Kaspersky Industrial CyberSecurity for Networks
Centralized installation menu commands
This section provides information on the main commands in the centralized installation menu. The menu is displayed when you run the application components centralized installation script kics4net-deploy-<application version number>.bundle.sh. This file must be run in the folder that was created during preparations for application installation.
You can use the centralized installation menu to create or modify the application installation configuration and run the procedure for installing or removing components.
The installation menu has a hierarchical structure of items. The first level contains the items of the main menu. To select the necessary option, you must enter its number and press ENTER. If the selected item takes you to another group of items, a submenu will appear on the screen.
The menu items that define the values of settings may have default values or previously defined values. These values are displayed in brackets after the item name.
The main menu contains the following groups of commands:
- Server installation management commands
  You can use the following installation menu commands to manage installation of the Server:
  - Add Server – adds a new node that will be assigned Server functions. This item is available if the Server has not yet been added. If you select this option, you need to specify the main settings for the Server when the following prompts appear:
    - Enter the IP address of the node for installation – defines the IP address that will be used for connecting to the computer over the SSH protocol and installing the Server.
    - Add the capability for application interaction with Kaspersky Security Center – adds the functionality that allows use of the Kaspersky Security Center Administration Server to receive a license key and download updates, and to relay events and application state to Kaspersky Security Center. You do not have to add this functionality to relay events to other recipient systems.
      If the capability for application interaction with Kaspersky Security Center has been added, the Network Agent component of Kaspersky Security Center is installed when the application is installed. Kaspersky Security Center Network Agent is not installed if this component is being used by another Kaspersky application (to avoid disrupting the interaction between this application and the Kaspersky Security Center Administration Server). In addition, the functionality for interaction between Kaspersky Industrial CyberSecurity for Networks and Kaspersky Security Center may be limited if the version of the installed Network Agent differs from the version of this component provided in the distribution kit of Kaspersky Industrial CyberSecurity for Networks.
    - Enable time synchronization between Server and sensors – enables automatic time synchronization between the Server and nodes on which sensors are installed (this is not applicable to Kaspersky Industrial CyberSecurity for Networks version 3.0.1).
  - Change Server settings – modifies the settings of the added Server. You can use this menu item to change the main component settings that can be edited and to configure advanced settings. After selecting this item, you will see a submenu in which you can change the following settings:
    - Specify an additional user to run the installation – defines an additional user account that will be used to run the installation on the Server node. An additional user account needs to be specified if the user name with root privileges on this node differs from the user name defined in the Change the user running the installation item. The passwords of all user accounts that will be used to run the installation must match.
    - Enable hardware Watchdog – enables use of the hardware Watchdog. The hardware Watchdog is a hardware-implemented system for controlling system hangs. If a node has a hardware Watchdog, you can enable its use in Kaspersky Industrial CyberSecurity for Networks. If the use of a hardware Watchdog is enabled, specify its path in the Specify path to hardware Watchdog item.
    - Add the capability for application interaction with Kaspersky Security Center – adds the functionality enabling the application to interact with Kaspersky Security Center (if this functionality was not already added). This menu item is analogous to the Add the capability for application interaction with Kaspersky Security Center item in the Add Server menu.
    - Remove the capability for application interaction with Kaspersky Security Center – removes the functionality that lets the application interact with Kaspersky Security Center.
    - Create database again – deletes the existing database and creates a new one during reinstallation of the application.
      If you select this menu item, information in the existing database will be lost after Server installation.
  - Remove Server – removes the Server node.
- Sensor installation management commands
  You can use the following installation menu commands to manage installation of sensors:
  - Add sensor – adds a new node that will be assigned sensor functions. If you select this option, you need to specify the main settings for the sensor when the Enter the IP address of the node for installation prompt appears. In this prompt, you can define the IP address that will be used for connecting to the computer over the SSH protocol and installing the sensor.
  - Change sensor settings – modifies the settings of the added sensor. You can use this menu item to change the main sensor settings that can be edited and to configure advanced settings. Selecting this menu item displays a list of nodes on which sensors have been added. After selecting a node, you will see a submenu in which you can change the following settings:
    - Specify an additional user to run the installation – defines an additional user account that will be used to run the centralized installation on the sensor node. An additional user account needs to be specified if the user name with root privileges on this node differs from the user name defined in the Change the user running the installation item. The passwords of all user accounts that will be used to run the installation must match.
    - Enable hardware Watchdog – enables use of the hardware Watchdog. The hardware Watchdog is a hardware-implemented system for controlling system hangs. If a node has a hardware Watchdog, you can enable its use in Kaspersky Industrial CyberSecurity for Networks. If the use of a hardware Watchdog is enabled, specify its path in the Specify path to hardware Watchdog item.
  - Remove sensor – removes the sensor node. Selecting this item displays a list of nodes on which sensors have been added.
- General installation commands
  General installation menu commands include the following commands:
  - Change the user running the installation – defines the user name with root privileges that runs the centralized installation of application components. The same password for the user accounts that will run the installation must be set on all computers. The password must be entered during installation of components.
  - View application installation settings – displays the list of installation settings and their values.
- Installation menu exit commands
  You can use the following commands to exit the centralized installation menu:
  - Save settings and start installation – installs the Kaspersky Industrial CyberSecurity for Networks application components according to the defined installation settings. The defined settings are saved in the installation settings file. The application centralized installation script saves the installation settings file on each computer on which the script is run.
  - Save settings and exit without installing – saves changes to the installation settings file, terminates the application centralized installation script, and exits without installing components.
  - Exit without saving settings – terminates the application centralized installation script without saving changes to the installation settings file.