ISA Insights

<meta name="Date" content="2008-03-18">
<title>ISA | Control Systems Cyber Security Self Assessment Tool Available (CS2SAT)</title>

ISA | December
		<h1>ISA Insights</h1>
<h4>December 2007</h4>
<h2>Control Systems Cyber Security Self Assessment Tool Available (CS<sup>2</sup>SAT)</h2>

<p> </p>

<p>The ISA Automation Standards Compliance Institute (ASCI) recently completed an agreement with the Idaho National Labs to distribute CS<sup>2</sup>SAT on behalf of the United States Department of Homeland Security. The tool is distributed with a training video, online documentation and, 2 hours of phone support from control systems cyber security specialists to help licensees structure their self assessment approach. </p>

<p>The tool accelerates the assessment process and can reduce the time to complete a self assessment from a few months to a few weeks. While the tool does not identify all vulnerabilities, it is extremely valuable because it highlights areas of cyber security showing the greatest risk. In addition, CS<sup>2</sup>SAT provides linkages to specific regulations such as NERC CIP that may be out of compliance, including hyperlinks to the regulatory language stored in the knowledgebase.</p>

<p>The Department of Homeland Security National Cyber Security Division developed the Control System Cyber Security Self-Assessment Tool (CS<sup>2</sup>SAT) to provide users with a systematic and repeatable approach for assessing the cyber-security posture of their industrial control system networks. The CS<sup>2</sup>SAT was developed by cyber security experts from Department of Energy National Laboratories and with assistance from the National Institute of Standards and Technology. CS<sup>2</sup>SAT was reviewed by a team of ISA control systems security experts to identify specific improvements to CS<sup>2</sup>SAT to enhance support for security assessments of industrial control systems. ISA recommendations are included in the current release of CS<sup>2</sup>SAT with more to be included in future releases.</p>

<p>The CS<sup>2</sup>SAT is a desktop software tool that guides users through a step-by-step process to collect facility-specific control system information and then makes appropriate recommendations for improving the system’s cyber-security posture. </p>

<p>The CS<sup>2</sup>SAT provides recommendations from a database of industry available cyber-security practices, which have been adapted specifically for application to industrial control system networks and components. Each recommendation is linked to a set of actions that can be applied to remediate-specific security vulnerabilities.</p>

<p>The CS<sup>2</sup>SAT is designed with an underlying cyber security framework based on control-system-related federal codes, industry standards, and guidelines such as the following:</p>
<ul>
<li>National Institute of Standards and Technology (NIST) System Protection Profile, Critical Infrastructure Process Control Systems (SPP-CIPCS), Revision 1.07 (Draft)</li>
<li>NIST SPP Industrial Control Systems (SPP-ICS), Revision 1.0</li>
<li>Common Criteria, ISO/IEC 15408 Versions 2.1 to 3.1</li>
<li>North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) Reliability Standards, CIP-002-1 – CIP-009-1</li>
<li>NIST Special Publication (SP) 800 53, Recommended Security Controls for Federal Information Systems, February, 2005</li>
<li>U.S. Department of Defense (DoD) Instruction Number 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003</li>
<li>Industry Standards and Leading Practices</li>
</ul>

<p>The tool is designed to be used by an assessment team, because the breadth and depth of questions usually exceeds the knowledge of any one individual. Having a team also allows sharing of information and clarifying security configurations among members of the organization.</p>

<p>For information on pricing and availability, visit <a href="http://www.isa.org/asci/cs2sat">www.isa.org/asci/cs2sat</a> or call Andre Ristaino at 919-990-9222.</p>