Introduction

Cyber Vision and Cisco ISE integrations

A Cyber Vision and Cisco ISE integration is a network security solution that

  • combines full operational technology (OT) visibility with device identity management,

  • enables implementation of software-defined segmentation strategies for industrial networks, and

  • enables you to automatically synchronize asset and endpoint data between Cyber Vision and Cisco ISE.

Integration details and workflow

Integrating Cyber Vision with Cisco ISE allows you to define network segments using industrial asset data collected by Cyber Vision. It also enables you to create dynamic security groups in Cisco ISE. These groups can be enforced across the network using Cisco TrustSec, increasing operational efficiency and security.

Component data from Cyber Vision is mapped to endpoint data in Cisco ISE. While many attributes have equivalents, you may need custom endpoint attributes to record all asset details. If there are changes to asset data in Cyber Vision, the updates are automatically synchronized with Cisco ISE, ensuring information consistency.

Example

If you add or modify component properties in Cyber Vision, the associated endpoint attributes in Cisco ISE update automatically, supporting real-time security enforcement and network segmentation.

Supported releases

Use these software releases to integrate Cyber Vision and Cisco Identity Services Engine (ISE):

  • Cisco Cyber Vision release 5.4.0 and later releases

  • Cisco ISE release 3.2 and later releases

Table 1. License requirements and features

| System | License | Feature |
|---|---|---|
| Cyber Vision | Advantage | pxGrid integration with Cisco ISE |
| Cisco ISE | Advantage | Context in or out using pxGrid, pxGrid Cloud, and pxGrid Direct |

Mapping Cyber Vision properties to Cisco ISE attributes

The tables in this section show how Cyber Vision component properties are transmitted and mapped to Cisco ISE attributes for device integration. This mapping maintains accurate data transfer and enables proper policy and reporting functionality.

  • In Cyber Vision, a property is a piece of data that describes a device or component, such as its IP address or model name.

  • An attribute is a specific data element or field in a database or system used to store or reference information about an object. In Cisco ISE, an attribute is a field that records a property's value for use in policy rules, reporting, or integration.

Standard Cyber Vision properties mapped to Cisco ISE attributes

| Cyber Vision property | Description | Cisco ISE attribute |
|---|---|---|
| ID | Internal Cyber Vision ID | assetId |
| Name | Component name | assetName |
| Ip | Component IP address (maximum of 2 IPv4 addresses) | assetIpAddress |
| Mac | Component MAC address | assetMacAddress |
| Vendor-name | Component manufacturer (IEEE OUI) | assetVendor |
| Model-ref | Manufacturer product ID | assetProductId |
| Serial-number | Manufacturer serial number | assetSerialNumber |
| Tags | Concatenated component category tags | assetDeviceType |
| Fw-version | Component firmware version | assetSwRevision |
| Hw-version | Component hardware version | assetHwRevision |
| Protocols | Concatenated component protocol tags | assetProtocol |

Custom Cyber Vision attributes and their mapping to Cisco ISE custom attributes

If a standard Cisco ISE attribute does not exist for a Cyber Vision property, create a matching custom attribute in Cisco ISE. The table lists the Cyber Vision properties for which you must create custom attributes in Cisco ISE.

| Cyber Vision property | Description | Cisco ISE custom attribute |
|---|---|---|
| Model-name | Manufacturer model name | assetModelName |
| OS-name | Operating system name | assetOsName |
| Project-name | Project name (inside PLC program) | assetProjectName |
| Project-version | Project version (inside PLC program) | assetProjectVersion |
| Group | Component group | assetGroup |
| Group-path | Component group path | assetGroupPath |
| Custom-name | Component custom name | assetCustomName |
| Source | Data source (always CCV) | assetSource |

For instructions on creating custom attributes in Cisco ISE, see Create custom attribute in Cisco ISE.
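
The following Python example is added here and is not Cisco code or part of the original page. It applies the two mapping tables to one component record and reports which custom attributes still have to be created in Cisco ISE before their values have a destination field. The record shape, the list-valued `Ip`, `Tags` and `Protocols` fields, the comma separator, and reading the IP limit as "the first two IPv4 addresses" are assumptions; `SAMPLE` is constructed.

```python
import ipaddress

# Cyber Vision property -> Cisco ISE attribute, copied from the tables above.
STANDARD = {
    "ID": "assetId", "Name": "assetName", "Ip": "assetIpAddress",
    "Mac": "assetMacAddress", "Vendor-name": "assetVendor",
    "Model-ref": "assetProductId", "Serial-number": "assetSerialNumber",
    "Tags": "assetDeviceType", "Fw-version": "assetSwRevision",
    "Hw-version": "assetHwRevision", "Protocols": "assetProtocol",
}
CUSTOM = {  # these must exist as custom attributes in Cisco ISE
    "Model-name": "assetModelName", "OS-name": "assetOsName",
    "Project-name": "assetProjectName", "Project-version": "assetProjectVersion",
    "Group": "assetGroup", "Group-path": "assetGroupPath",
    "Custom-name": "assetCustomName", "Source": "assetSource",
}

def to_ise_attributes(component, defined_custom, sep=","):
    """Return (attributes, missing custom attributes, unmapped properties)."""
    attrs, missing, unmapped = {}, set(), []
    for prop, value in component.items():
        if value in (None, "", []):
            continue  # nothing to send for an empty property
        if prop in STANDARD:
            target = STANDARD[prop]
        elif prop in CUSTOM:
            target = CUSTOM[prop]
            if target not in defined_custom:
                missing.add(target)  # value has no destination field yet
                continue
        else:
            unmapped.append(prop)  # not in either table on this page
            continue
        if prop == "Ip":  # assumed reading: keep the first two IPv4 addresses
            value = [a for a in value if ipaddress.ip_address(a).version == 4][:2]
        if isinstance(value, list):
            value = sep.join(value)  # assumed separator for concatenated tags
        attrs[target] = value
    return attrs, sorted(missing), unmapped

# Constructed sample component (hypothetical record shape, documentation addresses).
SAMPLE = {
    "ID": "c-0001", "Name": "PLC-Line3", "Mac": "00:00:5e:00:53:01",
    "Ip": ["192.0.2.10", "2001:db8::10", "192.0.2.11", "192.0.2.12"],
    "Tags": ["PLC", "Controller"], "Protocols": ["Modbus", "S7"], "Fw-version": "",
    "Group": "Line3", "Group-path": "Plant/Line3", "Source": "CCV", "Site-note": "x",
}
if __name__ == "__main__":
    print(to_ise_attributes(SAMPLE, defined_custom={"assetGroup", "assetSource"}))
```

A non-empty "missing" list marks asset data, such as the component group path, that a segmentation policy condition could not reference until the attribute is created.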