Introduces Cisco Cyber Vision sensors by outlining their deployment on Cisco network devices, methods for analyzing OT traffic using deep packet inspection and Active Discovery, identification and transmission of industrial assets and security events, and details on communication protocols between sensors and Cyber Vision Center.
A Cisco Cyber Vision sensor is an application that:
-
Gathers and analyzes industrial network traffic using deep packet inspection.
-
Transmits identified assets, communication flows, and security events to the Cyber Vision Center for further analysis.
Cyber Vision sensors help you analyze industry-specific OT traffic that traditional IT security tools usually cannot interpret.
How does the Cisco Cyber Vision Sensor work?
-
The sensors use traffic mirroring methods (such as SPAN, RSPAN, or ERSPAN) to receive copies of OT network traffic for analysis.
-
Deep packet inspection (DPI) enables identification of industrial protocols (such as Modbus, S7, EtherNet/IP, and other similar protocols), with configurable templates for targeted protocol recognition.
Cyber Vision sensors only inspect TCP and UDP traffic.
-
Capture modes let you define which types of traffic to analyze to optimize performance.
-
Beyond passive analysis, sensors can perform Active Discovery by probing the network for device details.
-
Processed data is securely sent to Cisco Cyber Vision Center.
Specific ports are used for communication between the deployed sensor and the Cyber Vision Center.
| Port |
Message type |
|---|---|
| TCP 5671 |
AMQP (Advanced Message Queuing Protocol) |
| TCP 10514
|
Secure syslogs |