Kaspersky Industrial CyberSecurity for Networks employs the following methods:
You can enable and disable the use of individual asset management methods.
The following modes are available for asset management methods:
In learning mode, the application assigns the Authorized status to all detected assets. The application does not register events when it detects activity of assets or when asset information is automatically updated.
Asset management learning mode must be enabled for a sufficient amount of time to detect the activity of new devices. This amount of time depends on the number of devices in the industrial network and how frequently they operate and are serviced. We recommend that you enable learning mode for at least one hour. In large industrial networks, learning mode can be enabled for a period ranging from one to several days to detect the activity of all new devices.
In monitoring mode (when the asset activity detection method is enabled), the application assigns the Unauthorized status to all devices that have shown activity and are either unknown to the application or are assets that have the Archived status. The application assigns the Archived status to assets that have not shown activity and whose information has not changed in a long time (30 days or more).
When the asset information detection method is enabled, the application automatically updates information about assets. For example, the application can automatically update the name of the operating system installed on an asset as it detects updated data in the traffic of the asset. The application updates data for which automatic updates are enabled in the settings of assets.
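The status lifecycle described above (learning mode assigning Authorized, monitoring mode assigning Unauthorized to unknown or Archived devices that show activity, archiving after 30 days without activity or information changes, and automatic information updates registering events only in monitoring mode) is easier to reason about as a small state model. The following is an added illustrative model written for this page; it is not Kaspersky Industrial CyberSecurity for Networks code, and the class and method names, the `auto_update_fields` setting, the event texts and the addresses in the constructed timeline are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Threshold stated on the page: no activity and no information change
# for 30 days or more moves an asset to the Archived status.
ARCHIVE_AFTER = timedelta(days=30)


@dataclass
class Asset:
    address: str
    status: str                      # "Authorized", "Unauthorized" or "Archived"
    last_change: datetime            # last detected activity or information update
    info: dict = field(default_factory=dict)


class AssetInventory:
    """Illustrative model of the asset status lifecycle (not the product's code)."""

    def __init__(self, mode="learning", activity_detection=True,
                 info_detection=True, auto_update_fields=("os",)):
        self.mode = mode                                   # "learning" or "monitoring"
        self.activity_detection = activity_detection       # asset activity detection method
        self.info_detection = info_detection               # asset information detection method
        self.auto_update_fields = set(auto_update_fields)  # fields allowed to auto-update (assumed setting)
        self.assets: dict[str, Asset] = {}
        self.events: list[str] = []

    def _event(self, text: str) -> None:
        # Events are registered in monitoring mode only; learning mode stays silent.
        if self.mode == "monitoring":
            self.events.append(text)

    def archive_stale(self, now: datetime) -> None:
        """Archive assets with no activity and no information change for ARCHIVE_AFTER."""
        for asset in self.assets.values():
            if asset.status != "Archived" and now - asset.last_change >= ARCHIVE_AFTER:
                asset.status = "Archived"

    def observe(self, address: str, now: datetime, info: dict | None = None):
        """Process detected activity of `address`, optionally carrying identified info."""
        self.archive_stale(now)
        asset = self.assets.get(address)

        if asset is None or asset.status == "Archived":
            if self.mode == "learning":
                status = "Authorized"               # learning: every detected asset is Authorized
            elif self.activity_detection:
                status = "Unauthorized"             # monitoring: unknown or archived device became active
                self._event(f"activity of unauthorized asset {address}")
            else:
                return None                         # method disabled: activity is not tracked (assumption)
            if asset is None:
                asset = Asset(address, status, now)
                self.assets[address] = asset
            else:
                asset.status = status

        asset.last_change = now

        # Automatic information update, limited to fields enabled for auto-update.
        if self.info_detection and info:
            for key, value in info.items():
                if key in self.auto_update_fields and asset.info.get(key) != value:
                    asset.info[key] = value
                    self._event(f"{address}: {key} updated to {value!r}")
        return asset


def run_scenario() -> AssetInventory:
    """Constructed timeline: a learning period, then monitoring, then assets going stale."""
    t0 = datetime(2024, 1, 1, 8, 0)
    inv = AssetInventory(mode="learning")
    inv.observe("10.0.0.11", t0, {"os": "Windows 7"})                 # workstation seen in learning
    inv.observe("10.0.0.20", t0 + timedelta(minutes=10))              # controller seen in learning
    inv.mode = "monitoring"                                           # learning period over
    inv.observe("10.0.0.20", t0 + timedelta(hours=2))                 # known asset, stays Authorized
    inv.observe("10.0.0.99", t0 + timedelta(hours=3))                 # unknown device -> Unauthorized
    inv.observe("10.0.0.11", t0 + timedelta(hours=4), {"os": "Windows 10"})  # info auto-updated
    inv.observe("10.0.0.99", t0 + timedelta(days=36))                 # everything stale -> Archived first
    inv.observe("10.0.0.20", t0 + timedelta(days=37))                 # archived asset active -> Unauthorized
    return inv


if __name__ == "__main__":
    result = run_scenario()
    for a in result.assets.values():
        print(a.address, a.status, a.info)
    print(*result.events, sep="\n")
```

Running the scenario shows why the learning period matters: the two devices seen during learning stay Authorized in monitoring mode, the device first seen after the switch is flagged, and any asset that goes quiet for 30 days is archived and treated like an unknown device the next time it appears.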
To automatically receive information about assets, the application analyzes industrial network traffic according to the rules for identifying information about devices and the protocols of communication between devices. These rules are embedded in the application and are applied independently of the security policy loaded in the Console or applied on the Server.
After installation, the application uses the default rules for identifying information about devices and the protocols of communication between devices. In most cases, these rules generate correct results. However, there can be situations when information is incorrectly identified due to the technical specifics of devices (for example, when identifying the category of some devices). To increase the accuracy of identifying information, Kaspersky experts regularly update the databases containing the sets of rules. You can update rules by installing updates.
In monitoring mode, the application registers the corresponding events based on Asset Management technology. Depending on the applied methods, events may be registered in the following cases:
When PLC Project Control is enabled, the application may register a large number of events associated with the detection of read/write operations with projects/blocks. Normally, a large number of events are registered at the initial stage when this method is used. To reduce the total number of registered events, the PLC Project Control method is disabled by default after the application is installed. You can enable this method at any time.