Application architecture

Kaspersky Industrial CyberSecurity for Networks includes the following components:

• The Server is the main component that receives data, processes it, and provides it to users of the application. The received information (such as events and device information) is saved on the Server in the database. Only one Server can be used in each Kaspersky Industrial CyberSecurity for Networks deployment scenario.
• A sensor is a component that is managed by the Server and receives and analyzes data from computer networks that are connected to the network interfaces of the sensor's computer. A sensor forwards the data analysis results to the Server. Based on the specific requests from the Server, the sensor can forward data in the same format in which the data was received for analysis (for example, traffic related to registered events). Sensors are installed on separate computers. A sensor cannot be installed on a computer that performs Server functions. The application can have up to 50 sensors.

The connections between the Server and sensors are secured by using certificates. Use of certificates also ensures the security of other connections with application components (for example, a connection to a component through a web interface or connections of recipient systems through specialized application modules called connectors).

If Kaspersky applications that perform workstation and server protection functions (EPP applications) are installed on the computers of the monitored network, you can configure integration with these applications in Kaspersky Industrial CyberSecurity for Networks. After configuring the integration, the Server and/or sensors receive data from EPP applications and can interact with them.

When using security audit jobs, the Server and/or sensors can remotely connect to the devices to scan and receive results.

The Kaspersky Industrial CyberSecurity for Networks Server performs the following functions:

• Manages sensors and receives from them the results of analyzing the received data.
• Processes and saves received information about devices and their interactions.
• Registers and saves events.
• Conducts an additional analysis of accumulated information to detect threats and incidents (for example, according to event correlation rules).
• Monitors application performance.
• Monitors the activities of application users.
• Processes incoming requests submitted through the web interface and connectors, and provides the requested data.

A Kaspersky Industrial CyberSecurity for Networks sensor performs the following functions:

• Analyzes incoming industrial network traffic:
  • Extracts information about device communications and process parameters from traffic.
  • Identifies signs of attacks in traffic.
• Registers events based on the results of data analysis.
• Relays events, information about traffic, device information, and process parameters to the Kaspersky Industrial CyberSecurity for Networks Server.

Application components receive a copy of industrial network traffic from monitoring points. Monitoring points can be used on sensors as well as on the Server. You can add monitoring points to network interfaces detected on nodes that have application components installed. Monitoring points must be added to network interfaces that relay traffic from the industrial network.

All network interfaces with added monitoring points must be connected to the industrial network in such a way that excludes any possibility of impacting the industrial network. For example, you can connect using ports on industrial network switches configured to transmit mirrored traffic (Switched Port Analyzer, SPAN).

The application has the following restrictions on the number of monitoring points:

• Total number of monitoring points: a maximum of 50
• Monitoring points on the Server: a maximum of four
• Monitoring points per sensor: a maximum of eight

When running integrated with Kaspersky SD-WAN, a maximum of 100 monitoring points can be used per node or in total on all nodes that have application components installed on them.

It is recommended to use a dedicated Kaspersky Industrial CyberSecurity network for connecting the Server to sensors and to other components of Kaspersky Industrial CyberSecurity (Kaspersky Industrial CyberSecurity for Nodes / Kaspersky Industrial CyberSecurity for Linux Nodes, Kaspersky Security Center). Network equipment used for interaction between components in the dedicated network must be installed separately from the industrial network. Normally, the following computers and devices should be connected to the dedicated network:

• Kaspersky Industrial CyberSecurity for Networks Server node.
• Kaspersky Industrial CyberSecurity for Networks sensor nodes.
• Computers for connecting to the Server and sensors through the web interface.
• Computers with Kaspersky Industrial CyberSecurity for Nodes / Kaspersky Industrial CyberSecurity for Linux Nodes and the Endpoint Agent software components.
• Devices to which remote connections are established for scanning as part of security audit jobs.
• Computers hosting connector application modules.
• Computer hosting Kaspersky Security Center.
• Network switch.

Page top