About Kaspersky Industrial CyberSecurity for Networks
5 February 2024
Kaspersky Industrial CyberSecurity for Networks is an application designed to protect the infrastructure of industrial enterprises from information security threats, and to ensure uninterrupted process flows. Kaspersky Industrial CyberSecurity for Networks analyzes industrial network traffic to identify deviations in the values of process parameters, detect signs of network attacks, and monitor the operation and current device states on the network. The application is part of the solution known as Kaspersky Industrial CyberSecurity.
Kaspersky Industrial CyberSecurity for Networks performs the following functions:
- Protects company assets by monitoring their industrial network devices. Detects device activity and collects device information from network packet analysis and/or from Kaspersky applications that protect workstations and servers.
- Controls devices and the interactions between them based on whether their MAC addresses or IP addresses belong to defined address spaces.
- Scans communications between industrial network devices to check their compliance with defined Interaction Control rules. Interaction Control rules can be generated automatically by running the application in learning mode.
- Displays interactions between industrial network devices as a network interaction map. Displayed objects are visually distinguished based on various attributes (for example, objects with issues).
- Displays a diagram of the physical connections between devices in an industrial network as a topology map. Displayed objects are visually distinguished by various attributes (for example, by the status).
- Detects risks based on traffic analysis and received information on devices.
- Allows active polling of devices through connectors to obtain the most accurate and complete information about devices and their configuration.
- Allows you to conduct a device security audit to assess device compliance with security standards and to perform other checks.
- Extracts the parameter values of the technological process controlled by the Industrial Control System (hereinafter referred to as the "ICS") from network packets and checks the acceptability of those values based on the defined Process Control rules. Process Control rules can be generated automatically by running the application in learning mode.
- Monitors traffic to detect system commands that are transmitted or received by devices involved in process automation. Provides notifications regarding detected unauthorized system commands or situations that could be signs of industrial network security violations.
- Monitors project read and write operations for programmable logic controllers, saves the obtained information about projects, and compares this information to previously obtained information.
- Analyzes industrial network traffic for signs of attacks without affecting the industrial network or drawing the attention of a potential attacker. Uses defined Intrusion Detection rules and embedded algorithms to scan for anomalies in network packets and detect signs of attacks.
- Registers network sessions created by the devices for connecting with other devices.
- Registers events and relays information about them to recipient systems and to Kaspersky Security Center.
- Analyzes registered events and, upon detecting certain sequences of events, registers incidents based on embedded correlation rules. Incidents group events that have certain common traits or that are associated with the same process.
- Saves traffic associated with registered events in the database. Traffic can be saved automatically (if autosave is enabled for the traffic of events) or by requesting to download traffic.
- Receives and processes data from the applications that are part of the Endpoint Protection Platform (EPP). Registers events and risks when data is received from EPP applications. Displays information about threat development chains in the events that are Endpoint Detection and Response incidents.
- Provides the capability to trigger response actions for the devices with Kaspersky Endpoint Agent installed.
- Provides reports on the device status and system security, as well as the results of a security audit.
- Provides the capability to download traffic from traffic dump file storages. Both the internal node storage (created automatically) and an external node storage, if one is connected on the node, can be used to download traffic.
- Can be operated through both the GUI and the API.
- Provides data for centralized monitoring of systems with Kaspersky Industrial CyberSecurity for Networks from the Kaspersky Security Center Web Console.
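The list above mentions that Interaction Control rules and Process Control rules can be generated automatically in learning mode and then used to check live traffic. The following added example, which is not Kaspersky's code and assumes nothing about the product's internal rule format, shows the general idea: a learning phase records which device pairs and protocols were observed and the value range seen for each process parameter, and a monitoring phase reports deviations as events. All addresses, protocol names and parameter tags are constructed sample data.

```python
"""Illustration of learning-mode rule generation (not the product's own code).

Learning mode: build an allowlist of observed (src, dst, protocol) interactions
and the observed [min, max] range of every process parameter tag.
Monitoring mode: report interactions and parameter values outside the baseline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Observation:
    src: str           # sending device address (constructed sample values)
    dst: str           # receiving device address
    proto: str         # application protocol name as a label, e.g. "modbus"
    tag: str = ""      # process parameter identifier; empty for non-process traffic
    value: float = 0.0 # parameter value carried in the packet, if any


@dataclass
class Rules:
    interactions: Set[Tuple[str, str, str]] = field(default_factory=set)
    ranges: Dict[str, Tuple[float, float]] = field(default_factory=dict)


def learn(observations: List[Observation], margin: float = 0.0) -> Rules:
    """Derive rules from baseline traffic. `margin` widens each learned range by
    a fraction of its width so that a value just outside the observed extremes
    does not immediately raise an event."""
    rules = Rules()
    for o in observations:
        rules.interactions.add((o.src, o.dst, o.proto))
        if o.tag:
            lo, hi = rules.ranges.get(o.tag, (o.value, o.value))
            rules.ranges[o.tag] = (min(lo, o.value), max(hi, o.value))
    for tag, (lo, hi) in rules.ranges.items():
        pad = (hi - lo) * margin
        rules.ranges[tag] = (lo - pad, hi + pad)
    return rules


def monitor(observations: List[Observation], rules: Rules) -> List[Tuple[str, str]]:
    """Check live traffic against the learned rules; return (event_type, detail) pairs."""
    events = []
    for o in observations:
        if (o.src, o.dst, o.proto) not in rules.interactions:
            events.append(("unknown_interaction", f"{o.src}->{o.dst} {o.proto}"))
        if o.tag and o.tag in rules.ranges:
            lo, hi = rules.ranges[o.tag]
            if not lo <= o.value <= hi:
                events.append(("parameter_out_of_range",
                               f"{o.tag}={o.value} allowed [{lo}, {hi}]"))
        elif o.tag:
            events.append(("unknown_parameter", o.tag))
    return events


# Constructed baseline captured during learning mode: an HMI reading a tank
# level from a PLC, and an engineering station talking to the same PLC.
BASELINE = [
    Observation("10.0.0.10", "10.0.0.20", "modbus", "tank1.level", 40.0),
    Observation("10.0.0.10", "10.0.0.20", "modbus", "tank1.level", 55.0),
    Observation("10.0.0.10", "10.0.0.20", "modbus", "tank1.level", 60.0),
    Observation("10.0.0.30", "10.0.0.20", "s7comm"),
]

# Constructed live traffic: one normal read, one write from a device never seen
# in learning mode carrying a value far outside the learned range.
LIVE = [
    Observation("10.0.0.10", "10.0.0.20", "modbus", "tank1.level", 58.0),
    Observation("10.0.0.99", "10.0.0.20", "modbus", "tank1.level", 95.0),
    Observation("10.0.0.30", "10.0.0.20", "s7comm"),
]


def run_demo() -> Tuple[Rules, List[Tuple[str, str]]]:
    rules = learn(BASELINE)
    return rules, monitor(LIVE, rules)


if __name__ == "__main__":
    learned, found = run_demo()
    print("learned interactions:", sorted(learned.interactions))
    print("learned ranges:", learned.ranges)
    for kind, detail in found:
        print(f"event: {kind}: {detail}")
```

A real deployment would learn for long enough to cover normal process cycles and would review the generated rules before switching to monitoring; the `margin` parameter exists only to show why an exact min/max baseline tends to produce false positives on the first slightly unusual reading.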