New Cyber Security Evaluation Tool released by US Homeland Security for organisations to self-test their security systems
By Cameron Abbott, Warwick Andersen and Jacqueline Patishman
The United States Department of Homeland Security has developed the Cyber Security Evaluation Tool (CSET) which provides a systematic (and repeatable) process that critical infrastructure asset owners can use to assess and improve their cyber security management systems. This tool has a particular focus on the security of industrial control systems and information networks.
The CSET tool is available on Github and is available for download on a permissive MIT license (a type of open source licence) and can be run on Windows with a standalone installer.
The tool comes with a basic, intermediate and advanced set of questions, the intent being that organisations will use the toolkit to first focus on the basics and then to implement best practice in the intermediate to advanced sections in future.
- a team of control system engineers, cyber security staff and managers are put together to conduct the assessment and use the tool;
- the relevant Security Assurance Level (SAL) is determined via a range of questions. The higher the SAL, the higher the level of security required by an organisation;
- a list of questions are then generated depending on the SAL;
- a form selecting the cyber security standards that may be applicable to the organisation then needs to then be filled in. These standards are grouped by industry and purpose like standard relevant to supply chains, transportation or nuclear security;
- the team is then required to graphically capture the organisation’s IT network via a diagram drawing tool;
- CSET then generates a list of questions appropriate for the organisation based on the information provided; and
- once the team responds to all these questions, CSET produces an analysis dashboard which includes a range of reports that highlight any areas of weakness in an organisation’s security systems.
This tool is a really interesting example of the increasingly common assistance that government’s around the world are providing to organisations in this area (particularly those that are considered ‘critical infrastructure’ related). Critical infrastructure is a key target of hackers and it is sensible that governments are taking this approach.