Comprehensive Guide to DHS Cyber Security Evaluation Tool

The US Department of Homeland Security (DHS) developed the Cyber Security Evaluation Tool (CSET) in response to a spike in cyber incidents and high-profile attacks targeting private organizations and government agencies.

The tool offers a systematic, repeatable process that guides critical infrastructure asset owners through evaluating and improving their cybersecurity management systems. It is primarily focused on the security of industrial control systems and the information networks that support them.

But what does the evaluation tool entail? How does it work? And what steps can you follow to evaluate your system comprehensively? This detailed guide has the answers to all your questions.

An Overview of the Cyber Security Evaluation Tool

CSET is a stand-alone cybersecurity assessment application that runs on a laptop or desktop computer. It assesses the security of industrial control, automated, or business systems using a standards-based, hybrid risk approach and delivers relevant, prioritized improvement recommendations.

DHS’ CSSP (Control Systems Security Program) developed the tool and made it available to everyone through the US-CERT (United States Computer Emergency Readiness Team) website. With it, asset owners review their control system and information security practices through a series of detailed questions about their architecture, system components, operational procedures, and policies.

After you complete the self-evaluation questionnaire, the tool produces a ranked list of recommendations to improve your cybersecurity posture, including standard practices, solutions, component additions or enhancements, and compensating actions. It also notes the requirements you must meet to reach the expected level of system security for your specified configuration.

The tool’s source code is published on GitHub under the permissive MIT license, and a standalone installer is available for Windows. CSET questions are grouped into basic, intermediate, and advanced tiers, so organizations can cover the basics first and then implement the cybersecurity best practices in the later sections.

The Assessment Process

Every industry sector can benefit from this straightforward process for assessing and improving automated and industrial control systems. For the best results, follow these key steps:

Select Standards

First, CSET invites you to choose one or more of the industry- and government-recognized cybersecurity standards below. The tool then generates questions that align with the requirements of the selected standards.

  • RBPS 8 (Risk-Based Performance Standard 8, Cyber) from the Chemical Facility Anti-Terrorism Standards (CFATS)
  • DoD Instruction 8500.2, Information Assurance Implementation (February 6, 2003)
  • NRC Regulatory Guide 5.71 – Cyber Security Programs for Nuclear Facilities
  • NERC Critical Infrastructure Protection (CIP) Reliability Standards, starting with CIP-002
  • ISO/IEC 15408 revision 3.1 – Common Criteria for Information Technology Security Evaluation
  • NIST Special Publication 800-53 – Security and Privacy Controls for Federal Information Systems
  • DHS Catalog of Control Systems Security: Recommendations for Standards Developers
  • NIST Special Publication 800-82 – Guide to Industrial Control Systems (ICS) Security

Determining the Assurance Level

The SAL (security assurance level) is derived from your answers to questions about the potential consequences of a successful cyber incident on the ICS subsystem, system, facility, or organization. CSET computes the SAL and then recommends the level of cybersecurity rigor needed to protect the organization against the worst-case scenario.

Once the SAL has fixed the required security level, the tool compares the requirements of the selected standards against the responses you submit. For assessments based on NIST standards and guidance, the tool also supports the FIPS (Federal Information Processing Standards) 199 process for determining a system’s security categorization.

Creating A Diagram

The tool’s graphical user interface lets you sketch your control system’s network topology and mark the criticality of each network component. Building the network architecture diagram makes it straightforward to define your company’s cybersecurity zones, communication conduits, and critical components.

Diagrams are built from an icon palette covering a wide range of network and system components, which you drag and drop into place. Component-specific questions then capture a detailed identification of each element.

Answer Questions

After you create the diagram, the tool generates questions based on the selected security standards and the network topology. The assessment team picks the best response to each question based on the company’s implemented security procedures, policies, and network configuration. The tool then compares the responses with the requirements of the selected standards and produces a list of identified security gaps and recommended practices.

The tool also produces printed and interactive on-screen reports. These reports summarize the security level gaps and the areas that failed to meet the selected standards’ requirements. The assessment team uses these insights to prioritize and plan mitigation.
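The steps above (categorize the impact, derive the required rigor, compare answers with the requirements, rank the gaps) are easiest to see in code. The following Python is an added example written for this guide, not CSET’s own code: it implements the FIPS 199 high-water-mark categorization that CSET supports for NIST-based assessments and then runs a simple gap analysis against a constructed, hypothetical requirement catalog. The R-01 to R-06 identifiers, their impact thresholds and weights, and the sample information types and answers are invented for illustration, and the ranking rule (a "no" or unanswered item counts double, a "partial" counts single) is an assumption, not CSET’s actual SAL or scoring algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 impact levels, in increasing order of severity.
IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")
VALID_ANSWERS = {"yes", "partial", "no", "n/a"}


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with its FIPS 199 impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass(frozen=True)
class Requirement:
    """Hypothetical catalog entry (constructed, not a real standard's control).
    min_impact is the lowest overall impact level at which the requirement applies."""
    req_id: str
    text: str
    min_impact: str
    weight: int


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """FIPS 199 system categorization: for each security objective, take the
    high-water mark across every information type the system processes."""
    category = {obj: "low" for obj in OBJECTIVES}
    for it in info_types:
        for obj in OBJECTIVES:
            level = getattr(it, obj)
            if level not in IMPACT_RANK:
                raise ValueError(f"{it.name}: unknown impact level {level!r} for {obj}")
            if IMPACT_RANK[level] > IMPACT_RANK[category[obj]]:
                category[obj] = level
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the highest level among the three objectives."""
    return max(category.values(), key=IMPACT_RANK.__getitem__)


def applicable_requirements(catalog: List[Requirement], impact: str) -> List[Requirement]:
    """Requirements that apply at the given overall impact level (higher impact, more rigor)."""
    return [r for r in catalog if IMPACT_RANK[r.min_impact] <= IMPACT_RANK[impact]]


def gap_analysis(catalog: List[Requirement], impact: str, answers: Dict[str, str]) -> List[dict]:
    """Compare the team's answers with the applicable requirements and rank the gaps.
    Assumed scoring: 'no' or an unanswered requirement counts double weight,
    'partial' counts single weight; 'yes' and 'n/a' are not gaps."""
    gaps = []
    for req in applicable_requirements(catalog, impact):
        answer = answers.get(req.req_id, "no")  # unanswered is treated as a gap
        if answer not in VALID_ANSWERS:
            raise ValueError(f"{req.req_id}: invalid answer {answer!r}")
        if answer in ("yes", "n/a"):
            continue
        priority = req.weight * (2 if answer == "no" else 1)
        gaps.append({"req_id": req.req_id, "answer": answer, "priority": priority, "text": req.text})
    gaps.sort(key=lambda g: (-g["priority"], g["req_id"]))  # highest priority first, stable by id
    return gaps


def run_assessment(info_types, catalog, answers):
    """Full flow: categorize, derive overall impact, then produce the ranked gap list."""
    category = categorize_system(info_types)
    impact = overall_impact(category)
    return category, impact, gap_analysis(catalog, impact, answers)


# Constructed sample input: an ICS handling two information types.
SAMPLE_INFO_TYPES = [
    InfoType("plant historian", "low", "moderate", "moderate"),
    InfoType("process setpoints", "moderate", "high", "high"),
]

# Constructed, hypothetical requirement catalog.
SAMPLE_CATALOG = [
    Requirement("R-01", "Inventory of control system assets is maintained", "low", 3),
    Requirement("R-02", "Remote access to the control network requires multi-factor authentication", "moderate", 5),
    Requirement("R-03", "Control network is segmented from the business network by a firewall", "low", 5),
    Requirement("R-04", "Security patches are tested and applied on a defined schedule", "moderate", 4),
    Requirement("R-05", "Traffic on conduits between zones is authenticated and encrypted", "high", 4),
    Requirement("R-06", "Incident response plan is exercised annually", "moderate", 2),
]

# Constructed answers from an assessment team; R-06 is deliberately left unanswered.
SAMPLE_ANSWERS = {"R-01": "yes", "R-02": "partial", "R-03": "yes", "R-04": "no", "R-05": "no"}

if __name__ == "__main__":
    category, impact, gaps = run_assessment(SAMPLE_INFO_TYPES, SAMPLE_CATALOG, SAMPLE_ANSWERS)
    print(f"Security category: {category} -> overall impact: {impact}")
    for g in gaps:
        print(f"  [{g['priority']:>2}] {g['req_id']} ({g['answer']}): {g['text']}")
```

Two details matter in practice: an unanswered requirement is scored as a gap rather than silently skipped, so an incomplete questionnaire cannot make the system look better than it is, and the requirement set grows with the impact level, which is how the SAL step drives the rigor of the later comparison.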

The New Features in CSET 9.2

The software’s 9.2 release comes with the following upgrades and enhancements:

  • An online diagram editor
  • NCUA’s (National Credit Union Administration) ACET (Automated Cybersecurity Examination Tool)
  • New assessment questions tied to components in the network diagram
  • Improved reporting capabilities
  • IEC (International Electrotechnical Commission) 62443 and ISA (International Society of Automation) standards
  • An advanced capability maturity model for organizations in the financial sector
  • TSA (Transportation Security Administration) pipeline security standards

How Does CSET Benefit Your Organization?

The Department of Homeland Security’s evaluation tool is a significant step by the agency toward helping organizations cope with an increasingly complex threat landscape. Here are the primary ways it can benefit your organization:

  • The tool offers a repeatable, systematic, and comparable approach to infrastructure assessments.
  • The tool includes a searchable resource library of templates, reports, whitepapers, and standards that help you improve your company’s cybersecurity posture.
  • CSET provides a deep-dive analytic capability, centered on the network diagram imported into the tool, for identifying vulnerabilities and weaknesses in your design.
  • It lets you perform multiple assessments, baseline the results, and measure later findings against that baseline.
  • It can dynamically generate a visualization or network diagram of your infrastructure that includes the control system’s devices and components.
  • It includes self-help options and video tutorials to guide you through completing an assessment.
  • It provides enhanced output and reporting options, including a Site Summary report, an Executive Summary report, and the ability to generate a tailored System Security Plan from the assessment results.

Final Thoughts

The Cyber Security Evaluation Tool from Homeland Security is a good example of how governments worldwide are working to assist organizations, especially those considered part of critical infrastructure. Cybercriminals treat critical infrastructure as a key target, so it makes sense for governments to take this approach.

If you are still having difficulty deploying the tool, you need more than “good enough” IT support. Partnering with an experienced IT service provider like Servcom USA could be your route to robust cybersecurity practices and secure systems and data.

Talk to us if you have questions.

Servcom USA

Servcom USA is an IT Support and Computer Services company with offices in Rock Hill and Columbia, South Carolina. We provide services across the Carolinas, from Columbia to Charlotte, and from Spartanburg to Lancaster County. We provide the comprehensive technical support that Piedmont and Midlands businesses need in order to run highly-effective organizations.
