • Update databases and application modules. This functionality lets you download and install updates, thereby improving the effectiveness of traffic analysis and ensuring maximum protection of the industrial network against threats. Update functionality is available after a license key is added to Kaspersky Industrial CyberSecurity for Networks or to Kaspersky Security Center. You can manually start installation of updates, or enable automatic installation of updates according to a defined schedule.
  • Configure the types of registered events. This functionality lets you generate and configure a list of event types for event registration in Kaspersky Industrial CyberSecurity for Networks, and for event transmission to recipient systems (for example, to a SIEM system) and to Kaspersky Security Center.
  • Manage logs. This functionality lets you change the settings for saving data in application logs. You can configure the settings for saving entries in logs and the settings for saving traffic in the database. You can also change the logging levels for process logs. On nodes with installed application components, traffic dump files can be configured to be recorded and stored in both internal storage and external storage. If necessary, you can download traffic from these storages to PCAP files.
  • Manage reports. This functionality allows you to generate reports based on report templates (report templates are used to get information about the status of the information system) and based on the results of device scans during security audits. When configuring the settings for receiving reports, you can specify the report recipients and configure the schedule settings for the automatic generation of reports. You can also manually start generating reports and download the received files. Users with the Operator role have access to the generated reports.
  • Use the application programming interface. This functionality lets you use the set of functions implemented through the Kaspersky Industrial CyberSecurity for Networks API in external applications. Using the Kaspersky Industrial CyberSecurity for Networks API, you can obtain data on events and tags, send events to Kaspersky Industrial CyberSecurity for Networks, and perform other actions.
