
Wednesday, September 12, 2018

ISCD Publishes Resource Flyer – 09-11-18


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) published a ‘news item’ on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page about a new flyer on “DHS Chemical Security Preparedness Resources”. You have to search through the ‘Fact Sheets and Flyers’ section of the page to find the link (or you could look on the CFATS Resources page under ‘Fact Sheets’).

The flyer contains links to a number of DHS programs that may be of use to chemical facilities both in and outside of the CFATS program. One interesting inclusion on the list is a link to a US-CERT page to use to request a download of the Cyber Security Evaluation Tool (CSET). I have written favorably about CSET a number of times in this blog (see here for example), but the CSET program information is no longer accessible from the ICS-CERT web site (though the old CSET page is still active). This looks like it is part of the continuing winding down of ICS-CERT in favor of NCCIC-ICS. Unfortunately, this looks like it includes a reduction in support for a valuable assessment tool, CSET.

Thursday, August 4, 2016

ICS-CERT Publishes FY 2015 Assessment Report

Today the DHS ICS-CERT published a report that looks at the results of 112 formal assessments that ICS-CERT conducted of industrial control systems during FY 2015. These assessments were conducted using the ICS-CERT’s Cybersecurity Evaluation Tool (CSET, 38 facilitated assessments), the Design Architecture Review (DAR, 46 assessments), and the Network Architecture Validation and Verification (NAVV, 28 assessments).

The report provides the following snapshot of the assessments conducted in FY 2015 (pg 1):

• ICS-CERT conducted 112 assessments in FY 2015, including 38 facilitated CSET®, 46 DAR, and 28 NAVV assessments.
• There were 638 weaknesses identified through DAR and NAVV assessments.
• The top six categories represented 36 percent of all weaknesses.
• Boundary protection was the most commonly identified area of weakness in both FY 2014 and FY 2015.
• Weaknesses related to boundary protection and least functionality represented 21 percent of all discovered weaknesses.
• Key trends included pervasive issues related to virtual machines, remote access, virtual local area network (VLAN) use, bring your own device (BYOD) risks, use of cloud services, and ICS network monitoring.

While the report draws some interesting conclusions about the most common cybersecurity weaknesses found in these assessments, it is very difficult to determine how these weaknesses apply to the total control system environment in the United States. The small number of facilities assessed, the fact that they were self-selected (the facilities requested ICS-CERT assessments), and the lack of information about facility size, type of control system (DCS, SCADA, etc.), or the extent of support the facilities had from internal or contract cybersecurity personnel in setting up the security of their control systems all make it very difficult to draw wider conclusions about the results of these assessments.

The other problem with this report is that we are not even sure that there were 112 separate facilities included in the assessments. The very real possibility that facilities may have had ICS-CERT conduct combinations of assessments could seriously reduce the actual number of facilities involved in the study.


Having said all of that, I think that control system security personnel (professional or the untrained grunts on the frontline) should probably read this 25-page document. Addressing the most common problems identified in these assessments will not necessarily make the associated industrial control systems secure, but doing so will provide a good starting point for making facilities more secure.

Monday, February 22, 2016

ICS-CERT Announces CSET v7.1

Today the DHS ICS-CERT published an announcement that they have released version 7.1 of their Cyber Security Evaluation Tool (CSET). This marks a change in that in recent years the new version updates have only been announced in the next ICS-CERT Monitor.

According to the release notes the new version of the CSET includes:

• NIST SP800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations was added to CSET;
• NERC CIP compliance risk based priority list;
• Enhanced dashboard;
• Requirements organized according to standard: e.g. NERC CIP, CFATS, etc. (including standards numbering scheme);
• Custom parameter values; and
• Doubled number of network components for network diagrams.

There is no indication whether or not the CSAT standards have been updated with the specific requirements from the Chemical Facility Anti-Terrorism Standards (CFATS) Expedited Approval Program. The EAP process specifies particular security controls instead of the more general Risk Based Performance Standards used for the majority of Site Security Plans.

It does not look like the CSET Fact Sheet was updated for the new version of CSET since the Standards list does not include the new SP800-161 and it includes an old-style (2014) DHS email address for CSET.

The CSET Downloading and Installing web page was, however, updated as you can clearly see where they changed the CSET_x.x.iso to CSET_7.1.iso. It would have helped, though, if they had removed the old instructions for the ‘x.x’ situation.

It does appear that the old options for either downloading the CSET or requesting a disc from ICS-CERT remain in effect. Organizations also still have the option of running the CSET evaluation themselves or requesting an ICS-CERT team to help them with the process.

Wednesday, January 13, 2016

ICS-CERT Publishes Nov-Dec Monitor

This afternoon the DHS ICS-CERT published the latest version of their periodic report on activities undertaken by ICS-CERT. Long-time readers will recall that I have become increasingly dismissive of this publication over the years. Unfortunately, I have to continue that trend.

As usual this issue starts off with a ‘report’ on an actual incident that was investigated by ICS-CERT. The details are even more sketchy than normal, with no positive indication that a control system was actually involved. I understand that ICS-CERT is restricted in what information it can share in a public environment, but all we are told here is that the Assessment team noted indications of malware and the Incident Response team was called in. They confirmed the infection and provided information to allow the clean-up process to begin. Sorry, but we get more useful information from CSI Cyber®.

There is a nice fluff piece on vulnerability coordination in the medical device space. It contains a nice description of the coordination process, but it is a feel-good article that weakly makes the case for vulnerability disclosures. I hope ICS-CERT does a better job at next week’s FDA Conference.

We have the typical year end summary of ICS-CERT incidents where ICS-CERT continues to conflate ICS incidents and IT incidents at facilities with ICS. The section in this issue does make one very cogent point:

“While sophisticated intrusions against asset owners persist, in FY 2015, ICS-CERT responded to a significant number of incidents enabled by insufficiently architected networks, such as ICS networks being directly connected to the Internet or to corporate networks, where spear phishing can enable access. It is uncertain if this was a change in targeting by adversaries, if these systems merely represented targets of opportunity, or if there is some other explanation. Regardless of cause, this reinforces the need for asset owners/operators to focus on security fundamentals such as those outlined in our DHS/FBI/NSA joint publication ‘Seven Steps to Effectively Defend Industrial Control Systems’ and ICS-CERT’s ‘Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.’”

The FY 2015 highlights section of the Monitor does provide some interesting factoids about ICS-CERT and industrial control system security. An important milestone mentioned here is the elevation of the ICS-CERT to a continuous presence on the National Cybersecurity and Communications Integration Center (NCCIC) floor. This does mark an important increase in the perceived level of importance of control system security.

There is another mention in the highlights section that deserves some discussion here. That is the apparent release of version 7.0 of the Cyber Security Evaluation Tool (CSET). Unfortunately, there is no information about the differences between v7.0 and earlier versions and there is no indication on the ICS-CERT web site that the CSET has changed since May of 2014. This is a shame because this has been a valuable tool that can be used either in the stand-alone mode by a facility team or in conjunction with an assistance team from ICS-CERT. I really wish that ICS-CERT would do a better job publicizing the CSET.

In the final analysis, this is a short document that costs nothing but the very short download time. We are going to be hearing about the misleading incident stats for the next 9 months so you might as well read the document.

Tuesday, May 12, 2015

ICS-CERT Publishes Advisory and Monitor

This morning the DHS ICS-CERT published an advisory for OSIsoft PI AF as well as the March-April Monitor.

OSIsoft Advisory

This advisory describes a default permissions vulnerability in the PI AF product. This vulnerability was self-reported. Since this is described as more of an installation issue rather than a software issue, OSIsoft is recommending making adjustments to “PI SQL (AF) Trusted Users” instead of making any changes to the programming.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to execute SQL statements that result in tampering, information disclosure, repudiation, elevation of privilege, and denial of service.

March-April Monitor

This latest version of the Monitor features:

∙ A water sector incident investigation;
∙ A report on assessments conducted by ICS-CERT;
∙ Situational awareness;
∙ ICS-CERT news; and
∙ A variety of standard Monitor reports.

The interesting thing about the water facility incident was that while it initially looked like a malware attack, it wasn’t. The whole incident was an installation error. While there are certainly lessons to be learned about having an installation done properly, I don’t really think that it is necessarily important enough to be mentioned here. On the other hand, that may have been the most interesting incident during this two month period; we can only hope.

The brief report on the cybersecurity assessments done by ICS-CERT indicates that they spent most of their time in the water sector. Of the 21 assessments done during the two month period, fourteen were in water and waste water facilities.

The situational awareness section of the Monitor looks at multi-factor authentication. It is an interesting page-and-a-half read.


The news section has brief articles on the upcoming spring meeting of ICSJWG, ICS-CERT regional training and CSET 6.2. This is the second time (the first was the year in review publication) that ICS-CERT has featured v6.2 of the CSET but the CSET web page still mentions nothing about the latest and greatest version. Maybe it’s not so great after all.

Friday, June 28, 2013

DHS Publishes ICS-CERT Monitor

Yesterday the DHS ICS-CERT published their now quarterly (formerly monthly) Monitor. This issue is important because it describes publicly for the first time the first really documented attacks (unsuccessful) on privately-owned control systems.

Pipeline Control System Attacks

We have been hearing about these pipeline attacks for some time now, but the article in the Monitor provides information about the extent of the attack without providing any sensitive details.

One of the more important pieces of information provided in the article was that the initial report to ICS-CERT of these attacks came from a single owner “about an increase in brute force attempts to access their process control network”. System logs identified 10 IP addresses associated with the attempted access. When those addresses were shared with other operators by ICS-CERT, similar attempted attacks were found in additional facility system logs and more IP addresses were identified. This, again, demonstrates the need for maintaining and checking system logs.
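The point about keeping and checking logs can be made concrete with a short script. What follows is an added example, not code from the Monitor or from ICS-CERT: it parses constructed sshd-style failed-login lines from a process control network gateway, flags any source address that reaches a threshold of failures inside a time window (the “increase in brute force attempts” an owner would notice), and then checks every source against a constructed indicator list, the way the IP addresses shared by ICS-CERT were checked against other operators’ logs. The log format, the threshold and window, the host name and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed sshd/syslog format, not from the Monitor);
# the addresses are RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
Jan 14 02:11:03 pcn-gw sshd[4121]: Failed password for admin from 203.0.113.7 port 51234 ssh2
Jan 14 02:11:05 pcn-gw sshd[4121]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Jan 14 02:11:08 pcn-gw sshd[4121]: Failed password for operator from 203.0.113.7 port 51239 ssh2
Jan 14 02:11:09 pcn-gw sshd[4121]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 14 02:11:12 pcn-gw sshd[4121]: Failed password for admin from 203.0.113.7 port 51244 ssh2
Jan 14 02:13:40 pcn-gw sshd[4130]: Accepted password for jsmith from 192.0.2.25 port 40210 ssh2
Jan 14 03:02:17 pcn-gw sshd[4188]: Failed password for admin from 198.51.100.9 port 60002 ssh2
Jan 14 09:45:01 pcn-gw sshd[4402]: Failed password for admin from 198.51.100.9 port 60140 ssh2
"""

# Indicator list as another operator might have received it (constructed values).
SHARED_INDICATORS = {"198.51.100.9", "203.0.113.250"}

# One failed-login line: syslog timestamp, host, sshd pid, user, source IP, port.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(text, year=2013):
    """Return a list of (timestamp, ip, user) tuples, one per failed-login line.

    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_brute_force(events, threshold=5, window_seconds=60):
    """Return {ip: total_failures} for every source that produced at least
    `threshold` failures inside any `window_seconds` span (sliding window)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside the window.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def match_shared_indicators(events, indicators):
    """Return {ip: failures} for sources that appear on a shared indicator list.

    A single hit matters here: a low-rate probe from a shared address would
    never trip the brute-force threshold on its own."""
    hits = defaultdict(int)
    for _, ip, _ in events:
        if ip in indicators:
            hits[ip] += 1
    return dict(hits)


def triage(text, indicators, threshold=5, window_seconds=60):
    """Run both checks over a log text and return the combined findings."""
    events = parse_failed_logins(text)
    return {
        "brute_force": find_brute_force(events, threshold, window_seconds),
        "shared_indicator_hits": match_shared_indicators(events, indicators),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, SHARED_INDICATORS)
    for ip, n in result["brute_force"].items():
        print(f"brute force: {ip} ({n} failures)")
    for ip, n in result["shared_indicator_hits"].items():
        print(f"shared indicator seen: {ip} ({n} failures)")
```

On the sample data the first check catches the noisy source (five failures in nine seconds) and the second catches the quiet one, which only two failures hours apart would never reveal on its own; that second case is exactly why the shared address list found more attempts once other operators looked at their own logs.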

The article also mentions, for the first time that I have seen, the existence of the ‘Control Systems Center’ on the US-CERT Secure Portal and notes that:

“ICS-CERT periodically releases alerts, advisories, and indicator bulletins via the Control Systems Compartment of the US-CERT Secure Portal that provides critical infrastructure constituents with information intended to be useful for network defense.”

We have seen some of these documents make their way to the ICS-CERT web page, but only after they have been available for a couple of weeks on the Portal. It seems to me that owners and operators of control systems owe it to themselves to ensure that they at least have representatives who can routinely access and monitor this site for valuable information.

Outside Contributors

This issue marks the first time that the Monitor has included articles from outside contributors. Kyle Wilhoit from Trend Micro wrote “Your SCADA Devices Are Being Attacked” and Reid Wightman from IOActive wrote “Why Sanitize Excessed Equipment”. Both short pieces provide valuable information. Inclusion of these outside contributors can only make the Monitor more helpful and maybe bring it back to a mostly monthly publication.

Other Offerings

There is a summary type article about the recent Verizon 2013 data breach report. For those that don’t have time to read the gritty details of that report, this is a good summary. ICS-CERT notes that they were one of the 19 global reporters of incident data that helped Verizon with that report.

There is a belated report on the introduction of CSET 5.0. There is still some good information, particularly about the changes that will probably be included in the next version. The article notes that customer feedback is one of the sources for new ideas that ICS-CERT is trying to target in future versions. If you have ideas or comments, contact the ICS-CERT folks at cset@hq.dhs.gov.


All of the standard features we have come to expect in the Monitor are still here. The list of security researchers that are currently working with ICS-CERT continues to grow. All of these people should be encouraged to continue to publicly disclose (preferably through a coordinated disclosure, IMHO) ICS vulnerabilities that they discover. As a community we need to develop some way to reward them for their efforts so that they don’t have to sell their research to the highest bidder, who will probably keep the vulnerabilities quiet.

Friday, March 8, 2013

ICS-CERT Publishes 2012 Review


Yesterday ICS-CERT published a full-color glossy (it is an electronic document so ‘glossy’ refers to ‘slick’ in the advertising sense) pamphlet reviewing their operations in 2012. While this has the feel of a PR exercise more than anything else, there are some interesting tidbits of information to be winnowed from the document.

Spear Phishing Campaigns

We have heard about the spear phishing campaign directed against the pipeline/energy companies. That is, of course, mentioned here, but there is also a brief note about a similar campaign targeted against chemical companies (pg 6):

“The chemical sector was also the victim of targeted spear-phishing attacks in 2012. AAL [Advanced Analytical Laboratory] worked directly with companies affected by this campaign, providing onsite support, analyzing drive images and malware samples and disseminating indicators back to the community. AAL provided onsite support to one of the affected companies.”

That’s it folks. Nothing about what kinds of chemical companies or how many companies were targeted. Oh well, maybe we will see more in the January 2013 Monthly Monitor, or is it now a Quarterly Monitor?

Antivirus Engines

There is an interesting note about antivirus engines (pg 6):

“AAL also developed a tool to scan whole drives for malware using multiple antivirus engines. This tool greatly reduced the time needed to scan multiple drive images with commercial antivirus products.”

Unfortunately, that tool will never leave their lab; the AV companies would scream bloody murder (justifiably so). But it does bring an interesting thought to mind; if ICS-CERT finds new malware in one of their investigations, do they provide signatures to the AV companies? If so, which ones? My favorite answers would be ‘YES’ and ‘whichever ones are actively cooperating with ICS-CERT’.

Training

There are two interesting facts from their section on training. First (pg 9):

“Provided 12 Advanced Training sessions, which are week-long events that provide intensive hands-on training and a 12-hour, red team/blue team exercise that simulates a corporate espionage scenario [emphasis added].”

While this is the apparent threat-of-the-day (and there is a certain justification for that), it is hardly a control system threat. Okay, maybe they are trying to get control system access information, but I haven’t seen anything to date about actual control system penetrations. Admittedly, ICS-CERT and the affected community might not be willing to tell us about such penetration, but preventing cyber-espionage training should be a US-CERT or FBI focus, not ICS-CERT.

The second factoid is certainly control system focused (pg 9):

“Developed a Control Systems Forensics for Law Enforcement course. This course helps law enforcement agents to understand the differences in performing forensics on ICSs versus normal corporate enterprise network forensics.”

This is a great idea. I would hope that this is being pushed at all major metropolitan police departments that have cyber-crime units, particularly those with large concentrations of critical infrastructure facilities. It would also be nice if they had a slightly more basic ICS forensics course for those companies that would be large enough to have the staff necessary to do forensics stabilization and data collection.

ICS Evaluations

There are two pages that deal with ICS system evaluations that can be conducted by ICS-CERT. On the first of the two pages (pg 10) it states that:

“Asset owners can now request Cybersecurity Evaluation Tool (CSET®) evaluations and/or Architecture Reviews, which is a more in-depth comprehensive evaluation of specific control systems networks, architectures, and components.”

Now I hadn’t heard of Architecture Reviews before, so I did a quick search of the ICS-CERT web page and found an interesting pamphlet that provides a little more information. It looks interesting and interested organizations should contact cset@dhs.gov. It would have been nice if the evaluation pamphlet had been mentioned/linked in this review.

The second page about system reviews provides some more detailed information about the Control System Evaluation Tool. Even though CSET 5.0 was introduced this year there is a brief description of the changes made in this 2012 Review. I wrote about the CSET 5.0 introduction, but didn’t have much information about what actual changes had been made. This Review notes (pg 11):

“ICS-CERT released CSET® 5.0, in January 2013, this version represents the most significant upgrade in the underlying technical architecture of the tool. This upgrade involves conversion to the Microsoft.NET framework environment as well as utilization of component pieces from Syncfusion [http://www.syncfusion.com/]. In addition, Section 508 of the Americans with Disabilities Act (ADA) was incorporated into the new version to allow those with disabilities a way to interact with and use the CSET®.”

Incident Modeling

It looks like ICS-CERT is actually trying to determine what the potential consequences of a successful cyber-attack (or natural disaster, a more likely affecter) on a control system at a critical infrastructure facility would be. The review describes a modeling tool called the Industrial Control Systems Consequence Effects and Analysis (ICS-CEA) framework (pg 12):

“The Industrial Control Systems Consequence Effects and Analysis (ICS-CEA) framework is a collaboration tool. ICS-CEA provides a critical infrastructure modeling and simulation capability. The tool also provides a means for users to model, analyze, and share information related to potential consequences of naturally occurring or man-made threats on our Nation’s critical infrastructure. The ICS-CEA system provides the NCCIC a capability for daily use of modeling, simulation, analysis, and information sharing related to potential cross-sector ‘consequence’ effects to ICS and their related CIKR sectors.”

Again, I hadn’t heard of this whiz bang idea, so I did a search of the ICS-CERT web site and found an abstract from the Spring ICSJWG Conference (I knew there was a reason that I have wanted to attend at least one of these):

“Situational Awareness (SA) is achieved through access to comprehensive and relevant information pertaining to evolving events. Historically, SA has been achieved through semi-automated or manual processes to aggregate data into actionable information. The purpose of the Industrial Control Systems' Consequence Effects and Analysis (ICS-CEA) application is to provide tools to efficiently access relevant information pertaining to Critical Infrastructure Key Resource (CIKR) assets. This allows the Industrial Control Systems - Cyber Emergency Response Team (ICS-CERT) analysts to understand potential cross-sector impacts associated with environmental impacts and ongoing incidents or known vulnerabilities. ICS-CEA provides the ability to perform exploratory geographic-based analysis and modeling via a web-browser interface. In doing so, analysis, data, and information products are created to meet the unique requirements for SA audiences.”

Again, this is something that I would like to know more about; as would many of the readers here, I’m sure. (Hint, hint)

Statistics

You can’t have a year-end review without statistics and this Year in Review is no different. There are three different pages of statistics:

• ICS-CERT by the Numbers, ‘Calendar Years’, page 14;
• ICS-CERT by the Numbers, ‘Fiscal Years’, page 15; and
• Sector Support by the Numbers, page 16.

I’m not sure why they included calendar year stats and fiscal year stats, but it is interesting that they did because you see two different sets of trends. We’ve seen the FY stats before and they were used to describe the rapid escalation of ‘attacks’ on control systems. The calendar year stats show a completely different picture, a substantial decrease (204 to 138) in ICS Incident[s] Reported between 2011 and 2012. Well, you know what they say about statistics….

Wednesday, February 6, 2013

ICS-CERT Updates CSET


Thanks to a Tweet® from ICS-CERT we know that DHS has updated their Cyber Security Evaluation Tool (CSET) to version 5.0. Because of the recent revision to the ICS-CERT web site and the CSET web page in particular it is not possible to tell what version of CSET is actually available from that site. Even more confusing is the fact that the URL for the CSET factsheet (http://ics-cert.us-cert.gov/pdf/DHS_CyberSecurity_CSSP-CSET-v4.pdf) seems to indicate that it is for version 4.

CSET Fact Sheet

I wrote about the upgrade to version 4.1 just a little over a year ago. The fact sheet has certainly been revised in format, but I don’t really see any new information on the new fact sheet about the CSET. There is some new information provided about the experiences of the Control System Security Program (CSSP) teams assisting facilities in completing the CSET. It notes:

“The CSSP team observed that the most common vulnerabilities identified through CSET self-assessments were a lack of adequate control system inventories and formal documentation; no audit capabilities and accountability for event monitoring; and missing permissions, privileges, and access control restrictions. Other categories of vulnerabilities included improper authentication and credentials management practices, flaws in network architecture designs, configuration (implementation) settings within network components, and traceability on cybersecurity configuration and maintenance.”

Onsite Consultation

There is a link to a new document on the CSET web page; Onsite Consultation and Self-Assessment. As in the past facility management has the option of conducting a self-assessment of their control system (and IT systems) using either the downloadable version of CSET or a CD version (send an email to: CSET@hq.dhs.gov) of the tool or the facility can request an onsite CSSP team visit to assist in the CSET evaluation (certainly my recommended procedure). There is a new assessment that is mentioned on this new document; the Tier 2 Network Architecture Review (with the previously mentioned CSET evaluation being the Tier 1 assessment). It is described this way:

“The Tier 2 assessment, like Tier 1, is conducted onsite by the asset owners with the support of CSSP cybersecurity professionals. However, the Tier 2 consultation provides a more robust evaluation of system interdependencies, vulnerabilities, and mitigation options. This consultation typically requires additional rigor and technical staff and often takes two to three days to complete.”

It is recommended for “most high-security control systems, such as chemical, power and nuclear plants, telecommunications facilities, government facilities, schools, hospitals, and other high-value infrastructure assets”.

Recommendation

As I have mentioned in past posts about the CSET, I have not seen a memorandum of understanding between ISCD and ICS-CERT about any cooperation between those two agencies on cybersecurity requirements under CFATS. Without such an agreement there is no way that the completion of CSET and implementing its suggested security improvements is any guarantee of meeting the RBPS 8 requirements of CFATS.

Having said that, I think that documenting a CSET evaluation, particularly one with an onsite CSSP team involvement, and successfully implementing its recommendations, will go a long way to helping a facility meet the RBPS requirements.

BTW: If anyone at ICS-CERT would like to describe the differences between CSET version 4.1 and 5.0 I would be happy to provide blog space for that description.

Monday, April 2, 2012

ICS-CERT Publishes Another Wonderware Advisory and New CSET

Today the folks at DHS ICS-CERT published another advisory on Invensys Wonderware (the last one was published just last Friday) and made available an updated version of their Cyber Security Evaluation Tool (CSET).

Wonderware Advisory


The Wonderware Advisory is based upon multiple vulnerabilities reported by Terry McCorkle and Billy Rios in a coordinated disclosure. The vulnerabilities involve:

• Cross-Site Scripting;
• SQL Injection; and
• Permissions, Privileges and Access Control.

All three vulnerabilities are remotely exploitable by an attacker with a low skill level even though there is no known exploit code publicly available for these vulnerabilities. A successful attack could result in denial of service or execution of arbitrary code. A social engineering attack ‘may’ be required to exploit these vulnerabilities.

Invensys has produced software updates that can be used to mitigate these vulnerabilities. Interestingly for this advisory there is an actual link to download the update where the previous advisory provided a link to an admin publication describing what to do to mitigate the vulnerabilities. I wonder why the different approaches.

I also wish that ICS-CERT would settle on one standard method of dealing with multiple advisories on the same applications. They have done it by updating an advisory with the additional vulnerabilities (makes a certain amount of sense). In this case they went with separate advisories. I can’t figure out why they would do this two different ways. Government agencies typically like consistency.

Cyber Security Evaluation Tool v 4.1


I wrote about the publication of version 4.0 of this program last August. As best I can tell that information is relatively current. All of the supporting documentation (the Fact Sheet and the Download instructions) for the earlier version are identical to those currently on the CSET web site. You can also still send an email to CSET@dhs.gov to obtain the program on a DVD. Oh, and finally, you can still request ICS-CERT provide on-site assistance in applying the CSET evaluation to your control system.

The only difference that is noted on the ICS-CERT web site is that this latest version of CSET now includes the capability of preparing a network diagram using MS Visio®. The diagram can be drawn in Visio® and uploaded to the application, or drawn in the CSET application and downloaded as a Visio® file. Preparing a detailed network diagram in this manner makes it much easier for CSET to analyze the unique ICS layout for the installation. It also allows the program to formulate specific questions about your system architecture to help make the analysis more complete.

As I noted in the earlier blog post on this tool, the ICS-CERT folks have provided the capability for the tool to analyze the ICS security status for high-risk chemical facilities covered under CFATS. Since ISCD has almost no industrial control system security expertise (and I am almost certainly being generous here), showing that the facility has conducted a security assessment using this CSET should certainly go a long way to convincing the Chemical Security Inspectors that the facility has assessed and addressed their RBPS (Risk-Based Performance Standard) 8 (Cyber Security) requirements.

Until ISCD gets the necessary expertise in-house to do a real ICS cybersecurity assessment (unlikely any time soon) or signs a memorandum of understanding (MOU) with ICS-CERT to have them conduct that portion of the site security plan review, this will probably be the best way to address control system security requirements within CFATS.

Tuesday, December 20, 2011

Two New ICS-CERT Advisories

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two new control system advisories; one for Invensys Wonderware, and the other for 7-Technologies Data Server. Both advisories were previously published in the limited distribution on the US-CERT secure portal.

Invensys


The three buffer overflow vulnerabilities described in this Advisory were reported by Kuang-Chun Hung of the Security Research and Service Institute - Information and Communication Security Technology Center (ICST). They would allow a low skilled attacker to execute a denial of service attack and a more skilled attacker to execute arbitrary code on the system. The US-CERT/NIST vulnerability summary is available for these vulnerabilities (Note: The link does work).

Invensys has developed software updates for the affected Wonderware InBatch systems.

7-Technologies


The second advisory involved another buffer overflow vulnerability that was discovered in the 7-Technologies IGSS Data Server by UCQ from the Cyber Defense Institute, Inc. A moderately skilled attacker could use this vulnerability to execute a DoS attack on the system. A CVE number has been assigned to this vulnerability, but it is not yet live on the US-CERT/NIST site.

7T has developed a patch to address this vulnerability and it is currently available on the IGSS web site (NOTE: This link is to a .ZIP file).

Cyber Security Evaluation Tool


The ICS-CERT web page also contains a link to version 4.0.1 of the Cyber Security Evaluation Tool (CSET™). There is no indication of when exactly that new version became available, nor is there any explanation on the CSET web site of how the new version differs from version 4.0, though one would expect the differences to be relatively minor.

Sunday, August 14, 2011

ICS-CERT Updates Cybersecurity Evaluation Tool


Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an updated version of their Cyber Security Evaluation Tool (CSET, v 4.0). According to the ICS-CERT web site:

“This new release includes new standards such as NERC CIP Revision 3, NRC Regulatory Guide 5.71, a new key requirements set, and Version 7 of the DHS "Catalog of Security Requirements: Recommendations for Standards Developers." The new CSET also includes a fully revised set of reports with complete gap rankings, new diagramming functionality, and a new resource library as well as minor enhancements. This tool supports evaluations of both business and industrial control systems.”

CSET Description


CSET is a downloadable (also available on DVD; request by email to: CSET@dhs.gov) stand-alone desktop software tool that allows a facility to assess its network and ICS security practices. According to the CSET Fact Sheet, CSET compares the facility's answers to a lengthy list of questions “against recognized industry and government standards, guidelines, and practices” and it “provides a prioritized list of recommendations for increasing the cybersecurity posture of an organization’s ICS or enterprise network and identifies what is needed to achieve the desired level of security within the specific standard(s) selected”.

The standards available for evaluation include:

• DHS Catalog of Control Systems Security: Recommendations for Standards Developers, Revisions 6 and 7;

• NIST SP800-82;

• NIST SP800-53, revision 3;

• NRC Regulatory Guide 5.71;

• CFATS Risk Based Performance Standard (RBPS) 8;

• NERC CIP-002-009 revisions 2 and 3;

• ISO/IEC 15408 revision 3.1;

• DoDI 8500.2; and

• Consensus Audit Guidelines 2.3.
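To make that answer-versus-standard comparison concrete, here is a small added example of my own (not CSET code, and not anything published by ICS-CERT) that models the workflow the Fact Sheet describes: a questionnaire whose items map to requirements in one or more standards, a set of facility answers, a prioritized gap list, and a per-standard coverage figure. The standard names are taken from the list above, but the questions, weights and requirement labels such as REQ-A1 are constructed placeholders, not real clause numbers from any of those documents.

```python
"""Toy gap analysis modelled on the CSET approach (constructed example, not CSET code).

The page describes CSET as comparing a facility's questionnaire answers against
selected standards and returning a prioritized recommendation list. This module
reproduces that flow on a constructed question set. Requirement labels (REQ-A1
etc.), weights and question text are invented for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int                # 1 (low) .. 5 (critical): how important the control is
    standards: Dict[str, str]  # standard name -> placeholder requirement label
    recommendation: str

# Constructed questionnaire; standard names come from the page's list, the
# requirement labels are placeholders.
QUESTIONS: List[Question] = [
    Question("Q1", "Is the control network segmented from the business network by a firewall?",
             5, {"NIST SP800-82": "REQ-A1", "CFATS RBPS 8": "REQ-C1"},
             "Place a firewall or DMZ between the ICS and enterprise networks."),
    Question("Q2", "Are vendor default passwords changed on all ICS devices?",
             5, {"NIST SP800-53 rev3": "REQ-B1", "CFATS RBPS 8": "REQ-C2"},
             "Replace vendor default credentials and document the change."),
    Question("Q3", "Is remote access to the ICS limited to authenticated, logged sessions?",
             4, {"NIST SP800-82": "REQ-A2", "CFATS RBPS 8": "REQ-C3"},
             "Route remote access through a controlled gateway that authenticates and logs."),
    Question("Q4", "Are configuration backups of PLCs/HMIs kept and restore-tested?",
             3, {"NIST SP800-82": "REQ-A3"},
             "Schedule and test backups of controller and HMI configurations."),
    Question("Q5", "Is there a written ICS incident response procedure?",
             2, {"NIST SP800-53 rev3": "REQ-B2", "CFATS RBPS 8": "REQ-C4"},
             "Write and exercise an ICS-specific incident response procedure."),
]

# Answer values: "yes" (control in place), "no" (gap), "na" (not applicable).
Answers = Dict[str, str]

@dataclass
class Gap:
    qid: str
    weight: int
    standards: List[str]   # selected standards whose requirement this gap affects
    recommendation: str

def find_gaps(questions: List[Question], answers: Answers,
              selected_standards: List[str]) -> List[Gap]:
    """Return gaps against the selected standards, highest weight first, then by
    how many selected standards the gap touches. An unanswered question is
    treated conservatively as a 'no'."""
    gaps: List[Gap] = []
    for q in questions:
        if answers.get(q.qid, "no").lower() != "no":
            continue
        hit = sorted(s for s in q.standards if s in selected_standards)
        if hit:
            gaps.append(Gap(q.qid, q.weight, hit, q.recommendation))
    gaps.sort(key=lambda g: (-g.weight, -len(g.standards), g.qid))
    return gaps

def coverage_by_standard(questions: List[Question], answers: Answers,
                         selected_standards: List[str]) -> Dict[str, Optional[float]]:
    """Weighted percentage of applicable requirements satisfied, per standard.
    'na' answers are left out of the denominator; a standard with nothing
    applicable gets None rather than a misleading 0 or 100."""
    totals = {s: [0, 0] for s in selected_standards}  # standard -> [earned, possible]
    for q in questions:
        a = answers.get(q.qid, "no").lower()
        if a == "na":
            continue
        for s in q.standards:
            if s in totals:
                totals[s][1] += q.weight
                if a == "yes":
                    totals[s][0] += q.weight
    return {s: (100.0 * e / p if p else None) for s, (e, p) in totals.items()}

# Constructed sample assessment: two standards selected, mixed answers.
SELECTED = ["NIST SP800-82", "CFATS RBPS 8"]
SAMPLE_ANSWERS: Answers = {"Q1": "yes", "Q2": "no", "Q3": "no", "Q4": "na", "Q5": "no"}

if __name__ == "__main__":
    for g in find_gaps(QUESTIONS, SAMPLE_ANSWERS, SELECTED):
        print(f"[weight {g.weight}] {g.qid} affects {', '.join(g.standards)}: {g.recommendation}")
    for std, pct in coverage_by_standard(QUESTIONS, SAMPLE_ANSWERS, SELECTED).items():
        print(f"{std}: {'n/a' if pct is None else f'{pct:.1f}% of weighted requirements met'}")
```

Two design points carry over to any self-assessment of this kind: an unanswered question is scored as a gap rather than silently dropped, and a question that maps to a standard the facility did not select (here NIST SP800-53 for Q2 and Q5) still produces a recommendation when it also maps to a selected one, so the gap list reflects the standards actually chosen.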

CSET and CFATS


Alert readers will notice that the above list of standards (taken directly from the CSET Fact Sheet) includes a listing of CFATS. In a post about an earlier version of CSET I wrote that:

“Will this help facilities with their CFATS cyber security requirements? Since there are no specifically delineated requirements for a cybersecurity system under CFATS, that is a hard question to answer. I think that a tool like this will help facilities identify current security issues and provide suggestions on how to deal with them. Having used this system to identify and correct system shortcomings certainly would provide a good basis for justifying a facility’s program to inspectors.”

It would appear that the newest version of CSET allows a covered facility to evaluate its cybersecurity against the performance standards in RBPS #8. That is a good thing, and it should give facilities a valuable tool for preparing the cyber security portion of their SSP. But it should be clear that while ICS-CERT and ISCD are both parts of DHS, neither speaks for the other.

I have not seen a memorandum of understanding between ICS-CERT and ISCD that would establish CSET as an official evaluation tool for RBPS #8 (and the same applies, even more so, to NERC CIP-002). It might be a good idea for ISCD to consider such a move; it would ease the evaluation burden on their Chemical Facility Security Inspectors and provide a level of cybersecurity expertise that is almost certainly lacking (through no fault of their own) in the inspection teams.

ICS-CERT Assistance


One last point needs to be made about the CSET tool. It was designed to be used by the facility to conduct a self-evaluation. ICS-CERT believes that a facility with enough control system expertise to manage an ICS should be able to conduct the evaluation. But they realize that this may not be the case at all facilities, and ICS-CERT has made provisions for that: “the Control Systems Security Program also offers onsite training and guidance to asset owners in using CSET during onsite assessments. These assessments are conducted at no cost to the asset owners [emphasis included in original]”. This assessment assistance can be requested by email to: CSET@dhs.gov.