Release Notes

Kaspersky Industrial CyberSecurity for Networks 3.0

Application version: 3.0.0.473 released on 2021-04-19

Application version designed for running in the Astra Linux SE 1.6 operating system: 3.0.1.24 released on 06/03/2021

Document revision date: 2024-03-28

Kaspersky Industrial CyberSecurity for Networks is an application designed to protect the infrastructure of industrial enterprises from information security threats, and to ensure uninterrupted process flows. Kaspersky Industrial CyberSecurity for Networks analyzes industrial network traffic to identify deviations in the values of process parameters, detect signs of network attacks, and monitor the operation and current device states on the network. The application is part of the solution known as Kaspersky Industrial CyberSecurity.

BASIC FEATURES

Kaspersky Industrial CyberSecurity for Networks performs the following functions:

• Protects company assets by monitoring its industrial network devices. Detects the activity of devices and device information based on data received in network packets.
• Scans communications between industrial network devices to check their compliance with defined Interaction Control rules. Interaction Control rules can be generated automatically by running the application in learning mode.
• Displays the network interactions between industrial network devices depicted as a network map. Displayed objects are visually distinguished based on various attributes (for example, objects with issues).
• Detects vulnerabilities of devices based on saved device information.
• Extracts the parameter values of the technological process controlled by the Industrial Control System (hereinafter referred to as the "ICS") from network packets and checks the acceptability of those values based on the defined Process Control rules. Process Control rules can be generated automatically by running the application in learning mode.
• Monitors traffic to detect system commands that are transmitted or received by devices involved in process automation. Provides notifications regarding detected unauthorized system commands or situations that could be signs of industrial network security violations.
• Monitors project read and write operations for programmable logic controllers, saves the obtained information about projects, and compares this information to previously obtained information.
• Analyzes industrial network traffic for signs of attacks without affecting the industrial network or drawing the attention of a potential attacker. Uses defined Intrusion Detection rules and embedded algorithms to scan for anomalies in network packets and detect signs of attacks.
• Registers events and relays information about them to recipient systems and to Kaspersky Security Center.
• Analyzes registered events and, upon detecting certain sequences of events, registers incidents based on embedded correlation rules. Incidents group events that have certain common traits or that are associated with the same process.
• Saves traffic associated with registered events in the database. Traffic can be saved automatically (if autosave is enabled for the traffic of events) or by requesting to download traffic.
• Can be used to work with both the GUI and API.

WHAT'S NEW

Kaspersky Industrial CyberSecurity for Networks 3.0 has the following new capabilities and refinements:

• Optimized installation and removal of application components – initial configuration of the application is performed in a special section on the web interface page, there are new scripts for local installation and local removal of application components, and sensors can be added or removed when connected through the web interface without having to reinstall application components.
• Expanded functionality of the Server web interface – when connected to the Server through the web interface, the user can configure all application functions. New widgets with display configuration capabilities were added for system monitoring in online mode.
• Monitoring vulnerabilities of devices – the application can now detect vulnerabilities of devices based on the available device information.
• Expanded functionality for industrial process control – the application has new functions for automatically detecting Process Control settings and learning rules, and has an expanded list of tag values that can be monitored.
• Device Control functionality is now part of Asset Management functionality – and the limit on the maximum number of devices was increased, the list of supported device categories was augmented, and the capabilities for automatic detection of device information were expanded. Asset Management functionality now includes subnet processing, automatic grouping of devices by criteria, and new import and export functions using various formats.
• Expanded and improved network map functionality – the maximum number of nodes that can be displayed has been increased, there are newly added capabilities for displaying nodes and links on the network map based on information in selected events or incidents (you can navigate directly from the Events section to the Network Map section and objects will be filtered accordingly), and devices displayed on the network map can be automatically grouped based on specific criteria (subnet, device category and vendor) for all nodes or for nodes of a selected group.
• Common list of allow rules – allow rules for events were added to Interaction Control rules (formerly known as "Network Control rules"). There are new rule templates that define the initial values of parameters. Interaction Control takes into account the subnets known to the application.
• Improved implementation of the application programming interface (API) – the REST (Representational State Transfer) architectural style of interaction is used when handling requests through the Kaspersky Industrial CyberSecurity for Networks API. Interaction with the application is secured by encrypting connections over the HTTPS protocol.
• Implemented connector functionality – recipient systems can connect to Kaspersky Industrial CyberSecurity for Networks through connectors that ensure secure and controlled data exchange with the application using the Kaspersky Industrial CyberSecurity for Networks API. When forwarding events to recipient systems, connectors take the place of the recipients that were used in previous versions. The application can also use connectors to forward application messages and audit logs to recipient systems.
• Expanded set of data in a security policy – an application security policy contains data arranged into sections that can be selected when exporting or importing a policy.
• Extended support for application layer protocols and devices for process control – there are now additional capabilities for analyzing traffic of supported protocols and devices, and new supported protocols and devices have been added. The set of supported protocols and devices may be further expanded when updates are installed.
• Newly implemented detection of security issues in encryption protocols – the application registers events when it detects obsolete versions of encryption protocols, weak algorithms, or issues with certificates in use.

Kaspersky Industrial CyberSecurity for Networks version 3.0.1 has the following new capabilities and improvements:

• Implemented support for operations in the Astra Linux SE 1.6 operating system.
• Expanded functionality for processing Intrusion Detection rules – added support for internal IDs of rules, and the capability to apply individual rules from sets that contain errors in some of the rules.
• Added utility for exporting events to XML files – these files store data that can be used in GosSOPKA, which is the Russian government system for the detection, prevention, and mitigation of computer attacks.
• Added script for verifying the integrity of files installed from application distribution kit packages.
• Added script for changing the validity period for connection sessions with the Server through the web interface and for authentication tokens in the Kaspersky Industrial CyberSecurity for Networks API.

UPDATING APPLICATION MODULES AND DATABASES

After installing the latest updates to improve operation of the application and remove limitations, the following changes are implemented:

• Expanded list of supported types of external projects for importing configurations of devices and tags into the application.
• [4918300] Fixed: after importing configurations of devices supporting the GOOSE protocol of the IEC 61850 standard, receipt of traffic involving these devices may cause the application to register the following events: "Mismatch detected (DataSet NOT FOUND)" and "Mismatch detected (TRAFFIC DOES NOT MATCH DEVICE MODEL)".
  • After the latest updates are installed, the application searches for configurations of devices that support the GOOSE protocol of the IEC 61850 standard, including based on domain identifiers.
• Fixed: the application may incorrectly process some fields in messages of the Sampled Values protocol of the IEC 61850 standard.
• [4883804] Fixed: unknown tag detection for the OPC UA Binary protocol fails to determine the values of detected tags.
• Fixed: the application does not monitor tags transmitted over the Yokogawa Vnet/IP protocol to UDP port 9940.
• Schneider Electric Modicon series M580 and M340 devices now have IEC 60870-5-104 protocol support.
• Added functionality for identifying the RADIUS over UDP and MQTT over TCP protocols.
• [5098190] Fixed: unknown tag detection over the DMS protocol for ABB AC 700F devices could disrupt the filter process in some cases.
• [5066226] Fixed: when analyzing traffic over the GOOSE protocol of the IEC 61850 standard, the application registers "Mismatch detected (GOOSE INCORRECT SEQUENCE)" events, including in cases when the values of counters in GOOSE messages are changed in accordance with the standard.
  • After installation of the latest updates: the application takes into account the changed values of modification counters and retransmission counters in GOOSE messages according to the rules of the IEC 61850 standard.
• [4909862] Fixed: when configuring Process Control settings for the PROFINET IO protocol, the value entered into the "Frame type" field is not verified for compliance with values from the device profile file.
• [5112186] Fixed: when importing tags of the Siemens S7comm protocol from a universal-format project, the application fails to load the values of the Length parameter, which defines the string length for string-type tags.
• Added support for the BSAP, General Electric EGD, and PNU20 protocols and for devices that use these protocols.
• [5210146] Added support for the CODESYS V3 Gateway over TCP and CODESYS V3 Gateway over UDP protocols for BECKHOFF CX series devices.
• Implemented function for monitoring read/write of PLC projects for the Allen-Bradley EtherNet/IP protocol.
• Expanded list of supported system commands for the OMRON FINS protocol.
• [5199476] For devices that use the GOOSE and MMS protocols of the IEC 61850 standard, you can now select these protocols in process control settings.
• [5199488] Added unknown tag detection functionality for the MMS protocol of the IEC 61850 standard.
• [5171192] Fixed: when analyzing traffic over the Siemens S7comm-plus protocol, the application may register "Error (PARSING ERROR: WRONG PACKET FORMAT)" events if system commands are transmitted in network packets containing fragmented data from protocols of various layers.
• [5161095] Fixed: values are not displayed for some fields of structure tags transmitted over the TASE.2 protocol.
• [5198729] Fixed: after the application is restarted, the application temporarily fails to monitor the values of tags received over the MMS protocol of the IEC 61850 standard using dynamic reports.
• [5202889] Fixed: for imported configurations of devices and tags, in some cases the application may delete defined process control settings for a device if the address information of this device is manually changed.
• [5281319] Fixed: for tags of the Siemens S7comm protocol, the application may incorrectly display the values of physical addresses of tags in DB and DBB memory areas.
• [5338551] Fixed: when importing configurations of devices and tags from a universal-format project, the ProductServer system process malfunctions if an unsupported data type is indicated for some tag in the project.
• [5355473] Fixed: when automatically detecting process control settings, the Siemens S7comm protocol processing module may incorrectly identify the functional roles of the SCADA system server and PLCs. This will result in the erroneous creation of multiple configurations containing the address information of the device acting as the SCADA system server without creating correct configurations containing the address information of devices serving as PLCs.
• [5371269] Fixed: when analyzing traffic containing fragmented packets with subscriptions over the Honeywell Experion CDA protocol, the application fails to process some of the values of transmitted tags.
• Expanded list of supported system commands for the Emerson DeltaV protocol.
• Added basic support for the KNXnet/IP and DTS protocols and for devices that use these protocols.
• Added statistics-based unknown tag detection functionality for the Modbus TCP and Siemens S7comm protocols.
• [5481876] The Modbus TCP processing module now supports the data transfer format used by FloBoss S600+ hardware.
• [5504778] The Schneider Electric UMAS protocol processing module now supports tags with dynamic addressing in PLC memory.
• [5422966] Fixed: the application fails to track some system commands for managing Schneider Electric Modicon M580 devices when these commands are transmitted over the UMAS protocol.
• [5458978] Fixed: in some cases, the application fails to detect when a tag is written to a device over the Allen-Bradley EtherNet/IP protocol (for example, when using the ICS operator interface).
• [5388203] Fixed: when analyzing traffic over the Allen-Bradley EtherNet/IP protocol, the filter process may be periodically disrupted and the node's monitoring points may remain in the "Enabling" state for a prolonged period of time.
• [4897486] Fixed: when analyzing traffic over the IEC 60870-5-104 standard protocol, the system does not account for the capability to transmit the same tags using different types of ASDU frames (differing only in the availability or lack of a time tag and its format). For example, if a tag with the "<13> M_ME_NC" data type has been added to the application and the application then detects this tag with the "<14> M_ME_TC" or "<36> M_ME_TF" data type (types of ASDU frames with a time tag), the application registers a mismatch detection event.
  • After installing the latest updates: when the application detects unknown tags over the IEC 60870-5-104 standard protocol, by default the detected tags are assigned the data type corresponding to ASDU frame types that have a CP56Time2a time tag. These data types are generic and enable correct processing of tags if they are transmitted in ASDU frames that either have a time tag in a different format or do not have a time tag. If a generic data type is not assigned to a tag, you can manually specify this data type (in the provided example, you can indicate the "<36> M_ME_TF [13/14/36]" data type for a tag).
• [4900084] For tags of the IEC 60870-5-104 standard protocol, data types can now be displayed as the identifiers of ASDU frame types and names of operations or as data types for specific values (for example, <01> M_SP_NA and bool). The designations for data types based on the protocol standard and based on values are displayed in different columns of the tags table.
• The functionality for importing external projects from CSV files was improved to account for the specific features of exporting data from CIMPLICITY projects.
• [5641122] Fixed: if several hundreds of thousands of tags have been added to the application and traffic containing the values of an even larger number of tags is being received at a rate of around 100 Mbit/s, the filter process may be disrupted if Unknown Tag Detection technology is enabled.
• For the DTS protocol, the application now supports system commands that make it possible to determine the type of messages being transmitted.
• [5524211] Device configurations and tags can be supported from Siemens TIA Portal V17 projects. To import a TIA Portal V17 project, it needs to be converted into a universal format comprised of comma-delimited text files (CSV files). To convert a TIA Portal V17 project into the universal format, you can contact Kaspersky experts.
• Added functionality to determine the version of the SSL (versions 2 and 3) and TLS (versions 1.0, 1.1, 1.2 and 1.3) protocols.
• Added support for getting information about PLC projects for Emerson DeltaV devices.
• Improved algorithm for processing values ​in timestamps according to the MMS protocol of the IEC 61850 standard.
• When importing a project type obtained by means of the ABB Freelance 2016 Engineering software, the application considers situations when the same addresses are specified for several tags.
• Fixed: when loading process control rules that were automatically added in learning mode, a rule processing error occurs for the rules that were created for tags using the Siemens S7comm and Modbus TCP protocols, if the string values of the tags contained unsupported characters.
• [5844754] Fixed: when manually adding a tag for the GOOSE or MMS protocol of the IEC 61850 standard, the application does not check the address of the specified tag.
• [5880966] Fixed: when importing device and tag configurations, the application does not check the uniqueness of the names for the added devices. The application may work incorrectly if the names of imported devices are the same as the names of previously added devices.
• Application performance is improved in terms of traffic processing and analysis.
• [5948444] Fixed: the filter process may fail due to an out-of-memory error when analyzing traffic transmitted over the MMS protocol of IEC 61850 standard.
• [5951219] Fixed: the filter process may fail if the intensity of traffic arriving to the monitoring point is too high.
• Support for the INA2000 protocol and the B&R devices that use this protocol is added.
• [5546625] The function for determining network equipment manufacturers for the devices by MAC addresses has been improved for better manufacturer recognition.
• [5931154] Fixed: when adding tags using the methods of Kaspersky Industrial CyberSecurity for Networks API, the value specified as the length of the string data type is not checked.
• Added support for the PK4 protocol and the devices that use this protocol.
• Added the limit on the maximum number of imported tags from an external project.
• Added unknown tag detection functionality for the PNU20 protocol.
• Added descriptions of errors that lead to non-execution of system commands over the Honeywell Experion EpicMo protocol. Received error codes and their descriptions are saved in events about non-executed system commands.
• [6343424] Fixed: when analyzing traffic over the Siemens S7comm protocol, the application may register "Error (PARSING ERROR: WRONG PACKET SIZE)" and "Error (PARSING ERROR: BUFFER NOT VALID)" events if network packets contain variables of unsupported syntax.
• [6343032] Fixed: in some cases, the application may save data about seizures of exclusions in the log of the filter process, mistakenly identifying this data as error messages, rather than diagnostic messages.
• Added basic support for the communication protocol between the Siemens SICAM PAS and SICAM SCC (based on SIMATIC WinCC) systems and for the devices using this protocol.
• Loading of the rules for detection of information about devices and device communication protocols is improved. During the loading, corrupted rules and rules in unsupported formats (for example, created for new versions of the application modules) are ignored by the application and do not hinder device information detection.
• The application of the rules for detection of information about devices and device communication protocols is optimized. This optimization improves the application performance when detecting protocols.
• The support for receiving information about PLC projects for Siemens devices of the SIPROTEC 4 series and SIMATIC S7-1200, S7-1500 series is added.
• The support of the automated radiation monitoring systems (ARMS) protocol and devices using this protocol is added.
• [6645875] Fixed: During network interaction, the application may incorrectly detect the protocol being used as the Emerson ControlWave Designer protocol.
• [6612007] Fixed: When using the IEDScout software tool to read device configurations, the application does not detect unknown tags transmitted in the IEDScout session via the MMS IEC 61850 protocol.
  • After installing the latest updates: To detect and save information about unknown tags after the IEDScout session ends, restart the Server computer and then restart reading device configurations in IEDScout.
• [7093998] Added support for detection of the following device communication protocols: SuiteLink, SCIYON default, CIMPLICITY-Historian, CIMPLICITY-HMI/SCADA, HL7 v2/v3, DICOM, RTSP, ONVIF.
• When importing device configurations and tags from YARD config files, the application makes allowance for possible dots and zero-size tags in device location data.
• [7119255] Fixed: PK4 protocol tag scaling not supported.
• [7120738] Fixed: the application incorrectly defines the device category as "Engineering Workstation" for certain Siemens SIMATIC PLC models.
• [7339727] Fixed: when automatically detecting process control settings for devices that communicate with other devices via LDAP, the application may incorrectly detect the type of process control device and the protocol used. In particular, when analyzing the network communications of a Windows domain controller, the application may add process control parameters for this device that set the device type to "Modbus TCP device" or "UMAS device".
• [7396410] Fixed: during network interaction, the application may incorrectly detect the protocol being used as the ARMS control protocol..

DISTRIBUTION KIT

The distribution kit of Kaspersky Industrial CyberSecurity for Networks 3.0 includes the following files:

• Application components centralized installation script: kics4net-deploy-<application version number>.bundle.sh
• Script for local installation of application components: kics4net-install.sh.
• Script for local removal of application components: kics4net-remove.sh
• Packages for installing application components in the CentOS operating system:
  • Package for installing the Server and sensors: kics4net-<application version number>.x86_64.rpm.
  • Package for installing system connectors: kics4net-connectors-<application version number>.x86_64.rpm.
  • Package for installing the full-text search system: kics4net-fts-<application version number>.x86_64.rpm.
  • Package for installing the DBMS: kics4net-postgresql-<DBMS version number>.x86_64.rpm.
  • Package for installing the Intrusion Detection system: kics4net-suricata-<system version number>.x86_64.rpm.
  • Package for installing a web server for an application sensor: kics4net-websensor-<application version number>.x86_64.rpm
  • Package for installing a web server for the Application Server: kics4net-webserver-<application version number>.x86_64.rpm.
  • Package for installing Network Agent from the Kaspersky Security Center distribution kit: klnagent64-<Network Agent version number>.x86_64.rpm
• Packages for installing the Kaspersky Industrial CyberSecurity for Networks Administration Plug-in for Kaspersky Security Center: kics4net-sc-plugin_<plug-in version number>_<localization code>.msi
• Package containing documentation describing requests for the Kaspersky Industrial CyberSecurity for Networks API: publicapi_doc.tar.gz
• Package containing descriptions of the specifications for the Kaspersky Industrial CyberSecurity for Networks API: publicapi_swagger.tar.gz
• Files containing the text of the End User License Agreement in English and in Russian
• Files containing the text of the Privacy Policy in English and in Russian
• Files containing information about the version (Release Notes) in English and in Russian

The distribution kit for Kaspersky Industrial CyberSecurity for Networks 3.0.1 is specified in the application data sheet.

HARDWARE AND SOFTWARE REQUIREMENTS

Hardware requirements

Kaspersky Industrial CyberSecurity for Networks has the following minimum hardware requirements for computers where application components will be installed:

• Computer that will perform Server functions:
  • CPU: Intel Core i7.
  • RAM: 32 GB.
  • Free space on the hard drive: 750 GB and an additional 250 GB for each monitoring point on this computer.
• Computer that will perform sensor functions:
  • CPU: Intel Core™ i5 / i7.
  • RAM: 4 GB, and an additional 2 GB for each monitoring point on this computer.
  • Free space on the hard drive: 50 GB and 250 GB for each monitoring point on this computer.

When using sensors, the bandwidth of the dedicated Kaspersky Industrial CyberSecurity network between the Server and each sensor must be at least 50% of the cumulative incoming traffic at the sensor (for all monitoring points of the sensor).

Software requirements for Kaspersky Industrial CyberSecurity for Networks 3.0

Kaspersky Industrial CyberSecurity for Networks 3.0 has the following software requirements for computers on which application components will be installed:

• CentOS operating system version 8.3.2011 or later.
• The same version of operating system must be installed on all computers where application components are installed.
• To install application components in the CentOS operating system, the following conditions must be fulfilled:
  • Chrony time synchronization package version 3.1 or later is installed.
  • The SELinux access control enforcement system is disabled.
  • The dnf-utils package is installed.
  • Python interpreter version 2.7 is installed.
  • A symbolic link to the installed version of the python2 package is configured.
  • The python2-pyyaml package is installed.
• To ensure proper functioning of application components on the computer that will perform Server functions, the following conditions must also be fulfilled in the CentOS operating system:
  • Python interpreter version 3.6 or later is installed, as well as the following packages supporting the operation of connectors and data conversion scripts: python3-tqdm, python3-certifi, python3-dateutil, python3-pyyaml, python3-pytz, python3-urllib3, python3-psycopg2, python3-cffi (if connectors will also operate on other computers, the listed packages must also be installed on those computers).
  • A Postfix mail server (Mail Transfer Agent – MTA) for sending emails through the email connector is installed.
  • Perl interpreter version 5.10 or later is installed (if Kaspersky Security Center Network Agent is being installed).

To install the Kaspersky Industrial CyberSecurity for Networks Administration Plug-in for Kaspersky Security Center, the Windows update KB2999226 must be installed on the computer hosting the Kaspersky Security Center Administration Server. Installation of this update is required if the problems fixed by this update are relevant for the installed version of the operating system and configuration of the installed software on the computer hosting the Administration Server (please refer to the description of the specific update).

You can use the following browsers to connect through the web interface:

• Google Chrome™ version 89 or later.
• Mozilla™ Firefox™ version 86 or later.
• Microsoft® Edge version 89 or later.

Kaspersky Industrial CyberSecurity for Networks 3.0 is compatible with Kaspersky Security Center version 11 and 12.

Software requirements for Kaspersky Industrial CyberSecurity for Networks 3.0.1

Kaspersky Industrial CyberSecurity for Networks 3.0.1 has the following software requirements for computers on which application components will be installed:

• Astra Linux SE 1.6 operating system with the 20200722SE16 update installed.
• The same version of operating system must be installed on all computers where application components are installed.
• To install application components in the Astra Linux SE 1.6 operating system, the following conditions must be fulfilled:
  • The standard operating system components "Internet tools" and "Network services" are installed (in addition to the standard components that are installed by default in the operating system).
  • The operating system has an active firewall implemented by the UFW network security configuration application (for automatic configuration of network filtering).
  • Repositories containing up-to-date stable versions of installation packages are connected in the operating system (for example, connected repositories on discs containing an update of the installation disc for the operating system and an update of the disc containing development tools).
  • Python interpreter version 2.7 is installed.
  • The libcap2-bin package is installed.
  • A symbolic link to the installed version of the python2 package is configured.
  • The python2-pyyaml package is installed.
  • The python-apt package is installed.
  • The SSH server package is installed (for centralized installation of application components).
  • The en_US.utf8 locale is enabled (on the computer from which the centralized installation of application components will be performed).
• To ensure proper functioning of application components on all computers that will perform Server and sensor functions, the following conditions must be fulfilled in the Astra Linux SE 1.6 operating system:
  • Information streams are allowed without limitations from the capability-based access restriction mechanism (a null capability marker is set for all access objects).
  • The closed software environment mechanism is disabled in the operating system.
• To ensure proper functioning of application components on the computer that will perform Server functions, the following conditions must also be fulfilled in the Astra Linux SE 1.6 operating system:
  • Python interpreter version 3.5 is installed, as well as the following packages supporting the operation of connectors and data conversion scripts: python3-urllib3 python3-yaml python3-tz python3-dateutil python3-psycopg2 python3-cffi (if connectors will also operate on other computers, the listed packages must also be installed on those computers).
  • A mail server (Mail Transfer Agent – MTA) for sending emails through the email connector is installed and configured.
  • Perl interpreter version 5.10 or later is installed (if Kaspersky Security Center Network Agent is being installed).

To install the Kaspersky Industrial CyberSecurity for Networks Administration Plug-in for Kaspersky Security Center, the Windows update KB2999226 must be installed on the computer hosting the Kaspersky Security Center Administration Server. Installation of this update is required if the problems fixed by this update are relevant for the installed version of the operating system and configuration of the installed software on the computer hosting the Administration Server (please refer to the description of the specific update).

You can use the following browsers to connect through the web interface:

• Google Chrome version 89.
• Mozilla Firefox version 86.
• Microsoft® Edge version 89.
• Chromium for Astra Linux version 83.

Kaspersky Industrial CyberSecurity for Networks 3.0.1 is compatible with Kaspersky Security Center version 11 and 12.

FIXED ISSUES

Installation

• [1807458] Fixed: cannot change the names and addresses of the Server and sensors without reinstalling application components on nodes.

User interface

• [3217584] Fixed: if the details area was forcibly closed in the events table (using the button in the upper-right corner), this area will not appear when you select or clear check boxes next to events or incidents.
• [3294936] Fixed: the protocol stack tree cannot be automatically expanded during a search in the protocol filtering window (for example, to filter by the Protocol column in the events table). Search results may be hidden in collapsed tree elements.
• [3728329] Fixed: the Application Console window used for entering user account credentials may be collapsed into the button on the taskbar. In this case, the main window of the Console remains unavailable.
• [3754605] Fixed: in the Application Console, when editing fields containing numeric values in the "Manage logs" window, the cursor moves to the rightmost position in the entry field after each action taken when editing a value.

Events and incidents

• [2444775] Fixed: the Application Console provides the capability to configure the alert regenerate timeout for certain system event types that are not suppressed (for example, test events based on technologies). The defined alert regenerate timeouts for such events are not applied.
• [3370474] Fixed: when you enable filtering of the events table based on a specific period (for example, by disabling automatic update of the table), the start and end boundaries of the period are taken from the time of the computer from which the connection is established through a web browser. If this time is not synchronized and lags behind the time of the Server (without accounting for the difference in time zones), events that are registered within the time difference between the computer and Server are not loaded in the table.
• [3388315] Fixed: the same monitoring point is always indicated for incidents regardless of which monitoring points are specified for embedded events.
• [1946917] Fixed: for Network Control events, there is no capability to enable or disable registration of individual event types.

Asset management

• [3092206] Fixed: in the Microsoft Edge web browser, objects may be moved unevenly when dragging the network map image.

Deep Packet Inspection

• [3079632] Fixed: when registering events associated with the detection of communications between devices over the Yokogawa Vnet/IP protocol, in some cases the address information of the destination of network packets in an event is registered as the multicast IP address instead of the IP address of the process control device in the security policy. This is caused by the specific features of relaying process management commands over this protocol.
• [1809642] Fixed: for all PLCs, you can select any tag data type regardless of whether or not the selected data type is supported by the PLC.
• [3780909] Fixed: after an unknown tag is saved in the detected tag storage, the application does not update information about the parameters of this tag (for example, when the tag data type is changed).
• [3924316] Fixed: there is limited support for Honeywell C300 devices for Experion PKS / PlantCruise control systems: process parameter values are not monitored.
• [1956116] Fixed: the application does not support certain data types of tags.

External

• [1268342] Fixed: when forwarding events to a SIEM system, only the TCP protocol is supported.

Application maintenance

• [2588631] Fixed: if the hard drive runs out of free disk space, the application Console may show the message "Error removing traffic dump metadata file".
• [3365890] Fixed: the time displayed in the "Effective uptime" field on the "Tags" section page of the application web interface includes not only the time of normal operation of the application (without problems) but also includes the time when the application was running with the "Error occurred" status.
• [3779902] Fixed: if the installation of updates on a sensor computer failed due to the unavailability of one of the application processes (for example, the filter process), the next startup of the postponed update will occur only after successfully restarting the kics4net service.

LIMITATIONS AND KNOWN ISSUES

Installation

• The kics4net-deploy-<application version number>.bundle.sh script for centralized installation of application components cannot work without the application installation packages.
  • Solution: it is recommended to save the distribution package of the installed version of the application in the same folder as the kics4net-deploy-<application version number>.bundle.sh script for the purpose of making changes to the installation settings.
• Only self-signed SSL connection certificates are used for connections between nodes of Kaspersky Industrial CyberSecurity for Networks and for connecting through the API.
• [3369804] For a new centralized installation of application components without any changes to the settings (nodes for installing components are not added and other settings are not configured), the kics4net-deploy-<application version number>.bundle.sh script does not show any warnings about undefined settings. In this case, application components are not installed, but the script displays a message about successful installation after it finishes.
  • Solution: centrally install the application components with configured settings, add nodes for the Server and sensors, and configure other installation settings if necessary.
• [3385870] After complete centralized removal of application components, the list of removal settings does not contain anything about the removal of Network Agent if advanced settings were not configured in the Removal Settings menu.
  • Solution: when configuring the settings for full removal of the application, select the Removal Settings menu item and specify the necessary action at the Remove Network Agent prompt (this prompt is displayed if an installed Network Agent is detected).
• [4808342] After centralized installation of a sensor, you can connect to the sensor through the web interface only by using the IP address that was specified for this node when the installation settings were configured.
  • Solution: if you want to connect to a sensor through the web interface at any IP address accessible on the sensor node, you can install the sensor by using the kics4net-install.sh script for local installation of application components.

User interface

• Descriptions of device vulnerabilities are provided in English regardless of the specific localization language of the application.
• Descriptions of MITRE ATT&CK techniques in events and incidents are provided in English regardless of the specific localization language of the application.
• [2494064] You must use a colon (:) to separate the bytes of a MAC address. Use of a dash (-) is not supported.
• [4799248] In some cases, when device groups are deleted and the remaining groups are automatically merged, devices from these groups may be moved to the top level of the hierarchy within the device group tree.
• [4519524] When the tags table is filtered based on the "Devices" column, filtering is applied only based on the names of devices (the indicated addresses of devices are not taken into account when filtering).
• [3200916] If the header of a column in the events table does not show the full name (due to insufficient column width), a tooltip may not be displayed for this name when you move the mouse cursor over it.
  • Solution: increase the width of the column.
• [4803787] When configuring connector settings, if the address input field contains a value that does not match the address template, the tooltip for this field will present the value template as a regular expression.
• [4343928] When operations with device groups are performed, the settings in audit entries might not contain any values if there is no data available for these values (for example, an audit entry will have an empty value for the name of the new parent group when a group is moved to the top level of the hierarchy in the device group tree).

Events and incidents

• When a security policy is applied on the Server, the application closes all previously registered events and saves the date and time when the policy was applied in the End column (unless this column was not empty for the event). All these events can be registered again, just like when the Server is restarted.
• [4800699] If saving of traffic is enabled and configured only for the "Incident" event type (event type code 8000000001) and it is not enabled for types of events that may be included in incidents, in some cases traffic might not be saved for some events of an incident. Saving of traffic is influenced by various factors, including delayed registration of an incident relative to the occurring events it contains, the settings for saving traffic dump files, and the rate of incoming traffic.
  • Solution: to better ensure that traffic is loaded, it is recommended to enable saving of traffic for the relevant event types and configure the settings for saving traffic in the database in accordance with the rate of traffic and registration of events.
• [3344303] When loading traffic for multiple events, the time value in the names of files of the received archive may differ from the time of registration of events on the Server (the time from a different time zone is indicated).
• [3951845] The names of files inside downloaded archives containing traffic for events may be presented in a localization language that is different from the specific localization of archive file names.
• [3091037] If an incident has embedded incidents, the parent incident may stop being displayed when you scroll through the structure of embedded elements in the events table.
• [3391289] When ARP spoofing detection events are registered, the start time in the descriptions of events is specified according to the UTC standard.

Asset Management

• [3338215] When you merge devices whose address information includes only IP addresses, the date and time when last visible is not saved.
• [4768430] Devices that have an assigned IP address from a "Public" subnet and whose MAC address is known may be displayed as unknown devices on the network map. When the application detects interactions between such devices with IP addresses from private subnets, it does not include these devices into a WAN node.
• [3371248] When attempting to save a device containing multiple network interfaces that have the same IP address and only the first interface does not contain a MAC address, a missing MAC address error is displayed for all interfaces except the first one.
• [3296453] If a node on the network map is moved to a position overlaying the line of a connection with other nodes, this overlay is not always automatically rectified (by optimizing the position of unpinned nodes).
• [4727899] While searching for the optimal location for an unpinned node on the network map, the node may move around in the vicinity of its current location for several seconds.
• If a device is added when importing a configuration from an external project that does not contain address information, the application assigns the IP address 0.0.0.0 to the device. When importing a configuration from a subsequent external project that also contains no address information for devices, information about the first device may be replaced. In this case, not all data from the external project will be imported into the application.
  • Solution: after importing a configuration of devices and tags from an external project, check the address information of devices that were added during the import and correct this information if necessary.

Network Integrity Control

• [3021344] For communications over the SNMP protocol, the application can only detect communications and identify this protocol without detecting system commands and tags.

Deep Packet Inspection

• [1842016] In dense traffic, after operation is disrupted and the application restarts, Kaspersky Industrial CyberSecurity for Networks may create duplicates of recent events.
  • Solution: you can ignore duplicated events.
• [1789024] The application incorrectly processes the most significant bit of the uint64 tag.
  • Solution: for tags with the uint64 data type, create rules only for values within the range of -2^62 to 2^62-1.
• [4756136] For tags with the bool or string data type, you can configure scaling (however, the defined scaling settings are not applied for these tags).
• [4717099] In descriptions of events for the detection of system commands over the MMS and GOOSE protocols of the IEC 61850 standard, the delimiters used in the names of logical node instances are $ characters instead of dots.
• [2487647] Support of the BDUBus protocol is limited: when using an encrypted connection over this protocol, system commands are not monitored after the connection is established.
• [1838543] Two different situations in IEC 60870-5-104 protocol traffic invoke the same event - REGISTER ADDRESS MISMATCH.
• [2528058] There is limited support for ABB Relion 670 devices: on some devices (for example, ABB REL670 with embedded software version 2.0.0), the ABB SPA-Bus protocol is not used, while an encrypted option (TLS) is used for the FTP protocol. Therefore, for these devices, only the system command "INITIALIZE CONNECTION" received over the FTP protocol is monitored. After a connection is established, the application can register PARSING ERROR: UNKNOWN COMMAND events.
• [2487474] Support of EKRA 243 devices is limited: depending on the version of the installed software on these devices, certain system commands might not be monitored.
• [3094764] When DMS protocol communications over the UDP transport protocol are detected, the application does not monitor the values of tags that are transmitted by the server as part of a client subscription to receive up-to-date values of those tags.
• [4756649] When Process Control settings are automatically detected by the application, the settings added for a device can only come from one of the supported protocols, which is the protocol whose traffic was detected earlier.
  • Solution: if a Process Control device communicates over multiple protocols, you can manually add the settings of the protocols that were not detected automatically.
• [4757273] When Process Control settings are automatically detected and custom settings for one of the supported protocols are defined for a device, the application does not automatically add device settings that were detected for another supported protocol.
  • Solution: if a Process Control device communicates over multiple protocols, you can manually add the settings of the protocols that were not detected automatically.

External

• [1268351] The application transmits data to a SIEM system in CEF 20 format. Data is not converted to Syslog standard format.
  • Solution: when it is necessary to transmit data in Syslog standard format, you must configure data transmission in Syslog standard format instead of SIEM systems format.

Application maintenance

• [4788300] In data regarding the Server or sensor node, the value of the "Maximum volume of application data" parameter is an estimate. In some cases, application files may occupy more disk space than the specified volume.
• [2466729] When the filter process is disrupted, the application might not register all events corresponding to the period, or might create duplicate events.
• [3519607] If an error occurred when enabling a monitoring point, this state is retained even after the cause of the error is resolved (for example, if the network interface is enabled after enabling the monitoring point).
  • Solution: after resolving the cause of the error, disable the monitoring point and enable it again.
• [4805965] After a sensor is removed through the web interface or after the Server is returned to its initial state (using the kics4net-reset-to-defaults.sh script located in the /opt/kaspersky/kics4net/sbin/ folder), the application may continue to create traffic dump files on the sensor node.
  • Solution: to prevent the creation of traffic dump files, you can first disable monitoring points on the sensor node.

© 2023 AO Kaspersky Lab.

Page top