Using configuration control jobs, you can conduct a security audit of monitored devices by receiving, saving, and comparing device configurations. Configuration control jobs additionally let you upload data to Kaspersky Industrial CyberSecurity for Networks for device user control, device application and patch monitoring, and OT device hardware monitoring.
The application can monitor the following configuration types on devices:
You can manually run security audit jobs or configure a schedule to automatically run each job.
When a job is started, the application initiates a scan of devices covered by this job. If a device scan detects configuration changes for the device, the application registers an event. Depending on the configuration processing mode selected for the job, the event contains the comparison results of the received configuration with the previous configuration of the device or with its benchmark configuration.
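The difference between the two comparison targets described above shows up when a changed device is scanned more than once. The following Python example is an added illustration, not Kaspersky code or the product's API; the mode labels, data model and sample configuration are constructed, and treating a missing reference as "no event" is an assumption.

```python
import difflib
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical labels for the two comparison targets; not the product's setting names.
MODE_PREVIOUS = "previous"
MODE_BENCHMARK = "benchmark"


@dataclass
class DeviceHistory:  # constructed model of the configurations stored for one device
    received: list = field(default_factory=list)  # oldest first
    benchmark: Optional[str] = None               # operator-assigned reference


def process_scan(history, new_config, mode):
    """Store new_config; return an event dict if it differs from the reference."""
    if mode == MODE_PREVIOUS:
        reference = history.received[-1] if history.received else None
    elif mode == MODE_BENCHMARK:
        reference = history.benchmark
    else:
        raise ValueError(f"unknown mode: {mode}")
    history.received.append(new_config)
    new = new_config.splitlines()
    # Assumption: no reference (first scan, no benchmark) or no change means no event.
    if reference is None or reference.splitlines() == new:
        return None
    diff = difflib.unified_diff(reference.splitlines(), new, fromfile=mode,
                                tofile="received", lineterm="")
    # Drop the two file-header lines; keep only added/removed lines.
    changed = [line for line in list(diff)[2:] if line.startswith(("+", "-"))]
    return {"mode": mode, "changed_lines": changed}


def demo():
    """Scan the same changed device twice under each mode (constructed sample data)."""
    approved = "user:root\nuser:operator\npkg:example-agent 1.0"
    drifted = approved + "\nuser:svc_tmp"
    results = {}
    for mode in (MODE_PREVIOUS, MODE_BENCHMARK):
        history = DeviceHistory(received=[approved], benchmark=approved)
        results[mode] = [process_scan(history, drifted, mode) for _ in range(2)]
    return results


if __name__ == "__main__":
    print(demo())
```

In this model, comparison with the previous configuration reports the added account only on the first scan, because the changed state then becomes the reference. Comparison with the benchmark reports `+user:svc_tmp` on every scan until a new benchmark is assigned.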
The following configuration processing modes are provided for configuration control jobs:
You can scan devices to get the PLC configuration type only if you use Active Poll connectors. The following device polling methods are provided for getting the remaining configuration types:
You can use this method if the Endpoint Agent software component is installed on the devices selected for the job and integration between the EPP application and Kaspersky Industrial CyberSecurity for Networks is configured. With this method, each device is scanned by the Endpoint Agent installed on it.
Use this method if the devices selected for the job do not have the Endpoint Agent software component installed, but it is possible to connect to these devices via protocols that ensure secure management and data transfer. The method is supported for getting the Linux operating system and Network devices configuration types. For this method, in the job settings, specify one of the nodes with installed application components from which the connection to the devices is established. Also specify the credentials for remote connections (credentials are stored in the application as secrets).
On devices running Linux operating systems, scans are performed using commands that run standard diagnostic utilities for Linux devices.
To receive the PLC configuration type, the application must scan devices using an Active Poll connector added to the application. In the job for the PLC configuration type, specify the connection data for the connector (account credentials secret and other necessary data). The built-in Active Poll connector type supports receiving the configurations of Siemens SIMATIC S7-300 and S7-400 series devices and Schneider Electric Modicon series devices: M580, M340.
You can manage configuration control jobs on the Configuration control tab in the Security audit section. If the Active Poll connector or the Remote connection method is used to scan devices, you can create secrets with the necessary credentials under Settings → Secrets.
After the jobs are run and the device scans are completed, you can view information about the received device configurations in the device details area on the Configurations tab. The options for comparing configurations and assigning a benchmark configuration are also available on this tab.
You can view information about registered events when connected to the Server through the web interface.