Kaspersky Industrial CyberSecurity Endpoint Detection and Response

About network isolation

September 9, 2022

ID 231331

Kaspersky Industrial CyberSecurity Endpoint Detection and Response provides the ability to isolate devices from the network on demand (manually) or as an automatic action to respond to detected threats.

In the case of an automatic response, the corresponding commands are executed on the devices without confirmation from the operator. Although the application uses standard operating system mechanisms, unforeseen problems may occur. They can be caused by incorrect or highly specific device configuration, compatibility problems, or errors in the software of devices or industrial control systems (ICS) that do not appear during normal use. Possible consequences include the device shutting down, loss of communication with the device, the device becoming inoperable, and other failures in the operation of the solution and equipment. Unintended impact on ICS operation is also possible.

When you perform an automated response on a node, you are fully responsible for the impact of the response tasks on the operational stability of the ICS and the technological process.

After enabling network isolation, the application breaks all active TCP/IP connections and blocks all new TCP/IP network connections on the devices, except for the connections listed below:

  • connections specified as network isolation exclusions;
  • connections initiated by Kaspersky Industrial CyberSecurity for Nodes services;
  • connections initiated by Kaspersky Security Center Network Agent.

You can apply device network isolation manually in the Kaspersky Industrial CyberSecurity for Nodes settings on the device or in the alert details. It can also be applied automatically as an alert response action when the IOC Scan task is performed. You can unlock an isolated device manually from the alert details, in the Kaspersky Industrial CyberSecurity for Nodes settings on the device, or from the command line. You can also configure the period after which network isolation is disabled automatically.

You can configure network isolation exclusions. Network connections that meet the conditions of the specified exclusion will not be blocked on the devices after network isolation is enabled.
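Before enabling automated isolation on ICS nodes, it is worth checking which live connections the rules above would cut. The following is an added Python model of that decision logic (not Kaspersky's code); the exclusion fields (remote network, remote port), the service names in `IMPLICIT_ALLOW`, the addresses and the process names are all constructed assumptions, not the product's real schema or values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Model of the behaviour this page describes. The exclusion fields (remote
# network, remote port) and the service names below are assumptions, not
# the product's real configuration schema.
IMPLICIT_ALLOW = {"kics-for-nodes", "ksc-network-agent"}  # never blocked
@dataclass(frozen=True)
class Exclusion:
    remote_net: str              # CIDR of the remote peer
    remote_port: Optional[int]   # None = any port

@dataclass(frozen=True)
class Connection:
    owner: str                   # service/process that initiated it
    remote_ip: str
    remote_port: int

class IsolationPolicy:
    def __init__(self, exclusions, enabled_at, period=None):
        self.rules = [(ipaddress.ip_network(e.remote_net), e.remote_port) for e in exclusions]
        self.expires_at = enabled_at + period if period else None  # auto-disable time

    def active(self, now):
        return self.expires_at is None or now < self.expires_at

    def allowed(self, conn, now):
        # Isolation expired, or a connection owned by an always-allowed service
        if not self.active(now) or conn.owner in IMPLICIT_ALLOW:
            return True
        ip = ipaddress.ip_address(conn.remote_ip)
        return any(ip in net and port in (None, conn.remote_port) for net, port in self.rules)

def audit(policy, conns, now):
    """Connections isolation would cut: review these against ICS needs first."""
    return [c for c in conns if not policy.allowed(c, now)]

# Constructed sample: isolated at T0 for 2 h, Modbus/TCP to the PLC subnet excluded.
T0 = datetime(2022, 9, 9, 12, 0)
POLICY = IsolationPolicy([Exclusion("10.1.0.0/24", 502)], T0, timedelta(hours=2))
CONNECTIONS = [
    Connection("hmi.exe", "10.1.0.10", 502),             # PLC poll: excluded
    Connection("hmi.exe", "10.1.0.10", 44818),           # same PLC, other port: cut
    Connection("mstsc.exe", "10.2.0.5", 3389),           # RDP to engineering host: cut
    Connection("ksc-network-agent", "10.0.0.1", 13000),  # management: implicit allow
]
def blocked(minutes_after_enable: int):
    now = T0 + timedelta(minutes=minutes_after_enable)
    return [(c.owner, c.remote_port) for c in audit(POLICY, CONNECTIONS, now)]
```

Running `blocked(0)` lists the two connections the sample exclusions do not cover, which is the list an operator should compare against what the technological process needs before turning on automatic response.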

For more details on how to manage network isolation manually using the application settings on the device, refer to Kaspersky Endpoint Agent Help.
