The following methods are used for asset management in Kaspersky Industrial CyberSecurity for Networks:
You can enable and disable the use of individual asset management methods.
About the device activity detection method
The following modes are available for the device activity detection method:
Depending on the selected mode, the application automatically assigns statuses to devices.
In learning mode, the application does not register events when it detects activity of devices or when device information is automatically updated.
You can configure the learning mode for the device activity detection method. Asset management learning mode must be enabled for a sufficient amount of time to detect the activity of relevant devices. This amount of time depends on the number of devices in the industrial network and how frequently they operate and are serviced. We recommend that you enable learning mode for at least one hour. In large industrial networks, learning mode can be enabled for a period from one to several days to detect the activity of all required devices.
The received MAC- and IP addresses of devices are processed with the following special considerations:
About the device information detection method
When the device information detection method is enabled, the application automatically updates information about known devices. For example, the application can update the name of the operating system installed on a device as it detects updated data in the traffic of the device.
By default, automatic update is enabled for all information. For some types of information, in the device settings, you can disable automatic update in the following cases: adding a device manually, merging devices, and changing the device information.
To automatically get information about devices, the application can use:
After installation, the application uses the default rules for identifying information about devices and the protocols of communication between devices. To increase the accuracy of identifying information, Kaspersky experts regularly update the databases containing the sets of rules. You can update rules by installing updates.
The application processes data from EPP applications, which contain information about devices (for example, equipment information).
Rules from the Kaspersky ICS CERT vulnerabilities database for SCADA provide for additional analysis of data received from EPP applications. Based on the analysis results, the application can indirectly determine some information about the devices (for example, the device category). The Kaspersky ICS CERT vulnerabilities database for SCADA is a system-based set of security audit rules. These rule set is supplied and updated together with the database and application module updates. Therefore, to use the rules from this set, install the updates.
About events registered when applying methods
In monitoring mode, the application registers the corresponding events based on Asset Management technology. Depending on the applied methods, events may be registered in the following cases:
When PLC Project Control is enabled, the application may register a large number of events associated with the detection of read/write operations with projects or blocks. Normally, a large number of events are registered at the initial stage when this method is used. To reduce the total number of registered events, the PLC Project Control method is disabled by default after the application is installed. You can enable this method at any time.
Page top