Asset Management modes and methods

Kaspersky Industrial CyberSecurity for Networks employs the following methods:

• Asset activity detection This method lets you monitor the activity of assets in industrial network traffic based on the obtained MAC- and/or IP addresses of assets.
• Asset Information Detection This method lets you automatically obtain and update information about assets based on received data about the interactions of assets.
• PLC Project Control This method lets you detect information about PLC projects in traffic, save this information in the application, and compare it to previously obtained information.

You can enable and disable the use of individual asset management methods.

The following modes are available for asset management methods:

• Learning mode. This mode is intended for temporary use. In this mode, all assets whose activity is detected in traffic are considered to be authorized by the application. You can enable learning mode only for the asset activity detection method. The Asset Activity Detection method can be applied together with the Asset Information Detection and PLC Project Control methods.
• Monitoring mode. This mode is intended for continual use. In this mode, when activity of assets is detected, the application considers only those assets that have been assigned the Authorized status as authorized.

In learning mode, the application assigns the Authorized status to all detected assets. The application does not register events when it detects activity of assets or when asset information is automatically updated.

Asset management learning mode must be enabled for a sufficient amount of time to detect the activity of new devices. This amount of time depends on the number of devices in the industrial network and how frequently they operate and are serviced. We recommend that you enable learning mode for at least one hour. In large industrial networks, learning mode can be enabled for a period ranging from one to several days to detect the activity of all new devices.

In monitoring mode (when the asset activity detection method is enabled), the application assigns the Unauthorized status to all devices that have showed activity and are either unknown to the application or are assets that have the Archived status. The application assigns the Archived status to assets that have not shown activity and whose information has not changed in a long time (30 days or more).

When the asset information detection method is enabled, the application automatically updates information about assets. For example, the application can automatically update the name of the operating system installed on an asset as it detects updated data in the traffic of the asset. The application updates data for which automatic updates are enabled in the settings of assets.

To automatically receive information about assets, the application analyzes industrial network traffic according to the rules for identifying information about devices and the protocols of communication between devices. These rules are embedded in the application and are applied independent from the security policy loaded in the Console or applied on the Server.

After installation, the application uses the default rules for identifying information about devices and the protocols of communication between devices. In most cases, these rules generate correct results. However, there can be situations when information is incorrectly identified due to the technical specifics of devices (for example, when identifying the category of some devices). To increase the accuracy of identifying information, Kaspersky experts regularly update the databases containing the sets of rules. You can update rules by installing updates.

In monitoring mode, the application registers the corresponding events based on Asset Management technology. Depending on the applied methods, events may be registered in the following cases:

• Detection of activity of unknown devices or assets with the Archived status.
• Automatic change of asset information.
• Detection of read/write operations with projects and PLC project blocks.

When PLC Project Control is enabled, the application may register a large number of events associated with the detection of read/write operations with projects/blocks. Normally, a large number of events are registered at the initial stage when this method is used. To reduce the total number of registered events, the PLC Project Control method is disabled by default after the application is installed. You can enable this method at any time.

Page top