Connecting Kaspersky Industrial CyberSecurity for Networks to an industrial network via data diode

To connect Kaspersky Industrial CyberSecurity for Networks to an industrial network, you can additionally use special devices that provide unidirectional transmission of data from the industrial network. These devices are called data diodes.

Receiving industrial network traffic via data diodes

To transmit industrial network traffic to Kaspersky Industrial CyberSecurity for Networks, data diodes must support unfiltered transmission of network packets for all link layer protocols, including service protocols. Data diodes are installed on the connection links of Kaspersky Industrial CyberSecurity for Networks monitoring points and on SPAN ports of network switches.

The figure below shows a deployment scenario with a connection to a monitoring point on the Server via a data diode. The data diode transfers traffic from a SPAN port of a network switch in an industrial network. In this scenario, the Server is installed without external sensors.

Diagram illustrating the connection of a data diode on the communication channel between the SPAN port of a network switch in an industrial network of an enterprise and a monitoring point on the Application Server. The application receives network traffic only through this data diode.

Standard scenario for connecting the Server via a data diode

The figure below shows a deployment scenario where several Kaspersky Industrial CyberSecurity for Networks sensors are connected via data diodes. The data diodes transfers traffic from SPAN ports of network switches in an industrial network. In this scenario, the Server is installed with three sensors.

Diagram illustrating the connection of data diodes on each communication channel between SPAN ports of network switches in an industrial network of an enterprise and monitoring points on application sensors. The application receives network traffic only through these data diodes.

Standard scenario for connecting sensors via data diodes

If you want to additionally separate the segments of the industrial network where the sensors are installed, from the segment of the Kaspersky Industrial CyberSecurity dedicated network where the Server is installed, you can use a firewall on the connection links between the sensors and the Server.

Receiving industrial network traffic and Integrating with EPP applications via data diodes

For integration with EPP applications, support for data transfer over diodes is required both on the diode side and within the EPP applications.

The figure below shows a deployment scenario where Kaspersky Industrial CyberSecurity for Networks sensors receive network traffic via SPAN ports on network switches and telemetry from EPP applications deployed across several sites.

A diagram that illustrates connection of EPP applications and SPAN ports of network switches to application sensors via data diodes. Data diodes with different functional capabilities are used for telemetry and network traffic.

Diagram of EPP application traffic and data acquisition by sensors

Network traffic from SPAN ports on network switches is routed to the monitoring points of Kaspersky Industrial CyberSecurity for Networks sensors through data diodes, which support unfiltered transmission of network packets for all link layer protocols, including service protocols.

Sensors receive telemetry data from EPP applications via network interfaces which are not used as monitoring points. Because this data is transmitted via MQTT, the data diodes require MQTT broker functionality to enable transmission. Subscriber computers with installed EPP applications are used to receive and process incoming MQTT messages.

Endpoint Agent software components handle the sending and receiving of telemetry data via MQTT messages. For more information about configuring EPP applications for this telemetry transmission scenario, contact your technical account manager (TAM).

Industrial site segments and the demilitarized zone (DMZ) network segment are separated by a firewall.

Page top