CS2SAT Frequently Asked Questions (FAQs)

What is CS2SAT?

The Control System Cyber Security Self-Assessment Tool (CS2SAT) is a self-assessment software application for performing cyber-security reviews of industrial control systems. The tool may be used by any organization to assess the security posture of control systems that manage a physical process. The tool also provides information to assist users in resolving identified weaknesses in their control systems and improving the overall security posture of the control systems environment.

The CS2SAT provides users in all infrastructure sectors with a systematic and repeatable approach for performing assessments against multiple standards, recommended security practices, and industry requirements. The CS2SAT provides a flexible question-and-answer format for performing the assessment and tailors the subjects to site-specific configurations, based on user-entered diagrams and the selection of specific standards. All of the reference materials, including help documents, are contained in this easy-to-use tool.

How does the CS2SAT work?

The CS2SAT is a desktop software tool which guides users through a step-by-step question-and-answer process to collect facility-specific control system information. The questions address topics such as hardware, software, administrative policies, and user obligations. After the user responds to the questions, the tool compares the information provided to relevant security standards and regulations, assesses overall compliance, and provides appropriate recommendations for improving the system's cyber security posture. The tool pulls its recommendations from a database of the best available cyber security practices, which have been adapted specifically for application to control system networks and components. Where appropriate, recommendations are linked to a set of prioritized actions that can be applied to remediate specific security vulnerabilities.

Who should use CS2SAT?

The CS2SAT facilitates the assessment of the cyber security posture of a facility's or the organization's control system network. The CS2SAT is typically used by control system engineers, cyber security experts, network and control system administrators, or other technical staff working with cyber security. Any facility with a control system network, regardless of size, can use the CS2SAT to improve the cyber security posture of their control system.

What are the CS2SAT’s limitations?

The reports generated by the tool are only as useful as the care that went into answering the requirement questions. CS2SAT does not independently determine the security level of the control system network. The CS2SAT identifies areas of concern based on the answers provided to the questions; it is up to the organization to analyze these areas and take appropriate action based upon its business model.

The CS2SAT does not provide an architectural analysis of the network or a detailed network hardware/software configuration review. CS2SAT is not intended as a substitute for in-depth analysis of control system vulnerabilities as performed by trained cyber security control systems professionals. Periodic onsite reviews and inspections must still be conducted using a holistic approach including scanning, penetration testing, facility walk-downs, and other security exercises.

The CS2SAT has a component focus rather than a system focus. Therefore, network hardware and software configuration analyses will be limited to the extent that they are defined by programmatic and procedural requirements.

CS2SAT is not a risk analysis tool; it will not create a detailed risk assessment.

It is important to recognize that the CS2SAT is only one component of a comprehensive control system security program. The CS2SAT provides a good starting point for determining the security posture of a system; however, a security program based on a CS2SAT assessment alone must never be considered complete or adequate.

Can I get training to use the CS2SAT?

Yes, the Department of Homeland Security Control System Security Program has developed a companion CS2SAT tutorial video which demonstrates the various steps and features of the tool. Also, the licensed distributors of the tool provide support to CS2SAT users.

Are new versions of CS2SAT planned?

The tool will be periodically updated and revised when new standards, requirements, and recommended practices documents are published.

Does the CS2SAT fix security deficiencies?

The CS2SAT does not fix security concerns or vulnerabilities. The tool identifies areas of possible concern and helps the user prioritize the most critical vulnerabilities. However, it is up to the organization to analyze the identified discrepancies and take the appropriate action for improvements or mitigation.

After I use the CS2SAT and fix the identified problems will the facility be secure?

The CS2SAT is only one component of the overall cyber security program and should be complemented with a robust cyber security effort within the organization. The CS2SAT may not highlight every type of security weakness and should therefore be used as a complementary product in an organization’s comprehensive control systems cyber security program.

What federal codes and standards are the CS2SAT based on?

The CS2SAT requirements were derived from widely accepted standards such as:

  • NERC CIP-002 through CIP-009: North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) (http://www.nerc.com/), Effective June 1, 2006.
  • NIST SP 800-53: National Institute of Standards and Technology (NIST), Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, February, 2005.
  • NIST SPP-ICS: National Institute of Standards and Technology, System Protection Profile - Industrial Control Systems, Version 1.0, April 2004.
  • NIST SPP-CIPCS: National Institute of Standards and Technology, System Protection Profile - Critical Infrastructure Process Control Systems, Version 1.07, June 2005 (DRAFT).
  • ISO/IEC 15408 (The Common Criteria): International Organization for Standardization/International Electrotechnical Commission, Versions 2.1 to 3.0.
  • DODI 8500.2: US Department of Defense (DOD) Instruction Number 8500.2, "Information Assurance (IA) Implementation," February 6, 2003.

Was NIST involved in the development or review of the CS2SAT?

Yes. NIST, along with other organizations, was involved in the review. The language from “The Common Criteria” was vetted by NIST to ensure accuracy and consistency with the associated requirements within the Common Criteria.

What agencies were involved in the testing and review of CS2SAT?

The following agencies were involved in either the review or Beta testing of the CS2SAT:

Government Agencies:

  • U.S. Dept. of Homeland Security
  • Environmental Protection Agency
  • Department of Energy
  • National Institute of Standards and Technology
  • Army Corps of Engineers
  • Bureau of Reclamation
  • Department of Energy laboratories, led by the Idaho National Laboratory

Industry Associations:

  • American Water Works Association Research Foundation
  • Water Environment Research Foundation
  • Instrumentation, Systems, and Automation Society

Other Control Systems Security Professionals:

  • Decisive Analytics Corporation
  • EMA, Inc.
  • Industry recognized Subject Matter Experts

Over 250 Beta tests were conducted in support of the development of the CS2SAT. Results from these efforts were incorporated into the final production version. These tests included on-site assessments across several industry sectors. The on-site assessments provided real-world evaluation of how the CS2SAT would be used by an asset owner responsible for control systems security.

Who in my organization should use the CS2SAT?

Assessments using the CS2SAT should not be completed by a single individual with limited knowledge of the organization’s cyber security policies, control systems architecture, and company risk profile. For an accurate assessment of a system's security posture, it is recommended that a cross-functional team of subject matter experts be assembled consisting of representatives from operational, maintenance, information technology, business, and security areas.

Does the CS2SAT need to be connected to the control system network?

No. CS2SAT is a stand-alone tool and does not connect to the control system network. No scans are performed on the control system.

Does the CS2SAT need an Internet connection?

No. The supporting documents and reports are incorporated into the CS2SAT and do not require a network connection.

How much time is required to perform the self-assessment?

With a properly assembled team, a typical assessment should be completed in 1 day. Depending on the complexity of the cyber security assets and the selection of requirements used, the assessment time could extend to 2 days.

My control system is not connected to an external network. Should I perform a self-assessment?

While it may be a correct assumption, until an assessment is performed an asset owner does not have a true evaluation of network connectivity. The DHS CSSP has highlighted many types of connections within the control systems environment (historian servers, modems, service agreements, engineering workstations, corporate connectivity, etc.) that some asset owners did not originally recognize as providing external connectivity.

If it is determined that no external connectivity exists, the CS2SAT can still be used to evaluate the baseline control systems environment and address many of the common cyber security issues (loss of life, economic impact, environment impact, internal operational security, and cyber policies).

Our company does not use any of the standards included in CS2SAT. Will CS2SAT be beneficial to my organization?

While your organization may not be required to follow any of the standards incorporated into the CS2SAT, basing security decisions on standards or industry accepted practices ensures that control system security is addressed in a consistent and industry acceptable manner.
