Cyber Security Evaluation Tool

In yesterday’s blog about the 2010 Water Security Congress I noted that a presenter had mentioned an ICS security assessment program conducted by DHS ICS-CERT. Today I would like to take a brief look at this program offered by the Control Systems Security Program of DHS-CERT.

According to the available fact sheet, the Cyber Security Evaluation Tool (CSET) is a computer-based question-and-answer tool that “provides users with a systematic and repeatable approach for assessing the cyber security posture of their industrial control system networks”. The tool takes the facility-supplied answers to questions about their control systems, facility IT systems and associated procedures and provides “a prioritized list of recommendations for improving the cybersecurity posture of an organization’s ICS or enterprise network”.

DHS provides facilities with two options for completing this voluntary program. Facilities can request a DVD copy of the program and conduct the evaluation on their own, or they can conduct the evaluation with on-site ICS-CERT assistance. Organizations with a stronger computer support staff will probably want to use the DVD option.

The program helps facilities evaluate their cyber security program against a variety of established standards with the facility picking which standard best applies to their operation. Standards include:

• National Institute of Standards and Technology (NIST),
• North American Electric Reliability Corporation (NERC),
• International Organization for Standardization (ISO), and
• U.S. Department of Defense (DoD).

Will this help facilities with their CFATS cyber security requirements? Since there are no specifically delineated requirements for a cyber security system under CFATS, that is a hard question to answer. I think that a tool like this will help facilities identify current security issues and provide suggestions on how to deal with them. Having used this system to identify and correct system shortcomings certainly would provide a good basis for justifying a facility’s program to inspectors.

