Asset Management methods and modes

The following methods are used for asset management in Kaspersky Industrial CyberSecurity for Networks:

• Device Activity Detection. This method lets you monitor the activity of devices in industrial network traffic based on the obtained MAC- and/or IP addresses of devices.
• Device Information Detection. This method lets you automatically get and update information about devices known to the application, using data received from traffic or other sources as the basis.
• PLC Project Control This method lets you detect information about PLC projects in traffic, save this information in the application, and compare it to previously obtained information.
• Risk Detection. This method lets you detect information security risks based on information about devices and their interactions.
• Network Session Detection This method analyzes industrial network traffic to detect network sessions created by devices for the purpose of connecting to other devices.

You can enable and disable the use of individual asset management methods.

About the device activity detection method

The following modes are available for the device activity detection method:

• Learning mode. This mode is intended for temporary use. In this mode, all devices whose activity is detected in traffic are considered to be authorized by the application. You can enable learning mode only for the device activity detection method. The device activity detection method can be applied together with other asset management methods.
• Monitoring mode. This mode is intended for continual use. In this mode, when activity of devices is detected, the application considers only those devices that have been assigned the Authorized status as authorized.

Depending on the selected mode, the application automatically assigns statuses to devices.

In learning mode, the application does not register events when it detects activity of devices or when device information is automatically updated.

You can configure the learning mode for the device activity detection method. Asset management learning mode must be enabled for a sufficient amount of time to detect the activity of relevant devices. This amount of time depends on the number of devices in the industrial network and how frequently they operate and are serviced. We recommend that you enable learning mode for at least one hour. In large industrial networks, learning mode can be enabled for a period from one to several days to detect the activity of all required devices.

The received MAC- and IP addresses of devices are processed with the following special considerations:

• A router indicator must be set for devices that perform functions of a network switch between industrial network segments. If this indicator is not defined automatically by the application, it must be set manually. Otherwise, the application may fail to populate the devices table with devices that interact through this routing device in different industrial network segments. After the indicator is set, interacting devices will be added to the devices table when there is corresponding traffic involving them.
• If only the device IP address is detected in traffic (the IP address cannot be matched to a specific MAC address), this IP address is checked against the list of subnets known to the application. The device activity detection method ignores IP addresses that belong to Public subnets only.

About the device information detection method

When the device information detection method is enabled, the application automatically updates information about known devices. For example, the application can update the name of the operating system installed on a device as it detects updated data in the traffic of the device.

By default, automatic update is enabled for all information. For some types of information, in the device settings, you can disable automatic update in the following cases: adding a device manually, merging devices, and changing the device information.

To automatically get information about devices, the application can use:

• Built-in rules for detection of information about devices and device communication protocols.

  After installation, the application uses the default rules for identifying information about devices and the protocols of communication between devices. To increase the accuracy of identifying information, Kaspersky experts regularly update the databases containing the sets of rules. You can update rules by installing updates.

• Data from EPP applications containing information about the devices.

  The application processes data from EPP applications, which contain information about devices (for example, equipment information).

• Data from EPP applications processed according to the rules from the Kaspersky ICS CERT vulnerabilities database for SCADA.

  Rules from the Kaspersky ICS CERT vulnerabilities database for SCADA provide for additional analysis of data received from EPP applications. Based on the analysis results, the application can indirectly determine some information about the devices (for example, the device category). The Kaspersky ICS CERT vulnerabilities database for SCADA is a system-based set of security audit rules. These rule set is supplied and updated together with the database and application module updates. Therefore, to use the rules from this set, install the updates.

About events registered when applying methods

In monitoring mode, the application registers the corresponding events based on Asset Management technology. Depending on the applied methods, events may be registered in the following cases:

• Detection of activity of unknown devices or devices that have a status of Archived.
• Automatic change of device information.
• Detection of read/write operations with projects and PLC project blocks.
• Detection of Vulnerability risks and changes related to these risks.

When PLC Project Control is enabled, the application may register a large number of events associated with the detection of read/write operations with projects or blocks. Normally, a large number of events are registered at the initial stage when this method is used. To reduce the total number of registered events, the PLC Project Control method is disabled by default after the application is installed. You can enable this method at any time.

Page top