Upload
sresearcher7
View
214
Download
0
Embed Size (px)
Citation preview
7/25/2019 nps59-122911-03.pdf
http://slidepdf.com/reader/full/nps59-122911-03pdf 1/2
http://www.us-cert.gov/control_systems/satool.html
Cyber Security Evaluation Tool
(CSET)Performing a Self-Assessmen
The Cyber Security Evaluation Tool (CSET) providesusers with a systematic and repeatable approach forassessing the cybersecurity posture of their industrialcontrol system networks. This tool also includes bothhigh-level and detailed questions applicable to allindustrial control systems (ICS). CSET wasdeveloped under the direction of the Department ofHomeland Security (DHS) Control Systems SecurityProgram (CSSP).
What is it?
The CSET is a stand-alone desktop software tool thatenables users to assess their network and ICSsecurity practices against recognized industry and
government standards, guidelines, and practices. Thecompleted CSET assessment provides a prioritizedlist of recommendations for increasing thecybersecurity posture of an organization’s ICS orenterprise network and identifies what is needed toachieve the desired level of security within the specificstandard(s) selected.
The Assessment Process
Four basic steps are available to complete anassessment using CSET. The process is shown in theCSET Process Flow figure.
STEP 1-Select Standards: Users are given theoption to select one, several, or all the followingindustry and government-recognized cybersecuritystandards.
Security Standards
DHS Catalog of Control Systems Security:Recommendations for Standards Developers,Revisions 6 and 7
NIST SP800-82
NIST SP800-53, revision 3
NRC Regulatory Guide 5.71
CFATS Risk Based Performance Standard (RBPS) 8
NERC CIP-002-009 revisions 2 and 3
ISO/IEC 15408 revision 3.1
DoDI 8500.2
Consensus Audit Guidelines 2.3.
After the user selects the applicable standard(s),CSET generates questions that are specific for thoserequirements.
CSET Process Flow
Answer
QuestionsReports
Create
Diagram
Component
Questions
Determine
Security
Level
Weighted
Answers
SelectStandards
StandardQuestions
Downloadable via the Internet at:
http://us-cert.gov/control_systems/csetdownload.html
7/25/2019 nps59-122911-03.pdf
http://slidepdf.com/reader/full/nps59-122911-03pdf 2/2
http://www.us-cert.gov/control_systems/satool.html
Cyber Security Evaluation Tool
(CSET)Performing a Self-Assessmen
STEP 2-Determine Assurance Level: The basis fora Security Assurance Level (SAL) is the user’sanswers to a series of questions relating to thepotential worst-case consequences of a successfulcyber attack. CSET calculates a SALrecommendation for the ICS organization, facility,system, or subsystem assessment. CSET thenprovides the level of cybersecurity rigor necessary toprotect against a worst-case event. For NationalInstitute of Standards and Technology (NIST)-basedstandards and guidance, CSET also supports theFederal Information Processing Standards (FIPS) 199guidelines for determining the security categorizationof a system. Upon SAL completion, CSET determinesand reports the security gaps using comparativeanalysis between the answers to standards questionsand the SAL.
STEP 3-Create Diagram: CSET contains a graphicaluser interface that allows users to build the controlsystem network topology (including criticality levels)into the CSET software. By creating a networkarchitecture diagram using components deemedcritical to the organization, users are able to definethe organizations cybersecurity boundary andposture. CSET provides icon palettes for the varioussystem and network components, allowing users to
build a network architecture diagram by dragging anddropping components onto the screen. Specificquestions direct the identification of each networkcomponent.
STEP 4-Answer Questions: CSET generatesquestions using the specified network topology andthe selected security standards as its basis. Theassessment team then selects the best answer toeach question using the system’s network configuration and implemented security practices.CSET compares the assessment team answers with
the recommended security standards and generates alist of recognized good practices and/or security gaps.
CSET generates both interactive (on-screen) andprinted reports. The reports provide a summary ofsecurity level gaps or areas that did not meet therecommendations of the selected standards. Theassessment team may then use this information toplan and prioritize mitigation strategies.
Onsite Assessment
CSSP provides “over -the-shoulder” training and
guidance to assist asset owners in using CSET for thefirst time.
In order to assist an organization in planning andorganizing for an assessment using the CSET, thekey staff should become familiar with informationabout the organization’s system(s) and network(s) byreviewing polices and procedures, network topologydiagrams, inventory lists of critical assets andcomponents, risk assessments, IT and ICS networkpolicies/practices, and organizational roles andresponsibilities.
Typical DHS Control Systems SecurityProgram Onsite Assessment
An example agenda for an onsite assessment fromCSSP would include the following activities:
1. ICS Awareness Briefing
2. IT and Enterprise Network Evaluation
3. ICS Evaluation
4. Review/Closeout Briefing.
Obtaining Additional Information
To learn more about the CSET or to request asoftware copy via CD, contact [email protected]. Forgeneral program questions or comments, [email protected] or visit http://www.us-cert.gov/control_systems/ .
About DHS and NCSD
The Department of Homeland Security (DHS) is
responsible for safeguarding our Nation’scritical infrastructure from physical and cyberthreats that can affect our national security,public safety, and economic prosperity. TheNational Cyber Security Division (NCSD) leadsthe DHS efforts to secure cyberspace and ournation’s cyber assets and networks.