Kaspersky Industrial CyberSecurity for Networks 3.0 UPDATING APPLICATION MODULES AND DATABASES Revision date: 2025-07-22 After installing the latest updates, the application will have improved performance and reduced limitations due to the following changes: • Expanded list of supported types of external projects for importing configurations of devices and tags into the application. • [4918300] Fixed: after importing configurations of devices supporting the GOOSE protocol of the IEC 61850 standard, receipt of traffic involving these devices may cause the application to register the following events: "Mismatch detected (DataSet NOT FOUND)" and "Mismatch detected (TRAFFIC DOES NOT MATCH DEVICE MODEL)". о After the latest updates are installed, the application searches for configurations of devices that support the GOOSE protocol of the IEC 61850 standard, including based on domain identifiers. • Fixed: the application may incorrectly process some fields in messages of the Sampled Values protocol of the IEC 61850 standard. • [4883804] Fixed: unknown tag detection for the OPC UA Binary protocol fails to determine the values of detected tags. • Fixed: the application does not monitor tags transmitted over the Yokogawa Vnet/IP protocol to UDP port 9940. • Schneider Electric Modicon series M580 and M340 devices now have IEC 60870-5-104 protocol support. • Added functionality for identifying the RADIUS over UDP and MQTT over TCP protocols. • [5098190] Fixed: unknown tag detection over the DMS protocol for ABB AC 700F devices could disrupt the filter process in some cases. • [5066226] Fixed: when analyzing traffic over the GOOSE protocol of the IEC 61850 standard, the application registers "Mismatch detected (GOOSE INCORRECT SEQUENCE)" events, including in cases when the values of counters in GOOSE messages are changed in accordance with the standard. о After installation of the latest updates: the application takes into account the changed values of modification counters and retransmission counters in GOOSE messages according to the rules of the IEC 61850 standard. • [4909862] Fixed: when configuring Process Control settings for the PROFINET IO protocol, the value entered into the "Frame type" field is not verified for compliance with values from the device profile file. • [5112186] Fixed: when importing tags of the Siemens S7comm protocol from a universal-format project, the application fails to load the values of the Length parameter, which defines the string length for string-type tags. • Added support for the BSAP, General Electric EGD, and PNU20 protocols and for devices that use these protocols. • [5210146] Added support for the CODESYS V3 Gateway over TCP and CODESYS V3 Gateway over UDP protocols for BECKHOFF CX series devices. • Implemented function for monitoring read/write of PLC projects for the Allen-Bradley EtherNet/IP protocol. • Expanded list of supported system commands for the OMRON FINS protocol. • [5199476] For devices that use the GOOSE and MMS protocols of the IEC 61850 standard, you can now select these protocols in process control settings. • [5199488] Added unknown tag detection functionality for the MMS protocol of the IEC 61850 standard. • [5171192] Fixed: when analyzing traffic over the Siemens S7comm-plus protocol, the application may register "Error (PARSING ERROR: WRONG PACKET FORMAT)" events if system commands are transmitted in network packets containing fragmented data from protocols of various layers. • [5161095] Fixed: values are not displayed for some fields of structure tags transmitted over the TASE.2 protocol. • [5198729] Fixed: after the application is restarted, the application temporarily fails to monitor the values of tags received over the MMS protocol of the IEC 61850 standard using dynamic reports. • [5202889] Fixed: for imported configurations of devices and tags, in some cases the application may delete defined process control settings for a device if the address information of this device is manually changed. • [5281319] Fixed: for tags of the Siemens S7comm protocol, the application may incorrectly display the values of physical addresses of tags in DB and DBB memory areas. • [5338551] Fixed: when importing configurations of devices and tags from a universal-format project, the ProductServer system process malfunctions if an unsupported data type is indicated for some tag in the project. • [5355473] Fixed: when automatically detecting process control settings, the Siemens S7comm protocol processing module may incorrectly identify the functional roles of the SCADA system server and PLCs. This will result in the erroneous creation of multiple configurations containing the address information of the device acting as the SCADA system server without creating correct configurations containing the address information of devices serving as PLCs. • [5371269] Fixed: when analyzing traffic containing fragmented packets with subscriptions over the Honeywell Experion CDA protocol, the application fails to process some of the values of transmitted tags. • Expanded list of supported system commands for the Emerson DeltaV protocol. • Added basic support for the KNXnet/IP and DTS protocols and for devices that use these protocols. • Added statistics-based unknown tag detection functionality for the Modbus TCP and Siemens S7comm protocols. • [5481876] The Modbus TCP processing module now supports the data transfer format used by FloBoss S600+ hardware. • [5504778] The Schneider Electric UMAS protocol processing module now supports tags with dynamic addressing in PLC memory. • [5422966] Fixed: the application fails to track some system commands for managing Schneider Electric Modicon M580 devices when these commands are transmitted over the UMAS protocol. • [5458978] Fixed: in some cases, the application fails to detect when a tag is written to a device over the Allen-Bradley EtherNet/IP protocol (for example, when using the ICS operator interface). • [5388203] Fixed: when analyzing traffic over the Allen-Bradley EtherNet/IP protocol, the filter process may be periodically disrupted and the node's monitoring points may remain in the "Enabling" state for a prolonged period of time. • [4897486] Fixed: when analyzing traffic over the IEC 60870-5-104 standard protocol, the system does not account for the capability to transmit the same tags using different types of ASDU frames (differing only in the availability or lack of a time tag and its format). For example, if a tag with the "<13> M_ME_NC" data type has been added to the application and the application then detects this tag with the "<14> M_ME_TC" or "<36> M_ME_TF" data type (types of ASDU frames with a time tag), the application registers a mismatch detection event. о After installing the latest updates: when the application detects unknown tags over the IEC 60870-5-104 standard protocol, by default the detected tags are assigned the data type corresponding to ASDU frame types that have a CP56Time2a time tag. These data types are generic and enable correct processing of tags if they are transmitted in ASDU frames that either have a time tag in a different format or do not have a time tag. If a generic data type is not assigned to a tag, you can manually specify this data type (in the provided example, you can indicate the "<36> M_ME_TF [13/14/36]" data type for a tag). • [4900084] For tags of the IEC 60870-5-104 standard protocol, data types can now be displayed as the identifiers of ASDU frame types and names of operations or as data types for specific values (for example, <01> M_SP_NA and bool). The designations for data types based on the protocol standard and based on values are displayed in different columns of the tags table. • The functionality for importing external projects from CSV files was improved to account for the specific features of exporting data from CIMPLICITY projects. • [5641122] Fixed: if several hundreds of thousands of tags have been added to the application and traffic containing the values of an even larger number of tags is being received at a rate of around 100 Mbit/s, the filter process may be disrupted if Unknown Tag Detection technology is enabled. • For the DTS protocol, the application now supports system commands that make it possible to determine the type of messages being transmitted. • [5524211] Device configurations and tags can be supported from Siemens TIA Portal V17 projects. To import a TIA Portal V17 project, it needs to be converted into a universal format comprised of comma-delimited text files (CSV files). To convert a TIA Portal V17 project into the universal format, you can contact Kaspersky experts. • Added functionality to determine the version of the SSL (versions 2 and 3) and TLS (versions 1.0, 1.1, 1.2 and 1.3) protocols. • Added support for getting information about PLC projects for Emerson DeltaV devices. • Improved algorithm for processing values ​in timestamps according to the MMS protocol of the IEC 61850 standard. • When importing a project type obtained by means of the ABB Freelance 2016 Engineering software, the application considers situations when the same addresses are specified for several tags. • Fixed: when loading process control rules that were automatically added in learning mode, a rule processing error occurs for the rules that were created for tags using the Siemens S7comm and Modbus TCP protocols, if the string values of the tags contained unsupported characters. • [5844754] Fixed: when manually adding a tag for the GOOSE or MMS protocol of the IEC 61850 standard, the application does not check the address of the specified tag. • [5880966] Fixed: when importing device and tag configurations, the application does not check the uniqueness of the names for the added devices. The application may work incorrectly if the names of imported devices are the same as the names of previously added devices. • Application performance is improved in terms of traffic processing and analysis. • [5948444] Fixed: the filter process may fail due to an out-of-memory error when analyzing traffic transmitted over the MMS protocol of IEC 61850 standard. • [5951219] Fixed: the filter process may fail if the intensity of traffic arriving to the monitoring point is too high. • Support for the INA2000 protocol and the B&R devices that use this protocol is added. • [5546625] The function for determining network equipment manufacturers for the devices by MAC addresses has been improved for better manufacturer recognition. • [5931154] Fixed: when adding tags using the methods of Kaspersky Industrial CyberSecurity for Networks API, the value specified as the length of the string data type is not checked. • Added support for the PK4 protocol and the devices that use this protocol. • Added the limit on the maximum number of imported tags from an external project. • Added unknown tag detection functionality for the PNU20 protocol. • Added descriptions of errors that lead to non-execution of system commands over the Honeywell Experion EpicMo protocol. Received error codes and their descriptions are saved in events about non-executed system commands. • [6343424] Fixed: when analyzing traffic over the Siemens S7comm protocol, the application may register "Error (PARSING ERROR: WRONG PACKET SIZE)" and "Error (PARSING ERROR: BUFFER NOT VALID)" events if network packets contain variables of unsupported syntax. • [6343032] Fixed: in some cases, the application may save data about seizures of exclusions in the log of the filter process, mistakenly identifying this data as error messages, rather than diagnostic messages. • Added basic support for the communication protocol between the Siemens SICAM PAS and SICAM SCC (based on SIMATIC WinCC) systems and for the devices using this protocol. • Loading of the rules for detection of information about devices and device communication protocols is improved. During the loading, corrupted rules and rules in unsupported formats (for example, created for new versions of the application modules) are ignored by the application and do not hinder device information detection. • The application of the rules for detection of information about devices and device communication protocols is optimized. This optimization improves the application performance when detecting protocols. • The support for receiving information about PLC projects for Siemens devices of the SIPROTEC 4 series and SIMATIC S7-1200, S7-1500 series is added. • The support of the automated radiation monitoring systems (ARMS) protocol and devices using this protocol is added. • [6645875] Fixed: During network interaction, the application may incorrectly detect the protocol being used as the Emerson ControlWave Designer protocol. • [6612007] Fixed: When using the IEDScout software tool to read device configurations, the application does not detect unknown tags transmitted in the IEDScout session via the MMS IEC 61850 protocol. о After installing the latest updates: To detect and save information about unknown tags after the IEDScout session ends, restart the Server computer and then restart reading device configurations in IEDScout. • [7093998] Added support for defining the following device communication protocols: SuiteLink, SCIYON default, CIMPLICITY-Historian, CIMPLICITY-HMI/SCADA, HL7 v2/v3, DICOM, RTSP, ONVIF. • When importing device configurations and tags from YARD config files, the application makes allowance for possible dots and zero-size tags in device location data. • [7119255] Fixed: PK4 protocol tag scaling not supported. • [7120738] Fixed: the application incorrectly defines the device category as "Engineering Workstation" for certain Siemens SIMATIC PLC models. • [7339727] Fixed: when automatically detecting process control settings for devices that communicate with other devices via LDAP, the application may incorrectly detect the type of process control device and the protocol used. In particular, when analyzing the network communications of a Windows domain controller, the application may add process control parameters for this device that set the device type to "Modbus TCP device" or "UMAS device". • [7396410] Fixed: during network interaction, the application may incorrectly detect the protocol being used as "ARMS control protocol". • [7902528, 7875825] Added support for the VNIIA and Telnet protocols and for devices that use these protocols. • [7880708] Expanded the set of supported protocols for the Prosoft-Systems Regul R500 device type. • [7562383] Fixed: in some cases, the application may incorrectly identify broadcast requests as network packets of the CODESYS V3 Gateway protocol, which leads to the registration of "Error (PARSING ERROR: WRONG PACKET SIZE)" events. • [7629347] Fixed: when downloading updates to sensors during high traffic intensity, the application may register an event after erroneously detecting the use of an outdated version of the SSL/TLS protocol in the network interaction between the Server and the sensor (due to the fact that the application layer protocol processing module incorrectly identifies the protocol version based on fragmented network packets). • [7800318] Fixed: when importing device configurations and tags from a Honeywell Control Builder project, errors occur if the ZIP archive contains several thousand files or if the project uses unsupported types of tag data. • [7852945] Fixed: when analyzing traffic over the Ethernet I protocol, the application may fail to trigger the device information detection rules designed to automatically obtain information (for example, information about the manufacturer, model and hardware version of the device). • [7937498] Fixed: when analyzing traffic over the Allen-Bradley EtherNet/IP protocol, the filter process may fail. • [8056572] Fixed: locally administered MAC addresses arbitrarily assigned by certain network device models to their virtual network interfaces and sent to other devices on the network via LLDP/CDP/MNDP are processed by the application as additional real MAC addresses for these network devices. For this reason, the application automatically adds network interfaces for these devices with the specified MAC addresses, and depending on the settings, the application may register a large number of device merge failure alerts due to the inability to update network interfaces. • [8104280] Fixed: when analyzing DHCP traffic on a sensor node, the filter process may fail due to an out-of-memory error. • [7586847] Added support for the CHINT MAS400 and MAS9600 device interaction protocols. • [7980074, 7980097] Added support for the ISaGRAF IXL, SNCP protocols and devices using these protocols (including Tecon MFK devices). • [8152754] The OPC UA Binary protocol processing module has been improved to support the features of using this protocol when transmitting system commands to Tecon MFK devices. • [7980102] Added support for the DLMS/COSEM protocol and the devices that use this protocol. • Expanded support for more tag data types and system commands for the Yokogawa Vnet/IP protocol (including messages containing different types of alarms). The application can now process return codes during tag operations. • [7910547] Fixed: to track system commands and tags via the Valmet DNA device interaction protocol, you have to load the device configuration file. o After installing the latest updates: the application automatically determines the necessary operating settings for the Valmet DNA protocol processing module without the need to load the device configuration file. • [8362427] Fixed: after importing device configurations and tags from a Honeywell Control Builder project, the application may incorrectly track tags that are transmitted over Honeywell Experion protocols. Tracking errors are caused by insufficient data in the configurations exported from the Control Builder application. o After installing the latest updates: export the data to the Honeywell Control Builder project as described under "How to prepare data for import" in the import settings window for this project type (using Microsoft SQL Server Management Studio instead of the Control Builder application), then perform the procedure for clearing the process control settings for Honeywell devices and import the configurations from the resulting project. © 2025 AO Kaspersky Lab