Discover the changes CISA has made to their Cyber Security Evaluation Tool and what it could mean for your business.
What Is a Cybersecurity Evaluation?
A cybersecurity evaluation is the assessment (or audit) of an organization’s IT systems, processes, and procedures to detect and identify potential vulnerabilities and security breach risks.
The goal is to assess the effectiveness of existing security measures, identify weaknesses in the security posture, and strategize ways to mitigate risks and protect against cyber threats.
How Do You Evaluate Cybersecurity?
Your approach to cybersecurity evaluation will depend on the evaluation’s scope and complexity. There is, however, a general hierarchy you can follow:
Step 1: Define evaluation scope and objective
Identify the systems, networks, and applications to evaluate; and consider the specific objectives behind your choices (for example, identifying vulnerabilities, testing security controls, or assessing regulatory compliance).
Step 2: Conduct a risk assessment
To conduct a cyber risk assessment, you first must identify potential threats, vulnerabilities, and risks to your organization’s information assets. You should also assess the likelihood and harm of potential security incidents, such as cyber attacks, data breaches, and system failure.
For example, you may discover that your company’s sensitive customer data is vulnerable to theft through phishing attempts, which could result in reputation damage and financial loss.
Step 3: Review policies and procedures
You must also review security policies and procedures related to access controls, incident response, data protection, and employee training, to assure that those measures are comprehensive, relevant, and effective.
Step 4: Assess network architecture
The next step is to review your company’s network architecture to pinpoint potential vulnerabilities and weaknesses.
First assess the design and configuration of the network, along with the security measures in place to protect against data breaches and unapproved access. For example, after a network architecture review, you may learn the company’s firewall isn’t configured properly, leaving the network vulnerable to outside attacks.
Step 5: Review software and hardware systems
Evaluate the security measures built into your apps and operating systems. Also review the security of your team’s third-party software or hardware. Your aim is to remove any hardware or software that’s outdated or no longer supported by the vendor to reduce security vulnerabilities.
Step 6: Perform penetration testing
Penetration testing is a deliberate effort to find and exploit vulnerabilities in your own IT systems, so you can seal up those weaknesses before attackers exploit them for real. You can either have an expert from your IT team do this or hire white-hat hackers (also called ethical hackers).
At this stage, you’ve thoroughly evaluated your company’s cybersecurity posture. Based on your findings, create a remediation plan to address the identified vulnerabilities and weaknesses. Consider the level of risk and the potential effect on the company’s operations and reputation when prioritizing remediation activities.
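The remediation planning described above turns on ranking findings by likelihood and potential effect. The following is an added example, not code from the original article and not CISA's or CSET's scoring method: it assumes a simple 1-5 likelihood by 1-5 impact model (a hypothetical scale), and the findings it ranks are constructed sample data echoing the phishing, firewall, and unsupported-software cases mentioned in the steps.

```python
"""Illustrative risk register for prioritizing remediation findings.

Added example: the likelihood/impact scales and the rating thresholds are
assumptions, not CISA, CSET or NIST definitions. Findings are constructed.
"""
from dataclasses import dataclass, field

# Assumed 1-5 qualitative scales (hypothetical, not from any standard).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Finding:
    title: str
    likelihood: str            # key into LIKELIHOOD
    impact: str                # key into IMPACT
    affected_assets: list = field(default_factory=list)
    remediation: str = ""

    def score(self) -> int:
        """Risk score = likelihood x impact on the assumed scales (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        """Bucket the numeric score into a rating (thresholds are assumptions)."""
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 8:
            return "high"
        if s >= 4:
            return "medium"
        return "low"


def prioritize(findings):
    """Order findings highest risk first.

    Ties are broken by how many assets are affected (more first), then by
    title so the ordering is deterministic for reporting.
    """
    return sorted(
        findings,
        key=lambda f: (-f.score(), -len(f.affected_assets), f.title),
    )


def remediation_plan(findings):
    """Group prioritized findings by rating, as a management-facing summary."""
    plan = {}
    for f in prioritize(findings):
        plan.setdefault(f.rating(), []).append(
            {"finding": f.title, "score": f.score(), "action": f.remediation}
        )
    return plan


# Constructed sample findings (not real assessment results).
SAMPLE_FINDINGS = [
    Finding("Unsupported OS on engineering workstations", "likely", "moderate",
            ["eng-ws-01", "eng-ws-02"], "Replace or isolate end-of-life hosts"),
    Finding("Phishing exposure of customer data", "likely", "major",
            ["mail-gateway", "crm-db"], "Enforce MFA and phishing-resistant auth; user training"),
    Finding("Perimeter firewall allows inbound management ports", "possible", "severe",
            ["fw-edge-01"], "Restrict management access to an admin VLAN; review rulebase"),
    Finding("No incident response tabletop in past year", "possible", "minor",
            [], "Schedule an annual IR exercise"),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.rating():8} {f.score():2}  {f.title}")
```

Run as a script it prints the ranked list; `remediation_plan()` returns the same ordering grouped by rating, which is the shape a remediation tracker or GRC import usually wants.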
What Is a Cybersecurity Test?
A cybersecurity test helps IT professionals gauge a company’s cybersecurity defenses to identify and fix vulnerabilities and weaknesses that malicious actors might exploit. It uses multiple methods to measure the effectiveness of a company’s cybersecurity strategy against potential cyber attacks.
Common examples of cyber testing include penetration testing, vulnerability scanning, social engineering testing, and red team testing.
Understanding CISA and CSET
In 2018 the Cybersecurity and Infrastructure Security Agency (CISA) was established under the Department of Homeland Security (DHS) when then-President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act into law.
CISA aims to anticipate, prioritize, and manage risks to national-level industrial control systems (ICS) by promoting a more collaborative effort between government and industry.
Specifically, CISA attempts to improve cybersecurity across all levels of government, coordinates cybersecurity programs with U.S. states, and strengthens the government’s cybersecurity protections against private and nation-state hackers.
Within the DHS and under CISA, an organization called the U.S. Computer Emergency Readiness Team – US-CERT, a branch of the Office of Cybersecurity and Communications’ (CS&C) National Cybersecurity and Communications Integration Center (NCCIC) – is responsible for analyzing and reducing cybersecurity threats, disseminating cyber threat warning information, and coordinating incident response activities.
CS&C conducts complementary, voluntary assessments to evaluate operational resilience and cybersecurity capabilities within critical infrastructure sectors, as well as within state, local, tribal, and territorial governments.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) developed the Cyber Security Evaluation Tool (CSET) for industrial control systems. It provides a systematic, disciplined approach to evaluating an organization’s security posture – at no cost to the organization.
CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate their industrial control system (ICS) and IT network security practices against recognized government and industry standards and recommendations.
To help organizations assess their information and operational systems’ cybersecurity practices, CSET begins by asking a series of detailed questions about system components and architectures, as well as operational policies and procedures.
Once the questionnaires are complete, CSET then provides the organization with a dashboard of charts that depict strengths and weaknesses, as well as a prioritized list of recommendations for increasing cybersecurity posture.
In the final report, CSET provides recommendations, common practices, compensating actions, and suggested enhancements or additions. Using CSET, you can also compare, merge, and trend multiple assessments to better understand your organization’s past and present cybersecurity posture.
Here are some other things that CSET can do for your organization:
- Provide a consistent means of evaluating a control system network as part of a comprehensive cybersecurity assessment
- Specify cybersecurity recommendations
- Report using standards-based information analysis
- Provide a baseline cybersecurity posture
There are, however, other things that CSET cannot do:
- Validate accuracy of user inputs
- Assure compliance with organizational or regulatory cybersecurity policies and procedures
- Assure implementation of cybersecurity enhancements or mitigation techniques
- Identify all known cybersecurity vulnerabilities
With no cost to end users, the CSET assessment can be used by organizations in all sectors to evaluate their ICS and IT networks.
Getting Started With Your CSET Assessment
If you think your organization might benefit from the CSET assessment, here are step-by-step instructions to get started:
Select standards. First, decide which government or industry-recognized cybersecurity standards you want to meet. Once you’ve decided (on one or more), CSET will generate questions specific to those requirements. Some of the cybersecurity standards that you can choose from include:
- DHS Catalog of Control Systems Security: Recommendations for Standards Developers
- NERC Critical Infrastructure Protection (CIP) Standards 002-009
- NIST Special Publication 800-82, Guide to Industrial Control Systems Security
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
- NIST Cybersecurity Framework (CSF)
- NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities
- Committee on National Security Systems Instruction (CNSS) 1253
- INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry
- NISTIR 7628 Guidelines for Smart Grid Cyber Security
Determine your assurance level. Next, determine your security assurance level (SAL). Your organization’s SAL will depend on the potential consequences of a successful cyberattack on your ICS organization, facility, system, or subsystem. A SAL can be either selected or calculated, providing you with a recommended level of cybersecurity rigor to protect against a worst-case event.
Create the diagram. Use the CSET graphical user interface to diagram network topology and identify the “criticality” of the network component. (You can create a diagram from scratch, import a pre-built template diagram, or import an existing MS Visio diagram.) You can also define cybersecurity zones, critical components, and network communication paths using the icon palette to build diagrams by dragging and dropping components into place.
Answer the questions. Using your selected security standards, SAL, and network topology, CSET will then generate specific questions. An assessment team should select the best answers for each question using your organization’s network configuration and security policies and procedures. Using CSET, you can enter notes or attach files to questions, or flag them for further review or to provide clarification. Each question also contains associated reference information for further research. CSET displays the underlying requirements, any supplemental text, and additional resources to help address any identified problems your organization might encounter.
Review analysis and reports. The analysis dashboard will then provide you with graphs and tables that present the assessment results in both summary and detailed form. This allows you to filter content easily or examine more detailed information. The analysis dashboard also displays the top areas of concern, prioritized based on current threat information. You can print these reports when communicating with management and other staff members.
To get the most out of a CSET assessment, NCCIC recommends selecting an assessment team from multiple areas of the organization to review:
- Policies and procedures
- Network topology diagrams
- Inventory lists of critical assets and components
- Previous risk assessments
- IT and ICS network policies and practices
- Organizational roles and responsibilities
Most recently, CISA released a Ransomware Readiness Assessment (RRA), a new module in CSET that allows organizations to test how well their networks can protect against and recover from ransomware attacks, and provides advice for improvements.
All About the Ransomware Self-Assessment Security Audit Tool
How ready is your organization to defend itself from ransomware? Using CISA’s new Ransomware Readiness Assessment (RRA) self-assessment tool, your organization can test its network defenses and evaluate whether your cybersecurity procedures can protect you from a ransomware attack.
The self-assessment tool is delivered as desktop software and applies to both IT and ICS networks. It evaluates your organization’s cybersecurity strategy against government and industry recommendations and standards.
Like CSET, the CISA RRA tool asks users to answer a series of questions about their cybersecurity policies to help them improve their defenses against ransomware.
The RRA tool begins with more basic questions, then moves on to intermediate and advanced questions with tutorials.
No matter the state of your cybersecurity strategy, CISA strongly encourages all organizations to take the Ransomware Readiness Assessment. The tool also encompasses several levels of ransomware threat readiness so that all organizations can use it.
The RRA provides users with ransomware threat readiness evaluation in a systematic, disciplined, and repeatable manner. It helps assess operational technology (OT) and IT network security practices, delivering an analysis dashboard with graphs and tables to view assessment results.
Following the high-profile ransomware attack against Colonial Pipeline, the U.S. government is encouraging organizations to do more to shore up their networks’ defenses. The RRA tool can help you do that.
Take the Reins of Your Cybersecurity with ZenGRC
Once you’ve used CSET and the RRA tool to establish your organization’s cybersecurity posture, you need to create a cybersecurity risk management program that will continuously monitor your networks and IT systems and maintain strict internal and external access control.
ZenGRC equips your security and compliance teams with a single, integrated experience that reveals information security risks across your business.
Providing greater visibility across your organization to better manage risks and mitigate business exposure, ZenGRC can help you stay ahead of ever-evolving security threats.
ZenGRC also helps you calculate risk across connections, such as systems, business divisions, and controls, using customizable risk calculations with multivariable scoring, including SCF and NIST frameworks, Cyber Risk Catalog and the RISQ Management Enterprise registers, and CIS-RAM Simplified and RISQ calculation methods.
Continuous risk monitoring allows you to expose compliance-related risks with intuitive and automated alerts and workflows so you can catch and remediate risks with real-time updates.
Simple deployment means you can rapidly deploy a risk management and compliance program in as little as six to eight weeks so you can focus on the security in information security compliance.
ZenGRC’s unified control management also lets you map controls across multiple frameworks to see defense mechanism strengths and weaknesses.
A centralized dashboard provides key metrics to build a compliance program that responds to the protection your information security program provides.
ZenGRC makes compliance and risk management simple. Learn how it can help your organization create a cybersecurity risk management program using CSET and RRA to establish your cybersecurity and ransomware posture and schedule a demo today.