Application architecture

Kaspersky Industrial CyberSecurity for Networks includes the following components:

The Server is the main component that receives and processes industrial network traffic information, saves it and provides data (for example, events and device information). Only one Server can be used in each Kaspersky Industrial CyberSecurity for Networks deployment scenario.
A sensor receives a copy of industrial network traffic, processes the obtained data and relays it to the Server. Sensors are installed on separate computers (not on a computer that performs Server functions). The application can have up to 32 sensors.

To manage the operation of the application and to view information, users connect to application components through a web interface. The connection to a component through the web interface is provided by a web server, which is additionally installed on the computer hosting the installed component. Certificates are used for a secure connection to the web server.

Kaspersky Security Center and recipient systems can connect to the Server to receive data from Kaspersky Industrial CyberSecurity for Networks or to exchange data with the application. Recipient systems connect through specialized application modules called connectors. Certificates are also used for a secure connection through connectors.

The Kaspersky Industrial CyberSecurity for Networks Server performs the following functions:

Receives traffic information from Kaspersky Industrial CyberSecurity for Networks sensors and/or independently receives and processes incoming industrial network traffic.
Processes and saves received information about devices and their interactions.
Registers and saves events.
Analyzes accumulated data.
Monitors application performance.
Monitors the activities of application users.
Processes incoming requests submitted through the web interface and connectors, and provides the requested data.

A Kaspersky Industrial CyberSecurity for Networks sensor performs the following functions:

Processes incoming industrial network traffic.
- Extracts information about device communications and process parameters from industrial network traffic.
- Identifies signs of attacks in industrial network traffic.
Registers events based on the results of industrial network traffic processing.
Relays events, information about traffic, and information about process parameters to the Kaspersky Industrial CyberSecurity for Networks Server.

Sensors and/or the Server receive a copy of industrial network traffic from monitoring points. You can add monitoring points to network interfaces detected on nodes that have application components installed. Monitoring points must be added to network interfaces that relay traffic from the industrial network.

You can add no more than 8 monitoring points on a sensor and no more than 4 monitoring points on the Server. You can use no more than 32 monitoring points total in the application.

All network interfaces with added monitoring points must be connected to the industrial network in such a way that excludes any possibility of impacting the industrial network. For example, you can connect using ports on industrial network switches configured to transmit mirrored traffic (Switched Port Analyzer, SPAN).

It is recommended to use a dedicated Kaspersky Industrial CyberSecurity network for connecting the Server to sensors and to other components of Kaspersky Industrial CyberSecurity (Kaspersky Industrial CyberSecurity for Nodes, Kaspersky Security Center). Network equipment used for interaction between components in the dedicated network must be installed separately from the industrial network. Normally, the following computers and devices should be connected to the dedicated network:

Kaspersky Industrial CyberSecurity for Networks Server node.
Kaspersky Industrial CyberSecurity for Networks sensor nodes.
Computers for connecting to the Server and sensors through the web interface.
Computer hosting Kaspersky Industrial CyberSecurity for Nodes.
Computer hosting Kaspersky Security Center.
Network switch.

Page top