Kaspersky Industrial CyberSecurity for Networks

Process Control rules learning mode

March 22, 2024

ID 195603

In Process Control rules learning mode, the application automatically generates Process Control rules with conditions for the values of tags. To generate rules, the application analyzes traffic to monitor the values of only those tags that have been added to the tags table.

Process Control rules that were automatically added in learning mode are called system rules. For these rules, the Origin parameter contains the System value. When system rules are automatically created, the default value of 6.0 is assigned to the Event score parameter.

Rules that were manually created are called user rules. For these rules, the Origin parameter contains the User value. If a system rule is manually changed, this rule also becomes a user rule.

Rules that are added in learning mode are in the Disabled state by default. If a system rule is updated in learning mode, it remains in the same state it was in before the update.

When adding or updating Process Control rules in learning mode, the application defines one of the following conditions for each of them:

  • Does not equal.

    This condition is defined when a rule is added (if no other system rule is found for the detected tag value) or when ten or fewer different tag values are received (except for tags with the bool or float data type).

  • Out of range.

    This condition replaces the previous condition in a rule if a new value for a tag with the float data type is received or if more than ten different values for a tag with the int data type are received.

  • Monotonic change violation.

    This condition replaces the previous condition in a rule if the detected tag values have only increased or only decreased, without any other variation. This condition replaces the previous condition in rules for tags with the int or float data type when learning mode ends.

In learning mode, the application also deletes system Process Control rules in the following cases:

  • The rule was created for a tag with the bool data type, and the detected and saved values do not match (comparisons are conducted only for the first ten detected values, and all other values are ignored).
  • The rule was created for a tag with the string data type, and more than ten different values are received.

Process Control rules learning mode must be enabled for a sufficient amount of time to detect all possible values of relevant tags. This amount of time depends on how frequently tags are circulated in traffic, how often devices are running in the industrial network, and other specifics of the industrial process. We recommend that you enable learning mode for at least one hour. In large industrial networks, learning mode can be enabled for a period ranging from one to several days to accumulate the maximum amount of data.
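The condition selection and rule deletion described above can be modelled in a few lines of Python to predict what a learning window will produce. This is an added example, not Kaspersky code: `learned_condition` is a hypothetical helper, and the rule parameters it returns (value list, observed min/max, direction) and the strict reading of "only increased or only decreased" are assumptions the page does not spell out.

```python
from typing import Optional, Sequence, Tuple

MAX_DISTINCT = 10  # the "ten different values" threshold named on this page


def learned_condition(dtype: str, values: Sequence) -> Optional[Tuple[str, object]]:
    """Model the condition a system rule ends learning mode with.

    Returns (condition, parameters), or None when no rule exists or it was deleted.
    Parameters are an assumption of this model, not documented product output.
    """
    if not values:
        return None  # tag never seen in traffic: no rule is generated
    distinct = list(dict.fromkeys(values))  # distinct values, in order of arrival
    if dtype == "bool":
        # Deleted if any of the first ten detected values differs from the saved one.
        if any(v != values[0] for v in values[:MAX_DISTINCT]):
            return None
        return ("Does not equal", [values[0]])
    if dtype == "string":
        # Deleted once more than ten different values are received.
        if len(distinct) > MAX_DISTINCT:
            return None
        return ("Does not equal", distinct)
    if dtype not in ("int", "float"):
        raise ValueError(f"unsupported tag data type: {dtype}")
    # Checked when learning ends: values that only rose or only fell (assumed strict).
    steps = [b - a for a, b in zip(values, values[1:])]
    if steps and (all(s > 0 for s in steps) or all(s < 0 for s in steps)):
        direction = "increasing" if steps[0] > 0 else "decreasing"
        return ("Monotonic change violation", direction)
    # float: any new value switches to a range; int: more than ten distinct values.
    if (dtype == "float" and len(distinct) > 1) or len(distinct) > MAX_DISTINCT:
        return ("Out of range", (min(distinct), max(distinct)))
    return ("Does not equal", distinct)


if __name__ == "__main__":
    # Constructed samples: the same int tag observed over a short and a long window.
    short_window = [40, 42, 40]
    long_window = [40, 42, 40, 45, 41, 39, 44, 43, 38, 46, 47, 37, 40]
    print(learned_condition("int", short_window))
    print(learned_condition("int", long_window))
    print(learned_condition("int", list(range(20))))   # e.g. a counter tag
    print(learned_condition("bool", [True, False]))    # rule deleted
```

In this model the short window yields a rule that knows only two values for the tag, which is why a learning period too short for the process leaves narrow rules to review before they are enabled.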
