Application architecture
Kaspersky Industrial CyberSecurity for Networks includes the following components:
- The Server is the main component that receives and processes industrial network traffic information, saves it and provides data (for example, events and asset information). The application may have only one Server.
- The Web Server provides the interface for connecting to the Server through a web browser (web interface). Application users can use the web interface to view data provided by the Server and manage operation of the application. The Web Server is installed on the computer that acts as the Server. Certificates are used for a secure connection with the Web Server.
- The Console provides the graphical interface for connecting to the Server. Application users can use the Console to configure the functionality that cannot be configured through the web interface. The Console is installed on the computer that acts as the Server.
- A sensor receives a copy of industrial network traffic, processes the obtained data and relays it to the Server. Sensors are installed on separate computers (not on a computer that performs Server functions). The application can have up to 32 sensors.
The Kaspersky Industrial CyberSecurity for Networks Server performs the following functions:
- Receives traffic information from Kaspersky Industrial CyberSecurity for Networks sensors and/or independently receives a copy of industrial network traffic.
- Registers events and saves them in the database.
- Monitors application performance.
- Monitors the activities of application users.
- Processes incoming requests from the Web Server and the Console, and provides the requested data.
- Transmits events to Kaspersky Security Center and recipient systems (for example, to a SIEM system).
The Web Server interacting with the Server provides the following capabilities to an application user:
- View information about assets, events, and process parameters in online mode.
- View and process registered events.
- View and modify information about controlled assets.
- View information about interactions between assets.
- Configure application functions.
- View information about application operation.
- View user activity audit entries.
The Console provides the following capabilities to an application user:
- Configure Process Control rules.
- Create a list of registered event types.
- Configure transmission of events to recipient systems.
- Configure Intrusion Detection rules.
- Configure updates of application modules and databases.
A Kaspersky Industrial CyberSecurity for Networks sensor performs the following functions:
- Processes incoming industrial network traffic.
- Extracts information about device communications and process parameters from industrial network traffic.
- Identifies signs of attacks in industrial network traffic.
- Registers events based on the results of industrial network traffic processing.
- Relays events, information about traffic, and information about process parameters to the Kaspersky Industrial CyberSecurity for Networks Server.
Sensors and/or the Server receive a copy of industrial network traffic from monitoring points. You can add monitoring points to network interfaces detected on nodes that have application components installed. Monitoring points must be added to network interfaces that relay traffic from the industrial network.
You can add no more than 8 monitoring points on a sensor and no more than 4 monitoring points on the Server. You can use no more than 32 monitoring points total in the application.
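The limits above interact: a plan can keep every node within its own limit and still exceed the application-wide total. The following added example (not part of the product or its documentation) checks a planned deployment against the limits stated on this page; the plan format, host names and interface names are hypothetical.

```python
# Added example: checks a planned deployment against the limits stated on this page.
# The plan format (dicts with "role", "host", "monitoring_points") is hypothetical.

MAX_SENSORS = 32
MAX_POINTS = {"server": 4, "sensor": 8}  # monitoring points per node, by role
MAX_POINTS_TOTAL = 32


def validate_plan(nodes):
    """Return a list of violations (an empty list means the plan fits the limits)."""
    problems = []
    servers = [n for n in nodes if n["role"] == "server"]
    sensors = [n for n in nodes if n["role"] == "sensor"]

    if len(servers) != 1:
        problems.append(f"expected exactly 1 Server, found {len(servers)}")
    if len(sensors) > MAX_SENSORS:
        problems.append(f"{len(sensors)} sensors exceeds limit of {MAX_SENSORS}")

    # Sensors must run on separate computers, not on the Server computer.
    server_hosts = {n["host"] for n in servers}
    for n in sensors:
        if n["host"] in server_hosts:
            problems.append(f"sensor on {n['host']} shares a computer with the Server")

    total = 0
    for n in servers + sensors:
        count = len(n["monitoring_points"])
        total += count
        limit = MAX_POINTS[n["role"]]
        if count > limit:
            problems.append(
                f"{n['host']}: {count} monitoring points exceeds {n['role']} limit of {limit}")
    if total > MAX_POINTS_TOTAL:
        problems.append(
            f"{total} monitoring points in total exceeds limit of {MAX_POINTS_TOTAL}")
    return problems


# Constructed sample plan: each node is within its own limit, but the total is not.
SAMPLE_PLAN = [{"role": "server", "host": "kics-srv", "monitoring_points": ["eth1", "eth2"]}] + [
    {"role": "sensor", "host": f"kics-sensor-{i}",
     "monitoring_points": [f"eth{j}" for j in range(1, 9)]}
    for i in range(1, 5)
]

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_PLAN):
        print(problem)
```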
All network interfaces with added monitoring points must be connected to the industrial network in a way that excludes any possibility of impacting the industrial network. For example, you can connect using ports on industrial network switches configured to transmit mirrored traffic (Switched Port Analyzer, SPAN).
Application users can connect to the Server through the web interface or the Console on a computer that performs Server functions, or connect remotely. However, only a remote desktop system can be used to work remotely with the Console.
It is recommended to use a dedicated Kaspersky Industrial CyberSecurity network for the connections between nodes that have installed components of Kaspersky Industrial CyberSecurity for Networks and other components of Kaspersky Industrial CyberSecurity (Kaspersky Industrial CyberSecurity for Nodes, Kaspersky Security Center). Network equipment used for interaction between components in the dedicated network must be installed separately from the industrial network. Normally, the following computers and devices should be connected to the dedicated network:
- Kaspersky Industrial CyberSecurity for Networks Server node.
- Kaspersky Industrial CyberSecurity for Networks sensor nodes.
- Computers for connecting to the Server through the web interface.
- Computer hosting Kaspersky Industrial CyberSecurity for Nodes.
- Computer hosting Kaspersky Security Center.
- Network switch.