Thanks to a Tweet® from ICS-CERT we know that DHS has updated its Cyber Security Evaluation Tool (CSET) to version 5.0. Because of the recent revision of the ICS-CERT web site, and of the CSET web page in particular, it is not possible to tell which version of CSET is actually available for download from that site. Even more confusing, the URL for the CSET fact sheet (http://ics-cert.us-cert.gov/pdf/DHS_CyberSecurity_CSSP-CSET-v4.pdf) seems to indicate that it is for version 4.
CSET Fact Sheet
I wrote about the upgrade to version 4.1 just a little over a year ago. The fact sheet has certainly been revised in format, but I don't really see any new information about the CSET itself on the new fact sheet. There is some new information about the experience of the Control System Security Program (CSSP) teams in assisting facilities with completing the CSET. It notes:
“The CSSP team observed that the
most common vulnerabilities identified through CSET self-assessments were a
lack of adequate control system inventories and formal documentation; no audit capabilities
and accountability for event monitoring; and missing permissions, privileges,
and access control restrictions. Other categories of vulnerabilities included
improper authentication and credentials management practices, flaws in network
architecture designs, configuration (implementation) settings within network
components, and traceability on cybersecurity configuration and maintenance.”
Onsite Consultation
There is a link to a new document on the CSET web page: Onsite Consultation and Self-Assessment. As in the past, facility management has the option of conducting a self-assessment of its control systems (and IT systems) using either the downloadable version of CSET or a CD version of the tool (request one by email at CSET@hq.dhs.gov), or the facility can request an onsite CSSP team visit to assist with the CSET evaluation (certainly my recommended procedure). A new assessment is mentioned in this document: the Tier 2 Network Architecture Review (with the previously mentioned CSET evaluation being the Tier 1 assessment). It is described this way:
“The Tier 2 assessment, like Tier
1, is conducted onsite by the asset owners with the support of CSSP cybersecurity professionals. However,
the Tier 2 consultation provides a more robust evaluation of system interdependencies,
vulnerabilities, and mitigation options. This consultation typically requires
additional rigor and technical staff and often takes two to three days to
complete.”
It is recommended for “most high-security control systems,
such as chemical, power and nuclear plants, telecommunications facilities,
government facilities, schools, hospitals, and other high-value infrastructure
assets”.
Recommendation
As I have mentioned in past posts about the CSET, I have not seen a memorandum of understanding between ISCD (the DHS Infrastructure Security Compliance Division, which administers CFATS) and ICS-CERT on any cooperation between those two agencies on cybersecurity requirements under CFATS. Without such an agreement, completing a CSET evaluation and implementing its suggested security improvements is no guarantee of meeting the RBPS 8 (Cyber) requirements of CFATS.
Having said that, I think that documenting a CSET evaluation, particularly one conducted with onsite CSSP team involvement, and successfully implementing its recommendations will go a long way toward helping a facility meet the RBPS requirements.
BTW: If anyone at ICS-CERT would like to describe the differences between CSET version 4.1 and 5.0, I would be happy to provide blog space for that description.