Risk detection functionality lets you implement continuous (cyclical) management of risks in your information system. For risk management purposes, Kaspersky Industrial CyberSecurity for Networks provides information on detected risks that you can use to take the appropriate measures to eliminate or mitigate those risks.
The scenario for implementing the continuous risk management process consists of the following stages:
This stage is implemented by using the device activity detection and device information detection methods (these methods must be enabled). During this stage, the application automatically detects new devices and updates the device information. If the industrial network contains devices that have not been detected automatically, you need to manually add them or import them from external projects.
Enable automatic updating, in the device settings, of all information that defines the classification and operating characteristics of a device (for example, the device model and software version), because this is the information the risk comparison relies on. If automatic updating cannot be completed for some reason, update this information manually.
The application passively scans devices for risks, utilizing the available device information. The application also detects risks by analyzing network interactions in industrial network traffic. Risk detection functionality is implemented by using the risk detection method (this method must be enabled).
You can also perform active polling of devices to quickly obtain information about them. Active polling can additionally detect specific types of risks if the corresponding risk analysis methods are selected. To conduct active polling of devices, one or more Active poll connectors must be added to the application.
Vulnerability risks are detected automatically after the application database of known vulnerabilities is updated or after adding or modifying device information used for comparison (for example, after the information about the device model and software version is saved).
The application calculates a score value for each detected risk. This score determines the severity of the risk. Depending on the numerical value of its score, a risk may have a Low (score of 0.0–3.9), Medium (4.0–7.9), or High (8.0–10.0) severity.
You can classify detected risks based on their severities and scores, and also on other factors related to the operational specifics of the devices used in your information system. If you assess a risk as negligible, its status can be manually changed from the Active status (assigned to a detected risk by default) to the Accepted status. For instance, this may be appropriate if the conditions required to exploit a vulnerability cannot occur in your environment. When changing the status of a risk, it is recommended to add or edit the comment for the risk so that the reason for the decision is recorded.
All risks that require some additional actions should be left with the Active status.
At this stage, you need to take actions that either eliminate the detected risks or reduce the damage that could result if these risks are realized. To do so, review all detected risks that have the Active status, beginning with the risks that have the highest scores. Perform the necessary actions in your information system (for example, to eliminate a device vulnerability, install the required software update, or isolate the device from external networks if the update is impossible). Information about recommended mitigation measures is provided for certain risks (such as vulnerabilities).
Remediation actions for detected risks are performed without the involvement of Kaspersky Industrial CyberSecurity for Networks.
This stage is similar to risk detection through scanning. When this stage is completed, the risks table should no longer have any Active status risks.
Most risks detected by the application during passive scanning (such as vulnerabilities) are automatically assigned the Remediated status if the conditions under which these risks were detected are no longer met. For example, after the version of software on a device is changed, the application assigns the Remediated status to a Vulnerability risk that had been registered due to a previous vulnerable version of the software. The Remediated status is also assigned to risks that no longer have a description in the database of known vulnerabilities (for instance, if the description is deleted from the database after updates are uploaded).
When deleting devices, the application also deletes the risks that were associated with these devices.
If you have taken action to mitigate a risk but the risk detection conditions have not changed (for example, a vulnerable device has been isolated from external networks but the information about this device has not changed), you can manually assign the Accepted status to this risk. When changing the status of a risk, it is recommended to add or edit the comment for the risk.
Some risks cannot be automatically assigned the Remediated status (for example, the Remediated status cannot be assigned to risks that are detected during active polling of devices). For these types of risks, you also have to manually assign the Accepted status after conducting risk mitigation measures.
If a risk is associated with an event, you can assign the Accepted status to this risk simultaneously while changing the event status to Resolved.
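The score bands and the Active / Accepted / Remediated lifecycle described above (automatic remediation of passively detected vulnerability risks when the detection conditions lapse, deletion of risks together with their device, manual acceptance for isolated devices and for active-poll risks) can be mirrored in a small risk register. The following is an added illustration and is not code from Kaspersky Industrial CyberSecurity for Networks; the class names, the database layout and the sample identifiers ("KB-0001", "PLC-X", "plc1") are assumptions made for this example.

```python
"""Toy risk register mirroring the Active / Accepted / Remediated lifecycle.
Added example, not code from Kaspersky Industrial CyberSecurity for Networks;
all names (RiskRegister, "KB-0001", "PLC-X", ...) are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    ACTIVE = "Active"          # default for a newly detected risk
    ACCEPTED = "Accepted"      # set manually by the operator
    REMEDIATED = "Remediated"  # set automatically when detection conditions lapse


def severity(score: float) -> str:
    """Map a 0.0-10.0 risk score to the Low / Medium / High bands from the text."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 8.0:
        return "Medium"
    return "High"


@dataclass
class Device:
    device_id: str
    model: str
    sw_version: str


@dataclass
class Risk:
    risk_id: str
    device_id: str
    kind: str                      # "vulnerability" (passive scan) or "active_poll"
    score: float
    status: Status = Status.ACTIVE
    entry: Optional[str] = None    # vulnerability-database entry that produced it
    comment: str = ""


class RiskRegister:
    """vuln_db maps entry id -> (device model, vulnerable version, score).
    Its contents are constructed for the example, not a real database."""

    def __init__(self, vuln_db: dict[str, tuple[str, str, float]]):
        self.vuln_db = dict(vuln_db)
        self.devices: dict[str, Device] = {}
        self.risks: dict[str, Risk] = {}

    def _matches(self, dev: Device, entry: Optional[str]) -> bool:
        rec = self.vuln_db.get(entry)
        return rec is not None and (dev.model, dev.sw_version) == (rec[0], rec[1])

    def rescan(self) -> None:
        """Passive scan: compare saved device info against the vulnerability DB."""
        for dev in self.devices.values():
            for entry, (_, _, score) in self.vuln_db.items():
                rid = f"{dev.device_id}:{entry}"
                if self._matches(dev, entry) and rid not in self.risks:
                    self.risks[rid] = Risk(rid, dev.device_id, "vulnerability", score, entry=entry)
        # Vulnerability risks whose conditions no longer hold (version changed or
        # entry dropped from the DB) become Remediated; active-poll risks never do.
        for risk in self.risks.values():
            if risk.kind != "vulnerability" or risk.status is Status.REMEDIATED:
                continue
            dev = self.devices.get(risk.device_id)
            if dev is None or not self._matches(dev, risk.entry):
                risk.status = Status.REMEDIATED

    def upsert_device(self, dev: Device) -> None:
        self.devices[dev.device_id] = dev   # e.g. software version updated
        self.rescan()

    def update_vuln_db(self, vuln_db: dict[str, tuple[str, str, float]]) -> None:
        self.vuln_db = dict(vuln_db)
        self.rescan()

    def delete_device(self, device_id: str) -> None:
        """Deleting a device also deletes the risks associated with it."""
        self.devices.pop(device_id, None)
        self.risks = {r: k for r, k in self.risks.items() if k.device_id != device_id}

    def add_active_poll_risk(self, risk_id: str, device_id: str, score: float) -> None:
        self.risks[risk_id] = Risk(risk_id, device_id, "active_poll", score)

    def accept(self, risk_id: str, comment: str) -> None:
        """Manual Active -> Accepted; a comment is enforced here (the text recommends one)."""
        if not comment.strip():
            raise ValueError("add a comment explaining why the risk is accepted")
        risk = self.risks[risk_id]
        risk.status, risk.comment = Status.ACCEPTED, comment

    def active_by_score(self) -> list[Risk]:
        """Work queue for remediation: Active risks, highest score first."""
        return sorted((r for r in self.risks.values() if r.status is Status.ACTIVE),
                      key=lambda r: r.score, reverse=True)
```

Usage: create a `RiskRegister` with a constructed vulnerability database, call `upsert_device` after each device-information update and `update_vuln_db` after each database update; `active_by_score()` gives the remediation work queue. Note that an accepted vulnerability risk is also moved to Remediated once its conditions lapse (a choice made here; the text does not say how the product treats that case), and that active-poll risks only ever leave the queue through `accept`.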