7/25/2019 nps59-122911-03.pdf

http://slidepdf.com/reader/full/nps59-122911-03pdf 1/2

 

http://www.us-cert.gov/control_systems/satool.html

Cyber Security Evaluation Tool

(CSET)Performing a Self-Assessmen

The Cyber Security Evaluation Tool (CSET) providesusers with a systematic and repeatable approach forassessing the cybersecurity posture of their industrialcontrol system networks. This tool also includes bothhigh-level and detailed questions applicable to allindustrial control systems (ICS). CSET wasdeveloped under the direction of the Department ofHomeland Security (DHS) Control Systems SecurityProgram (CSSP).

What is it?

The CSET is a stand-alone desktop software tool thatenables users to assess their network and ICSsecurity practices against recognized industry and

government standards, guidelines, and practices. Thecompleted CSET assessment provides a prioritizedlist of recommendations for increasing thecybersecurity posture of an organization’s ICS orenterprise network and identifies what is needed toachieve the desired level of security within the specificstandard(s) selected.

The Assessment Process

Four basic steps are available to complete anassessment using CSET. The process is shown in theCSET Process Flow figure.

STEP 1-Select Standards: Users are given theoption to select one, several, or all the followingindustry and government-recognized cybersecuritystandards.

Security Standards

DHS Catalog of Control Systems Security:Recommendations for Standards Developers,Revisions 6 and 7

NIST SP800-82

NIST SP800-53, revision 3

NRC Regulatory Guide 5.71

CFATS Risk Based Performance Standard (RBPS) 8

NERC CIP-002-009 revisions 2 and 3

ISO/IEC 15408 revision 3.1

DoDI 8500.2

Consensus Audit Guidelines 2.3.

 After the user selects the applicable standard(s),CSET generates questions that are specific for thoserequirements.

CSET Process Flow

Answer

QuestionsReports

Create

Diagram

Component

Questions

Determine

Security

Level

Weighted

Answers

SelectStandards

StandardQuestions

Downloadable via the Internet at:

http://us-cert.gov/control_systems/csetdownload.html

7/25/2019 nps59-122911-03.pdf

http://slidepdf.com/reader/full/nps59-122911-03pdf 2/2

 

http://www.us-cert.gov/control_systems/satool.html

Cyber Security Evaluation Tool

(CSET)Performing a Self-Assessmen

STEP 2-Determine Assurance Level: The basis fora Security Assurance Level (SAL) is the user’sanswers to a series of questions relating to thepotential worst-case consequences of a successfulcyber attack. CSET calculates a SALrecommendation for the ICS organization, facility,system, or subsystem assessment. CSET thenprovides the level of cybersecurity rigor necessary toprotect against a worst-case event. For NationalInstitute of Standards and Technology (NIST)-basedstandards and guidance, CSET also supports theFederal Information Processing Standards (FIPS) 199guidelines for determining the security categorizationof a system. Upon SAL completion, CSET determinesand reports the security gaps using comparativeanalysis between the answers to standards questionsand the SAL.

STEP 3-Create Diagram: CSET contains a graphicaluser interface that allows users to build the controlsystem network topology (including criticality levels)into the CSET software. By creating a networkarchitecture diagram using components deemedcritical to the organization, users are able to definethe organizations cybersecurity boundary andposture. CSET provides icon palettes for the varioussystem and network components, allowing users to

build a network architecture diagram by dragging anddropping components onto the screen. Specificquestions direct the identification of each networkcomponent.

STEP 4-Answer Questions: CSET generatesquestions using the specified network topology andthe selected security standards as its basis. Theassessment team then selects the best answer toeach question using the system’s network configuration and implemented security practices.CSET compares the assessment team answers with

the recommended security standards and generates alist of recognized good practices and/or security gaps.

CSET generates both interactive (on-screen) andprinted reports. The reports provide a summary ofsecurity level gaps or areas that did not meet therecommendations of the selected standards. Theassessment team may then use this information toplan and prioritize mitigation strategies.

Onsite Assessment

CSSP provides “over -the-shoulder” training and

guidance to assist asset owners in using CSET for thefirst time.

In order to assist an organization in planning andorganizing for an assessment using the CSET, thekey staff should become familiar with informationabout the organization’s system(s) and network(s) byreviewing polices and procedures, network topologydiagrams, inventory lists of critical assets andcomponents, risk assessments, IT and ICS networkpolicies/practices, and organizational roles andresponsibilities.

Typical DHS Control Systems SecurityProgram Onsite Assessment

 An example agenda for an onsite assessment fromCSSP would include the following activities: 

1. ICS Awareness Briefing

2. IT and Enterprise Network Evaluation

3. ICS Evaluation

4. Review/Closeout Briefing.

Obtaining Additional Information

To learn more about the CSET or to request asoftware copy via CD, contact cset@dhs.gov. Forgeneral program questions or comments, contactcssp@dhs.gov or visit http://www.us-cert.gov/control_systems/ . 

About DHS and NCSD

The Department of Homeland Security (DHS) is

responsible for safeguarding our Nation’scritical infrastructure from physical and cyberthreats that can affect our national security,public safety, and economic prosperity. TheNational Cyber Security Division (NCSD) leadsthe DHS efforts to secure cyberspace and ournation’s cyber assets and networks.