Thanks to a Tweet® from ICS-CERT we know that DHS has updated their Cyber Security Evaluation Tool (CSET) to version 5.0. Because of the recent revision to the ICS-CERT web site, and the CSET web page in particular, it is not possible to tell what version of CSET is actually available from that site. Even more confusing is the fact that the URL for the CSET factsheet (http://ics-cert.us-cert.gov/pdf/DHS_CyberSecurity_CSSP-CSET-v4.pdf) seems to indicate that it is for version 4.
CSET Fact Sheet
I wrote about the upgrade to version 4.1 just a little over a year ago. The fact sheet has certainly been revised in format, but I don’t really see any new information on the new fact sheet about the CSET. There is some new information provided about the experiences of the Control System Security Program (CSSP) teams in assisting facilities in completing the CSET. It notes:
“The CSSP team observed that the most common vulnerabilities identified through CSET self-assessments were a lack of adequate control system inventories and formal documentation; no audit capabilities and accountability for event monitoring; and missing permissions, privileges, and access control restrictions. Other categories of vulnerabilities included improper authentication and credentials management practices, flaws in network architecture designs, configuration (implementation) settings within network components, and traceability on cybersecurity configuration and maintenance.”
There is a link to a new document on the CSET web page: Onsite Consultation and Self-Assessment. As in the past, facility management has the option of conducting a self-assessment of their control system (and IT systems) using either the downloadable version of CSET or a CD version of the tool (send an email to: CSET@hq.dhs.gov), or the facility can request an onsite CSSP team visit to assist in the CSET evaluation (certainly my recommended procedure). A new assessment is mentioned in this new document: the Tier 2 Network Architecture Review (with the previously mentioned CSET evaluation being the Tier 1 assessment). It is described this way:
“The Tier 2 assessment, like Tier 1, is conducted onsite by the asset owners with the support of CSSP cybersecurity professionals. However, the Tier 2 consultation provides a more robust evaluation of system interdependencies, vulnerabilities, and mitigation options. This consultation typically requires additional rigor and technical staff and often takes two to three days to complete.”
It is recommended for “most high-security control systems, such as chemical, power and nuclear plants, telecommunications facilities, government facilities, schools, hospitals, and other high-value infrastructure assets”.
As I have mentioned in past posts about the CSET, I have not seen a memorandum of understanding between ISCD and ICS-CERT about any cooperation between those two agencies on cybersecurity requirements under CFATS. Without such an agreement there is no way that completing CSET and implementing its suggested security improvements is any guarantee of meeting the RBPS 8 requirements of CFATS.
Having said that, I think that documenting a CSET evaluation, particularly one with onsite CSSP team involvement, and successfully implementing its recommendations will go a long way toward helping a facility meet the RBPS requirements.
BTW: If anyone at ICS-CERT would like to describe the differences between CSET version 4.1 and 5.0 I would be happy to provide blog space for that description.