Application architecture

Kaspersky Industrial CyberSecurity for Networks includes the following components:

• The Server is the main component that receives data, processes it, and provides it to users of the application. The received information (such as events and device information) is saved on the Server in the database. Only one Server can be used in each Kaspersky Industrial CyberSecurity for Networks deployment scenario.
• A sensor is a component that is managed by the Server and receives and analyzes data from computer networks that are connected to the network interfaces of the sensor's computer. A sensor forwards the data analysis results to the Server. Based on the specific requests from the Server, the sensor can forward data in the same format in which the data was received for analysis (for example, traffic related to registered events). Sensors are installed on separate computers. A sensor cannot be installed on a computer that performs Server functions. The application can use up to 32 sensors in Kaspersky Industrial CyberSecurity for Networks version 4.0 and up to 50 sensors in Kaspersky Industrial CyberSecurity for Networks version 4.0.1.

The connections between the Server and sensors are secured by using certificates. Use of certificates also ensures the security of other connections with application components (for example, a connection to a component through a web interface or connections of recipient systems through specialized application modules called connectors).

The Kaspersky Industrial CyberSecurity for Networks Server performs the following functions:

• Manages sensors and receives the results of their analysis of data received from computer networks.
• Processes and saves received information about devices and their interactions.
• Uses connections to other computer networks to receive data from Kaspersky applications that perform functions to protect workstations and servers (EPP applications).
• Registers and saves events.
• Conducts an additional analysis of accumulated information to detect threats and incidents (for example, according to event correlation rules).
• Monitors application performance.
• Monitors the activities of application users.
• Processes incoming requests submitted through the web interface and connectors, and provides the requested data.

A Kaspersky Industrial CyberSecurity for Networks sensor performs the following functions:

• Analyzes incoming industrial network traffic:
  • Extracts information about device communications and process parameters from traffic.
  • Identifies signs of attacks in traffic.
• Uses connections to other computer networks to receive data from Kaspersky applications that perform functions to protect workstations and servers (EPP applications).
• Registers events based on the results of data analysis.
• Relays events, information about traffic, device information, and process parameters to the Kaspersky Industrial CyberSecurity for Networks Server.

Application components receive a copy of industrial network traffic from monitoring points. Monitoring points can be used on sensors as well as on the Server. You can add monitoring points to network interfaces detected on nodes that have application components installed. Monitoring points must be added to network interfaces that relay traffic from the industrial network.

You can add no more than 8 monitoring points on a sensor and no more than 4 monitoring points on the Server. The application can use no more than 32 monitoring points in Kaspersky Industrial CyberSecurity for Networks version 4.0, and no more than 50 monitoring points in Kaspersky Industrial CyberSecurity for Networks version 4.0.1.

All network interfaces with added monitoring points must be connected to the industrial network in such a way that excludes any possibility of impacting the industrial network. For example, you can connect using ports on industrial network switches configured to transmit mirrored traffic (Switched Port Analyzer, SPAN).

It is recommended to use a dedicated Kaspersky Industrial CyberSecurity network for connecting the Server to sensors and to other components of Kaspersky Industrial CyberSecurity (Kaspersky Industrial CyberSecurity for Nodes, Kaspersky Security Center). Network equipment used for interaction between components in the dedicated network must be installed separately from the industrial network. Normally, the following computers and devices should be connected to the dedicated network:

• Kaspersky Industrial CyberSecurity for Networks Server node.
• Kaspersky Industrial CyberSecurity for Networks sensor nodes.
• Computers for connecting to the Server and sensors through the web interface.
• Computers hosting Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Endpoint Agent.
• Computer hosting Kaspersky Security Center.
• Network switch.

Page top