Assessment Program Overview
A core component of ICS-CERT’s risk management mission is conducting security assessments in partnership with ICS stakeholders, including critical infrastructure owners and operators, ICS vendors, integrators, Sector-Specific Agencies, other Federal departments and agencies, SLTT governments, and international partners.
ICS-CERT works with these and other partners to assess various aspects of critical infrastructure (cybersecurity controls, control system architectures, and adherence to best practices supporting the resiliency, availability, and integrity of critical systems), and provides options for consideration to mitigate and manage risk.
ICS-CERT’s assessment products improve situational awareness and provide insight, data, and identification of control systems threats and vulnerabilities. ICS-CERT’s core assessment products and services include self-assessments using ICS-CERT’s Cybersecurity Evaluation Tool (CSET®), onsite field assessments, network design architecture reviews, and network traffic analysis and verification. The information gained from assessments also provides stakeholders with the understanding and context necessary to build effective defense-in-depth processes for enhancing cybersecurity.
Download PDF: 2014 Year End Assessment Report
Design Architecture Review
ICS-CERT’s Design Architecture Review (DAR) provides critical infrastructure asset owners and operators with a comprehensive technical review and cyber evaluation of the architecture and components that comprise their industrial control systems (ICS) operations.
This two- to three-day review includes a deep-dive analysis of the operational process, focusing on the underlying ICS network architecture, integration of the Information Technology (IT) and Operational Technology (OT) teams, vendor support, monitoring, cybersecurity controls, and all internal and external connections.
The ICS-CERT assessment team works interactively with your IT and operations personnel to evaluate the current architecture and processes, with a focus on three key areas:
- ICS Network Architecture
- Asset Inventory
- Protective and Detective Controls
Network Architecture Verification and Validation
ICS-CERT’s Network Architecture Verification and Validation (NAVV) is a passive analysis of network traffic occurring within the ICS network.
Using a combination of open-source and commercially available tools, ICS-CERT presents a strategic visualization of the network traffic and device-to-device communications occurring within the ICS network segments.
ICS-CERT’s assessment team works interactively with your IT and Operations personnel to evaluate the captured network traffic, reviewing:
- Protocol hierarchy and organization of network traffic;
- Device-to-device communications, including identification of "top talkers," the devices generating the most traffic;
- Communications traversing (or attempting to traverse) the ICS network boundary—for verification that the perimeter protections are functioning as intended;
- Potentially misconfigured devices—or those exhibiting suspicious or anomalous behavior;
- ICS protocol analysis—including an in-depth review of function codes and control parameters that are observed within the captured traffic.
For more information, download the Control Systems Architecture Analysis Fact Sheet.
Because ICS-CERT's DAR and NAVV services are Congressionally funded, they are available as an onsite facilitated assessment for critical infrastructure asset owners and operators at no cost. Upon completion of the process, ICS-CERT compiles an in-depth report for the asset owner, including a prioritized analysis of key discoveries and practical mitigations for enhancing the organization's cybersecurity posture.
All information shared with ICS-CERT during the analysis and the report outcomes are confidential to the asset owner and protected by DHS as Protected Critical Infrastructure Information (PCII).
To schedule a DAR/NAVV assessment, please contact ICS-CERT at email@example.com, with "Assessment Request" in the Subject line.
Cyber Security Evaluation Tool
The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed by cybersecurity experts under the direction of the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The tool provides users with a systematic and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
CSET® is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The CSET output is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.
CSET® has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as NIST, North American Electric Reliability Corporation (NERC), Transportation Security Administration (TSA), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET opens a set of questions to be answered. The answers to these questions are compared against a selected security assurance level, and a detailed report is generated that shows areas for potential cybersecurity improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.
- Contributes to an organization's risk management and decision-making process.
- Raises awareness and facilitates discussion on cybersecurity within the organization.
- Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address them.
- Identifies areas of strength and best practices being followed in the organization.
- Provides a method to systematically compare and monitor improvement in the cyber systems.
- Provides a common industry-wide tool for assessing cyber systems.
How to Obtain CSET
CSET is available for download at the following link: Download CSET here
CSET is also available on CD. Please attempt to download CSET before requesting a media shipment, unless your email address ends in .gov or .mil. Government and military installations are generally restricted from downloading this type of file and may request a copy be sent rather than attempting the download. To request a copy, please send an email to: firstname.lastname@example.org. Please include "CSET Media Request" in the Subject line and include the following information in the email Body:
- Your name
- Organization name
- Complete street address (no P.O. boxes)
- Telephone number
Schedule a CSET Assessment
ICS-CERT offers onsite training and guidance to asset owners on the use of CSET. These onsite assessments are conducted at no cost to the asset owner. To assist an organization in planning and organizing an assessment using CSET, ICS-CERT recommends the following actions and items:
- Identify the assessment team members and schedule a date.
- Become familiar with information about the organization's system and network by reviewing policies and procedures, network topology diagrams, inventory lists of critical assets and components, risk assessments, IT and ICS network policies/practices, and organizational roles and responsibilities.
- Select a meeting location to accommodate the assessment team during the question and answer portion of the assessment.
- Work with ICS-CERT for onsite or subject matter support.
To request a CSET onsite assessment, please send an email to: email@example.com with "CSET Onsite Request" in the Subject line and the organization's contact information in the email Body.