Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) web site upgraded the access for their Cyber Security Evaluation Tool (CSET). Readers might remember that I described this program in a blog post last fall. Well, yesterday, ICS-CERT made it possible to download a copy of the tool so that users can conduct the security evaluation of their ICS without the direct assistance of ICS-CERT.
One short warning: this is not a simple one-click download process, like getting a .PDF document. You will be downloading a piece of complex software in the .ISO format, which requires saving to a CD or ‘mounting’ the program to your hard drive. The instructions on the ‘Download’ page should be read carefully.
Unless you have a time-critical need to conduct the CSET, I would probably recommend taking the alternative course and requesting a copy of the CSET DVD from ICS-CERT. This is done by sending a relatively simple email to ICS-CERT (see the CSET web page for detailed instructions).
Facilities should probably only consider either of these two options if they have a high internal (or hired) level of control system expertise. If a facility has any doubts about the potential adequacy of its knowledge base, it should probably avail itself of the free ICS-CERT on-site support for this tool. I think that it would provide a better outside look at the facility's ICS security situation.
In any case, every CFATS-covered facility with an industrial control system should absolutely take advantage of one of these CSET options to review their ICS security program. If I were a chemical facility security inspector (CFSI), the first cyber security question I would ask is to see the results of the CSET evaluation.