Kaspersky Industrial CyberSecurity for Networks can monitor the network interactions of devices in the industrial network. Interaction Control rules are used to define authorized and unauthorized network interactions. All detected network interactions that do not satisfy the active Interaction Control rules are considered to be unauthorized. The application registers the corresponding events when unauthorized interactions are detected.
An Interaction Control rule can be applied by one of the following technologies:
An Interaction Control rule contains the following information about interactions/communications:
Network interactions between devices are identified based on the MAC- and/or IP addresses of the devices. If additional address spaces were added to the application, you can configure Interaction Control rules for the addresses of relevant address spaces.
When analyzing network interactions for Network Integrity Control, the application also checks the IP addresses in these interactions to see if they belong to known subnets. The application checks the IP addresses for those interactions in which the MAC addresses of network packet sources and destinations could not be identified. If only the IP address is identified for one of the sides of network interaction, the application checks this interaction against the table of subnets for Interaction Control. The application then checks this interaction against Network Integrity Control rules (and registers the corresponding event if necessary) only if this interaction must be controlled according to the table.
Table of subnets for Interaction Control based on Network Integrity Control technology
Command Control technology is applied regardless of the specific subnet of the IP addresses of the sources and destinations of network packets containing system commands.
Interaction Control rules can be enabled or disabled.
By default, a rule is enabled after it is created and is applied to allow the described communications. The application does not register events when it detects interactions that are described in enabled rules.
Disabled rules are intended for describing unwanted network interactions. In learning mode for Interaction Control technologies, disabled rules prevent automatic creation of new enabled rules that describe the same network interactions. In monitoring mode, disabled rules are not taken into account.
The application processes Interaction Control rules based on Network Integrity Control and Command Control technologies if the use of these technologies is enabled.
The following methods are provided for creating a list of Interaction Control rules:
You can configure Interaction Control rules in the Allow rules section of the Kaspersky Industrial CyberSecurity for Networks web interface. This section contains a table with Interaction Control rules based on Network Integrity Control and Command Control technologies. This rules table may also contain allow rules created for events.
Events registered based on Network Integrity Control and Command Control technologies are categorized as system events.
You can view Interaction Control events in the table of registered events. Events registered based on Network Integrity Control technology have High severity. Events registered based on Command Control technology are assigned a severity that depends on the severity level defined for the detected system command.