Monitor mode
Cisco Cyber Vision provides a monitoring tool called the Monitor mode to detect changes inside industrial networks. Because a network architecture (PLC, switch, SCADA) is constant and its behaviors tend to be stable over time, an established and configured network is predictable. However, some behaviors are unpredictable and can even compromise a network's operation and security. The Monitor mode aims to show the evolution of a network's behaviors, predicted or not, based on presets. Changes, either normal or abnormal, are noted as differences in the Monitor mode when a behavior happens. Using the Monitor mode is particularly convenient for large networks as a preset shows a network fragment and changes are highlighted and managed separately, in the Monitor mode's views.
Baselines as Preset's normal states
A Preset is a set of criteria which aims to show a detailed fragment of a network. To start monitoring a network, you need to pick up a preset, and to define what would be its normal, stable state. This will represent the preset's baseline. A state may rely on a period, as a network fragment may be subject to several states. Hence, it is possible to create several planned, controlled and time-framed baselines per preset, and to monitor the whole network. For example, a normal state of the network can be a typical weekday operating mode, in which numerous processes are performed iteratively. During weekends, these processes may be slowed down, different, or even stopped. Any network phase can be saved as a baseline by selecting the time span in which it occurs, and monitored. Other examples of baselines can be a regular maintenance period, a degraded mode, a weekend and night mode, and so forth. A baseline is created for a situation considered as part of a normal operating process in which all network behaviors (components, activities, properties, tags, variable accesses) will be taken into account for review.
Review and assignment of differences
A difference is a new or changed behavior happening within a fragment of a network. Any difference detected is highlighted in the Monitor mode through several views such as a map, a component list and an activity list. When reviewing these, they can be acknowledged or reported. It depends on whether you consider them as normal or not, and their level of criticality. That is, you can include these changes into your baseline if it is part of a normal network development process, or take action in case of suspicious behavior. By doing so, each baseline will be refined bit by bit over time and become more compliant with your needs.