Tags

Tags are the main objects of observation in Kaspersky MLAD. A tag is a process parameter transmitted within the industrial network (for example, a controlled temperature). Measurements of physical parameters, as well as setpoints, commands, or states of control systems can be transmitted as tags. The values of tags are transmitted and received by the assets over specific protocols. The values of tags are displayed on graphs in the History and Monitoring sections and are also used to detect incidents.

Kaspersky MLAD provides the following types of tags:

Source tags
The values of these tags are received by Kaspersky MLAD directly from the monitored asset if the Stream Processor service is disabled.

Source tags are displayed in the monitored asset hierarchical structure.
Tags processed by the Stream Processor service
Tag values received as a result of the processing of the input tag stream by the Stream Processor service.

The Stream Processor service can convert an input tag stream to a UTG. For each node in the uniform sequence, the Stream Processor service calculates the tag values for the output stream. Depending on how many input observations have been accumulated for each node and how long ago the observations were last received, the Stream Processor service can calculate output tag values by aggregation (calculating a tag value based on multiple tag observations accumulated for the corresponding node of the uniform sequence) or imputation (restoring the tag value for an empty node of the uniform sequence based on the values of this tag received earlier).

The Stream Processor service can also calculate derivative tags based on incoming telemetry data. For example, the Stream Processor service can calculate a moving average or an average for a group of tags.

Tags processed by the Stream Processor service are displayed in the monitored asset hierarchical structure.

Kaspersky MLAD supports several methods for obtaining telemetry data (tags). Depending on the monitored asset attributes and the tag transmission capabilities, you can select one of the following methods for receiving tags:

Use the connectors of Kaspersky Industrial CyberSecurity for Networks that analyze mirrored traffic and send tags to Kaspersky MLAD in online mode. Kaspersky MLAD sends back information about detected incidents.
Use the OPC UA Connector if the monitored asset provides the capability to transmit tags from ICS over the OPC UA protocol in the online mode.
Use the MQTT Connector if the monitored asset provides the capability to transmit tags over the MQTT protocol and receive alerts about incident registration in the online mode.
Use the AMQP Connector if the monitored asset has the capability to transmit tags over the AMQP protocol and receive alerts about incident registration in online mode.
Use the WebSocket Connector if the monitored asset provides the capability to transmit tags over the WebSocket protocol and receive alerts about incident registration in the online mode.
Use the CEF Connector if the monitored asset provides the capability to transmit tags using the CEF Connector technology and receive alerts about incident registration in the online mode.
If the first four methods of tag transmission are not available, you can write a tag export script for using the HTTP Connector to configure a scheduled export of tags as CSV files over HTTP (for example, once per hour or once per minute).