Configuring Interaction Control

Kaspersky Industrial CyberSecurity for Networks can monitor the network interactions of devices in the industrial network. Interaction Control rules are used to define authorized and unauthorized network interactions. All detected network interactions that do not satisfy the active Interaction Control rules are considered to be unauthorized. The application registers the corresponding events when unauthorized interactions are detected.

Network interactions between devices are identified based on the MAC- and/or IP addresses of the devices. If only the device IP address is known for one of the sides of interaction, this IP address is checked against the list of subnets known to the application. For sources and destinations of network packets, only the IP addresses that belong to specific types of subnets are taken into account (IP addresses of some types of subnets are not monitored by the application).

Subnets of IP addresses for Interaction Control


Source subnet	Destination subnet
Private, IT	Private, OT	Private, DMZ	Public	Link-local
Private, IT	no	yes	no	no	yes
Private, OT	yes	yes	yes	yes	yes
Private, DMZ	no	yes	no	no	yes
Public	no	yes	no	no	yes
Link-local	yes	yes	yes	yes	no

An Interaction Control rule can be applied by one of the following technologies:

Network Integrity Control – the rule describes network interaction between devices using a specific set of protocols and connection settings.
Command Control – the rule describes the monitored system commands during communications between devices over one of the supported protocols for Process Control.

An Interaction Control rule contains the following information about interactions/communications:

Sides participating in network interactions.
Allowed protocol or system commands.

Interaction Control rules can be enabled or disabled.

By default, a rule is enabled after it is created and is applied to allow the described communications. The application does not register events when it detects interactions that are described in enabled rules.

Disabled rules are intended for describing unwanted network interactions. In learning mode for Interaction Control technologies, disabled rules prevent automatic creation of new enabled rules that describe the same network interactions. In monitoring mode, disabled rules are not taken into account.

The application processes Interaction Control rules based on Network Integrity Control and Command Control technologies if the use of these technologies is enabled.

The following methods are provided for creating a list of Interaction Control rules:

Automatic generation of rules in learning mode.
Manual creation of rules.

You can configure Interaction Control rules in the Allow rules section of the Kaspersky Industrial CyberSecurity for Networks web interface. This section contains a table with Interaction Control rules based on Network Integrity Control and Command Control technologies. This rules table may also contain allow rules created for events.

Events registered based on Network Integrity Control and Command Control technologies are categorized as system events.

You can view Interaction Control events in the table of registered events. Events registered based on Network Integrity Control technology have the Warning severity level. Events registered based on Command Control technology are assigned a severity that depends on the severity level defined for the detected system command.

In this section:

Learning mode for Interaction Control technologies

Monitoring mode for Interaction Control technologies

Selecting the technologies applied for Interaction Control

Automatic generation of Interaction Control rules in learning mode

Viewing Interaction Control rules in the table of allow rules

Selecting Interaction Control rules in the table of allow rules

Manually creating Interaction Control rules

Editing Interaction Control rule settings

Enabling and disabling Interaction Control rules

Deleting Interaction Control rules

Page top