Securing interactions when using the Kaspersky Industrial CyberSecurity for Networks API

Recipient apps obtain access to application functions by using the Kaspersky Industrial CyberSecurity for Networks API after establishing encrypted connections over the HTTPS protocol. Connections are secured by using certificates issued by the Kaspersky Industrial CyberSecurity for Networks Server. The Server issues certificates for the connectors that are used by recipient apps to connect to the Server.

A separate certificate must be created for each recipient app. A connection can be established through a connector only by using the specific certificate that was issued by the Server and saved in the communication data package for that connector. A connection cannot be established if a recipient app uses a certificate from a different connector or different Kaspersky Industrial CyberSecurity for Networks Server, or a certificate that is used for other connections (such as a sensor certificate).

After establishing an encrypted connection, the recipient app must request an authentication token for the connector that will be indicated by the recipient app in requests sent to the REST API server. Before issuing an authentication token, the Server verifies the current state of the application user account that was indicated when the connector was created. The Server will not issue an authentication token if the application user account has been deleted or blocked.

By default, an authentication token is valid for 10 hours after it is issued by the Server (in Kaspersky Industrial CyberSecurity for Networks 4.0.1, you can use the kics4net-params script to change the validity period of authentication tokens). If a token needs to be used for a longer period, the recipient app must request a time extension before the token expires.

For information on the requests and methods provided in the Kaspersky Industrial CyberSecurity for Networks Server API, please refer to the documentation for the Kaspersky Industrial CyberSecurity for Networks API.

When the Server receives requests from the recipient app during the validity period of the authentication token, the Server verifies the existence and current access rights of the application user account that was indicated when the connector was created. A method indicated in a request from a recipient app is not executed if the user account is not found (has been deleted from the application), or if the user account does not have sufficient rights to perform the operation (the user account role does not match the performed operation).

When processing requests from recipient apps, the application uses the audit log to store information about attempts to perform the following operations:

• Receive an authentication token.
• Extend the validity period for an authentication token.
• Add a device to the devices table.
• Edit device information.
• Delete a device.
• Query the audit log (when first reading audit entries through the connector after loading the web server).