Configuring industrial protocol traffic filtering in Web Console

You can use the Kaspersky IoT Secure Gateway Network Protector application to configure rules for blocking and filtering industrial protocol traffic. Industrial traffic filtering uses packet analysis rules and includes the following checks:

• filtering of commands in the MQTT and Modbus protocols;
• Scanning for MQTT and Modbus traffic anomalies.

For Kaspersky IoT Secure Gateway Network Protector to work, you need to configure it first. When started without a completed configuration, Kaspersky IoT Secure Gateway 1000 enters emergency mode, as it cannot receive traffic filtering rules to ensure a secure state.

To configure traffic filtering rules for industrial protocols:

1. Use Kaspersky Update Utility to download files with lists of supported network packet analysis rules:
   • The industrial_commands.rules file contains a list of supported command filtering rules for industrial protocols.
   • The industrial_anomalies.rules file contains a list of supported traffic anomaly detection rules for industrial protocols.

   The identifier (sid) 90000001 is used for internal purposes and cannot be assigned to any rule.

   For detailed information on using the utility, refer to the Kaspersky Update Utility documentation.

2. If required, select from these files the rules that you want to apply to industrial protocol traffic filtering.
3. Encode the list of rules for filtering commands and the list of anomaly detection rules as two separate Base64 strings.
4. In the main window of the Web Console, select Devices → Managed devices.
5. Click the name of the device running Kaspersky IoT Secure Gateway 1000. If the device name is not on the list, add it to the Managed devices group.
6. In the device properties window that opens, select the Applications tab.
7. Press Kaspersky IoT Secure Gateway.

   This opens a window containing information about Kaspersky IoT Secure Gateway 1000.

8. Select the Application settings tab.
9. Select Settings of apps → Applications.

   The installed apps table will be displayed.

10. Stop Kaspersky IoT Secure Gateway Network Protector if running.

    While Kaspersky IoT Secure Gateway Network Protector is stopped, transit traffic on the device will be blocked to ensure the security of connected devices.

11. Click the name of Kaspersky IoT Secure Gateway Network Protector.

    The Kaspersky IoT Secure Gateway Network Protector application management panel opens on the right.

12. Provide rules for filtering industrial protocol traffic:
    • In the Rules for filtering commands in industrial protocols field, provide industrial command filtering rules in Base64 encoding.
    • In the Rules for searching anomalies in industrial protocols field, provide anomaly detection rules for industrial traffic in Base64 encoding.

    You can provide rules in one of the fields or in both.

    For Kaspersky IoT Secure Gateway Network Protector to work, define at least one configuration setting, or else Kaspersky IoT Secure Gateway 1000 will enter emergency mode after you start it, as it cannot receive traffic filtering rules to ensure a secure state.

13. Click Save in the lower part of the panel to save the changes.
14. Start Kaspersky IoT Secure Gateway Network Protector.

Industrial protocol traffic will be filtered using the specified rules. If the rule is triggered, traffic that matches the rule is blocked, and the IP address where the traffic originated is added to the IP address denylist. The information that the IP address was blocked is sent to the Kaspersky IoT Secure Gateway 1000 firewall. The traffic blocking event is recorded in the audit log.

Page top