The kics4net-deploy-<application version number>.bundle.sh script for centralized installation of application components cannot run without the application installation packages.
Solution: keep the distribution package of the installed application version in the same folder as the kics4net-deploy-<application version number>.bundle.sh script, so that the installation settings can be changed later.
Only self-signed SSL certificates are used for connections between nodes of Kaspersky Industrial CyberSecurity for Networks and for connections through the API.
[3369804] For a new centralized installation of application components without any changes to the settings (nodes for installing components are not added and other settings are not configured), the kics4net-deploy-<application version number>.bundle.sh script does not show any warnings about undefined settings. In this case, application components are not installed, but the script displays a message about successful installation after it finishes.
Solution: configure the settings before centralized installation of the application components: add nodes for the Server and sensors, and configure the other installation settings if necessary.
[5175379] If the firewall service firewalld is not active in the operating system, some phases of the script are not completed on that node when the application components are installed.
Solution: before installing application components, check the service status on all computers (for example, with the systemctl status firewalld command) and restart the service if necessary (for example, with the sudo systemctl restart firewalld command).
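As an added pre-installation check (example code written for this page, not one of the kics4net scripts), the following POSIX shell script queries firewalld on each node with systemctl is-active and restarts it where the unit is not active. The KICS_NODES variable, the special name "localhost", and the use of ssh with sudo to reach remote nodes are assumptions of the example, not settings of the product:

```shell
#!/bin/sh
# Added example, not part of the kics4net deployment scripts: verify that
# firewalld is active on every node before running
# kics4net-deploy-<application version number>.bundle.sh.
# Node names come from the KICS_NODES environment variable (an assumption
# made for this example), for instance:
#   KICS_NODES="server01 sensor01 sensor02" sh check-firewalld.sh
# The name "localhost" is checked directly; any other name is reached via ssh.

# Decide from the output of `systemctl is-active firewalld` whether the unit
# needs a restart. Returns 0 (true) for any state other than "active",
# including an empty result when the command could not be run at all.
firewalld_needs_restart() {
  case "$1" in
    active) return 1 ;;
    *)      return 0 ;;
  esac
}

# Run a command on a node: directly for "localhost", over ssh otherwise.
# Arguments are passed through as a list, so no shell string is re-parsed.
run_on_node() {
  node="$1"
  shift
  if [ "$node" = "localhost" ]; then
    "$@"
  else
    ssh "$node" "$@"
  fi
}

# Check one node and restart firewalld there when it is not active.
# Returns 0 when firewalld is (or has been brought) active, 1 otherwise.
check_node() {
  node="$1"
  status=$(run_on_node "$node" systemctl is-active firewalld 2>/dev/null || true)
  if firewalld_needs_restart "$status"; then
    echo "$node: firewalld is '${status:-unknown}', restarting"
    run_on_node "$node" sudo systemctl restart firewalld || return 1
  else
    echo "$node: firewalld is active"
  fi
  return 0
}

# Check every node listed in KICS_NODES; the return value is the number of
# nodes where firewalld could not be brought to the active state.
check_all_nodes() {
  failed=0
  for node in $KICS_NODES; do
    check_node "$node" || failed=$((failed + 1))
  done
  return "$failed"
}

# Only act when a node list was supplied; otherwise the functions are just
# defined (so the file can also be sourced from another script).
if [ -n "${KICS_NODES:-}" ]; then
  if check_all_nodes; then
    echo "all nodes ready: firewalld is active everywhere"
  else
    echo "some nodes are not ready; fix them before running kics4net-deploy" >&2
    exit 1
  fi
fi
```

The check deliberately treats an empty or unreadable result the same as an inactive service, because the installation phase fails in both cases; a node where systemctl cannot be queried should be inspected by hand rather than silently passed.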
[4808342] After centralized installation of a sensor, you can connect to the sensor through the web interface only by using the IP address that was specified for this node when the installation settings were configured.
Solution: if you want to connect to a sensor through the web interface at any IP address accessible on the sensor node, you can install the sensor by using the kics4net-install.sh script for local installation of application components.
User interface
Descriptions of device vulnerabilities are provided in English regardless of the specific localization language of the application.
Descriptions of MITRE ATT&CK techniques in events and incidents are provided in English regardless of the specific localization language of the application.
[3200916] If the header of a column in the events table does not show the full name (due to insufficient column width), a tooltip may not be displayed for this name when you move the mouse cursor over it.
Solution: increase the width of the column.
[4803787] When configuring connector settings, if the address input field contains a value that does not match the address template, the tooltip for this field displays the value template as a regular expression.
Events and incidents
When a security policy is applied on the Server, the application closes all previously registered events and saves the date and time when the policy was applied in the End column (unless this column was already filled for the event). All these events can be registered again, just as after a Server restart.
[3344303] When loading traffic for multiple events, the time value in the file names inside the downloaded archive may differ from the time of registration of the events on the Server (the time is given in a different time zone).
[3951845] The names of files inside downloaded archives containing traffic for events may be in a localization language different from the one used for the archive file names.
[3091037] If an incident has embedded incidents, the parent incident may stop being displayed when you scroll through the structure of embedded elements in the events table.
[3391289] When ARP spoofing detection events are registered, the start time in the event descriptions is specified in UTC.
Asset Management
[3338215] When you merge devices whose address information includes only IP addresses, the date and time when the device was last visible are not saved.
[4768430] Devices that have an assigned IP address from a "Public" subnet and whose MAC address is known may be displayed as unknown devices on the network map. When the application detects interactions between such devices and devices with IP addresses from private subnets, it does not include these devices in a WAN node.
[3296453] If a node on the network map is moved to a position overlaying the line of a connection with other nodes, this overlay is not always automatically rectified (by optimizing the position of unpinned nodes).
If a device is added when importing a configuration from an external project that does not contain address information, the application assigns the IP address 0.0.0.0 to the device. When importing a configuration from a subsequent external project that also contains no address information for devices, information about the first device may be replaced. In this case, not all data from the external project will be imported into the application.
Solution: after importing a configuration of devices and tags from an external project, check the address information of devices that were added during the import and correct this information if necessary.
Network Integrity Control
[3021344] For communications over the SNMP protocol, the application only detects the communications and identifies the protocol; it does not detect system commands or tags.
Deep Packet Inspection
[1842016] Under heavy traffic, if operation is disrupted and the application restarts, Kaspersky Industrial CyberSecurity for Networks may create duplicates of recent events.
Solution: you can ignore duplicated events.
[1789024] The application incorrectly processes the most significant bit of tags with the uint64 data type.
Solution: for tags with the uint64 data type, create rules only for values within the range of -2^62 to 2^62-1.
[2487647] Support of the BDUBus protocol is limited: when using an encrypted connection over this protocol, system commands are not monitored after the connection is established.
[1838543] Two different situations in IEC 60870-5-104 protocol traffic trigger the same event, REGISTER ADDRESS MISMATCH.
[2528058] There is limited support for ABB Relion 670 devices: on some devices (for example, ABB REL670 with embedded software version 2.0.0), the ABB SPA-Bus protocol is not used, and the FTP protocol is used with the encrypted option (TLS). Therefore, for these devices, only the system command "INITIALIZE CONNECTION" received over the FTP protocol is monitored. After a connection is established, the application can register PARSING ERROR: UNKNOWN COMMAND events.
[2487474] Support of EKRA 243 devices is limited: depending on the version of the installed software on these devices, certain system commands might not be monitored.
[3094764] When DMS protocol communications over the UDP transport protocol are detected, the application does not monitor the values of tags that are transmitted by the server as part of a client subscription to receive up-to-date values of those tags.
Intrusion Detection
[5171270] After a restart, the application may register ARP spoofing indicator detection events when analyzing network packets of the IEC 61850 GOOSE protocol if these packets were received while the application was restarting.
External
[1268351] The application transmits data to a SIEM system in CEF 20 format. Data is not converted to Syslog standard format.
Solution: when data must be transmitted in Syslog standard format, configure data transmission in Syslog standard format instead of the SIEM system format.
Application maintenance
[4788300] In data regarding the Server or sensor node, the value of the "Maximum volume of application data" parameter is an estimate. In some cases, application files may occupy more disk space than the specified volume.
[4878306] In some cases, when you open the list of notifications about application operating problems by using the button in the Server web interface menu, the list contains the "No problems detected in the operation of the application" notification even though a yellow icon is displayed next to the button for opening the list. Together, this notification and icon indicate a situation that could lead to problems (for example, free disk space has decreased to 20%).
[2466729] When the filter process is disrupted, the application might not register all events corresponding to the period, or might create duplicate events.
Solution: after resolving the cause of the error, disable the monitoring point and enable it again.