CS2SAT

From SCADApedia

The Control System Cyber Security Self-Assessment Tool (CS2SAT) was developed by Idaho National Labs (INL) as part of the DHS Control System Security Program (CSSP). CS2SAT runs on Windows 2000 or XP and requires Java (JRE 5.0 release 6 or later).

CS2SAT is an online, detailed questionnaire consisting of hundreds of questions even for a small system assessment. The results of the self-assessment are online and PDF reports that compare the response with the security requirement for each individual question. CS2SAT security requirements were determined based on industry standards, regulations and best practices, and the requirements vary based on 1) the criticality of the asset and system and 2) the consequence of a compromise of the control system.

Self-assessment begins with general information about the assessment such as date, assessor name, and location. This information is used in the reports generated at the end of the assessment and is not part of the assessment calculations.

Security Assurance Level (SAL)

Next comes a series of 10 questions to determine your Security Assurance Level. The questions are based on the consequence, in money, human life, reputation and other factors, of a security incident. The answers to these questions set the SAL from 1 (low) to 5 (high), and this level determines the security controls required for all components in the assessment. A higher SAL requires that more technical and administrative controls be met for the system to be rated secure.

All 10 questions must be answered before moving on. Based on the answers, CS2SAT calculates a recommended SAL. The assessment team can manually adjust the level at any time; raising the SAL increases the rigor of the security requirements.

Network Diagram

The components and architecture of the control system under assessment must be laid out in a network diagram. CS2SAT comes with six templates that provide a starting point for most control systems. The assessment team uses the CS2SAT DrawNodes editor to modify the diagram, adding components and subnets until it represents the system under assessment.

System Questions

A set of system questions is based on one or more security standards the assessment team selects to include in the assessment. Currently CS2SAT supports NERC CIP (135 questions), NIST SP 800-53 (163 questions) and IEC 15408 (81 questions). These questions address standard requirements that are not component specific. For example, there are NERC CIP-002 questions on whether a risk-based assessment methodology, a Critical Asset list and a Critical Cyber Asset list exist.

The relevant text from the standard is available for each question in a help file that can be viewed by clicking on the question mark. Every question throughout CS2SAT, not just in the System Questions, also lets the assessment team add a note. For example, the assessment team could record the file name and location of the Critical Cyber Asset list in a note.

The assessment team does not need to answer all of the system questions, but any unanswered questions will be considered to have failed in the final report regardless of the SAL.

Component Questions

Each component entered in the network diagram has a set of questions. The questions vary by the type of component, with typically between 20 and 40 questions per component. The questions for a database server are different from the questions for an HMI.

If there are multiple components of the same type, such as 15 PLCs, the assessment team can answer the questions once for a default PLC, and those answers apply to all of the PLCs. The assessment team can then answer the questions for any individual PLC that does not match the default answers.

The assessment team does not need to answer all of the component questions, but any unanswered questions will be considered to have failed in the final report regardless of the SAL.

Assessment Report

A variety of assessment reports are available from CS2SAT, but none of the reports produce a numerical score. Instead, the approach is to compare the answer to each question with the required answer, which depends on the SAL and the component criticality, and to identify whether the control system meets the requirement or is deficient.

An overall report can be viewed online or any combination of six sub-reports (Information, Summary, Gap Analysis, Sorted Gap Analysis, Questions/Answers and NERC CIP) can be printed to a PDF.
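The reporting rules described on this page (requirements that tighten as the SAL rises, default answers per component type that individual components can override, and unanswered questions counted as failed) can be modelled in a few dozen lines. The following Python is an added illustration written for this page; it is not CS2SAT's own code, and the question catalogue, the SAL thresholds per question and the sample components are all constructed for the example rather than taken from any of the standards the tool supports.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    required_from_sal: int  # control is required once the assessed SAL reaches this value


# Constructed question catalogue (hypothetical questions and thresholds; the real
# CS2SAT question sets for NERC CIP, NIST SP 800-53 and IEC 15408 are not reproduced).
CATALOGUE = {
    "PLC": [
        Question("PLC-01", "Default vendor passwords have been changed", 1),
        Question("PLC-02", "Firmware is updated on a defined schedule", 3),
        Question("PLC-03", "Engineering/programming port is physically secured", 4),
    ],
    "HMI": [
        Question("HMI-01", "Operator accounts are individual, not shared", 1),
        Question("HMI-02", "Host-based firewall restricts inbound connections", 2),
    ],
}


@dataclass
class Component:
    name: str
    ctype: str
    # qid -> True (control in place) / False (not in place); a missing qid is unanswered
    answers: dict = field(default_factory=dict)


def effective_answers(component, type_defaults):
    """Start from the default answers for the component's type, then apply
    the answers given for this specific component on top."""
    merged = dict(type_defaults.get(component.ctype, {}))
    merged.update(component.answers)
    return merged


def gap_analysis(components, type_defaults, sal):
    """Return (component, question id, status) for every question that is
    required at the given SAL. Unanswered questions are reported as deficient."""
    if not 1 <= sal <= 5:
        raise ValueError("SAL must be between 1 and 5")
    findings = []
    for comp in components:
        answers = effective_answers(comp, type_defaults)
        for q in CATALOGUE[comp.ctype]:
            if sal < q.required_from_sal:
                continue  # control not required at this SAL, so not assessed
            answer = answers.get(q.qid)
            if answer is True:
                status = "meets"
            elif answer is None:
                status = "deficient (unanswered)"
            else:
                status = "deficient"
            findings.append((comp.name, q.qid, status))
    return findings


def summarize(findings):
    """Counts only; like the tool, this produces no numerical score."""
    deficient = sum(1 for _, _, status in findings if status.startswith("deficient"))
    return {"assessed": len(findings), "meets": len(findings) - deficient, "deficient": deficient}


# Constructed sample assessment: two PLCs sharing type defaults (one overriding
# a default answer) and one HMI with a question left unanswered.
TYPE_DEFAULTS = {"PLC": {"PLC-01": True, "PLC-02": False}}
COMPONENTS = [
    Component("PLC-line1", "PLC"),
    Component("PLC-line2", "PLC", {"PLC-01": False}),
    Component("Operator HMI", "HMI", {"HMI-01": True}),
]

if __name__ == "__main__":
    # Raising the SAL brings more questions into scope, so the same answers
    # yield more deficiencies at SAL 5 than at SAL 2.
    for sal in (2, 5):
        findings = gap_analysis(COMPONENTS, TYPE_DEFAULTS, sal)
        print(f"SAL {sal}: {summarize(findings)}")
        for name, qid, status in findings:
            print(f"  {name:14} {qid}  {status}")
```

Running the block shows the effect of the SAL on the same set of answers: at SAL 2 only the two lowest-threshold questions per type are assessed (4 findings, 2 deficient), while at SAL 5 every catalogued question is in scope (8 findings, 6 deficient), with the unanswered questions counted against the system in both cases.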

CS2SAT Pricing and Availability

CS2SAT is available free of charge to US Government organizations. The product is currently available to asset owners via two different channels.

ISA is selling CS2SAT for $1,795, which is a reduced 'promotional' price.

Lofty Perch is selling CS2SAT for $399, and the price includes two hours of Lofty Perch support.
