National Cybersecurity and Communications Integration Center
NCCIC ICS CYBER SECURITY EVALUATION TOOL

Performing a Self-Assessment
The Cyber Security Evaluation Tool (CSET®) provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture. It is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate their industrial control system (ICS) and information technology (IT) network security practices. Users can evaluate their own cybersecurity stance using many recognized government and industry standards and recommendations. The Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) developed the CSET application, and offers it at no cost to end users.

How it Works
CSET helps asset owners assess their information and operational systems cybersecurity practices by asking a series of detailed questions about system components and architectures, as well as operational policies and procedures. These questions are derived from accepted industry cybersecurity standards.

When the questionnaires are completed, CSET provides a dashboard of charts showing areas of strength and weakness, as well as a prioritized list of recommendations for increasing the site’s cybersecurity posture. CSET includes solutions, common practices, compensating actions, and component enhancements or additions. CSET supports the capability to compare multiple assessments, establish a baseline, and determine trends.

The Assessment Process
This assessment process can be used effectively by organizations in all sectors to evaluate ICS or IT networks.

1. Select Standards
Users select one or more government and industry recognized cybersecurity standards. CSET then generates questions that are specific to those requirements. Some sample standards include:
• DHS Catalog of Control Systems Security: Recommendations for Standards Developers;
• NERC Critical Infrastructure Protection (CIP) Standards 002-009;
• NIST Special Publication 800-82, Guide to Industrial Control Systems Security;
• NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems;
• NIST Cybersecurity Framework;
• NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities;
• Committee on National Security Systems Instruction (CNSSI) 1253;
• INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry; and
• NISTIR 7628 Guidelines for Smart Grid Cyber Security.

2. Determine Assurance Level
The security assurance level (SAL) is determined by responses to questions relating to the potential consequences of a successful cyber-attack on an ICS organization, facility, system, or subsystem. It can be selected or calculated and provides a recommended level of cybersecurity rigor necessary to protect against a worst-case event.

3. Create the Diagram
CSET contains a graphical user interface that allows users to diagram network topology and identify the “criticality” of the network components. Users can create a diagram from scratch, import a pre-built template diagram, or import an existing MS Visio® diagram. Users are able to define cybersecurity zones, critical components, and network communication paths. An icon palette featuring system and network components allows users to build and modify diagrams by simply dragging and dropping components into place.

4. Answer the Questions
CSET then generates questions using the network topology, selected security standards, and SAL as its basis. The assessment team can select the best answer to each question using the organization’s actual network configuration and implemented security policies and procedures. Notes can be entered or files attached to individual questions, flagging them for further review or providing clarification. Each question has associated reference information that is provided for clarification. The system also displays the underlying requirements, any supplemental text, and additional resources to help address the problem identified.

5. Review Analysis and Reports
The Analysis dashboard provides interaction with graphs and tables that present the assessment results in both summary and detailed form. Users are easily able to filter content or “drill down” to look at more granular information. It also provides the top areas of concern that are prioritized based on current threat information. Professionally designed reports can be printed to facilitate communication with management and other staff members.

Preparing for an Assessment
To get the most out of a CSET assessment, NCCIC recommends selecting a cross-functional team from many areas of the organization. To adequately prepare for a CSET self-assessment, this team should review policies and procedures, network topology diagrams, inventory lists of critical assets and components, previous risk assessments, IT and ICS network policies and practices, and organizational roles and responsibilities. Staff should also understand their operational data flow.

Getting Started
Get started by downloading CSET at https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET. To learn more about CSET or to request a physical copy of the software, contact [email protected]. For general program questions or comments, contact [email protected] or visit https://ics-cert.us-cert.gov.

About NCCIC
The National Cybersecurity and Communications Integration Center (NCCIC) is a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement.
http://www.dhs.gov/national-cybersecurity-communications-integration-center