Overview

Monitor mode

Cisco Cyber Vision provides Monitor mode, a monitoring tool that detects changes inside industrial networks. Because a network architecture (PLC, switch, SCADA) is constant and its behaviors tend to be stable over time, an established and configured network is predictable. However, some behaviors are unpredictable and can even compromise a network's operation and security. Monitor mode shows the evolution of the behaviors of a network, predicted or not, based on presets. Behavior changes are noted as differences in Monitor mode. Using Monitor mode is particularly convenient for large networks, as a preset shows a network fragment and changes are highlighted and managed separately in the views of Monitor mode.

Baselines as a preset's normal states

A preset is a set of criteria that shows a detailed fragment of a network. To monitor a network, set a preset and define what its normal, stable state is. This state is the baseline of the preset. A state is tied to a time period, because a network fragment can pass through several states. You can create several planned, controlled and time-framed baselines per preset, and so monitor the whole network. For example, a normal state of the network can be a typical weekday operating mode, in which numerous processes are performed iteratively. During weekends, these processes may be slowed down, different, or even stopped. Save any network phase as a baseline by selecting the time span in which it occurs and is monitored. Other examples of baselines are a regular maintenance period, a degraded mode, and a weekend and night mode. Create a baseline by "framing" a normal operating process in which all network behaviors (components, activities, properties, tags, variable accesses) are considered.

Review and assignment of differences

A difference is defined as a new or changed behavior happening within a fragment of a network. Monitor mode detects and highlights any differences. Monitor mode contains the following three views:

  • Map View

  • Component List View

  • Activity List View

You can report or acknowledge the differences shown in these views, depending on whether you consider them normal and on their level of criticality. Include a change in your baseline if it is part of a normal network development process, or take action in case of suspicious behavior. In this way, each baseline is refined over time and better matches your needs.

Monitor mode's views

Like in Explore mode, Monitor mode offers several views of data so you can see them through different representations. In Monitor mode, new and changed detected elements are highlighted in red.

For more information about the views listed below, refer to the Explore chapter.

  • Map View

  • Component List View

  • Activity List View

Each view contains the following:

  • Panel with a summary of the detected elements in Monitor mode

  • The time period of the baseline

  • The last time this baseline was checked

  • The preset it belongs to and the list of criteria selected

Modify the baseline settings using the Explore button that redirects you to the corresponding preset in Explore mode.

Select one of the elements marked as new in the Activity List View to see the following:

  • Information about the activity, such as the two components it belongs to

  • The date of the first and the last activity

  • Its tags

  • Buttons to perform several actions. See Review differences actions.

Click Show details for more information. The example below shows the activity tags with the category they belong to and their description.

Click Collapse to return to the initial view.

To analyze further, click Investigate with flows.

New and changed differences

When Monitor mode detects a difference, it appears in red. There are two types of differences: new and changed. A component, an activity, a tag, a property, or a variable access can appear (new) or evolve (changed). Below are a few examples of how Monitor mode represents differences.

  • A new component (solid red) and a changed component (dashed red)

  • Changed properties of a component, with the former property crossed out

  • New and changed component and activity tags

  • New and changed variable accesses in the Activity List View

Review each difference to identify a potential threat and refine the baseline. Refer to the section Review differences.
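As an added illustration, not Cyber Vision code or its data model, the Python below sketches how a baseline comparison classifies each element of a preset's fragment as new or changed, and how acknowledging a difference refines the baseline. The component, activity, tag, property and variable-access values are constructed.

```python
from copy import deepcopy
# Constructed sample data (not from Cyber Vision): one preset's network fragment,
# components keyed by name, activities keyed by the two components they connect.
BASELINE = {
    "components": {
        "PLC-1": {"tags": {"Controller"}, "properties": {"ip": "10.0.0.10", "firmware": "2.1"}},
        "HMI-1": {"tags": {"HMI"}, "properties": {"ip": "10.0.0.20"}}},
    "activities": {
        ("HMI-1", "PLC-1"): {"tags": {"Read Var"}, "variable_accesses": {"DB1.DBW0"}}},
}
CURRENT = {
    "components": {
        "PLC-1": {"tags": {"Controller"}, "properties": {"ip": "10.0.0.10", "firmware": "2.2"}},
        "HMI-1": {"tags": {"HMI"}, "properties": {"ip": "10.0.0.20"}},
        "ENG-1": {"tags": {"Engineering Station"}, "properties": {"ip": "10.0.0.99"}}},
    "activities": {
        ("HMI-1", "PLC-1"): {"tags": {"Read Var", "Write Var"}, "variable_accesses": {"DB1.DBW0", "DB1.DBW2"}},
        ("ENG-1", "PLC-1"): {"tags": {"Program Download"}, "variable_accesses": set()}},
}

def element_changes(old, new):
    """Changes in a known element: added tags/variable accesses and properties whose
    value differs, reported as (former, current) like the crossed-out display."""
    changes = {}
    for fld in ("tags", "variable_accesses"):
        added = new.get(fld, set()) - old.get(fld, set())
        if added:
            changes[fld] = sorted(added)
    old_props = old.get("properties", {})
    props = {k: (old_props.get(k), v) for k, v in new.get("properties", {}).items()
             if old_props.get(k) != v}
    if props:
        changes["properties"] = props
    return changes

def diff(baseline, current):
    """Classify each element of the current observation as new or changed."""
    result = {"new": [], "changed": []}
    for kind in ("components", "activities"):
        for key, elem in current[kind].items():
            if key not in baseline[kind]:
                result["new"].append((kind, key))
                continue
            changes = element_changes(baseline[kind][key], elem)
            if changes:
                result["changed"].append((kind, key, changes))
    return result

def acknowledge(baseline, current, kind, key):
    """Accept a difference as normal: copy its current state into a refined baseline."""
    refined = deepcopy(baseline)
    refined[kind][key] = deepcopy(current[kind][key])
    return refined
```

Acknowledging the PLC-1 firmware change leaves only the new elements and the widened HMI-to-PLC activity for review, which is the review-and-refine loop described above.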