In an earlier article, I laid out some of the varied methods of risk assessment in SCADA/ICS systems from academia, government and industry groups. As I pointed out there, SCADA/ICS risk estimation is especially difficult and nebulous. The probabilities of an event are difficult-to-impossible to obtain and the consequences of the event are sometimes so large as to be unthinkable.
We can, however, attempt to do a risk assessment based upon security standards for the IT industry as a whole and for the SCADA/ICS industry in particular. The U.S. Department of Homeland Security commissioned the development of a tool to assist in assessing the risk of, and securing, a SCADA/ICS site based upon various security standards. This free tool enables us to select an industry and sector, as well as a security standard that applies to our circumstances, and then walks us through a risk assessment of our organization. For our considerable effort in this exercise, we receive an assessment and report on the risks that our organization bears and a guideline for tightening up our security.
Step #1 Download and Install CSET
You can download CSET here. This will take you to the U.S. Computer Emergency Readiness Team (US-CERT) page. Scroll about 3/4 of the way down the page and you will find the download link.
This will open a form page where you fill in your name and organization. Then you can download CSET 8.0. It's an .ISO file of about 650 MB, so it doesn't take long to download, even with a slow Internet connection.
Step #2 Extract the Image
The image is an .ISO and needs to be extracted. You can use any of the extraction/archiving tools, but here I used WinArchiver.
I extracted my image to C:/cset, but you can save it wherever is convenient for you.
Step #3 Start the Installation
Once the image is extracted, click on CSET_Setup.
This will open a setup screen like the one below.
After you click "Install", the CSET install wizard will walk you through the setup and installation steps.
Step #4 Getting Started
Once CSET has completed its installation, you will be greeted by a splash screen similar to the one below.
Now we are ready to begin the risk assessment of your organization. Simply click "Start Here" at the bottom of the screen.
You will be asked for information about your site and yourself, but you can skip this section as I did here. The only drawback to skipping this step is that the final report will not have your organization's name on it when you have completed the risk assessment.
Step #5 Providing a Sector and Industry
Before you begin, though, this tool needs to know which industry you are in so that it can select the proper assessment.
Here, I was assessing the security of a company in the Nuclear Reactor sector in the "Operating Nuclear Power Plants" industry with a gross value over $10,00,000. In addition, I indicated that I was willing to expend a large effort (spend three days or more) on the assessment. It was my experience that if you have the information at hand (that's a big IF), this assessment can certainly be completed in a single day.
Next, CSET asks you whether you want to create a diagram. This is not necessary, so I skipped it and hit "Continue".
Step #6 Mode Selection
The next screen is important to the overall assessment. I selected the Advanced Mode and then selected the "Requirements-based Approach". I recommend you do the same.
Next, we select the Security Assurance Level (SAL). By default, the tool begins with a LOW overall SAL, but you can select Medium or High. Those higher SALs require additional time to complete the assessment. You can always go back and redo your assessment with a higher SAL later, once you are certain that you meet all the Low SAL requirements. This is what I recommend.
Based upon the industry you selected, the CSET tool selects the recommended standards you should meet. You can select any standard simply by de-selecting the recommended standard(s) and selecting the standard you need. In addition, you can select multiple standards. In my case, the CSET tool chose two standards pertinent to the nuclear power plant industry, NEI-08-09 and NRC Regulatory Guide 5.71. I used those two recommended standards for this risk assessment.
Now, the questions begin. Based upon the industry, standards and the SAL you selected, CSET will now present you with numerous questions to assess your risk. The questions are not ALL specific to SCADA/ICS. Most of the questions relate to best security practices in any IT environment, but they do also contain questions specific to SCADA/ICS and your industry.
In my case, there were 301 questions, but there can be as many as 1500. Each question goes into great detail about a particular recommendation, including supplemental information to help you understand the standard. You can choose Yes, No, Not Applicable or an Alternative Response.
After completing all 301 questions, the CSET tool then provides you with a score. As you can see below, my client scored disturbingly low, especially considering it was a nuclear power plant operator.
When we click "View My Results", we can see the Dashboard below. We can quickly assess that the plant's compliance based upon industry standards was very low (34%), but also see how the facility ranked based upon various assessment categories. This one ranked high on "Access Control" and very low on "Continuity".
We can then take all that information and create a report. We can choose from 4 different types of reports and two file types. I chose to build an Executive Summary (about 4 pages) in PDF format.
The report takes a few minutes to generate, so be patient; it then opens automatically on your computer.
In my report, it breaks down each category and graphs the compliance with the components of the chosen standard.
Finally, it provides a page of "Areas of Concern". It ranks the top areas of concern so that you and your organization can begin the process of tightening your compliance with the chosen cyber security standard(s) and reducing your facility's risk.
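To make the score, the per-category dashboard and the "Areas of Concern" ranking described above concrete, here is an added example that is not part of the original article and not CSET's own code or scoring logic. It assumes a simple, illustrative scoring rule: Not Applicable answers are dropped from the denominator, and Yes or an accepted Alternative Response counts as a requirement met. The question IDs, categories and answers are constructed sample data, not real CSET questions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: requirement-style questions tagged with an assessment
# category and answered Yes / No / NA / Alt. This is NOT CSET's real question
# set or scoring rule; it only illustrates how an overall percentage, a
# per-category dashboard and a ranked "areas of concern" list can be derived.

@dataclass(frozen=True)
class Response:
    question_id: str
    category: str
    answer: str  # one of "Yes", "No", "NA", "Alt"

COMPLIANT = {"Yes", "Alt"}  # assumption: an accepted alternative counts as met
EXCLUDED = {"NA"}           # assumption: Not Applicable leaves the denominator
ALLOWED = COMPLIANT | EXCLUDED | {"No"}

SAMPLE = [
    Response("AC-1", "Access Control", "Yes"),
    Response("AC-2", "Access Control", "Yes"),
    Response("AC-3", "Access Control", "Alt"),
    Response("AC-4", "Access Control", "No"),
    Response("CP-1", "Continuity", "No"),
    Response("CP-2", "Continuity", "No"),
    Response("CP-3", "Continuity", "NA"),
    Response("CP-4", "Continuity", "Yes"),
    Response("AU-1", "Audit and Accountability", "No"),
    Response("AU-2", "Audit and Accountability", "Yes"),
    Response("AU-3", "Audit and Accountability", "No"),
    Response("AU-4", "Audit and Accountability", "Yes"),
]


def validate(responses):
    """Return the IDs of any answers outside the four allowed choices.

    A stray value (for example a typo in an exported spreadsheet) would
    otherwise be silently counted as non-compliant and skew the score.
    """
    return [r.question_id for r in responses if r.answer not in ALLOWED]


def compliance_pct(responses):
    """Percent of applicable questions met, rounded to 0.1; None if none apply."""
    applicable = [r for r in responses if r.answer not in EXCLUDED]
    if not applicable:
        return None
    met = sum(1 for r in applicable if r.answer in COMPLIANT)
    return round(100 * met / len(applicable), 1)


def category_scores(responses):
    """Dashboard view: compliance percentage per assessment category."""
    by_cat = defaultdict(list)
    for r in responses:
        by_cat[r.category].append(r)
    return {cat: compliance_pct(rs) for cat, rs in by_cat.items()}


def areas_of_concern(responses, top_n=3):
    """Categories ranked weakest first: lowest percentage, then most 'No' answers."""
    scores = category_scores(responses)
    unmet = defaultdict(int)
    for r in responses:
        if r.answer == "No":
            unmet[r.category] += 1
    ranked = sorted(
        (cat for cat, s in scores.items() if s is not None),
        key=lambda cat: (scores[cat], -unmet[cat]),
    )
    return [(cat, scores[cat], unmet[cat]) for cat in ranked[:top_n]]


if __name__ == "__main__":
    bad = validate(SAMPLE)
    if bad:
        raise SystemExit(f"invalid answers on: {bad}")
    print(f"Overall compliance: {compliance_pct(SAMPLE)}%")
    for cat, pct in category_scores(SAMPLE).items():
        print(f"  {cat}: {pct}%")
    print("Areas of concern (weakest first):")
    for cat, pct, misses in areas_of_concern(SAMPLE):
        print(f"  {cat}: {pct}% compliant, {misses} requirement(s) unmet")
```

With this constructed data the overall figure is 54.5% over the 11 applicable questions, "Continuity" ranks as the top area of concern at 33.3%, and "Access Control" scores highest at 75.0%, mirroring the shape of the dashboard described above. How the real tool weights Alternative Responses and Not Applicable answers is not stated in the article, so treat those two rules as the example's own assumptions.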
Conclusion
There are numerous methods of risk assessment for the SCADA/ICS industry, and none of them is ideal. The CSET tool developed for the U.S. Department of Homeland Security is a free and useful tool that walks you through the guidelines and standards for risk mitigation, which any industry can use to assess its compliance and risk.