Selecting the monitored system commands

You can configure traffic monitoring of system commands that are transmitted and received by process control devices. In Kaspersky Industrial CyberSecurity for Networks, system commands include device management commands (for example, START PLC) as well as system messages related to the operation of devices or containing packet analysis results (for example, REQUEST NOT FOUND).

When a monitored system command is detected, Kaspersky Industrial CyberSecurity for Networks registers an event for Command Control technology. The event is registered using the system event type that is assigned the code 4000002602. You can configure the settings for this type of event.

Only users with the Administrator role can configure monitoring of system commands for devices.

To configure monitoring of system commands for a device:

  1. In the Assets section on the Devices tab or in the Network map section, select the relevant device with defined Process Control settings.

    If Process Control settings are not defined for a device, add the settings.

  2. On the Addresses tab in the details area, click the button icon in the block containing the defined Process Control settings.

    The Edit Process Control settings window appears.

  3. Specify the relevant system commands for the first protocol. To do so, expand the System commands list under the Protocol field and select the check boxes of the system commands that you want to monitor. After selecting system commands, click OK.
  4. If a different protocol is additionally indicated in the Process Control settings, or if it is the same protocol but with different address information, select the system commands that will be monitored during communications over this protocol. To do so, use the System commands drop-down list under the field containing the name of this protocol. Likewise, configure monitoring of system commands for all other specified protocols of the device.
  5. Click Save.

    This button is unavailable if not all required values are specified or if there are invalid values in the settings.

Information in the block containing the defined settings is updated in the lower part of the Addresses tab in the details area.

Page top