Sunday, August 14, 2011

ICS-CERT Updates Cybersecurity Evaluation Tool

On Friday, the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an updated version of its Cyber Security Evaluation Tool (CSET, v 4.0). According to the ICS-CERT web site:

“This new release includes new standards such as NERC CIP Revision 3, NRC Regulatory Guide 5.71, a new key requirements set, and Version 7 of the DHS "Catalog of Security Requirements: Recommendations for Standards Developers." The new CSET also includes a fully revised set of reports with complete gap rankings, new diagramming functionality, and a new resource library as well as minor enhancements. This tool supports evaluations of both business and industrial control systems.”

CSET Description

CSET is a downloadable (also available on DVD; request by email) stand-alone desktop software tool that allows a facility to assess its network and ICS security practices. According to the CSET Fact Sheet, CSET compares the facility's answers to a lengthy list of questions “against recognized industry and government standards, guidelines, and practices” and it “provides a prioritized list of recommendations for increasing the cybersecurity posture of an organization’s ICS or enterprise network and identifies what is needed to achieve the desired level of security within the specific standard(s) selected”.

The standards available for evaluation include:

• DHS Catalog of Control Systems Security: Recommendations for Standards Developers, Revisions 6 and 7;

• NIST SP800-82;

• NIST SP800-53, revision 3;

• NRC Regulatory Guide 5.71;

• CFATS Risk Based Performance Standard (RBPS) 8;

• NERC CIP-002-009 revisions 2 and 3;

• ISO/IEC 15408 revision 3.1;

• DoDI 8500.2; and

• Consensus Audit Guidelines 2.3.


Alert readers will notice that the above list of standards (taken directly from the CSET Fact Sheet) includes a listing of CFATS. In a post about an earlier version of CSET I wrote that:

“Will this help facilities with their CFATS cyber security requirements? Since there are no specifically delineated requirements for a cybersecurity system under CFATS, that is a hard question to answer. I think that a tool like this will help facilities identify current security issues and provide suggestions on how to deal with them. Having used this system to identify and correct system shortcomings certainly would provide a good basis for justifying a facility’s program to inspectors.”

It would appear that the newest version of CSET would allow an evaluation of a covered facility’s cybersecurity against the performance standards in RBPS #8 and that is a good thing and should provide a valuable tool for facilities to use to prepare their cyber security portion of their SSP. But, it should be clear that while ICS-CERT and ISCD are both parts of DHS, they don’t talk for one another.

I have not seen a memorandum of understanding between ICS-CERT and ISCD that would establish the CSET as an official evaluation tool for RBPS #8 (and the same thing would apply even more so to NERC CIP-002). It might be a good idea for ISCD to consider such a move; it would ease the evaluation burden on their Chemical Facility Security Inspectors and provide a level of cybersecurity expertise that is almost certainly lacking (through no fault of their own) in the inspection teams.

ICS-CERT Assistance

One last point needs to be made about the CSET tool. It was designed to be used by the facility to conduct a self-evaluation. ICS-CERT believes that a facility with enough control system expertise to manage an ICS should be able to conduct the evaluation. But they realize that that may not be the case at all facilities, and ICS-CERT has made provisions for that: “the Control Systems Security Program also offers onsite training and guidance to asset owners in using CSET during onsite assessments. These assessments are conducted at no cost to the asset owners [emphasis included in original]”. This assessment assistance can be requested by email.
