Overview of Kaspersky Industrial CyberSecurity for Networks functionality
Industrial network traffic analysis functionality
In Kaspersky Industrial CyberSecurity for Networks, industrial network traffic analysis is provided by the following functionality:
Asset Management. This functionality lets you monitor the activity of assets and track changes to asset information based on data received in network packets. To automatically receive information about assets, the application analyzes industrial network traffic according to the rules for identifying information about devices and the protocols of communication between devices. In conjunction with Process Control functionality, read/write operations for programmable logic controllers are also monitored. For the purpose of Asset Management, the application generates a table containing information that is received automatically from traffic or information that is manually provided. Asset Management can be configured when working with the assets table. Some configuration capabilities are also available when working with the network map.
Network Control. This functionality lets you monitor interactions between assets of the industrial network. Detected interactions are checked to see if they match defined Network Control rules. When the application detects an interaction that is described in an active Network Control rule, it considers this interaction to be allowed and does not register an event.
Deep Packet Inspection (hereinafter also referred to as "Process Control"). This functionality lets you monitor traffic to detect the values of process parameters and the system commands transmitted or received by assets. Values of industrial process parameters are tracked with the aid of Process Control rules, which the application uses to detect unacceptable values. Lists of monitored system commands are generated when you configure the settings of Process Control devices.
Intrusion Detection. This functionality lets you monitor traffic to detect signs of attacks or unwanted network activity. Intrusion Detection rules and embedded network packet scan algorithms are used to detect such activity. When the conditions defined in an active Intrusion Detection rule are detected in traffic, the application registers a rule-triggering event. Using the embedded network packet scan algorithms, the application detects signs of falsified addresses in ARP packets and various anomalies in the TCP and IP protocols.
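The two mechanisms described above, the Network Control allow-list check (an interaction is allowed only if it matches an active rule, otherwise an event is registered) and the embedded ARP falsified-address check, can be modelled in a few lines. The following is an added, constructed illustration, not code from Kaspersky Industrial CyberSecurity for Networks; rule fields, event strings and sample traffic are assumptions.

```python
"""Constructed model of Network Control and ARP-check semantics (not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NetworkControlRule:
    # Assumed rule shape: source, destination, protocol, optional port, active flag.
    src: str
    dst: str
    proto: str
    port: Optional[int] = None  # None means "any port"
    active: bool = True

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        # Only an active rule can make an interaction "allowed".
        return (self.active and self.src == src and self.dst == dst
                and self.proto == proto and self.port in (None, port))


@dataclass
class TrafficMonitor:
    rules: List[NetworkControlRule]
    arp_bindings: Dict[str, str] = field(default_factory=dict)  # IP -> MAC seen in traffic
    events: List[str] = field(default_factory=list)

    def check_interaction(self, src: str, dst: str, proto: str, port: int) -> Optional[str]:
        """Network Control: a detected interaction that matches no active rule registers an event."""
        if any(r.matches(src, dst, proto, port) for r in self.rules):
            return None
        event = f"NETWORK_CONTROL unauthorized {proto}/{port} {src} -> {dst}"
        self.events.append(event)
        return event

    def check_arp_reply(self, sender_ip: str, sender_mac: str) -> Optional[str]:
        """Intrusion Detection: flag an ARP reply whose IP/MAC pair contradicts the binding learned earlier."""
        known = self.arp_bindings.setdefault(sender_ip, sender_mac)
        if known == sender_mac:
            return None
        event = f"ARP falsified address for {sender_ip}: learned {known}, reply claims {sender_mac}"
        self.events.append(event)
        return event


def run_demo() -> List[str]:
    """Constructed sample: SCADA -> PLC Modbus is allowed, a disabled rule does not allow, ARP conflict fires."""
    mon = TrafficMonitor(rules=[
        NetworkControlRule("10.0.0.10", "10.0.0.20", "TCP", 502),         # SCADA -> PLC, Modbus
        NetworkControlRule("10.0.0.30", "10.0.0.20", "TCP", None, False),  # engineering station, rule disabled
    ])
    mon.check_interaction("10.0.0.10", "10.0.0.20", "TCP", 502)   # allowed, no event
    mon.check_interaction("10.0.0.30", "10.0.0.20", "TCP", 502)   # rule inactive -> event
    mon.check_arp_reply("10.0.0.20", "aa:bb:cc:00:00:20")        # binding learned
    mon.check_arp_reply("10.0.0.20", "aa:bb:cc:00:00:99")        # conflicting MAC -> event
    return mon.events
```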
Only an application user with the Administrator role can configure industrial network traffic analysis functionality.
Functionality for performing common operator tasks
Application user accounts with the Operator role can be used to perform common tasks for monitoring the state of the industrial process in Kaspersky Industrial CyberSecurity for Networks. These users can utilize the following functionality:
Display information for system monitoring in online mode. This functionality lets you view the most significant changes to the system that have occurred up to the current moment. When monitoring the system in online mode, you can view information about assets requiring attention, and information about events and incidents with the most recent time of last occurrence.
Display data on the network map. This functionality lets you visually display detected interactions between assets of the industrial network. When viewing the network map, you can quickly identify problematic objects or objects with other attributes and view information about these objects. To conveniently present information, you can automatically or manually arrange assets on the network map.
Display information about events and incidents. This functionality lets you load registered events and incidents from the Server database. To provide the capability to monitor new events and incidents, by default the application loads events and incidents that occurred most recently. You can also load events and incidents for any period. When viewing the events table, you can change the statuses of events and incidents, copy and export data, load traffic, and perform other actions.
Display information for monitoring process parameters. This functionality lets you view the values of process parameters detected in traffic at the current time. Information about process parameters is presented in the form of a table whose values are automatically updated.
Functionality for managing operation of the application
To manage the application for the purpose of general configuration and control of its use, an application user with the Administrator role can use the following functionality:
Manage monitoring points. This functionality lets you add monitoring points to the application to receive traffic from the industrial network. You can also use this functionality to temporarily pause and resume monitoring of industrial network segments by disabling and enabling the corresponding monitoring points (for example, while conducting preventative maintenance and adjustment operations for the ICS).
Manage technologies. This functionality lets you enable and disable the use of technologies and methods for industrial network traffic analysis, and change the operating mode of technologies and methods. You can enable, disable, and change the operating mode of technologies and methods independently of each other.
Distribute access to application functions. This functionality lets you restrict user access to application functions. Access is restricted based on the roles of application user accounts.
Monitor the state of the application. This functionality lets you monitor the current state of Kaspersky Industrial CyberSecurity for Networks, and view application messages and user activity audit entries for any period. Users with the Operator role can also access the log containing application messages.
Update databases and application modules. This functionality lets you download and install updates, thereby improving the effectiveness of traffic analysis and ensuring maximum protection of the industrial network against threats. Update functionality is available after a license key is added to Kaspersky Industrial CyberSecurity for Networks or to Kaspersky Security Center. You can manually start installation of updates, or enable automatic installation of updates according to a defined schedule.
Configure the types of registered events. This functionality lets you generate and configure a list of event types for event registration in Kaspersky Industrial CyberSecurity for Networks, and for event transmission to recipient systems (for example, to a SIEM system) and to Kaspersky Security Center. When configuring event types, you can also add event types for event registration using methods of the Kaspersky Industrial CyberSecurity for Networks API.
Manage logs. This functionality lets you change the settings for saving data in application logs. You can configure the settings for saving entries in logs and the settings for saving traffic in the database. You can also change the log levels for process logs.
Use the application programming interface. This functionality lets you use the set of functions implemented through the Kaspersky Industrial CyberSecurity for Networks API in external applications. Using the methods provided by the Kaspersky Industrial CyberSecurity for Networks API, you can obtain data on events and tags, send events to Kaspersky Industrial CyberSecurity for Networks, and perform other actions.