Kaspersky Industrial CyberSecurity for Networks can monitor the network interactions of devices in the industrial network. Interaction Control rules are used to define authorized and unauthorized network interactions. All detected network interactions that do not satisfy the active Interaction Control rules are considered to be unauthorized. The application registers the corresponding events when unauthorized interactions are detected.
Network interactions between devices are identified based on the MAC- and/or IP addresses of the devices. If only the device IP address is known for one of the sides of interaction, this IP address is checked against the list of subnets known to the application. For sources and destinations of network packets, only the IP addresses that belong to specific types of subnets are taken into account (IP addresses of some types of subnets are not monitored by the application).
Subnets of IP addresses for Interaction Control
An Interaction Control rule can be applied by one of the following technologies:
An Interaction Control rule contains the following information about interactions/communications:
Interaction Control rules can be enabled or disabled.
By default, a rule is enabled after it is created and is applied to allow the described communications. The application does not register events when it detects interactions that are described in enabled rules.
Disabled rules are intended for describing unwanted network interactions. In learning mode for Interaction Control technologies, disabled rules prevent automatic creation of new enabled rules that describe the same network interactions. In monitoring mode, disabled rules are not taken into account.
The application processes Interaction Control rules based on Network Integrity Control and Command Control technologies if the use of these technologies is enabled.
The following methods are provided for creating a list of Interaction Control rules:
You can configure Interaction Control rules in the Allow rules section of the Kaspersky Industrial CyberSecurity for Networks web interface. This section contains a table with Interaction Control rules based on Network Integrity Control and Command Control technologies. This rules table may also contain allow rules created for events.
Events registered based on Network Integrity Control and Command Control technologies are categorized as system events.
You can view Interaction Control events in the table of registered events. Events registered based on Network Integrity Control technology have the Warning severity level. Events registered based on Command Control technology are assigned a severity that depends on the severity level defined for the detected system command.