Detecting when new equipment connects to the industrial network is a very basic use case. Good practice: organize components
in an intelligible way, for example, according to the network topology per production chain. A network can be divided into
several areas, such as several production chains with different criticality levels. Place a Cisco Cyber Vision Sensor in each area to capture and monitor its traffic. Create groups that represent a production chain and contain its components to
reflect that topology. Cisco Cyber Vision then detects a new component and its related activities within a specific area, so you can see
whether a component has connected to this production chain. Its related activities are also highlighted in Monitor mode.
Key Differences: New components and their related activities on the network.
Aim: Monitor the production line 2 of the industrial network.
Place a sensor on each production chain. Use the sensor filter to display each production chain. In the industrial network
example below, the network we are monitoring has three production lines, and we have positioned a sensor on each of them. We want to see and monitor
what is happening on production line 2. In Explore mode, access the preset All data. Select the filter SENSOR_Line2 (sensors can be renamed to identify which area of the network they are monitoring)
so only traffic captured on Production Line 2 appears.
Organize the components into groups, per function:
- PLCs in Line 2
- IT
- Broadcast
- Multicast
Result: A filtered and organized view of production chain 2.
Save the filtered and grouped network data selection as a new preset. Name it Line 2.
The preset Line 2 contains components and activities that are interacting in a normal way. Production line 2 is in normal operating state.
Save the normal state of the preset as a baseline. Name it Line 2 - Normal State.
Check Production Line 2. In Explore mode, we now see 10 components instead of 9. The number of activities and events has increased, too. The baseline Line 2 - Normal State reports 3 alerts.
To understand exactly what happened, go to Monitor mode.
The left panel shows 1 new component and 2 new activities have been found.
Click the new component. The right side panel opens with the detailed properties of the component.
The component details show it is a controller with properties similar to those of the other components in the group. After visually confirming,
we discover that a new PLC was connected to the network to enlarge Production Line 2.
Looking at its activities, this new component behaves normally. It was identified because it sent a broadcast packet
(probably ARP) and then connected to the Weintek machine using a legitimate protocol. Actions like Read variable accesses look normal, too.
Since the component and its activities are part of the normal operating process of Production Line 2, you can acknowledge the
baseline differences and include them in the baseline whenever such a change occurs.
Go to Explore mode and add the component into the Line 2 group.
Go to the Events page to see that all previous actions are reported there: the detection of a new component, the activities on the network, and
the addition of the component to the group Line 2.
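The baseline workflow above (save a normal state, compare a later snapshot against it, review the differences, acknowledge them, and regroup the new component) can be modelled in a few dozen lines. The following is an added Python example, not Cisco Cyber Vision code and not its API; it generalizes the single-PLC case in the text to any number of new components and activities. The MAC addresses, IP addresses, protocol names, component kinds and group names in the data are constructed for the example, and the "looks normal" review rule is a deliberately simple stand-in for the analyst's visual check.

```python
from dataclasses import dataclass, replace

BROADCAST = "ff:ff:ff:ff:ff:ff"   # pseudo-component that receives broadcast traffic (constructed)


@dataclass(frozen=True)
class Component:
    mac: str                # identity key for the component
    ip: str
    kind: str               # "controller", "hmi", "broadcast", ...
    group: str = "Ungrouped"


@dataclass(frozen=True)
class Activity:
    src_mac: str
    dst_mac: str
    protocol: str
    action: str = ""        # e.g. "Read variable"


@dataclass(frozen=True)
class Baseline:
    name: str
    component_macs: frozenset
    activities: frozenset


def save_baseline(name, components, activities):
    """Freeze the current components and activities as a named baseline."""
    return Baseline(name, frozenset(components), frozenset(activities))


def compare(baseline, components, activities):
    """Return (new components, new activities) present now but absent from the baseline."""
    new_comps = [components[m] for m in sorted(set(components) - baseline.component_macs)]
    new_acts = sorted(set(activities) - baseline.activities,
                      key=lambda a: (a.src_mac, a.dst_mac, a.protocol, a.action))
    return new_comps, new_acts


def acknowledge(baseline, new_comps, new_acts, events):
    """Fold reviewed differences into the baseline and log the decision."""
    events.append(f"{baseline.name}: acknowledged {len(new_comps)} component(s) "
                  f"and {len(new_acts)} activity(ies)")
    return Baseline(baseline.name,
                    baseline.component_macs | {c.mac for c in new_comps},
                    baseline.activities | set(new_acts))


def assign_group(components, mac, group, events):
    """Move a component into a group (the 'add to the Line 2 group' step) and log it."""
    components[mac] = replace(components[mac], group=group)
    events.append(f"{components[mac].ip} added to group {group}")


def normal_state():
    """Constructed 'normal operating state' of production line 2 (sample data, not captured)."""
    comps = {
        "00:00:5e:00:53:01": Component("00:00:5e:00:53:01", "192.0.2.11", "controller", "PLCs in Line 2"),
        "00:00:5e:00:53:02": Component("00:00:5e:00:53:02", "192.0.2.12", "controller", "PLCs in Line 2"),
        "00:00:5e:00:53:10": Component("00:00:5e:00:53:10", "192.0.2.20", "hmi", "PLCs in Line 2"),
        BROADCAST: Component(BROADCAST, "255.255.255.255", "broadcast", "Broadcast"),
    }
    acts = {
        Activity("00:00:5e:00:53:01", "00:00:5e:00:53:10", "modbus", "Read variable"),
        Activity("00:00:5e:00:53:02", "00:00:5e:00:53:10", "modbus", "Read variable"),
        Activity("00:00:5e:00:53:01", BROADCAST, "arp"),
    }
    return comps, acts


def run_scenario():
    """Replay the workflow from the text: baseline, detect, review, acknowledge, group."""
    events = []
    comps, acts = normal_state()
    line2 = save_baseline("Line 2 - Normal State", comps, acts)

    # A new PLC is plugged in: it sends an ARP broadcast and then reads from the HMI.
    new_mac = "00:00:5e:00:53:03"
    comps[new_mac] = Component(new_mac, "192.0.2.13", "controller")
    acts |= {Activity(new_mac, BROADCAST, "arp"),
             Activity(new_mac, "00:00:5e:00:53:10", "modbus", "Read variable")}

    # Detection: every difference from the baseline is one alert.
    new_comps, new_acts = compare(line2, comps, acts)
    events.append(f"{len(new_comps)} new component(s), {len(new_acts)} new activity(ies) detected")
    alerts = len(new_comps) + len(new_acts)

    # Review (hypothetical rule): same kind as its peers and only protocols already in use.
    peers = {c.kind for c in comps.values() if c.group == "PLCs in Line 2"}
    looks_normal = all(c.kind in peers for c in new_comps) and all(
        a.protocol in {"arp", "modbus"} for a in new_acts)
    if looks_normal:
        line2 = acknowledge(line2, new_comps, new_acts, events)
        for c in new_comps:
            assign_group(comps, c.mac, "PLCs in Line 2", events)

    after = compare(line2, comps, acts)
    return {
        "new_components": len(new_comps),
        "new_activities": len(new_acts),
        "alerts": alerts,
        "alerts_after_ack": len(after[0]) + len(after[1]),
        "group_of_new": comps[new_mac].group,
        "events": events,
    }


if __name__ == "__main__":
    for line in run_scenario()["events"]:
        print(line)
```

Components are keyed by MAC rather than IP so that a new device reusing a known address still shows up as a new component, and the baseline is immutable: acknowledging returns a new baseline rather than mutating the one that raised the alerts, which keeps the event log an honest record of what was compared against what.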