The Department of Homeland Security has released CSET (
Fact Sheet)
The Cyber Security Evaluation Tool (CSET) which provides users with a systematic and repeatable approach for assessing the cybersecurity posture of their industrial control system networks. This tool also includes both high-level and detailed questions applicable to all industrial control systems (ICS). CSET was developed under the direction of the Department of Homeland Security (DHS) Control Systems Security Program (CSSP).
I just downloaded the tool and already find it a bit cumbersome because you need to have Windows – The ISO has windows .exe – but I’m assuming DHS decided to deploy a version that will benefit most companies that only run windows.
So I fired up my baseline Windows 7 VM for some testing. Here are my initial thoughts:
1) You need Java installed to run the application.
2) Point and click Assessment!
3) When you click Create a new assessment you are prompted with a nice disclaimer that reiterates the tools intended use — “this is just part of the puzzle” of ensuring your network is secure etc.
4)
This is not a penetration testing tool. In my opinion, it is focused on policy development/assessment.
This article somewhat mislead me by saying
“CSET is actually a software application that compares the network infrastructure of the user with industry rules. It then lists recommendations that should help enhance the safeguarding of the enterprises cyber structure.”
5) The tool is a great guide that allows a user to answer specific questions that are in-line with the standards — then the tool creates a nice PDF/RTF report summarizing the assessment with recommendations to secure the network. This is not a “point and click” assessment as I initially thought when I opened the application, its actually an in depth tool that requires much more time and thought to ensure you are answering the questions properly.
6) As you continue to use the tool, you are presented a list of detailed options with MEANINGFUL help files. Clearly those that designed the front end of the application took into account the audience of users. Nice job.
All-in-all this is an interesting approach to educate IT professionals on what it takes to be compliant with international/government IT standards. I hope to hear followup from DHS on how many organizations this actually helps. Great work!
This also sparks another idea.. I submitted a paper for the 2012 CEIC conference. If my paper is accepted, this tool gives me a good idea. Stay tuned 🙂