Introduction to Cyber Vision

Cisco Cyber Vision Installation

The GUI (graphical user interface) is an integral part of Cisco Cyber Vision center. It provides an easy-to-use, real-time visualization of industrial networks. Access to some features may depend on the license subscribed to and on the user rights assigned. The application is collaborative, meaning that actions performed may have an impact on the users of the platform and be visible to them. Using Cisco Cyber Vision requires the following:

  1. The Center: hardware to configure network interfaces that collect data from the sensors and install Cisco Cyber Vision software.

  2. Network sensors: to capture traffic and visualize data on the GUI.

If not installed yet, please refer to the corresponding quickstart guides.

At least one sensor has to be enrolled so that you can see it in the GUI. To do so, see the Sensors section.

Overview

One of the aims of the GUI (Graphical User Interface) is to provide an easy-to-use, real-time visualization of industrial networks. Access to some features may depend on the license subscribed to and on the user rights assigned. The application is collaborative, which means that actions performed may have an impact on the users of the platform and be visible to them.

Understanding Concepts

Preset

A preset is a set of criteria. Think of a preset as a "magnifying glass" in which you can see details of a big network by choosing the metadata processed by Cisco Cyber Vision that meets your business requirements. We created presets to help you navigate through the data. For example, if you are interested in knowing which PLCs are writing variables, access one Preset (e.g., OT) and select two criteria (e.g., PLC and Write Var). Several types of views are available to give you full visibility on the results and from different perspectives.

Generic presets are available by default. They were created according to the recommendations and categories listed in Cisco Cyber Vision playbooks. The following default presets are available:

  • Basics: To see all data, or filter data to IT or OT components.

  • Asset management: To identify and inventory all assets associated with OT systems, OT process facilities, and IT components.

  • Control Systems Management: To check the state of industrial processes.

  • IT Communication Management: To see flows according to their nature (OT, IT, IT infrastructure, IPV6 communications, and Microsoft flows).

  • Security: To control remote accesses and insecure activities.

  • Network Management: To see network detection issues.

My Preset contains customized presets. You can create presets using criteria to meet your own business logic.


Note


Customized presets are persistent and impact other users.

Filters

To access the filters, follow these steps:

  1. From the main menu choose Explore.

  2. Click the drop-down arrow in the top navigation bar and click All Data under Basics.

  3. Click the drop-down arrow in the third filter of the top navigation bar and click Dashboard.

Create presets using the following filters:

Criteria

Enter keyword(s) in the field to apply the search function. Use Select All, Reject All, or Default to modify the list.

  • Risk score: device individual risk

  • Networks: device IPs

  • Device tags: devices

  • Activity tags: activities

  • Groups: devices

  • Sensors: device “location”

Filters work differently whether they are affecting devices or activities. Their combination limits the scope of data visualized in the different views for a preset. Each category allows you to define a subset of the components, or activities for the Activity filter. If filters are defined by several categories, the resulting dataset is the intersection of the selections for each category. Parameter and filter usage is explained below.

Risk Score

Use the Risk Score to filter devices based on their score or a range of Risk scores. Risk scores can be inclusive or exclusive filters. All devices will be filtered based on this range.

Networks

Define a filter based on two network settings: IP range or VLAN ID. This filter will have an impact on the Activity List. The result will be “all activities with one end belonging to this network.” Activities with at least one device in the corresponding network are selected.

Regarding the Device list, only the devices with at least one IP address in the corresponding network range are selected.

For instance, use exclusion and combination for this result:

Network filter – negative filter

Multiple negative selections are not supported in version 4.0.0.

Filter combination

You can define filters in several categories simultaneously. The preset will be calculated first by filtering the activities with all the activity-based filters. Then, the devices will be filtered with their own filter criteria. The result is the preset dataset. This preset dataset is used to precompute the view that Cyber Vision presents to you. Select a time frame to further filter the preset dataset.

Device tag filters

Device tags are used to select components. Device tag filters are inclusive or exclusive. The combination of several device tags selects all the components with at least one of the selected device tags. If the device tag filter is exclusive, the system will ignore all components with the selected device tags. For example:

Device tag filters

When devices are filtered, the Device view only presents the devices corresponding to the filter. In the other displays, like the activity list or the map, the devices which are communicating with the selected devices are displayed too (all engineering stations or HMIs in our example).

It will give the following results:

Device tag filter, example of Controllers – list of devices

In the associated map, all the components which communicate with the controllers are also displayed. These other components are shadowed so that they can be told apart:

Device tag filter, example of Controllers - map

Activity Tags

Filtering on Activity tags does not have the same behavior as a filter based on Devices. Inclusive activity tag filters work the same way, but exclusive activity tag filters remove an activity only when all of its activity tags are included in the set of excluded tags. For example, if an activity has two tags, both tags need to be excluded to hide the activity.

Activity filter – negative filter 1

In the example above, several activities still show: the ARP tag is present, but so are other activity tags, so there is no exact match. The activity below is hidden.

Activity filter – negative filter 2

To remove broadcast and ARP activities, select both activity tags, as shown below.

Activity filter – negative filter 3

For very specific use cases, combine inclusive and exclusive tags. The above rules, for positive and negative selection, are combined, resulting in the following logic:

  • Activities are selected as soon as at least one tag is in the set of included tags

  • From this selection, activities whose tags are all in the set of included and excluded tags are hidden

Groups

Filter devices by Groups. Each group or sub-group can be added as an inclusive or exclusive filter.

Group filter

In the example above, only the devices belonging to the selected groups will be selected. Activities always involve two end points and are selected if either end point is part of a selected group, and none are part of an excluded group.
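The inclusion and exclusion rules described in the Device tag filters, Activity Tags, Groups and Filter combination sections can be checked against a small model. The Python below is an added example written for this guide, not Cisco Cyber Vision code: the data model (device tags, group names, activity tags), the sample network and the `compute_preset` function are constructed, and treating a device without a group as matching no group filter is an assumption.

```python
"""Toy model of how Cisco Cyber Vision preset filters combine.

Constructed for this example: data model, sample network and function names.
This is not Cyber Vision's code or API.
"""

# --- constructed sample network ---------------------------------------------
DEVICES = {
    "plc1": {"tags": {"Controller", "Siemens"}, "group": "Line1"},
    "hmi1": {"tags": {"HMI"}, "group": "Line1"},
    "eng1": {"tags": {"Engineering Station"}, "group": "IT"},
    "bcast": {"tags": {"Broadcast"}, "group": None},
}
ACTIVITIES = [
    {"id": "a1", "src": "hmi1", "dst": "plc1", "tags": {"S7", "Read Var"}},
    {"id": "a2", "src": "eng1", "dst": "plc1", "tags": {"S7", "Write Var"}},
    {"id": "a3", "src": "plc1", "dst": "bcast", "tags": {"ARP", "Broadcast"}},
    {"id": "a4", "src": "eng1", "dst": "bcast", "tags": {"ARP", "LLDP"}},
    {"id": "a5", "src": "hmi1", "dst": "bcast", "tags": {"ARP"}},
]


def device_tag_match(tags, include, exclude):
    """Device tags: an inclusive filter keeps a component with at least one
    included tag; an exclusive filter drops it as soon as ANY tag is excluded."""
    if tags & exclude:
        return False
    return not include or bool(tags & include)


def activity_tag_match(tags, include, exclude):
    """Activity tags: inclusion works the same way, but exclusion hides an
    activity only when ALL of its tags are in the excluded set."""
    if include and not (tags & include):
        return False
    return not (exclude and tags <= exclude)


def group_match(groups, include, exclude):
    """Groups: selected if one end point is in a selected group and none is in
    an excluded group. A device with no group (None) matches no include filter
    (assumption)."""
    if groups & exclude:
        return False
    return not include or bool(groups & include)


def compute_preset(devices, activities,
                   device_include=frozenset(), device_exclude=frozenset(),
                   activity_include=frozenset(), activity_exclude=frozenset(),
                   group_include=frozenset(), group_exclude=frozenset()):
    """Filter combination: activity-based filters run first, then device-based
    filters. Returns (names shown in the Device list, activity ids shown on the
    map / activity list). Peers of selected devices stay visible on the map, so
    an activity is shown when at least one of its end points is a selected device."""
    selected_activities = [
        a for a in activities
        if activity_tag_match(a["tags"], activity_include, activity_exclude)
        and group_match({devices[a["src"]]["group"], devices[a["dst"]]["group"]},
                        group_include, group_exclude)
    ]
    selected_devices = {
        name for name, d in devices.items()
        if device_tag_match(d["tags"], device_include, device_exclude)
        and group_match({d["group"]}, group_include, group_exclude)
    }
    shown = {a["id"] for a in selected_activities
             if a["src"] in selected_devices or a["dst"] in selected_devices}
    return selected_devices, shown


if __name__ == "__main__":
    # The ARP example from the text: excluding ARP alone hides only a5,
    # the activity whose single tag is ARP; a3 and a4 keep showing.
    print(compute_preset(DEVICES, ACTIVITIES, activity_exclude={"ARP"}))
    # Excluding both ARP and Broadcast also hides a3.
    print(compute_preset(DEVICES, ACTIVITIES, activity_exclude={"ARP", "Broadcast"}))
```

Running the module reproduces the two negative-filter figures above: excluding ARP on its own leaves the activities that also carry Broadcast or LLDP visible, and excluding ARP together with Broadcast removes the broadcast activity as well. Swapping `activity_exclude` for `device_exclude` shows the difference in semantics, since a device is dropped as soon as any of its tags is excluded.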

Sensors

Filter Activities based on the sensor that analyzed the associated packets. As for tags, inclusive and exclusive filters are available. Usually, either option is used but not both. Inclusive: selects data coming from a set of sensors. Exclusive: ignores the data from a set of sensors.

Sensor filter

Keyword

A keyword can be used to filter devices using the “Search” section of the GUI. This keyword will be used to select devices based on their name, properties, IP, MAC and tags.

Keyword = 4c:71:0d

Keyword = siemens

Component

In version 4.0.0, we introduced Device, an aggregation of components. This changed how data is processed and presented. A component is an object of the industrial network. It can be the network interface of a PLC, a PC, a SCADA station, etc., or a broadcast or multicast address. In the GUI, a component is shown as an icon in a box: either the manufacturer icon (if detected), or a more specific icon (a known PLC model), a default cogwheel, a planet for a public IP, etc.

Some examples of icons:

  • Manufacturers' icons: for example the SIEMENS PLC icons for an S7-300 PLC or a Scalance X300 switch.

  • Default cogwheel: the manufacturer has not been detected yet by Cisco Cyber Vision, or the manufacturer has not been assigned a specific icon in Cisco Cyber Vision's icon library.

  • Public IP.

  • Broadcast: broadcast destination component.

  • Multicast.

Components are grouped under a device. On the map, a device's components are shown with a single border in the right side panel and technical sheet. Components that don't belong to any device display as an icon with a double border.

For more information, refer to the Device section.

Components are detected from the MAC address in their properties and, if applicable, the IP address.


Note


MAC addresses identify the physical interfaces inside the network. IP addresses depend on the network configuration.

Cisco Cyber Vision works by detecting network activity (emission or reception) by an object. Cyber Vision uses Deep Packet Inspection (DPI) technology to collate detailed information about a component. Information like IP address, MAC address, manufacturer, first and last activity, tags, OS, model, and firmware version depends on the data retrieved from the network. Data originates from the communications (i.e., flows) exchanged between the components.

Click a component on the map or a list. A side panel with the detailed component information opens.

Device

The term Device is an aggregation of components with similar properties. In Cisco Cyber Vision, a Device is a physical machine of the industrial network such as a switch, an engineering station, a controller, a PC, a server, etc. Devices simplify data presentation, especially on the map. Devices enhance performance because a single device shows in place of multiple components. Devices comply with the logic of management and inventory, focusing on your needs.

A device shows as an icon in a double border, either the manufacturer icon (if detected), or a more specific icon (i.e., a known PLC model). If no icon is available in Cisco Cyber Vision database yet, a default cogwheel displays.

Components can share the same characteristics, such as the same IP address, MAC address, NetBIOS name, etc. In addition, tags and properties which are found in protocols are associated to define the type of device. Aggregation of components into a device and definition of the device type are based on a large set of rules with priorities that can be more or less complex. For example:

Click on a Schneider controller. A right side panel opens showing its components.

Devices can have a red counter badge. This is the number of vulnerabilities detected. For more information, refer to Vulnerabilities.

The list of a Rockwell Controller device's components (technical sheet > Basics > Components):

All of this device's components have activity time, IPs, MACs, and tags in common. The Controller tag, which is a level 2 device tag and has top priority in the aggregation rules that define the device type, was detected on one of the components; it is applied at the device level and defines the device type as Controller. The Rockwell Automation tag is a system tag which, together with other properties, identifies the brand of the device.

For detailed information about which types of devices are detected per Level, see Tags.

Activity

An activity is the representation of the communications exchanged between devices or components. It is recognizable on the map by a line (or an arrow if the source and destination components are known) which links one component to another.

To access the map, choose Explore > Control Systems Management > OT Activities from the main menu. Click a component on the map to view its details.

An activity between two components is actually a simplified view of the flows exchanged. You can have many types of flows going in both directions inside an activity, represented in the map.

When you click on an activity in the map, a right side panel opens, containing:

  • The date of the first and last communication between the two components.

  • Details about the components (name, IP, MAC and, if applicable, the group they are part of, and their criticality).

  • The tags on the flows.

  • The number of flows.

  • The number of packets.

  • The volume of data exchanged.

  • The number of events.

  • A button to access the technical sheet that shows more details about tags and flows.

A device or component shown with no activity does not mean that it had no interaction. In fact, a component can only be detected if it has been involved in a network activity (communication emission/reception). A lack of activity can mean that the other linked component is not part of the selected preset and so doesn't display.

Aggregated activities or conduits

When devices and components are placed inside groups, activities are aggregated to enhance visibility. Aggregated activities are called conduits.

Use the Show network activities button at the lower left side of the map to turn on/off the simplified view of the activities between groups. This feature is turned on by default.

Flow

A flow is a single communication exchanged between two components. A group of flows forms an activity, which is identifiable on the Map by a line that links one component to another.

To access a flow: click a component on the map. The side panel appears. Click the Technical sheet icon > Activity. Or, click the Flows tile from the right side panel.

The Activity tab contains a list of flows which gives you detailed information about each single flow: number of flows in the activity, source and destination components (if known), ports used, first and last activity, and tags which characterize each flow.

The number of flows can be very large (there could be thousands). Consequently, filters are available in the table to sort flows by typing a component or a port, selecting tags, etc.

You can click on each flow in the list to have access to the flow's technical sheet for further information about the flow's properties and tags.

External Communication

An external communication is a communication initiated between a component/device inside a monitored network and an external component/device.

External communications are stored and listed in Cisco Cyber Vision, but the external components/devices and their flows are not, so as not to overload the system. As a result, Cisco Cyber Vision's performance is improved, the GUI is cleared of unnecessary data, and the license device count and risk scores are limited to internal devices and are more accurate.

By default, external communications are identified through the detection of external components' IP addresses that do not fall within private IP address ranges.

IP addresses that fall within private ranges are considered internal by default; they are processed as stored components or devices and are displayed in Cisco Cyber Vision.

However, because sometimes public IP addresses are used in a private network of an industrial site, it is possible to manually define communications by declaring IP ranges as internal or external through the Network Organization administration page. For more information, refer to Cisco Cyber Vision GUI Administration Guide.

It is also possible to declare all or part of a private subnetwork as external, for example to filter out some IT components/devices which are not relevant for Cisco Cyber Vision.
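To make the default rule and the manual overrides concrete, here is an added Python example (not Cisco Cyber Vision code) that classifies flows the way this section describes and builds the kind of external communications list shown in the technical sheet. The assumptions are labelled in the code: "private IP address formats" is read as the RFC 1918 ranges plus IPv6 unique local addresses, a more specific declared range wins over a less specific one, flows whose two ends are both external are dropped, and the sample flows and `external_communications` function are constructed.

```python
"""Internal/external classification of flows with Network Organization overrides.

Added example; not Cyber Vision code. Assumptions are marked as such.
"""
import ipaddress

# Assumption: "private IP address formats" = RFC 1918 ranges + IPv6 unique local.
PRIVATE_FORMATS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample flows (src, dst, dst_port, protocol). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.
FLOWS = [
    {"src": "192.168.10.5", "dst": "203.0.113.20", "dst_port": 443, "protocol": "TCP"},
    {"src": "198.51.100.7", "dst": "192.168.10.5", "dst_port": 502, "protocol": "TCP"},
    {"src": "192.168.10.5", "dst": "192.168.10.1", "dst_port": 161, "protocol": "UDP"},
    {"src": "10.50.1.9", "dst": "192.168.10.5", "dst_port": 22, "protocol": "TCP"},
]


def classify_address(ip, internal_ranges=(), external_ranges=()):
    """Return "internal" or "external" for one IP.

    Declared ranges (the Network Organization page) take precedence over the
    default rule. Assumption: when several declared ranges contain the address,
    the most specific prefix wins, which lets part of a subnet be declared
    external while the rest stays internal.
    """
    addr = ipaddress.ip_address(ip)
    best = None  # (prefix length, label)
    for label, ranges in (("internal", internal_ranges), ("external", external_ranges)):
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, label)
    if best is not None:
        return best[1]
    # Default rule: private formats are internal, everything else is external.
    return "internal" if any(addr in net for net in PRIVATE_FORMATS) else "external"


def external_communications(flows, internal_ranges=(), external_ranges=()):
    """Build the external communications list: one entry per flow that crosses
    the internal/external boundary. Only the internal end point is kept as a
    device; the remote side is recorded as an IP, not stored as a component.
    Purely internal flows are left to normal activity processing. Assumption:
    flows with two external ends are dropped.
    """
    entries = []
    for f in flows:
        src_kind = classify_address(f["src"], internal_ranges, external_ranges)
        dst_kind = classify_address(f["dst"], internal_ranges, external_ranges)
        if src_kind == dst_kind:
            continue
        outbound = src_kind == "internal"  # the internal side initiated the flow
        entries.append({
            "device": f["src"] if outbound else f["dst"],
            "remote": f["dst"] if outbound else f["src"],
            "direction": "outbound" if outbound else "inbound",
            "dst_port": f["dst_port"],
            "protocol": f["protocol"],
        })
    return entries


if __name__ == "__main__":
    # Default rule: 10.50.1.9 is private, so the SSH flow is internal.
    for e in external_communications(FLOWS):
        print(e)
    # Declaring 10.50.0.0/16 external turns that same flow into an inbound
    # external communication towards 192.168.10.5.
    for e in external_communications(FLOWS, external_ranges=["10.50.0.0/16"]):
        print(e)
```

The second run shows the effect of the "declare part of a private subnetwork as external" option: the 10.50.0.0/16 side disappears from the inventory and the SSH session shows up as an inbound external communication on the internal device's technical sheet instead.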

In the GUI, a component with external communications is shown as an icon bordered in orange, or a double orange border for a device.

A device with external communications in the Map:

If you click on this component, its right side panel will appear. The External Communications button with the number of external communications will open the component's technical sheet directly on the external communications list.

The device's right side panel and the External Communications button:

The external communications list in the device's technical sheet:

The list shows details about external communications such as source and destination IPs, destination port, hostname, protocol, whether they are inbound or outbound, etc.

It is possible to export this list using the Export to CSV button.

Time Span

Cisco Cyber Vision is a real-time monitoring solution. The views are continuously updated with network data. You can view the network activity during a defined period of time by selecting a time span. Use time span to filter data, based on the time you select. This feature is available on each preset's view.

To access the timespan settings, follow these steps:

  • From the main menu, choose Explore > All data.

  • Click the drop-down arrow at the top center of the page.

  • Select Device list from the drop-down list.

  • To set a time span, click the pencil icon.

    The TIMESPAN SETTING window appears.

  • To set a Duration, click the drop-down arrow and select duration time (from 10 seconds to 1 day) or a custom period up to the present.

  • To set a Time window, select a start date and (optionally) an end date.


    Note


    If you don't select an end date, the end date is set to now.


    Set a time window to see everything that has happened during the selected period of time, such as historical data or to check the network activity (in case of on-site intrusion or accident).

  • Click Refresh to compute network data.


Note


No data display is often due to a time span set on an empty period. Remember to first set a long period of time (such as 12 months) before troubleshooting.

Recommendations:

Generally, you can set the time period to 1 or 2 days. This setting is convenient to have an overall view of most supervised standard network activities. This includes daily activities such as maintenance checks and backups.

Adjust the time frame for the following:

  • Set a period of a few minutes to have more visibility on what is currently happening on the network.

  • Set a period of a few hours to have a view of the daily activity or set a time to see what has happened during the night, the weekend, etc.

  • Set limits to view what happened during the night/weekend.

  • Set limits to focus on a time frame close to a specific event.

Tags

Definition of Tags

Tags are meaningful labels that succinctly describe a network. They can be applied to components or activities. Each tag has a description and an icon color which correspond to its category.

Tags are metadata on devices and activities. Tags are generated according to the properties of components. There are two types of tags:

  • Device tags describe the functions of the device or component and are correlated to its properties. A device tag is generated at the component level and synthesized at the device level (which is an aggregation of components).

  • Activity tags describe the protocols used and are correlated to the flow's properties. An activity tag is generated at the flow level and synthesized at the activity level (which is a group of flows between two components).

Each tag is classified under categories, located in the filtering area.

The device tags categories (Device - Level 0-1, Device - Level 2, etc.) and some tags (IO Module, Wireless IO Module) in the filtering area:


Note


Device levels are based on the definitions from the ISA-95 international standard.

Tag Use

Use Cisco Cyber Vision tags primarily to explore the network. The criteria set on presets are largely based on tags to filter the different views.

Use tags to define behaviors (i.e., in the Monitor mode) inside an industrial network when combined with information like source and destination ports and flow properties.

Tag Location

Tags are found almost everywhere in Cisco Cyber Vision, from the criteria (which are based on tags to filter network data) to the different views available. Views filter and use tags differently. For example, the dashboard shows the preset's results, giving tags precedence over other correlated data, whereas the device list highlights devices over data like tags. For more information, see the different types of view in Dashboard.

For detailed information about a tag, see the Basic tab inside a technical sheet.

Below is an example of tag definitions.

Properties

Property Definition

Properties are information such as IP and MAC addresses, hardware and firmware versions, serial number, etc. that qualify devices, components and flows. The sensor extracts flow properties from the packets captured. The Center then deduces component properties, and then device properties, from the flow properties. Some properties are normalized for all devices and components, and some are protocol or vendor specific.

Property Use

Properties provide details about devices, components and flows, and are crucial in Cisco Cyber Vision in generating tags. A combination of properties and tags are used to define behaviors (i.e., in the Monitor mode) inside the industrial network.

Property Location

View Properties from devices and components right side panels and technical sheets under the Basics tab.

Below is an example of a technical sheet with normalized properties on the left column, and protocol and vendor specific properties on the right column.


Note


Protocol and vendor-specific properties evolve as more protocols are supported by Cisco Cyber Vision.

Vulnerability

Definition of Vulnerabilities

Vulnerabilities are weaknesses detected on devices that can be exploited by a potential attacker to perform malevolent actions on the network.

Cisco Cyber Vision detects vulnerabilities using the rules stored in the Knowledge database. These rules are sourced from several CERTs (Computer Emergency Response Teams), manufacturers and partner manufacturers (Schneider, Siemens, etc.). Vulnerabilities are generated from the correlation of the Knowledge database rules and normalized device and component properties. A vulnerability is detected when a device or a component matches a Knowledge database rule.


Important


Always update the Knowledge database in Cisco Cyber Vision as soon as possible after notification of a new version. This keeps vulnerability detection on your network up to date. See Knowledge DB to update the Knowledge database.

Vulnerability Use

Below is an example of a Siemens component's vulnerability. See the technical sheet, Security tab.

  1. Information displayed about vulnerabilities includes the following: vulnerability type and reference, possible consequences, and solutions or actions to take on the network. Often, upgrading the device firmware alleviates a vulnerability. Links to the manufacturer website are also available.

  2. A score reports the severity of the vulnerability. The score is calculated upon criteria from the Common Vulnerability Scoring System (CVSS). Criteria examples are: the ease of attack, its impacts, the importance of the component on the network, and whether actions can be taken remotely or not. Scores range from 0 to 10, with 10 being the most critical score.

  3. Acknowledge a vulnerability if you don't want to be notified about it anymore. For example: a PLC is detected as vulnerable but a firewall or a security module is placed in front of it, so the vulnerability is mitigated. Cancel an acknowledgment at any time. Only the Admin, Product, and Operator users can access Vulnerabilities Acknowledgment/Cancellation.

Vulnerability Location

Access Vulnerabilities in any of the following ways: click Explore > All Data > Vulnerabilities, use the Vulnerability dashboard of a preset, or go through the Device list. Use the Sort arrows to view the vulnerability column.

Find vulnerabilities on the map by a device or a component with a red counter badge. Click the badge (4) and the side panel opens with the number of vulnerabilities shown in red.

Click the Vulnerabilities in red (5) and the device or component's technical sheet opens.

Events

An event occurs when a device or component is detected as vulnerable, and you receive a notification. One event is generated per vulnerable component. An event is also generated each time a vulnerability is acknowledged or is no longer present.

Credentials

Credentials are logins and passwords that circulate between components over the network. When the protocol is unsafe, such sensitive data sometimes carries cleartext passwords. If credentials are visible in Cisco Cyber Vision, then they are potentially visible to anyone on the network. Credential visibility triggers awareness and actions to be taken to properly secure the protocols used on a network.

Below is a Details panel of a component showing the number of credentials detected.

Credential frames are extracted from the network by Deep Packet Inspection. Use the technical sheet of a component to access Credentials. Click the Security tab.

  1. The number of credentials found.

  2. The protocol used.

  3. The user name and password. If a password appears in clear text, then action should be taken to secure it whether it is hashed or not.

  4. How to reveal the credentials.

An unsafe password:

A hashed password:

Variable Accesses

Variable Definition

A Variable is a container that holds information on equipment such as a PLC or a data server (i.e., OPC data server) for process control and supervision purposes. There are many different types of variables depending on the PLC or the server used. Access a variable by using a name or a physical address in the equipment memory. Variables can be read or written in any equipment, according to need.

For example, a variable can be the ongoing temperature of an industrial oven. This value is stored in the oven's PLC and can be controlled by another PLC or accessed and supervised by a SCADA system. The same value can be read by another PLC which controls the heating system.

Variable Use

Reading and writing variables inside a network is strictly controlled. Pay close attention if an unplanned change occurs, especially if it is a new, written variable. Such behavior could be an attacker attempting to take control of the process. Cisco Cyber Vision reports the variables' messages detected on the equipment of the industrial network.

Find details on Variable accesses in a component's technical sheet. Use Sort arrows to see a table containing the following:

  • The name of the variable

  • Its type (READ or WRITE) but not the value itself

  • Which component accessed the variable

  • The first and last time the component accessed the variable

The entry "2 different accesses" (1) indicates that two components have read the variable.

Variable Location

View the number of variable accesses per component on the component list view. Sort the var column by ascending or descending number.

For component details, click a component. The right panel opens.

For a detailed list of variable accesses, see the component's technical sheet (see the first figure above) and use the Automation tab or see the PLC reports.

Creating and Customizing Groups

Accessibility: Admin, Product and Operator users

You can organize devices and components into groups to add meaning to your network representation. For example, group components according to the devices' location, process, severity, type, etc. You can also create nested groups inside a parent's group. This adds a group into another group to create several layers and structure the data.

To create a group:

Procedure


Step 1

From the main menu, choose Explore.

Step 2

Click the drop-down arrow in the top navigation bar and select All Data under Basics.

Step 3

Click the drop-down arrow in the third filter of the top navigation bar and select Device list or Map.

Step 4

Select device(s) or components from the Map or the Device list interface.

Tip: To select multiple components in the map, press Shift and click the devices or components, or press Ctrl and draw a selection box. In the Device list view, use the check boxes.

A My Selection right-side panel appears.

Step 5

Click Manage selection.

The drop-down list appears.

Step 6

Click Create a new parent group from the drop-down list.

A CREATE A NEW PARENT GROUP window appears.

Step 7

Enter the Name of the new parent group.

Step 8

Enter Description to customize the group and define its industrial impact.

For example, a PLC that controls a robotic arm is highly critical.

Step 9

Change Color under Customization field.

Step 10

Enter Properties.

Step 11

Add the group to a parent group, if already created.

To create a parent group:

The following are several ways to create a hierarchy among groups:

  • Select two groups and create a group, as indicated above.

  • Select a device or a component and move it into a group. Use the Move selection to existing group button.

  • Select a group and move it to another group. Use Move selection to existing group.

Add group properties

Adding properties to a group can be useful to store specific information. The labels available fit the ISA/IEC 62443 standard, which specifies policies and requirements for system security. You can also add custom properties.

To add properties to a group:

  • Select a group in the map and click Edit or Add properties.

  • Choose/define a label and add a value.

Aggregated activities are conduits

Placing devices and components inside groups aggregates the activities and enhances visibility. Aggregated activities are called conduits.

Use the Show network activities checkbox at the lower left side of the map to turn on/off the simplified view of the activities between groups. This feature is on by default.

Group Lock/Unlock

Locking a group:

  • Prevents adding or removing components from the group.

  • Prevents a group deletion.

To switch the Lock on/off:

Step 12

Click a group. The Group details panel opens.

Step 13

Click the Lock icon on the Group's icon, or click the Edit icon on the Group details panel and toggle the Lock icon on/off.

Groups used as criteria to filter data in Cisco Cyber Vision:

Created groups are added into the filters to help you refine the dataset and compose presets.


Active Discovery

Active Discovery is an optional feature that enriches network data by exploring traffic in an active way. Not all components are found by passive detection, because some devices have not communicated since the solution started running on the network. Some information, like the firmware version, can be difficult to obtain because it is not exchanged often between components.

With Active Discovery enabled, broadcast and/or unicast messages are sent to the targeted subnetworks or devices through sensors, to speed up network discovery. Returned responses are analyzed and tagged as Active Discovery. Components and activities are clarified with additional and more reliable information than may be found through passive DPI. The following table lists the supported protocols.

Broadcast      Unicast
EtherNet/IP    EtherNet/IP
Profinet       SiemensS7
SiemensS7      SNMPv2c
ICMPv6         SNMPv3
               WMI

Active Discovery is available on the following devices:

  • Cisco Catalyst IE3300 10G Rugged Series Switch

  • Cisco Catalyst IE3400 Rugged Series Switch

  • Cisco Catalyst IE9300 Rugged Series Switch

  • Cisco Catalyst 9300 Series Switch

  • Cisco Catalyst 9400 Series Switch

  • Cisco IC3000 Industrial Compute Gateway

  • Cisco IR8340 Integrated Services Router Rugged

Active Discovery jobs can be run once or repeated at fixed time intervals. Because the probes inject traffic into production OT segments, scope the targeted subnets and schedule the jobs with the same care as any other active scan; SNMPv3 and WMI are authenticated protocols, so unicast discovery with them requires credentials to be configured.

For more information and instructions on how to configure Active Discovery in Cisco Cyber Vision, refer to the Active Discovery Configuration Guide.

Risk Score

Risk Score Definition

A risk score is an indicator of a device's security health and criticality. The scale runs from 0 to 100, with a color code indicating the level of risk.

Score            Color     Risk level
From 0 to 39     Green     Low
From 40 to 69    Orange    Medium
From 70 to 100   Red       High

Risk scores apply to the following:

  • Filter criteria

  • Device list

  • Device technical sheet

  • Device risk score widget (Home page)

  • Preset highlight widget (Home page)

Risk Score Use

The risk score helps you identify which devices are the most critical within the overall network. It provides limited and simple information on the cybersecurity of the monitored system. It is a first step in security management: it shows values and proposes solutions to reduce them. The goal is to keep risk scores as low as possible.

Proposed solutions are:

  • Patch a device to reduce the surface of attack

  • Remove vulnerabilities

  • Update firmware

  • Remove unsafe protocols whenever possible (e.g., FTP, TFTP, Telnet)

  • Install a firewall

  • Limit communications with the outside by removing external IPs

Cyber Vision allows you to define the importance of the devices in your system by grouping them and setting an industrial impact. This function increases or decreases the risk score, allowing you to focus on the most critical devices.

All these actions reduce the risk score by acting on one of its two variables, the impact or the likelihood of a risk. For example, removing unsafe protocols or patching vulnerabilities lowers the likelihood, whereas the device type and the industrial impact of its group determine the impact.

Risk score presents an opportunity to update usage and maintenance habits. However, it is NOT intended to replace a security audit.

In addition, risk scores are used in Cisco Cyber Vision to sort out information by ordering and filtering criteria in lists and to create presets.

Risk Score Computation

Risk score is computed as follows:

Risk = Impact × Likelihood

Impact is the device's "criticality", that is, its impact on the network: does the device control a small, non-significant part of the process, or a large, critical part of it? Impact depends on:

  • Device tags: Some device types are more critical than others. Cisco Cyber Vision assigns an industrial impact score to each device type (device tag) or device tag category. For example, a simple IO device that controls a limited portion of the system and a SCADA system that controls the entire factory do not have the same impact if they are compromised.

  • Group impact: You affect the device impact by moving it into a group and setting the group's industrial impact (from very low to very high).

Likelihood is the probability of the device being compromised. It depends on the following:

  • Device activities and their activity tags: Some protocols are less secure than others. For example, Telnet is less secure than SSH.

  • Exposure: Whether the device communicates with an external subnet.

  • Device vulnerabilities, weighted by their CVSS scores.

For detailed information about a risk, see the Details tab inside the technical sheet.
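The following is an added example, not Cisco Cyber Vision's code, and the weights in it are assumptions: Cisco does not publish its per-tag impact values or its likelihood formula. It shows one concrete way to turn the Risk = Impact × Likelihood model above into a 0-100 score with the Green/Orange/Red bands, and it also computes the "achievable" score that the technical sheet reports (patch every vulnerability, drop the insecure activities) and the effect of moving a device into a group with a different industrial impact, as described in the "How to take action" steps further down. Independent compromise paths are combined with a noisy-OR so that the likelihood stays in [0, 1]; the intrinsic floor BASE_LIKELIHOOD is the assumption that makes the score non-zero even for a fully patched device.

```python
"""Toy risk-score model illustrating Risk = Impact x Likelihood on a 0-100 scale.
Added example: NOT Cisco Cyber Vision's actual algorithm or weights."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed weights (illustrative only; Cisco assigns its own per-tag values).
DEVICE_TAG_IMPACT = {"IO device": 0.3, "HMI": 0.6, "PLC": 0.7, "SCADA": 1.0}
GROUP_IMPACT = {"very low": 0.2, "low": 0.4, "medium": 0.6, "high": 0.8, "very high": 1.0}
ACTIVITY_LIKELIHOOD = {"Telnet": 0.6, "FTP": 0.5, "TFTP": 0.5, "Modbus": 0.3, "SSH": 0.1, "HTTPS": 0.1}
INSECURE_ACTIVITIES = {"Telnet", "FTP", "TFTP"}  # removable, per the "Proposed solutions" list
EXTERNAL_EXPOSURE = 0.3   # extra likelihood when the device talks to an external subnet
VULN_WEIGHT = 0.6         # scales the highest CVSS base score (0-10) into a likelihood term
BASE_LIKELIHOOD = 0.15    # intrinsic floor: a networked device is never at zero risk


@dataclass
class Device:
    name: str
    device_tag: str
    group_impact: Optional[str] = None          # None = not in a group
    activities: list = field(default_factory=list)
    talks_to_external: bool = False
    cvss: list = field(default_factory=list)    # CVSS base scores of open vulnerabilities


def impact(d: Device) -> float:
    """Criticality in [0,1]: the device tag, averaged with the group impact if grouped."""
    tag = DEVICE_TAG_IMPACT[d.device_tag]
    if d.group_impact is None:
        return tag
    return (tag + GROUP_IMPACT[d.group_impact]) / 2


def likelihood(d: Device) -> float:
    """Probability-like value in [0,1]: noisy-OR of independent compromise paths."""
    factors = [BASE_LIKELIHOOD]
    if d.activities:  # only the most impactful activity tag counts, as the Details tab shows
        factors.append(max(ACTIVITY_LIKELIHOOD.get(a, 0.2) for a in d.activities))
    if d.talks_to_external:
        factors.append(EXTERNAL_EXPOSURE)
    if d.cvss:
        factors.append(VULN_WEIGHT * max(d.cvss) / 10)
    survive = 1.0
    for p in factors:
        survive *= 1 - p       # probability that no path is exploited
    return 1 - survive


def risk_score(d: Device) -> int:
    return round(100 * impact(d) * likelihood(d))


def risk_level(score: int) -> tuple:
    """Map a 0-100 score to the (color, level) bands used in the GUI."""
    if score < 40:
        return ("Green", "Low")
    if score < 70:
        return ("Orange", "Medium")
    return ("Red", "High")


def achievable_score(d: Device) -> int:
    """Best score after patching every vulnerability and dropping insecure activities.
    External exposure is kept (assumption); the floor comes from impact x BASE_LIKELIHOOD."""
    fixed = Device(d.name, d.device_tag, d.group_impact,
                   [a for a in d.activities if a not in INSECURE_ACTIVITIES],
                   d.talks_to_external, [])
    return risk_score(fixed)


def regroup(d: Device, new_group_impact: str) -> int:
    """Score after moving the device into a group with a different industrial impact."""
    moved = Device(d.name, d.device_tag, new_group_impact,
                   d.activities, d.talks_to_external, d.cvss)
    return risk_score(moved)


# Constructed sample device (not real data): a SCADA server in a "high" impact group,
# still reachable over Telnet, talking to an external subnet, with two open CVEs.
SCADA_SERVER = Device("scada-01", "SCADA", group_impact="high",
                      activities=["Telnet", "SSH", "Modbus"],
                      talks_to_external=True, cvss=[9.8, 5.3])

if __name__ == "__main__":
    current = risk_score(SCADA_SERVER)
    print(f"{SCADA_SERVER.name}: current={current} {risk_level(current)} "
          f"achievable={achievable_score(SCADA_SERVER)} "
          f"regrouped to 'very low'={regroup(SCADA_SERVER, 'very low')}")
```

With these assumed weights the sample server scores 81 (Red/High), drops to 53 once Telnet is removed and both vulnerabilities are patched, and drops to 54 if it is merely moved to a "very low" impact group without any remediation. That last comparison is the practical point of the model: lowering a group's industrial impact makes the number look better without reducing the likelihood of compromise at all, so it should only be used when the group really is less critical.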

How to take action:

  1. From the main menu, choose Explore.

  2. Click the drop-down arrow in the top navigation bar and select All Data under Basics.

  3. Click the drop-down arrow in the third filter of the top navigation bar and select Device List.

  4. In the Risk score column, click the sort arrow to display the highest risk scores.

  5. Click a device name under the Device column.

    The right-side panel appears.

  6. In the Risk score section, click See details.

    The technical sheet appears.

    In the Overview tab, the Current risk score and the Achievable risk are displayed.

    The achievable risk score is the best score you can reach if you patch all vulnerabilities on the device and remove all potential insecure network activities. The score cannot be zero because devices have intrinsic risks coming from their device type and, if applicable, their group industrial impact.

    The Details tab shows further information about the different risks impacting the device, the percentage of the risk they represent within a total risk score, and the solutions to reduce or even eliminate them.

    Device type and Group impact affect the risk impact variable. Activities and Vulnerabilities affect the risk likelihood.

The technical sheet also shows the last time the risk score was computed by Cisco Cyber Vision. Risk score computation runs once an hour. To force an immediate computation, run the following command at the Center shell prompt:

sbs-device-engine

Below is an example of the information retrieved during the last computation.

  • Device type: Each device type corresponds to a device tag detected by Cisco Cyber Vision. No action is required at the device type level because each device tag is assigned a risk score by default.

  • Group impact: Action is possible if the device belongs to a group. Decrease the impact by lowering the industrial impact of the group that the device belongs to.

    For example, if you set the group industrial impact to very low (previously high), the overall risk score decreases from 80 to 54.

    Note

    The new industrial impact is taken into account at the next risk score computation (once an hour), unless you force one with sbs-device-engine.

  • Activities: The most impactful activity tag is displayed. To lower the risk, remove all potentially insecure network activities.

  • Vulnerabilities: Click the See details link for more information about how to patch the vulnerabilities and so reduce the device risk score.

By taking these actions, the risk score should decrease considerably.