CS2SAT is now the CSET
The Cyber Security Evaluation Tool (CSET) combines the functionality of two earlier tools, the Control System Cyber Security Self-Assessment Tool (CS2SAT) and the Cyber Security Vulnerability Assessment (CSVA). The CSVA functionality is called Enterprise Evaluation or EE in CSET.
The CSET uses four core elements to aid the user in establishing a better understanding of their cyber security posture as it relates to their control domain:
Consequence Analysis helps the user analyze the criticality of a site or facility relative to the potential consequences of a successful cyber attack. The tool uses the calculated security assurance level to determine how the user measures up against the recommendations.
Network Topology helps the user identify the network architecture and components that are critical to the system’s cyber security boundary. This element of the tool contains a graphical user interface to define the cyber security boundaries and connectivity of the control system network.
Requirements Questionnaire generates a set of questions based on the specific network topology and consequence analysis responses entered by the user.
Risk Reduction Calculation provides the user with a concise set of prioritized recommendations to provide direction for securing control system elements. A graphical representation of the analysis, along with gap analysis reports, is also provided so the user can easily identify areas that need improvement.
The CSET was developed under the direction of the Department of Homeland Security (DHS) Control Systems Security Program (CSSP) by cyber security experts from national laboratories and with assistance from the National Institute of Standards and Technology. The CSET is a desktop software tool that guides users through a step-by-step process to collect facility-specific control system information and then makes appropriate recommendations for improving the system’s cyber security posture.
The CSET is an excellent tool to help organizations get a granular perspective on their cyber security programs, and assist them in making informed choices about addressing the cyber risk in their control system environments. The CSET provides users with a systematic and repeatable approach for assessing the cyber security posture of their industrial control system networks.
Users can use the tool to support their initiatives, and choose from several standards and practices, including NERC CIP, NIST SP 800-53 Rev 0-3, NIST SP 800-82 Rev 0, DoDI 8500, ISO/IEC 15408 and the Global Assessment (Catalog of Recommendations) 2008-2009. Additionally, the CSET has added support for business systems evaluation, called the Enterprise Evaluation (EE). The Enterprise Evaluation is a set of questions that evaluates the policies, plans, and procedures in place to reduce cyber vulnerabilities for business systems and is applicable to all critical infrastructure sectors.
CSET is available from the DHS, National Cyber Security Division, on DVD. To request a copy, please send an email to CSET@dhs.gov. Please insert “CSET” in the title block of the email.
With years of experience working with companies that are going through a cyber security self-assessment, Lofty Perch can assist you with getting the most out of the CSET.
For more information on how Lofty Perch can help you with your self-assessment efforts, please contact info@loftyperch.com or call us at 1-888-GO-LOFTY.
The Cyber Security Evaluation Tool (CSET)
The CSET is made available by the Department of Homeland Security (DHS). To obtain a copy, please email CSET@DHS.GOV.
For more information on CSET or security assessment services, please email us at info@loftyperch.com or call us at 1-888-GO-LOFTY.