Kaspersky Industrial CyberSecurity for Networks

Security audit using Kaspersky Industrial CyberSecurity for Networks

March 22, 2024

ID 254783

You can use Kaspersky Industrial CyberSecurity for Networks to perform a security audit of monitored devices. A security audit lets you assess device compliance with security standards and perform other checks (for example, search for vulnerabilities or detect installed software on devices).

Security audit in Kaspersky Industrial CyberSecurity for Networks is performed by running the jobs created for the selected devices. You can manually run security audit jobs or configure a schedule to automatically run each job.

When a job is started, the application initiates a scan of devices covered by this job. You can receive the job execution results by email or view and download the relevant data in the application web interface. Based on the job execution results and on the scans, the application can perform the following actions:

  • Generate reports with information about the results.

    The application generates report files in PDF format. If sending reports by email is enabled in the job settings, the application automatically generates reports on each job execution and sends these reports to the specified recipients. If necessary, you can manually generate a report for a completed job or an individual device scan and then export the report to a file.

  • Register detected risks of the Vulnerability category.

    For risks registered based on the results of security audit jobs, the application indicates OVAL as the vulnerability source. The application registers such risks if registration of detected vulnerabilities is enabled in the job settings. Risks with the OVAL vulnerability source are registered and processed independently of risks that have other vulnerability sources. As a result, the risk table may display risks with the same CVE ID (or an ID from a different vulnerability database) but with different vulnerability sources.

The security audit jobs must specify the rules used for conducting the audits. Rules can be written in the OVAL language or in the XCCDF language using OVAL definitions.
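The following pre-upload check is an added example, not code from Kaspersky or from the product: it confirms that every XCCDF rule points at an OVAL definition that actually exists in the accompanying OVAL file. The sample documents, file name and IDs are constructed, and treating a rule without an OVAL check as a problem is an assumption drawn from the statement above that XCCDF rules use OVAL definitions.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"                # XCCDF 1.2 namespace
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"   # OVAL 5 definitions

# Constructed sample documents (not taken from any real rule set).
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}"><definitions>
  <definition id="oval:example.audit:def:1" class="compliance" version="1"/>
</definitions></oval_definitions>"""

SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example.audit_benchmark_demo">
  <Rule id="xccdf_example.audit_rule_resolves">
    <check system="{OVAL_NS}">
      <check-content-ref href="demo-oval.xml" name="oval:example.audit:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_example.audit_rule_dangling">
    <check system="{OVAL_NS}">
      <check-content-ref href="demo-oval.xml" name="oval:example.audit:def:9"/>
    </check>
  </Rule>
  <Rule id="xccdf_example.audit_rule_manual">
    <check system="http://example.invalid/manual-checklist"/>
  </Rule>
</Benchmark>"""


def lint_rule_set(xccdf_xml, oval_xml):
    """Return (rule_id, problem) pairs; an empty list means every rule resolves."""
    # Parse only rule files you authored or trust; use defusedxml for untrusted XML.
    oval_root = ET.fromstring(oval_xml)
    known = {d.get("id") for d in oval_root.iter(f"{{{OVAL_NS}}}definition")}
    problems = []
    for rule in ET.fromstring(xccdf_xml).iter(f"{{{XCCDF_NS}}}Rule"):
        checks = [c for c in rule.iter(f"{{{XCCDF_NS}}}check") if c.get("system") == OVAL_NS]
        if not checks:
            problems.append((rule.get("id"), "no OVAL check"))
        for check in checks:
            for ref in check.iter(f"{{{XCCDF_NS}}}check-content-ref"):
                name = ref.get("name")  # a ref without a name covers the whole OVAL file
                if name is not None and name not in known:
                    problems.append((rule.get("id"), f"unknown definition {name}"))
    return problems


if __name__ == "__main__":
    for rule_id, problem in lint_rule_set(SAMPLE_XCCDF, SAMPLE_OVAL):
        print(f"{rule_id}: {problem}")
```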

You can perform device scans as part of a security audit job using one of the following device polling methods:

  • Local agent.

    You can use this method if Kaspersky Endpoint Agent is installed on the devices selected for the job and integration between Kaspersky Endpoint Agent and Kaspersky Industrial CyberSecurity for Networks is configured. With this method, the scan is performed by Kaspersky Endpoint Agent on each device.

  • Remote connection.

    Use this method if the devices selected for the job do not have Kaspersky Endpoint Agent installed, but it is possible to connect to these devices via protocols that ensure secure management and data transfer. For this method, specify in the job settings one of the nodes that has application components installed; the connection to the devices is established from this node. Also specify the credentials for remote connections (credentials are stored in the application as secrets).

Only users with the Administrator role can run security audit jobs.

You can configure security audit and run jobs on the Server web interface page in the Security audit section. If the Remote connection method is used to scan devices, you can create secrets with the necessary credentials in the Settings → Secrets section.

When using the security audit function, take into account the following special considerations and limitations:

  • This functionality is available after a license key is added.
  • Nodes that are used for device scan and have the application components installed must have network access to devices to send and receive data. To provide network access to devices, the node computer must have a network interface providing a connection of these devices to the network. Network interfaces of monitoring points cannot be used for this purpose if these network interfaces receive mirrored industrial network traffic (for example, from SPAN ports of network switches).
  • For the Remote connection device polling method, the option to strengthen the security of connections with devices by verifying the certificates of these devices is not available. Attackers can attempt to spoof these devices in the network by exploiting the lack of device certificate authentication.

In this section:

Managing sets of security audit rules

Managing security audit jobs

Viewing details on the runs of security audit jobs

Managing account credentials secrets for remote connections
