Overview of Kaspersky Industrial CyberSecurity for Networks functionality

Industrial network traffic analysis functionality

In Kaspersky Industrial CyberSecurity for Networks, industrial network traffic analysis is provided by the following functionality:

• Asset Management. This functionality lets you monitor the activity of devices and track changes to device information based on data received in network packets. To automatically receive information about devices, the application analyzes industrial network traffic according to the rules for identifying information about devices and the protocols of communication between devices. The application can also define device settings for Process Control. In conjunction with Process Control functionality, read/write operations for programmable logic controllers are also monitored. For the purpose of Asset Management, the application generates a table containing information that is received automatically from traffic or information that is manually provided.
• Interaction Control. This functionality lets you monitor interactions between devices of the industrial network. Detected interactions are checked to see if they match any Interaction Control allow rules. When the application detects an interaction that is described in an enabled rule, it considers this interaction to be allowed and does not register an event.
• Deep Packet Inspection (hereinafter also referred to as "Process Control"). This functionality lets you monitor traffic to detect the values of process parameters and the systems commands transmitted or received by devices. Values of industrial process parameters are tracked with the aid of Process Control rules that are used by the application to detect unacceptable values. Lists of monitored system commands are generated when you configure the settings of Process Control devices.
• Intrusion Detection. This functionality lets you monitor traffic to detect signs of attacks or unwanted network activity. Intrusion Detection rules and embedded network packet scan algorithms are used to detect such activity. When the conditions defined in an active Intrusion Detection rule are detected in traffic, the application registers a rule-triggering event. Using the embedded network packet scan algorithms, the application detects signs of falsified addresses in ARP packets and various anomalies in the TCP and IP protocols.

Only an application user with the Administrator role can configure industrial network traffic analysis functionality.

Functionality for performing common operator tasks

Application user accounts with the Operator role can be used to perform common tasks for monitoring the state of the industrial process and devices in Kaspersky Industrial CyberSecurity for Networks. These users can utilize the following functionality:

• Display information for system monitoring in online mode. This functionality lets you view the most significant changes to the system that have occurred up to the current moment. When the system is being monitored in online mode, you can monitor hardware resource consumption, various dynamic data, and the main information about devices and events.
• Display data on the network map. This functionality lets you visually display detected interactions between devices of the industrial network. When viewing the network map, you can quickly identify problematic objects or objects with other attributes and view information about these objects. To conveniently present information, you can automatically or manually arrange devices on the network map.
• Display information about events and incidents. This functionality lets you download registered events and incidents from the Server database and display this information as an events table or as interacting objects on a network map. To provide the capability to monitor new events and incidents, by default the application loads events and incidents that occurred most recently. You can also load events and incidents for any period. When viewing the events table, you can change the statuses of events and incidents, copy and export data, load traffic, and perform other actions.
• Display tag values in online mode. This functionality lets you view the current values of process parameters detected in traffic at the current point in time. Information about received values is displayed in the tags table generated for Process Control.
• Display information about detected vulnerabilities of devices. This functionality lets you detect vulnerabilities in monitored devices on the industrial network. To detect vulnerabilities, the application compares the available device information to specific fields in the vulnerabilities database. Information about vulnerabilities can be viewed when managing devices or in the general vulnerabilities table.
• Display information for centralized monitoring in the Kaspersky Security Center Web Console. This functionality lets you view data on the security state of information systems that are running application components (including deployment scenarios involving multiple Servers of Kaspersky Industrial CyberSecurity for Networks). When working with the Kaspersky Security Center Web Console, you can view information in web widgets and on component deployment maps, search devices and events in Kaspersky Industrial CyberSecurity for Networks, and quickly navigate from the Kaspersky Security Center Web Console directly to the web interface pages of Servers.

Functionality for managing operation of the application

To manage the application for the purpose of general configuration and control of its use, an application user with the Administrator role can use the following functionality:

• Manage technologies. This functionality lets you enable and disable the use of technologies and methods for industrial network traffic analysis, and change the operating mode of technologies and methods. You can enable, disable, and change the operating mode of technologies and methods independently of each other.
• Manage nodes and monitoring points. This functionality lets you add sensor nodes and monitoring points to the application to receive traffic from the industrial network. You can also use this functionality to temporarily pause and resume monitoring of industrial network segments by disabling and enabling the corresponding monitoring points (for example, while conducting preventative maintenance and adjustment operations for the ICS).
• Configure the receipt of data from EPP applications. This functionality lets you select the nodes with installed application components that will receive and process data from other Kaspersky applications that perform functions to protect workstations and servers. These applications are included in the Endpoint Protection Platform (EPP) and are installed to endpoint devices within the enterprise IT infrastructure. When data is received from EPP applications, Kaspersky Industrial CyberSecurity for Networks can register events, add devices, and update device information.
• Distribute access to application functions. This functionality lets you restrict user access to application functions. Access is restricted based on the roles of application user accounts.
• Monitor the state of the application. This functionality lets you monitor the current state of Kaspersky Industrial CyberSecurity for Networks, and view application messages and user activity audit entries for any period. Users with the Operator role can also access the log containing application messages.
• Update databases and application modules. This functionality lets you download and install updates, thereby improving the effectiveness of traffic analysis and ensuring maximum protection of the industrial network against threats. Update functionality is available after a license key is added to Kaspersky Industrial CyberSecurity for Networks or to Kaspersky Security Center. You can manually start installation of updates, or enable automatic installation of updates according to a defined schedule.
• Configure the types of registered events. This functionality lets you generate and configure a list of event types for event registration in Kaspersky Industrial CyberSecurity for Networks, and for event transmission to recipient systems (for example, to a SIEM system) and to Kaspersky Security Center.
• Manage logs. This functionality lets you change the settings for saving data in application logs. You can configure the settings for saving entries in logs and the settings for saving traffic in the database. You can also change the logging levels for process logs.
• Use the application programming interface. This functionality lets you use the set of functions implemented through the Kaspersky Industrial CyberSecurity for Networks API in external applications. Using the Kaspersky Industrial CyberSecurity for Networks API, you can obtain data on events and tags, send events to Kaspersky Industrial CyberSecurity for Networks, and perform other actions.