Discover the changes CISA has made to their Cyber Security Evaluation Tool and what it could mean for your business.
Understanding CISA and CSET
In 2018 the Cybersecurity and Infrastructure Security Agency (CISA) was established under the Department of Homeland Security (DHS) when then-President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act into law.
CISA aims to anticipate, prioritize, and manage risks to national-level industrial control systems (ICS) by promoting a more collaborative effort between government and industry.
Specifically, CISA attempts to improve cybersecurity across all levels of government, coordinates cybersecurity programs with U.S. states, and strengthens the government’s cybersecurity protections against private and nation-state hackers.
Within the DHS and under CISA, an organization called the U.S. Computer Emergency Readiness Team — US-CERT, a branch of the Office of Cybersecurity and Communications’ (CS&C) National Cybersecurity and Communications Integration Center (NCCIC) — is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.
CS&C conducts complementary, voluntary assessments to evaluate operational resilience and cybersecurity capabilities within critical infrastructure sectors, as well as within state, local, tribal, and territorial governments.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) developed the Cyber Security Evaluation Tool (CSET) for industrial control systems. It provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture at no cost.
CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate their industrial control system (ICS) and information technology (IT) network security practices. It lets users evaluate their own cybersecurity stance against recognized government and industry standards and recommendations.
To help asset owners assess their information and operational systems’ cybersecurity practices, CSET begins by asking a series of detailed questions, derived from industry-recognized cybersecurity standards, about system components and architectures as well as operational policies and procedures.
Once the questionnaires are complete, CSET then provides asset owners with a dashboard of charts including areas of strengths and weaknesses, as well as a prioritized list of recommendations for increasing cybersecurity posture.
In the final report, CSET provides recommendations, common practices, compensating actions, and suggested component enhancements or additions. Using CSET, you can also compare, merge, and trend multiple assessments at once to better understand your organization’s past and present cybersecurity posture.
Here are some other things that CSET can do for your organization:
- Provide a consistent means of evaluating a control system network as part of a comprehensive cybersecurity assessment
- Specify cybersecurity recommendations
- Report using standards-based information analysis
- Provide a baseline cybersecurity posture
There are, however, other things that CSET cannot do:
- Validate accuracy of user inputs
- Ensure compliance with organizational or regulatory cybersecurity policies and procedures
- Ensure implementation of cybersecurity enhancements or mitigation techniques
- Identify all known cybersecurity vulnerabilities
With no cost to end users, the CSET assessment can and should be used by organizations in all sectors to effectively evaluate their ICS and IT networks.
Getting started with your CSET Assessment
If you think your organization might benefit from the CSET assessment, here are step-by-step instructions to get the process started:
Select standards. First, you need to decide which government- or industry-recognized cybersecurity standards you want to meet. Once you’ve decided (on one or more), CSET will generate questions that are specific to those requirements.
Some of the cybersecurity standards that you can choose from include:
- DHS Catalog of Control Systems Security: Recommendations for Standards Developers
- NERC Critical Infrastructure Protection (CIP) Standards 002-009
- NIST Special Publication 800-82, Guide to Industrial Control Systems Security
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
- NIST Cybersecurity Framework (CSF)
- NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities
- Committee on National Security Systems Instruction (CNSS) 1253
- INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry
- NISTIR 7628 Guidelines for Smart Grid Cyber Security
Determine assurance level. Next you need to determine your security assurance level (SAL). Your organization’s SAL will depend on the potential consequences of a successful cyberattack on your ICS organization, facility, system, or subsystem. A SAL can be either selected or calculated, and will also provide you with a recommended level of cybersecurity rigor to protect against a worst-case event.
Create the diagram. Use the CSET graphical user interface to diagram your network topology and identify the “criticality” of each network component. (You can create a diagram from scratch, import a pre-built template diagram, or import an existing MS Visio diagram.) You can also define cybersecurity zones, critical components, and network communication paths using the icon palette of system and network components, building and modifying diagrams by dragging and dropping components into place.
Answer the questions. Using your selected security standards, SAL, and network topology, CSET will then generate specific questions. An assessment team should select the best answers for each question using your organization’s network configuration and security policies and procedures. Using CSET, you can enter notes or attach files to questions, or flag them for further review or to provide clarification. Each question also contains associated reference information for further research. CSET displays the underlying requirements, any supplemental text, and additional resources to help address any identified problems your organization might encounter.
Review analysis and reports. The analysis dashboard will then provide you with graphs and tables that present the assessment results in both summary and detailed form. This allows you to filter content easily or examine more detailed information. The analysis dashboard also displays the top areas of concern, prioritized based on current threat information. You can print these professionally designed reports to use when communicating with management and other staff members.
To get the most out of a CSET assessment, NCCIC recommends selecting an assessment team from multiple areas of the organization to review:
- Policies and procedures
- Network topology diagrams
- Inventory lists of critical assets and components
- Previous risk assessments
- IT and ICS network policies and practices
- Organizational roles and responsibilities
Most recently, CISA released a Ransomware Readiness Assessment (RRA), a new module in CSET that allows organizations to test how well their networks can protect against and recover from ransomware attacks, and provides advice for improvements.
All About the Ransomware Self-Assessment Security Audit Tool
How ready is your organization to defend itself from ransomware? Using CISA’s new Ransomware Readiness Assessment (RRA) self-assessment tool, your organization can now test its network defences and evaluate whether your cybersecurity procedures can protect you from a ransomware attack.
The self-assessment tool is accessible by desktop software and can be applied to both IT and ICS networks. It evaluates your organization’s cybersecurity strategy based on government and industry recommendations and standards.
Like CSET, the CISA RRA tool asks users to answer a series of questions about their cybersecurity policies with the aim of helping them improve their defences against ransomware.
The RRA tool begins with more basic questions, and then moves on to intermediate and advanced questions with tutorials.
No matter the state of your cybersecurity strategy, CISA strongly encourages all organizations to take the Ransomware Readiness Assessment. The tool also encompasses several different levels of ransomware threat readiness so that all types of organizations can use it.
“CISA has tailored the RRA to varying levels of ransomware threat readiness to make it useful to all organizations regardless of their current cybersecurity maturity,” CISA said.
The RRA provides users with ransomware threat readiness evaluation in a systematic, disciplined, and repeatable manner. It helps assess both operational technology (OT) and IT network security practices, delivering an analysis dashboard with graphs and tables to view assessment results.
Following the high-profile ransomware attack against Colonial Pipeline, the U.S. government is encouraging organizations to do more to shore up their networks’ defences — and the RRA tool can help you do just that.
ZenGRC Is the Superior Cybersecurity Solution
Once you’ve utilized CSET and the RRA tool to establish your organization’s cybersecurity posture, you need to create a cybersecurity risk management program that will continuously monitor your networks and IT systems, and maintain strict access control both internally and externally.
ZenGRC from Reciprocity equips your security and compliance teams with a single, integrated experience that reveals information security risk across your business.
Providing greater visibility across your organization to better manage risks and mitigate business exposure, ZenGRC can help you stay ahead of ever-evolving security threats.
ZenGRC also helps you calculate risk across connections, such as systems, business divisions, and controls, using customizable risk calculations with multivariable scoring, including SCF and NIST frameworks, Cyber Risk Catalog and the RISQ Management Enterprise registers, and CIS-RAM Simplified and RISQ calculation methods.
Continuous risk monitoring allows you to expose compliance-related risks with intuitive and automated alerts and workflows so you can catch and remediate risks with real-time updates.
Simple deployment means you can rapidly deploy a risk management and compliance program in as little as six to eight weeks so you can focus on the security in information security compliance.
ZenGRC’s unified control management also lets you map controls across multiple frameworks for visibility into defense mechanism strengths and weaknesses.
A centralized dashboard provides key metrics to build a compliance program that responds to the protection your information security program provides.
ZenGRC makes compliance and risk management simple. Learn more about how ZenGRC can help your organization create a cybersecurity risk management program using CSET and RRA to establish your cybersecurity and ransomware posture, and schedule a demo today.