Integration with Kaspersky Industrial CyberSecurity for Networks

Kaspersky Industrial CyberSecurity for Networks is designed to protect the infrastructure of industrial enterprises from information security threats and to ensure the continuity of technological processes. Kaspersky Industrial CyberSecurity for Networks analyzes industrial network traffic to detect deviations in the values of technological parameters, detect signs of network attacks, and monitor the operation and current state of devices on the network. The application is a part of the Kaspersky Industrial CyberSecurity solution. For full information about Kaspersky Industrial CyberSecurity for Networks, please refer to the Kaspersky Industrial CyberSecurity for Networks Help.

Kaspersky Industrial CyberSecurity for Nodes supports integration with Kaspersky Industrial CyberSecurity for Networks. Data about events on the device, received by Kaspersky Industrial CyberSecurity for Nodes, is sent to Kaspersky Industrial CyberSecurity for Networks server. Integration between the applications enhances Kaspersky Industrial CyberSecurity for Networks capabilities to investigate and respond to threats in industrial networks.

Kaspersky Industrial CyberSecurity for Nodes configurations for integration with Kaspersky Industrial CyberSecurity for Networks

The following configurations are possible:

• [KICS+built-in agent]. In this configuration, Kaspersky Industrial CyberSecurity for Nodes acts as both the application that ensures the security of the computer and the application for working with Kaspersky Industrial CyberSecurity for Networks. The built-in agent is available in Kaspersky Industrial CyberSecurity for Nodes starting with version 4.2.
• [Third-party EPP+Endpoint Agent configuration]. In this configuration, the security of the IT infrastructure is provided by the third-party Endpoint Protection Platform (EPP). Integration with Kaspersky Industrial CyberSecurity for Networks is provided by Kaspersky Industrial CyberSecurity for Nodes in the Endpoint Agent configuration. The Endpoint Agent configuration is available in Kaspersky Industrial CyberSecurity for Nodes starting with version 4.2.

For integration of Kaspersky Industrial CyberSecurity for Nodes built-in agent with Kaspersky Industrial CyberSecurity for Networks, the following conditions must be satisfied:

• Kaspersky Industrial CyberSecurity for Networks must be deployed in the corporate IT infrastructure.
• Kaspersky Security Center 14.2 or later must be deployed in the corporate IT infrastructure.
• Application components that send data to Kaspersky Industrial CyberSecurity for Networks must be enabled and functioning: Exploit Prevention, Remediation Engine, Anti-Cryptor.

To integrate the Endpoint Agent configuration with Kaspersky Industrial CyberSecurity for Networks in the corporate IT infrastructure, the following must be deployed:

• Kaspersky Industrial CyberSecurity for Networks.
• Kaspersky Security Center version 14.2 or higher.

Support for previous versions of Kaspersky Industrial CyberSecurity for Nodes

Kaspersky Industrial CyberSecurity for Nodes 4.2 supports integration with Kaspersky Industrial CyberSecurity for Networks using the built-in agent or an Endpoint Agent configuration; you do not need to install Kaspersky Endpoint Agent.

If you are using Kaspersky Industrial CyberSecurity for Nodes older than 4.2 for integration with Kaspersky Industrial CyberSecurity for Networks, you must install Kaspersky Endpoint Agent separately.

Configuring integration with Kaspersky Industrial CyberSecurity for Networks

Integration with Kaspersky Industrial CyberSecurity for Networks involves the following steps:

1. Installing the Kaspersky Industrial CyberSecurity for Networks Integration component

   In installation package settings or in the Setup Wizard, or by changing the set of application components in the Windows Control Panel, at the step when you must select application components for installation, select the following:

   • Full functionality — Endpoint Agent — Integration with KICS for Networks for the built-in agent
   • Endpoint Agent — Integration with KICS for Networks for the Endpoint Agent configuration

   To finish changing the set of application components, you must restart the computer.

2. Activating the Kaspersky Industrial CyberSecurity for Networks Integration component

   Make sure that your license covers the Activating the Kaspersky Industrial CyberSecurity for Networks Integration functionality.

3. Enabling and configuring the Kaspersky Industrial CyberSecurity for Networks Integration component

   Kaspersky Industrial CyberSecurity for Nodes supports integration with KICS for Networks in a network with a data diode. A data diode is a unidirectional gateway for communication between protected network segments and external devices. The application supports a software MQTT server (for example, Mosquitto) as an MQTT broker. For communication through a data diode, Kaspersky Industrial CyberSecurity for Nodes uses the MQTT protocol. MQTT (Message Queuing Telemetry Transport) is a simplified network protocol that works over TCP/IP. This protocol follows the "publisher-subscriber" model. You can configure the application as a subscriber and as a publisher. When configured as an MQTT publisher, the application sends telemetry to the data diode.

   Telemetry sent to the MQTT broker server may contain confidential information. To control access to data, you must take steps to ensure the security of telemetry.

   On Windows XP computers, telemetry cannot be sent to the MQTT broker server.

   How to configure the integration with Kaspersky Industrial CyberSecurity for Networks in Kaspersky Security Center Administration Console

   1. In the Kaspersky Security Center Administration Console tree, select the Policies folder.
   2. Select the necessary policy and double-click to open the policy properties.
   3. Select the Telemetry collection servers section.
   4. In the Integration with KICS for Networks block, click the Settings button.

      The Integration with KICS for Networks window opens.

   5. Select the Integration with KICS for Networks check box.
   6. On the General tab, select the telemetry mode:
      • Send telemetry to KICS for Networks server. Kaspersky Industrial CyberSecurity for Nodes sends telemetry directly to the Kaspersky Industrial CyberSecurity for Networks server (standard mode).

        To send telemetry in standard mode, manage the following settings:

        • Address and Port. IP address and port of the Kaspersky Industrial CyberSecurity for Networks server to which you want to send telemetry.
        • Send sync request to KICS for Networks server every (min). Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Industrial CyberSecurity for Nodes sends information about modified application settings and tasks. The default value is 5 minutes.
        • Server connection settings. Manage the following settings:
          • Timeout (sec). Maximum server response timeout. After the timeout, Kaspersky Industrial CyberSecurity for Nodes re-connects to the server. The default setting is 10 seconds.
          • Server TLS certificate. TLS certificate for establishing a trusted connection with the Kaspersky Industrial CyberSecurity for Networks server. You can get a TLS certificate using the Kaspersky Industrial CyberSecurity for Networks management interface.
          • Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks. To use two-way authentication, you need to enable two-way authentication in the Kaspersky Industrial CyberSecurity for Networks settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. After configuring the Kaspersky Industrial CyberSecurity for Networks settings, you need to also enable two-way authentication in Kaspersky Industrial CyberSecurity for Nodes settings and load a password-protected crypto-container.

            The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

      • Send telemetry to a data diode as an MQTT publisher. Kaspersky Industrial CyberSecurity for Nodes sends telemetry to the MQTT broker server that is built into the software data diode (MQTT publisher).

        To send telemetry in MQTT publisher mode, manage the following settings:

        1. Enter credentials for authentication at the MQTT broker server.
        2. Enter the IP address and port of the MQTT broker server.
   7. Configure data transfer (see the table below).
   8. If necessary, configure telemetry in promiscuous mode.

      By default, Kaspersky Industrial CyberSecurity for Nodes collects network traffic arriving at network interfaces of the computer and addressed to the computer on which the application is installed. In promiscuous mode, the application collects network traffic for network interfaces of the computer coming from all available subnets. The application uses the collected traffic to generate extended telemetry.

      Not all network adapters support the Promiscuous mode. Extended telemetry collection does not work on these network adapters.

      1. On the Telemetry collection tab, select the Enable Promiscuous mode for the application and host network interfaces check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for all network interfaces of the computer on which the application is installed.
      2. Select the Use in Promiscuous mode only host network interfaces configured for the specified subnets check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for network interfaces configured for subnets from the list below.
      3. If necessary, create a list of subnets.
   9. Save your changes.

   How to configure the integration with Kaspersky Industrial CyberSecurity for Networks in Kaspersky Security Center Web Console

   1. In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
   2. Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.

      The policy properties window opens.

   3. Select the Application settings tab.
   4. Select the Telemetry collection servers section.
   5. In the Integration with KICS for Networks block, click the Configure button.

      The Integration with KICS for Networks window opens.

   6. Select the Integration with KICS for Networks check box.
   7. On the General tab, select the telemetry mode:
      • Send telemetry to KICS for Networks server. Kaspersky Industrial CyberSecurity for Nodes sends telemetry directly to the Kaspersky Industrial CyberSecurity for Networks server (standard mode).

        To send telemetry in standard mode, manage the following settings:

        • Address and Port. IP address and port of the Kaspersky Industrial CyberSecurity for Networks server to which you want to send telemetry.
        • Send sync request to KICS for Networks server every (min). Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Industrial CyberSecurity for Nodes sends information about modified application settings and tasks. The default value is 5 minutes.
        • Server connection settings. Manage the following settings:
          • Timeout (sec). Maximum server response timeout. After the timeout, Kaspersky Industrial CyberSecurity for Nodes re-connects to the server. The default setting is 10 seconds.
          • Server TLS certificate. TLS certificate for establishing a trusted connection with the Kaspersky Industrial CyberSecurity for Networks server. You can get a TLS certificate using the Kaspersky Industrial CyberSecurity for Networks management interface.
          • Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks. To use two-way authentication, you need to enable two-way authentication in the Kaspersky Industrial CyberSecurity for Networks settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. After configuring the Kaspersky Industrial CyberSecurity for Networks settings, you need to also enable two-way authentication in Kaspersky Industrial CyberSecurity for Nodes settings and load a password-protected crypto-container.

            The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

      • Send telemetry to a data diode as an MQTT publisher. Kaspersky Industrial CyberSecurity for Nodes sends telemetry to the MQTT broker server that is built into the software data diode (MQTT publisher).

        To send telemetry in MQTT publisher mode, manage the following settings:

        1. Enter credentials for authentication at the MQTT broker server.
        2. Enter the IP address and port of the MQTT broker server.
   8. Configure data transfer (see the table below).
   9. If necessary, configure telemetry in promiscuous mode.

      By default, Kaspersky Industrial CyberSecurity for Nodes collects network traffic arriving at network interfaces of the computer and addressed to the computer on which the application is installed. In promiscuous mode, the application collects network traffic for network interfaces of the computer coming from all available subnets. The application uses the collected traffic to generate extended telemetry.

      Not all network adapters support the Promiscuous mode. Extended telemetry collection does not work on these network adapters.

      1. On the Telemetry collection tab, select the Enable Promiscuous mode for the application and host network interfaces check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for all network interfaces of the computer on which the application is installed.
      2. Select the Use in Promiscuous mode only host network interfaces configured for the specified subnets check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for network interfaces configured for subnets from the list below.
      3. If necessary, create a list of subnets.
   10. Save your changes.

   How to configure the integration with Kaspersky Industrial CyberSecurity for Networks in the Application Console

   1. In the Application Console tree, select the Telemetry collection servers → Integration with KICS for Networks section.
   2. Click the Properties link in the results pane.

      The Properties: Integration with KICS for Networks window opens on the General tab.

   3. Select the Integration with KICS for Networks check box.
   4. On the General tab, select the telemetry mode:
      • Send telemetry to KICS for Networks server. Kaspersky Industrial CyberSecurity for Nodes sends telemetry directly to the Kaspersky Industrial CyberSecurity for Networks server (standard mode).

        To send telemetry in standard mode, manage the following settings:

        • Address and Port. IP address and port of the Kaspersky Industrial CyberSecurity for Networks server to which you want to send telemetry.
        • Send sync request to KICS for Networks server every (min). Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Industrial CyberSecurity for Nodes sends information about modified application settings and tasks. The default value is 5 minutes.
        • Server connection settings. Manage the following settings:
          • Timeout (sec). Maximum server response timeout. After the timeout, Kaspersky Industrial CyberSecurity for Nodes re-connects to the server. The default setting is 10 seconds.
          • Server TLS certificate. TLS certificate for establishing a trusted connection with the Kaspersky Industrial CyberSecurity for Networks server. You can get a TLS certificate using the Kaspersky Industrial CyberSecurity for Networks management interface.
          • Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks. To use two-way authentication, you need to enable two-way authentication in the Kaspersky Industrial CyberSecurity for Networks settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. After configuring the Kaspersky Industrial CyberSecurity for Networks settings, you need to also enable two-way authentication in Kaspersky Industrial CyberSecurity for Nodes settings and load a password-protected crypto-container.

            The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

      • Send telemetry to a data diode as an MQTT publisher. Kaspersky Industrial CyberSecurity for Nodes sends telemetry to the MQTT broker server that is built into the software data diode (MQTT publisher).

        To send telemetry in MQTT publisher mode, manage the following settings:

        1. Enter credentials for authentication at the MQTT broker server.
        2. Enter the IP address and port of the MQTT broker server.
   5. Configure data transfer (see the table below).
   6. If necessary, configure telemetry in promiscuous mode.

      By default, Kaspersky Industrial CyberSecurity for Nodes collects network traffic arriving at network interfaces of the computer and addressed to the computer on which the application is installed. In promiscuous mode, the application collects network traffic for network interfaces of the computer coming from all available subnets. The application uses the collected traffic to generate extended telemetry.

      Not all network adapters support the Promiscuous mode. Extended telemetry collection does not work on these network adapters.

      1. On the Telemetry collection tab, select the Enable Promiscuous mode for the application and host network interfaces check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for all network interfaces of the computer on which the application is installed.
      2. Select the Use in Promiscuous mode only host network interfaces configured for the specified subnets check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for network interfaces configured for subnets from the list below.
      3. If necessary, create a list of subnets.
   7. Save your changes.

   How to configure the integration with Kaspersky Industrial CyberSecurity for Networks on the command line

   To configure the integration on the command line, Password protection must be enabled.

   1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
   2. Using the cd command, navigate to the folder where the kavshell.exe file is located.

      For example, enter the command cd C:\Program Files (x86)\Kaspersky Lab\Kaspersky Industrial CyberSecurity for Nodes.4.5.0 and press ENTER.

   3. To configure the Kaspersky Industrial CyberSecurity for Nodes integration with Kaspersky Industrial CyberSecurity for Networks in standard mode, run the following command:

      KAVSHELL KICS /enable /servers:<address>:<port> [/pinned-certificate:<full path to the TLS certificate file>] [/client-certificate:<full path to the crypto-container>] [/client-password:<password for the crypto-container>] [/timeout:<maximum server response timeout>] [/sync-period:<synchronization request period>] [/events-sent-period:<maximum delay when sending events>] [/events-limit:<1|0>] [/events-per-hour:<maximum number of events per hour>] [/virtual-span-enable] [/virtual-span-disable] [/virtual-span-add-rules:<subnet IDs>] [/virtual-span-remove-rules:<subnet IDs>] [/login:<name of the current user account>] [/pwd:</login password or KLAdmin password if /login is not specified>]

   4. To configure the Kaspersky Industrial CyberSecurity for Nodes integration with Kaspersky Industrial CyberSecurity for Networks in MQTT publisher mode, run the following command:

      KAVSHELL KICS /enable /kics-mode:mqtt-publisher /mqtt-server:<address>:<port> [/mqtt-user:<login name for authorization at the MQTT broker>] [/mqtt-password:<password for authorization at the MQTT broker>] [/login:<name of the current user account>] [/pwd:</login password or KLAdmin password if /login is not specified>]

      Settings for integration between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks

      Parameter	Description
      KICS	Required argument. Specifies Kaspersky Industrial CyberSecurity for Networks as the application to integrate with.
      /<enable|disable|show>	Required argument. Allows enabling, disabling, and viewing the status of the integration between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks.
      /servers:<address>:<port>	Required argument. Allows you to specify the address and port of the Kaspersky Industrial CyberSecurity for Networks server or the address of an MQTT publisher.
      /kics-mode:<telemetry|mqtt-publisher>	Optional argument. Allows selecting the integration mode of the application with Kaspersky Industrial CyberSecurity for Networks. telemetry sends telemetry directly to the Kaspersky Industrial CyberSecurity for Networks server. mqtt-publisher is the mode to be used for sending telemetry to the MQTT broker server. The default value is telemetry.
      /pinned-certificate:<full path to the TLS certificate file>	Optional argument. Allows you to add a TLS certificate for connecting Kaspersky Industrial CyberSecurity for Nodes with the Kaspersky Industrial CyberSecurity for Networks server.
      /client-certificate:<full path to the crypto-container>	Optional argument. Allows you to add a crypto-container that stores an encrypted client certificate for protecting the connection between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks server.
      /client-password:<password for the crypto-container>	Required if /CLIENT-CERTIFICATE is passed. Lets you specify a password for the crypto-container.
      /timeout:<maximum server response timeout>	Optional argument. Lets you specify the maximum response timeout in seconds of the Kaspersky Industrial CyberSecurity for Networks server. When the timeout runs out, Kaspersky Industrial CyberSecurity for Nodes attempts to connect to another Industrial CyberSecurity for Networks server if there is more than one.
      /sync-period:<synchronization request period>	Optional argument. Lets you specify the period in minutes for sending synchronization requests with the Kaspersky Industrial CyberSecurity server. During synchronization, the application sends information about modified application and task settings.
      /events-sent-period:<maximum delay when sending events>	Optional argument. Lets you specify the maximum delay when sending events to the Kaspersky Industrial CyberSecurity for Networks server. When the specified time expires, the application tries to connect to the same server again or connects to the next server in the list, if there are multiple servers.
      /events-limit:<1|0>	Optional argument. Lets you limit the number of events being sent. If the number of events exceeds the configured limits, the application stops sending events.
      /events-per-hour:<maximum number of events per hour>	Required if /EVENTS-LIMIT:1 is passed. Lets you specify the maximum number of events to be sent per hour.
      /pwd:<password>	Optional argument. Lets you specify the password of the KLAdmin user or a user with sufficient permissions to configure integration. If this option is not specified, the application prompts you for the password on the next line.
      /login:<user name>	Optional argument. Lets you specify a user name with sufficient permissions to configure integration. If this option is not specified, the application prompts you for the user name on the next line. You do not need to enter this value if you entered the KLAdmin password.
      /virtual-span-enable	Optional argument. Enables the promiscuous mode of telemetry. By default, Kaspersky Industrial CyberSecurity for Nodes collects network traffic arriving at network interfaces of the computer and addressed to the computer on which the application is installed. In promiscuous mode, the application collects network traffic for network interfaces of the computer coming from all available subnets. The application uses the collected traffic to generate extended telemetry. Not all network adapters support the Promiscuous mode. Extended telemetry collection does not work on these network adapters.
      /virtual-span-disable	Optional argument. Disables the promiscuous mode of telemetry.
      /virtual-span-add-rules:<IPv4 addresses of the computer's network interfaces>	Optional argument. Lets you add subnets as addresses of the computer's network interfaces (the application identifies the corresponding subnets by the subnet mask of the network interface) or addresses of network interfaces with subnets in the IPv4 format. The application collects network traffic in promiscuous mode only for network interfaces configured for the specified subnets. For example: /VIRTUAL-SPAN-ADD-RULES:198.51.100.0; 198.51.100.0/24.
      /virtual-span-remove-rules:<subnet IDs>	Optional argument. Lets you delete subnets with specified IDs. The list of added subnets and their IDs can be displayed using the /VIRTUAL-SPAN-SHOW command.
      /mqtt-subscriber-enable	Optional argument. Enables the MQTT subscriber mode for receiving telemetry from the data diode. By default, the MQTT subscriber mode is disabled.
      /mqtt-subscriber-disable	Optional argument. Disables the MQTT subscriber mode.
      /mqtt-server:<address>:<port>	Required parameter if the /kics-mode:mqtt-publisher or /mqtt-subscriber:enable. parameter is passed. Specifies the address and port of the MQTT broker. The default port for the MQTT broker is 1883.
      /mqtt-user:<login name>	Required parameter of login and password authorization is configured on the MQTT broker. Specifies the login name for authorization at the MQTT broker.
      /mqtt-password:<password>	Required parameter of login and password authorization is configured on the MQTT broker. Specifies the password for authorization at the MQTT broker.

   As the MQTT subscriber, the application receives telemetry from the data diode to send it on to KICS for Network.

   Delivery of messages received from the Kaspersky Industrial CyberSecurity for Nodes via the data diode is not guaranteed when there is no connection with the KICS for Networks server.

   How to configure the application as an MQTT subscriber in the Kaspersky Security Center Administration Console

   1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select the group to which the computer belongs.
   2. In the results pane, select the Devices tab.
   3. Double-click to open the computer properties window.
   4. Go to the Applications section.
   5. In the list of Kaspersky applications installed on the computer, select Kaspersky Industrial CyberSecurity for Nodes and double-click to open the application properties.
   6. Select the Telemetry collection servers section.
   7. In the Integration with KICS for Networks block, click the Settings button.

      The Integration with KICS for Networks window opens.

   8. Select the Integration with KICS for Networks check box.
   9. On the General tab, select Send telemetry to KICS for Networks server.
   10. Manage the following settings:
       • Address and Port. IP address and port of the Kaspersky Industrial CyberSecurity for Networks server to which you want to send telemetry.
       • Send sync request to KICS for Networks server every (min). Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Industrial CyberSecurity for Nodes sends information about modified application settings and tasks. The default value is 5 minutes.
       • Server connection settings. Manage the following settings:
         • Timeout (sec). Maximum server response timeout. After the timeout, Kaspersky Industrial CyberSecurity for Nodes re-connects to the server. The default setting is 10 seconds.
         • Server TLS certificate. TLS certificate for establishing a trusted connection with the Kaspersky Industrial CyberSecurity for Networks server. You can get a TLS certificate using the Kaspersky Industrial CyberSecurity for Networks management interface.
         • Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks. To use two-way authentication, you need to enable two-way authentication in the Kaspersky Industrial CyberSecurity for Networks settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. After configuring the Kaspersky Industrial CyberSecurity for Networks settings, you need to also enable two-way authentication in Kaspersky Industrial CyberSecurity for Nodes settings and load a password-protected crypto-container.

           The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

       • Select the Receive telemetry from a data diode as an MQTT subscriber check box.
       • Enter credentials for authentication at the MQTT broker server.
       • Enter the IP address and port of the MQTT broker server.
   11. Configure data transfer (see the table below).
   12. If necessary, configure telemetry in promiscuous mode.

       By default, Kaspersky Industrial CyberSecurity for Nodes collects network traffic arriving at network interfaces of the computer and addressed to the computer on which the application is installed. In promiscuous mode, the application collects network traffic for network interfaces of the computer coming from all available subnets. The application uses the collected traffic to generate extended telemetry.

       Not all network adapters support the Promiscuous mode. Extended telemetry collection does not work on these network adapters.

       1. On the Telemetry collection tab, select the Enable Promiscuous mode for the application and host network interfaces check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for all network interfaces of the computer on which the application is installed.
       2. Select the Use in Promiscuous mode only host network interfaces configured for the specified subnets check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for network interfaces configured for subnets from the list below.
       3. If necessary, create a list of subnets.
   13. Save your changes.

   How to configure the application as an MQTT subscriber in the Kaspersky Security Center Web Console

   1. In the main window of the Web Console, select Assets (Devices) → Managed devices.
   2. Click a computer name.
   3. In the displayed computer properties window, select the Applications tab.
   4. Click Kaspersky Industrial CyberSecurity for Nodes (4.5.0).
   5. Select the Application settings tab.
   6. Select the Telemetry collection servers section.
   7. In the Integration with KICS for Networks block, click the Configure button.

      The Integration with KICS for Networks window opens.

   8. Select the Integration with KICS for Networks check box.
   9. On the General tab, select Send telemetry to KICS for Networks server.
   10. Manage the following settings:
       • Address and Port. IP address and port of the Kaspersky Industrial CyberSecurity for Networks server to which you want to send telemetry.
       • Send sync request to KICS for Networks server every (min). Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Industrial CyberSecurity for Nodes sends information about modified application settings and tasks. The default value is 5 minutes.
       • Server connection settings. Manage the following settings:
         • Timeout (sec). Maximum server response timeout. After the timeout, Kaspersky Industrial CyberSecurity for Nodes re-connects to the server. The default setting is 10 seconds.
         • Server TLS certificate. TLS certificate for establishing a trusted connection with the Kaspersky Industrial CyberSecurity for Networks server. You can get a TLS certificate using the Kaspersky Industrial CyberSecurity for Networks management interface.
         • Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks. To use two-way authentication, you need to enable two-way authentication in the Kaspersky Industrial CyberSecurity for Networks settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. After configuring the Kaspersky Industrial CyberSecurity for Networks settings, you need to also enable two-way authentication in Kaspersky Industrial CyberSecurity for Nodes settings and load a password-protected crypto-container.

           The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

       • Select the Receive telemetry from a data diode as an MQTT subscriber check box.
       • Enter credentials for authentication at the MQTT broker server.
       • Enter the IP address and port of the MQTT broker server.
   11. Configure data transfer (see the table below).
   12. If necessary, configure telemetry in promiscuous mode.

       By default, Kaspersky Industrial CyberSecurity for Nodes collects network traffic arriving at network interfaces of the computer and addressed to the computer on which the application is installed. In promiscuous mode, the application collects network traffic for network interfaces of the computer coming from all available subnets. The application uses the collected traffic to generate extended telemetry.

       Not all network adapters support the Promiscuous mode. Extended telemetry collection does not work on these network adapters.

       1. On the Telemetry collection tab, select the Enable Promiscuous mode for the application and host network interfaces check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for all network interfaces of the computer on which the application is installed.
       2. Select the Use in Promiscuous mode only host network interfaces configured for the specified subnets check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for network interfaces configured for subnets from the list below.
       3. If necessary, create a list of subnets.
   13. Save your changes.

   How to configure the application as an MQTT subscriber in the Application Console

   1. In the Application Console tree, select the Telemetry collection servers → Integration with KICS for Networks section.
   2. Click the Properties link in the results pane.

      The Properties: Integration with KICS for Networks window opens on the General tab.

   3. Select the Integration with KICS for Networks check box.
   4. On the General tab, select Send telemetry to KICS for Networks server.
   5. Manage the following settings:
      • Address and Port. IP address and port of the Kaspersky Industrial CyberSecurity for Networks server to which you want to send telemetry.
      • Send sync request to KICS for Networks server every (min). Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Industrial CyberSecurity for Nodes sends information about modified application settings and tasks. The default value is 5 minutes.
      • Server connection settings. Manage the following settings:
        • Timeout (sec). Maximum server response timeout. After the timeout, Kaspersky Industrial CyberSecurity for Nodes re-connects to the server. The default setting is 10 seconds.
        • Server TLS certificate. TLS certificate for establishing a trusted connection with the Kaspersky Industrial CyberSecurity for Networks server. You can get a TLS certificate using the Kaspersky Industrial CyberSecurity for Networks management interface.
        • Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks. To use two-way authentication, you need to enable two-way authentication in the Kaspersky Industrial CyberSecurity for Networks settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. After configuring the Kaspersky Industrial CyberSecurity for Networks settings, you need to also enable two-way authentication in Kaspersky Industrial CyberSecurity for Nodes settings and load a password-protected crypto-container.

          The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

      • Select the Receive telemetry from a data diode as an MQTT subscriber check box.
      • Enter credentials for authentication at the MQTT broker server.
      • Enter the IP address and port of the MQTT broker server.
   6. Configure data transfer (see the table below).
   7. If necessary, configure telemetry in promiscuous mode.

      By default, Kaspersky Industrial CyberSecurity for Nodes collects network traffic arriving at network interfaces of the computer and addressed to the computer on which the application is installed. In promiscuous mode, the application collects network traffic for network interfaces of the computer coming from all available subnets. The application uses the collected traffic to generate extended telemetry.

      Not all network adapters support the Promiscuous mode. Extended telemetry collection does not work on these network adapters.

      1. On the Telemetry collection tab, select the Enable Promiscuous mode for the application and host network interfaces check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for all network interfaces of the computer on which the application is installed.
      2. Select the Use in Promiscuous mode only host network interfaces configured for the specified subnets check box if you want to enable the promiscuous mode of network traffic collection from all available subnets for network interfaces configured for subnets from the list below.
      3. If necessary, create a list of subnets.
   8. Save your changes.

   How to configure the application as an MQTT subscriber on the command line

   To configure the integration on the command line, Password protection must be enabled.

   1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
   2. Using the cd command, navigate to the folder where the kavshell.exe file is located.

      For example, enter the command cd C:\Program Files (x86)\Kaspersky Lab\Kaspersky Industrial CyberSecurity for Nodes.4.5.0 and press ENTER.

   3. Execute the following command:

      KAVSHELL KICS /enable /servers:<address>:<port> [/pinned-certificate:<full path to the TLS certificate file>] [/client-certificate:<full path to the crypto-container>] [/client-password:<password for the crypto-container>] [/timeout:<maximum server response timeout>] [/sync-period:<synchronization request period>] [/events-sent-period:<maximum delay when sending events>] [/events-limit:<1|0>] [/events-per-hour:<maximum number of events per hour>] [/virtual-span-enable] [/virtual-span-disable] [/virtual-span-add-rules:<subnet IDs>] [/virtual-span-remove-rules:<subnet IDs>] /mqtt-subscriber-enable /mqtt-server:<address>:<port> [/mqtt-user:<login name for authorization at the MQTT broker>] [/mqtt-password:<password for authorization at the MQTT broker>] [/login:<name of the current user account>] [/pwd:</login password or KLAdmin password if /login is not specified>]

      Settings for integration between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks

      Parameter	Description
      KICS	Required argument. Specifies Kaspersky Industrial CyberSecurity for Networks as the application to integrate with.
      /<enable|disable|show>	Required argument. Allows enabling, disabling, and viewing the status of the integration between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks.
      /servers:<address>:<port>	Required argument. Allows you to specify the address and port of the Kaspersky Industrial CyberSecurity for Networks server or the address of an MQTT publisher.
      /kics-mode:<telemetry|mqtt-publisher>	Optional argument. Allows selecting the integration mode of the application with Kaspersky Industrial CyberSecurity for Networks. telemetry sends telemetry directly to the Kaspersky Industrial CyberSecurity for Networks server. mqtt-publisher is the mode to be used for sending telemetry to the MQTT broker server. The default value is telemetry.
      /pinned-certificate:<full path to the TLS certificate file>	Optional argument. Allows you to add a TLS certificate for connecting Kaspersky Industrial CyberSecurity for Nodes with the Kaspersky Industrial CyberSecurity for Networks server.
      /client-certificate:<full path to the crypto-container>	Optional argument. Allows you to add a crypto-container that stores an encrypted client certificate for protecting the connection between Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Industrial CyberSecurity for Networks server.
      /client-password:<password for the crypto-container>	Required if /CLIENT-CERTIFICATE is passed. Lets you specify a password for the crypto-container.
      /timeout:<maximum server response timeout>	Optional argument. Lets you specify the maximum response timeout in seconds of the Kaspersky Industrial CyberSecurity for Networks server. When the timeout runs out, Kaspersky Industrial CyberSecurity for Nodes attempts to connect to another Industrial CyberSecurity for Networks server if there is more than one.
      /sync-period:<synchronization request period>	Optional argument. Lets you specify the period in minutes for sending synchronization requests with the Kaspersky Industrial CyberSecurity server. During synchronization, the application sends information about modified application and task settings.
      /events-sent-period:<maximum delay when sending events>	Optional argument. Lets you specify the maximum delay when sending events to the Kaspersky Industrial CyberSecurity for Networks server. When the specified time expires, the application tries to connect to the same server again or connects to the next server in the list, if there are multiple servers.
      /events-limit:<1|0>	Optional argument. Lets you limit the number of events being sent. If the number of events exceeds the configured limits, the application stops sending events.
      /events-per-hour:<maximum number of events per hour>	Required if /EVENTS-LIMIT:1 is passed. Lets you specify the maximum number of events to be sent per hour.
      /pwd:<password>	Optional argument. Lets you specify the password of the KLAdmin user or a user with sufficient permissions to configure integration. If this option is not specified, the application prompts you for the password on the next line.
      /login:<user name>	Optional argument. Lets you specify a user name with sufficient permissions to configure integration. If this option is not specified, the application prompts you for the user name on the next line. You do not need to enter this value if you entered the KLAdmin password.
      /virtual-span-enable	Optional argument. Enables the promiscuous mode of telemetry. By default, Kaspersky Industrial CyberSecurity for Nodes collects network traffic arriving at network interfaces of the computer and addressed to the computer on which the application is installed. In promiscuous mode, the application collects network traffic for network interfaces of the computer coming from all available subnets. The application uses the collected traffic to generate extended telemetry. Not all network adapters support the Promiscuous mode. Extended telemetry collection does not work on these network adapters.
      /virtual-span-disable	Optional argument. Disables the promiscuous mode of telemetry.
      /virtual-span-add-rules:<IPv4 addresses of the computer's network interfaces>	Optional argument. Lets you add subnets as addresses of the computer's network interfaces (the application identifies the corresponding subnets by the subnet mask of the network interface) or addresses of network interfaces with subnets in the IPv4 format. The application collects network traffic in promiscuous mode only for network interfaces configured for the specified subnets. For example: /VIRTUAL-SPAN-ADD-RULES:198.51.100.0; 198.51.100.0/24.
      /virtual-span-remove-rules:<subnet IDs>	Optional argument. Lets you delete subnets with specified IDs. The list of added subnets and their IDs can be displayed using the /VIRTUAL-SPAN-SHOW command.
      /mqtt-subscriber-enable	Optional argument. Enables the MQTT subscriber mode for receiving telemetry from the data diode. By default, the MQTT subscriber mode is disabled.
      /mqtt-subscriber-disable	Optional argument. Disables the MQTT subscriber mode.
      /mqtt-server:<address>:<port>	Required parameter if the /kics-mode:mqtt-publisher or /mqtt-subscriber:enable. parameter is passed. Specifies the address and port of the MQTT broker. The default port for the MQTT broker is 1883.
      /mqtt-user:<login name>	Required parameter of login and password authorization is configured on the MQTT broker. Specifies the login name for authorization at the MQTT broker.
      /mqtt-password:<password>	Required parameter of login and password authorization is configured on the MQTT broker. Specifies the password for authorization at the MQTT broker.

Data transfer settings

Parameter	Description
Maximum events transmission delay (sec)	The application synchronizes with the server to send events after the specified time. The default setting is 30 seconds.
Enable throttling	This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Industrial CyberSecurity for Nodes stops sending events.
Maximum number of events per hour	The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Industrial CyberSecurity for Nodes resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.
Percentage of event limit excess	The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Industrial CyberSecurity for Nodes resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %.

Page top