Overview of Kaspersky Industrial CyberSecurity for Networks functionality
Industrial network traffic analysis functionality
In Kaspersky Industrial CyberSecurity for Networks, industrial network traffic analysis is provided by the following functionality:
Asset Management. This functionality lets you monitor the activity of devices and track changes to device information based on data received in network packets. To automatically receive information about devices, the application analyzes industrial network traffic according to the rules for identifying information about devices and the protocols of communication between devices. The application can also define device settings for Process Control. In conjunction with Process Control functionality, read/write operations for programmable logic controllers are also monitored. For the purpose of Asset Management, the application generates a table containing information that is received automatically from traffic or information that is manually provided.
Interaction Control. This functionality lets you monitor interactions between devices of the industrial network. Detected interactions are checked to see if they match any Interaction Control allow rules. When the application detects an interaction that is described in an enabled rule, it considers this interaction to be allowed and does not register an event.
Deep Packet Inspection (hereinafter also referred to as "Process Control"). This functionality lets you monitor traffic to detect the values of process parameters and the system commands transmitted or received by devices. Values of industrial process parameters are tracked with the aid of Process Control rules, which the application uses to detect unacceptable values. Lists of monitored system commands are generated when you configure the settings of Process Control devices.
Intrusion Detection. This functionality lets you monitor traffic to detect signs of attacks or unwanted network activity. Intrusion Detection rules and embedded network packet scan algorithms are used to detect such activity. When the conditions defined in an active Intrusion Detection rule are detected in traffic, the application registers a rule-triggering event. Using the embedded network packet scan algorithms, the application detects signs of falsified addresses in ARP packets and various anomalies in the TCP and IP protocols.
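The two checks described above for Interaction Control (matching detected interactions against enabled allow rules and registering an event only when no rule matches) and for Intrusion Detection (spotting falsified sender addresses in ARP packets) are illustrated below in a small passive analyzer. This is an added example, not Kaspersky Industrial CyberSecurity for Networks code: the rule fields, the packet records and the sample traffic are constructed for the illustration, and the ARP check is one common algorithm (first-learned IP-to-MAC binding, report every later deviation), not necessarily the one the product embeds.

```python
"""Constructed example of two passive traffic checks.

Not product code: the Flow/AllowRule/Arp structures, the rule semantics and the
sample traffic below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str      # application protocol name as a DPI engine would label it
    dst_port: int


@dataclass(frozen=True)
class AllowRule:
    src_net: str
    dst_net: str
    proto: str
    dst_port: Optional[int] = None   # None means any destination port
    enabled: bool = True             # a disabled rule never allows anything

    def matches(self, f: Flow) -> bool:
        return (self.enabled
                and ip_address(f.src_ip) in ip_network(self.src_net)
                and ip_address(f.dst_ip) in ip_network(self.dst_net)
                and self.proto == f.proto
                and (self.dst_port is None or self.dst_port == f.dst_port))


def check_interactions(flows: List[Flow], rules: List[AllowRule]) -> List[dict]:
    """Register an event for every interaction no enabled allow rule describes."""
    return [{"type": "unauthorized_interaction", "flow": f}
            for f in flows if not any(r.matches(f) for r in rules)]


@dataclass(frozen=True)
class Arp:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str


def detect_arp_spoof(packets: List[Arp],
                     known: Optional[Dict[str, str]] = None
                     ) -> Tuple[List[dict], Dict[str, str]]:
    """Learn sender IP -> MAC bindings (seeded from a known table if given)
    and report every packet whose sender MAC contradicts the learned binding.
    The first binding is kept; a conflicting packet does not overwrite it."""
    table = dict(known or {})
    events = []
    for p in packets:
        prev = table.get(p.sender_ip)
        if prev is None:
            table[p.sender_ip] = p.sender_mac
        elif prev != p.sender_mac:
            events.append({"type": "arp_mac_conflict", "op": p.op,
                           "ip": p.sender_ip, "learned": prev, "seen": p.sender_mac})
    return events, table


# Constructed sample data: an engineering subnet talking to a PLC subnet.
ALLOW_RULES = [
    AllowRule("10.10.1.0/24", "10.10.2.0/24", "modbus", 502),
    AllowRule("10.10.1.10/32", "10.10.2.0/24", "s7comm", 102),
    AllowRule("10.10.1.0/24", "10.10.2.0/24", "snmp", enabled=False),
]
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.20", "modbus", 502),   # allowed
    Flow("10.10.1.10", "10.10.2.21", "s7comm", 102),   # allowed
    Flow("10.10.1.11", "10.10.2.21", "s7comm", 102),   # host not in the s7comm rule
    Flow("10.10.1.10", "10.10.2.20", "snmp", 161),     # only a disabled rule matches
    Flow("10.10.3.5", "10.10.2.20", "modbus", 502),    # source subnet unknown
]
SAMPLE_ARP = [
    Arp("reply", "00:1c:06:aa:bb:01", "10.10.2.20", "10.10.1.10"),
    Arp("reply", "00:1c:06:aa:bb:02", "10.10.2.21", "10.10.1.10"),
    Arp("reply", "08:00:27:de:ad:01", "10.10.2.20", "10.10.1.10"),  # same IP, other MAC
    Arp("reply", "00:1c:06:aa:bb:01", "10.10.2.20", "10.10.1.10"),  # matches learned binding
]

if __name__ == "__main__":
    for e in check_interactions(SAMPLE_FLOWS, ALLOW_RULES):
        print(e)
    arp_events, _ = detect_arp_spoof(SAMPLE_ARP)
    for e in arp_events:
        print(e)
```

Running the block reports three unauthorized interactions (the unlisted host, the flow covered only by a disabled rule, and the unknown source subnet) and one ARP conflict for 10.10.2.20. The ARP check will also fire when a device is legitimately replaced and its IP address moves to new hardware, which is why a binding table that can be corrected from manually provided device information, as the Asset Management description above mentions, matters in practice.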
Only an application user with the Administrator role can configure industrial network traffic analysis functionality.
Functionality for performing common operator tasks
Application user accounts with the Operator role can be used to perform common tasks for monitoring the state of the industrial process and devices in Kaspersky Industrial CyberSecurity for Networks. These users can utilize the following functionality:
Display information for system monitoring in online mode. This functionality lets you view the most significant changes to the system that have occurred up to the current moment. When the system is being monitored in online mode, you can monitor hardware resource consumption, various dynamic data, and the main information about devices and events.
Display data on the network interactions map. This functionality lets you visually display detected interactions between devices of the industrial network. When viewing the network interactions map, you can quickly identify problematic objects or objects with other attributes and view information about these objects. To conveniently present information, you can arrange devices on the network interactions map automatically or manually.
Display data on the topology map. This functionality lets you visually display a diagram of the physical connections between devices in the industrial network. When viewing the topology map, you can study the structure of connections between devices via network equipment and view information about devices and their connections. To conveniently present information, you can arrange devices on the topology map automatically or manually.
Display information about events and incidents. This functionality lets you download registered events and incidents from the Server database and display this information as an events table or as interacting objects on a network interactions map. To provide the capability to monitor new events and incidents, by default the application loads events and incidents that occurred most recently. You can also load events and incidents for any period. When viewing the events table, you can change the statuses of events and incidents, copy and export data, load traffic, and perform other actions.
Display tag values in online mode. This functionality lets you view the current values of process parameters detected in traffic at the current point in time. Information about received values is displayed in the tags table generated for Process Control.
Display information about detected risks. This functionality lets you view risks that could affect information system resources. The application identifies risks based on the results of traffic analysis and the device information it receives. Information about risks can be viewed when managing devices or in the general risks table.
Display information for centralized monitoring in the Kaspersky Security Center Web Console. This functionality lets you view data on the security state of information systems that are running application components (including deployment scenarios involving multiple Kaspersky Industrial CyberSecurity for Networks Servers). When working with the Kaspersky Security Center Web Console, you can view information in web widgets and on component deployment maps, search devices and events in Kaspersky Industrial CyberSecurity for Networks, and quickly navigate from the Kaspersky Security Center Web Console directly to the web interface pages of Servers.
Functionality for managing operation of the application
To manage the application for the purpose of general configuration and control of its use, an application user with the Administrator role can use the following functionality:
Manage technologies. This functionality lets you enable and disable the use of technologies and methods for industrial network traffic analysis, and change the operating mode of technologies and methods. You can enable, disable, and change the operating mode of technologies and methods independently of each other.
Manage nodes and monitoring points. This functionality lets you add sensor nodes and monitoring points to the application to receive traffic from the industrial network. You can also use this functionality to temporarily pause and resume monitoring of industrial network segments by disabling and enabling the corresponding monitoring points (for example, while conducting preventative maintenance and adjustment operations for the ICS).
Manage address spaces. This functionality lets you control devices and the interactions between them based on whether their MAC addresses or IP addresses belong to configured address spaces. You can also use this functionality to check detected IP addresses against the list of subnets of address spaces. You can configure the settings of rules and subnets of address spaces.
Perform active polling of devices. This functionality lets you run active polling of devices using connectors to obtain the most accurate and complete information about devices and their configurations directly from the devices themselves. Active polling of devices is only available after a license key is added to Kaspersky Industrial CyberSecurity for Networks. You can specify the information you want to obtain about devices using active polling, and you can also choose the method for obtaining that information.
Configure the receipt of data from EPP applications. This functionality lets you select the nodes with installed application components that will receive and process data from other Kaspersky applications that perform functions to protect workstations and servers. These applications are included in the Endpoint Protection Platform (EPP) and are installed to endpoint devices within the enterprise IT infrastructure. When data is received from EPP applications, Kaspersky Industrial CyberSecurity for Networks can register events, add devices, and update device information.
Distribute access to application functions. This functionality lets you restrict user access to application functions. Access is restricted based on the roles of application user accounts.
Monitor the state of the application. This functionality lets you monitor the current state of Kaspersky Industrial CyberSecurity for Networks, and view application messages and user activity audit entries for any period. Users with the Operator role can also access the log containing application messages.
Update databases and application modules. This functionality lets you download and install updates, thereby improving the effectiveness of traffic analysis and ensuring maximum protection of the industrial network against threats. Update functionality is available after a license key is added to Kaspersky Industrial CyberSecurity for Networks or to Kaspersky Security Center. You can manually start installation of updates, or enable automatic installation of updates according to a defined schedule.
Configure the types of registered events. This functionality lets you generate and configure a list of event types for event registration in Kaspersky Industrial CyberSecurity for Networks, and for event transmission to recipient systems (for example, to a SIEM system) and to Kaspersky Security Center.
Manage logs. This functionality lets you change the settings for saving data in application logs. You can configure the settings for saving entries in logs and the settings for saving traffic and traffic dump files in the database. You can also change the logging levels for process logs.
Manage reports. This functionality lets you generate reports to obtain information about the state of information systems. You can add user-defined templates for generating reports, specify the recipients of reports, and configure a schedule for the automatic generation of reports. You can also generate reports manually. Users with the Operator role can also manually start generating reports, and have access to generated reports. You can also configure the settings for storing report files in the Server database.
Use the application programming interface. This functionality lets you use the set of functions implemented through the Kaspersky Industrial CyberSecurity for Networks API in external applications. Using the Kaspersky Industrial CyberSecurity for Networks API, you can obtain data on events and tags, send events to Kaspersky Industrial CyberSecurity for Networks, and perform other actions.