Control Systems Security Program (CSSP)

CSET Frequently Asked Questions (FAQs)

What is CSET?

The Cyber Security Evaluation Tool (CSET) combines the functionality of two earlier tools, the Control System Cyber Security Self-Assessment Tool (CS2SAT), and the Cyber Security Vulnerability Assessment (CSVA). The CSVA functionality is called Enterprise Evaluation or EE in CSET.

CSET is a self-assessment software application for performing cybersecurity reviews of industrial control and enterprise network systems. The tool may be used by any organization to assess the security posture of cyber systems that manage a physical process or enterprise network. The tool also provides information that assists users in resolving identified weaknesses in their networks and improving their overall security posture.

CSET provides users in all infrastructure sectors with a systematic and repeatable approach for performing assessments against multiple standards, recommended security practices, and industry requirements. CSET provides a flexible question-and-answer format for performing assessments. Users may apply the tool to site-specific configurations, based on user-created diagrams and the selection of specific standards for each assessment. Reference materials, including help documents, are contained in this easy-to-use tool.

How does CSET work?

CSET is a desktop software tool that guides users through a step-by-step question and answer process to collect facility-specific control and enterprise network information. The questions address topics such as hardware, software, administrative policies, and user obligations. After the user responds to the questions, the tool compares the information provided to relevant security standards and regulations, assesses overall compliance, and provides appropriate recommendations for improving the system’s cybersecurity posture. The tool pulls its recommendations from a database of the best available cybersecurity practices, which have been adapted specifically for application to control system and enterprise networks and components. Where appropriate, recommendations are linked to a set of prioritized actions that can be applied to remediate specific security vulnerabilities.

Who should use CSET?

CSET facilitates the assessment of the cybersecurity posture of a facility’s or organization’s cyber network. CSET is typically used by control system engineers, cybersecurity experts, network and control system administrators, or other technical staff working with cybersecurity. Any organization with a control system or enterprise network, regardless of size, can use CSET to improve the cybersecurity posture of their system.

What are CSET’s limitations?

  • It is important to recognize that CSET is only one component of a comprehensive cybersecurity program. CSET provides a good starting point to determine the baseline security posture of a system and may be useful in assessing the implementation status of your security program.
  • CSET does not provide an architectural analysis of the network or a detailed network hardware/software configuration review. CSET is not intended as a substitute for in-depth analysis of control system or enterprise network vulnerabilities as performed by trained cybersecurity professionals. Periodic onsite reviews and inspections must still be conducted using a holistic approach including scanning, penetration testing, facility walk-downs, and other security exercises.
  • CSET has a component focus rather than a system focus. Therefore, network hardware and software configuration analyses will be limited to the extent that they are defined by programmatic and procedural requirements.
  • CSET is not a risk analysis tool; it will not create a detailed risk assessment.

Can I get training to use CSET?

Yes, the Department of Homeland Security (DHS), National Cyber Security Division (NCSD), has developed a companion CSET tutorial video that demonstrates the various steps and features of the tool. The CSSP may also provide "over-the-shoulder" training and guidance to approved critical asset owners.

Does CSET fix security deficiencies?

CSET does not fix security concerns or vulnerabilities. The tool identifies areas of possible concern and helps the user prioritize the most critical vulnerabilities. However, it is up to the organization to analyze the identified discrepancies and take the appropriate action for improvements or mitigation.

After I use CSET and fix the identified problems will the facility be secure?

CSET is only one component of an overall cybersecurity program and should be complemented with a robust cybersecurity effort within the organization. CSET may not highlight every type of security weakness and should, therefore, be used as a complementary product within an organization’s comprehensive control systems and enterprise network cybersecurity programs.

What federal codes and standards is CSET based on?

CSET requirements were derived from widely accepted standards such as:

  • NIST SP 800-53: National Institute of Standards and Technology (NIST), Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, Revisions 0, 1, 2, and 3 Final Public Draft, June 2009.
  • NIST SP 800-82: National Institute of Standards and Technology, Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, Final Public Draft, September 2008.
  • ISO/IEC 15408 (The Common Criteria): International Organization of Standards/ International Electrotechnical Commission, Version 3.1, September 2007.
  • DODI 8500.2: US Department of Defense (DoD) Instruction Number 8500.2, "Information Assurance (IA) Implementation," February 6, 2003.
  • NERC CIP-002 through CIP-009: North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) (http://www.nerc.com/), Effective June 1, 2006.

Was NIST involved in the development or review of CSET?

Yes. NIST, along with other organizations, was involved in the review of CSET or its predecessor CS2SAT. The language from “The Common Criteria” was vetted by NIST to ensure accuracy and consistency with the associated requirements within the Common Criteria.

What agencies were involved in the testing and review of CSET?

The following agencies were involved in either the review or Beta testing of CSET or its predecessors:

Government Agencies:

  • U.S. Dept. of Homeland Security
  • Environmental Protection Agency
  • Department of Energy
  • National Institute of Standards and Technology
  • Army Corps of Engineers
  • Bureau of Reclamation
  • Department of Energy laboratories, led by the Idaho National Laboratory

Industry Associations:

  • Water Environment Research Foundation
  • Water Research Foundation (formerly AwwaRF)
  • Instrumentation, Systems, and Automation Society

Over 250 Beta tests were conducted in support of the development of CSET. Results from these efforts were incorporated into the final production version. These tests included onsite assessments across several industry sectors. The onsite assessments provided a real-world evaluation of how CSET would be used by an asset owner responsible for control and information systems security.

Who in my organization should use CSET?

Assessments using CSET should not be completed by a single individual with limited knowledge of the organization’s cybersecurity policies, control systems architecture, enterprise network architecture, and company risk profile. For an accurate assessment of a system’s security posture, it is recommended that a cross-functional team of subject matter experts be assembled consisting of representatives from operational, maintenance, information technology, business, and security areas.

Does CSET need to be connected to my network?

No. CSET is a stand-alone tool and does not connect to the network. No scans are performed on the network.

Does CSET need an Internet connection?

No. The supporting documents and reports are incorporated into CSET and do not require a network connection.

My system is not connected to an external network. Should I perform a self-assessment?

While that may be a correct assumption, an asset owner does not have a true picture of network connectivity until an assessment is performed. DHS CSSP has identified many types of connections within control or enterprise network environments (historian servers, modems, service agreements, engineering workstations, corporate connectivity, etc.) that some asset owners did not originally recognize as providing external connectivity.

If it is determined that no external connectivity exists, CSET can still be used to evaluate the baseline system environment and address many of the common cybersecurity issues (loss of life, economic impact, environmental impact, internal operational security, and cyber policies).

Our company does not use any of the standards included in CSET. Will CSET be beneficial to my organization?

While your organization may not be required to follow any of the standards incorporated into CSET, basing security decisions on standards or industry accepted practices ensures that cybersecurity is addressed in a consistent and industry acceptable manner.
