Configuring industrial protocol traffic filtering

You can use the Kaspersky IoT Secure Gateway Network Protector application to configure rules for blocking and filtering industrial protocol traffic in the Kaspersky IoT Secure Gateway 1000 configuration settings. Industrial traffic filtering uses packet analysis rules and includes the following checks:

• filtering of commands in the MQTT and Modbus protocols;
• Scanning for MQTT and Modbus traffic anomalies.

For Kaspersky IoT Secure Gateway Network Protector to work, you need to configure it first. When started without a completed configuration, Kaspersky IoT Secure Gateway 1000 enters emergency mode, as it cannot receive traffic filtering rules to ensure a secure state.

To configure traffic filtering rules for industrial protocols:

1. Use Kaspersky Update Utility to download files with lists of supported network packet analysis rules:
   • The industrial_commands.rules file contains a list of supported command filtering rules for industrial protocols.
   • The industrial_anomalies.rules file contains a list of supported traffic anomaly detection rules for industrial protocols.

   The identifier (sid) 90000001 is used for internal purposes and cannot be assigned to any rule.

   For detailed information on using the utility, refer to the Kaspersky Update Utility documentation.

2. If required, select from these files the rules that you want to apply to industrial protocol traffic filtering.
3. Encode the lists of command filtering and anomaly detection rules as two separate Base64 strings.
4. Stop Kaspersky IoT Secure Gateway Network Protector if running.

   While Kaspersky IoT Secure Gateway Network Protector is stopped, transit traffic on the device will be blocked to ensure the security of connected devices.

5. In the menu in the left part of the web interface screen, select Settings → Configuration.
6. In the configuration field under kaspersky.kisg.netprotector, add "APP_CONFIGURATION": {} .
7. Inside APP_CONFIGURATION, specify the following settings to enable and configure industrial protocol traffic filtering:
   • Add an "industrial_commands_rules": "" parameter and specify a list of Base64-encoded rules for filtering commands at industrial protocol level.
   • Add an "industrial_anomaly_rules": "" parameter and specify a list of Base64-encoded rules for detecting traffic anomalies at industrial protocol level.

   As a result, the settings configuration under kaspersky.kisg.netprotector will appear as shown below:

   "APP_CONFIGURATION": {

   "industrial_commands_rules": " <Base64 encoded rules> ",

   "industrial_anomaly_rules": " <Base64-encoded rules>"

   }

   For Kaspersky IoT Secure Gateway Network Protector to work, define at least one configuration setting, or else Kaspersky IoT Secure Gateway 1000 will enter emergency mode after you start it, as it cannot receive traffic filtering rules to ensure a secure state. You can disable only one of the settings by putting empty quotation marks "" as the parameter value.

   After adding APP_CONFIGURATION and its settings, you cannot delete it, as it is required for the application to work.

8. Click Save to apply the configuration settings.
9. Start Kaspersky IoT Secure Gateway Network Protector.

Industrial protocol traffic will be filtered using the specified rules. If the rule is triggered, traffic that matches the rule is blocked, and the IP address where the traffic originated is added to the IP address denylist. The information that the IP address was blocked is sent to the Kaspersky IoT Secure Gateway 1000 firewall. The traffic blocking event is recorded in the audit log.