In response to the increased challenges and escalating threats facing operational technologies and critical infrastructure, Kaspersky has enhanced its Kaspersky Industrial CyberSecurity (KICS), a native XDR Platform for industrial enterprises, and streamlined Managed Detection and Response (MDR) for Industrial Control Systems (ICS), a service that helps to perform key SOC functions for organizations that may lack dedicated personnel.
The new reality for owners and operators of industrial infrastructures is shaped by IT-OT convergence, high regulatory requirements, and the rise of cyberattacks in the industrial sector. According to Kaspersky ICS CERT, malicious objects were blocked on almost one quarter (23.5%) of ICS computers in the second half of 2024. This highlights the persistent and significant level of threats, underscoring the need for companies to prioritize their cybersecurity strategy and implement comprehensive, reliable solutions to protect all their assets and processes. To meet this growing demand, Kaspersky has tailored its key solutions specifically designed to safeguard industrial companies.
The first significant update concerns Kaspersky Industrial CyberSecurity (KICS), a native XDR Platform[1] designed specifically for industrial enterprises. It is certified to protect OT and critical infrastructure equipment and networks from cyber-initiated threats. Designed to comprehensively secure the industrial automation and control systems, it consists of KICS for Nodes, which focuses on endpoints in distributed control systems, and KICS for Networks, which monitors automation system network security and protects automation system equipment from network-initiated threats.
With the new release, the platform introduces the following enhanced capabilities:
1. Improved configuration and change management for OT infrastructure
KICS enables security settings inspection and change monitoring through agent-based or agentless polling for Windows and Linux hosts, network devices, and PLCs to collect configurations. A predefined set of configurations is provided out of the box for all supported asset types and can be collected manually or in scheduled mode. The accumulated configuration archive is always available for review, and can be used to monitor change and analyze identified discrepancies.
2. New asset types for enhanced context during incident investigations
KICS for Networks now supports the reception and aggregation of additional types of assets including installed software, patches, local users and discovered executables. When KICS for Nodes is installed on a host (both in Windows and Linux), it automatically transmits this information to KICS for Networks with periodic updates. This provides automatic change management and alerts when deviations are detected. The aggregated lists of software and users greatly simplify the incident investigation process, allowing security professionals to easily identify all hosts with suspicious executables or find specific user actions in registered events.
3. Scheduled active polling and automated network topology visualization
KICS provides a topology map that displays real-time information about asset connections and manages security state changes for devices without installed agents, such as computers and switches. Active polling tasks now support scheduling, to automate the creation of this map and keep connection data, asset attributes and security settings up to date. Each scheduled run is supplemented with a detailed report, including query results and any identified issues.
4. Increased capabilities to detect anomalies in digital substations
KICS for Networks now supports the import of SCD (substation configuration description) files[2] to analyze configurations, the extraction of asset attributes, and the review of IEC 61850 settings. It also provides a report of identified errors and misconfigurations. By monitoring substation networks based on reference configurations it enables the detection of unauthorized network connections, anomalous activity, and failures or errors in IEC 61850 communications. This indicates improper operation or equipment misconfigurations.
5. SD-WAN sensor for monitoring OT networks traffic at geographically distributed sites
The updated KICS provides a new architecture for geographically distributed infrastructures, enabling support for up to 100 monitoring points on a single KICS for Networks node. When KICS for Networks sensors cannot be placed at remote sites due to the equipment size or connectivity limits, traffic from remote sites can be transferred directly to a KICS for Networks node located at a central office. SD-WAN technologies provide unlimited options to establish new software-defined wide area networks between company branches allowing industrial traffic copies to be delivered from the source switch to the monitoring node.
6. Updated Portable Scanner with improved audit, inventory and inspection capabilities
The KICS Portable Scanner expands host inspection capabilities with new scanning technologies such as host inventory, vulnerability, compliance and security settings inspection scans, and traffic capturing, which can also be configured to a classic anti-virus scan on the USB drive writing stage. The portable Scanner now also supports anti-malware scanning of Windows 2000 SP4 hosts.
Kaspersky MDR for ICS to perform cybersecurity functions in case of limited in-house security operations
Another update concerns Kaspersky Managed Detection and Response, a service that supports industrial companies experiencing staff shortages or skill gaps. Enterprises can now outsource the key cybersecurity functions such as threat monitoring, detection, threat hunting, and incident analysis to Kaspersky experts. This provides organizations with access to necessary expertise and reliable cybersecurity solutions. The service also allows the organizations to effectively counter the growing volume and complexity of cyberattacks on critical infrastructure, and effectively allows them to optimize their internal resources, when these resources are limited.
“We are always aiming to help customers build more reliable and converged protection of their IT and OT assets. With the new KICS release, we introduced new features that can help to strengthen critical infrastructure, drastically improve visibility and control over assets in industrial networks, improve user experience, situational awareness and deployment flexibility for geographically distributed OT networks. Moreover, we streamlined our MDR service, enabling businesses to engage with experts from our internal SOC to analyze incidents, prevent attacks, and receive relevant recommendations,” comments Andrey Strelkov, Head of the Industrial Cybersecurity Product Line at Kaspersky.
[1] XDR Platform = Extended Detection and Response Platform
[2] SCD files are created on the substation design phase and describe complete substation configuration – IEDs, computers, network communication settings, process control values and more.