Control System Cyber Security Self-Assessment Tool (CS²SAT)

• Purpose
• How It Works
• Become a CS²SAT Distributor
• Download CS²SAT Brochure
• CS²SAT FAQs

Introduction

The Control Systems Cyber Security Self Assessment Tool (CS²SAT) incorporates and utilizes a comprehensive set of cyber security recommendations based on available and emerging standards in the control system community. This information is incorporated into the tool, which provides a user-friendly interface for users to systematically retrieve requirements specific to their control system network. The CS²SAT incorporates feedback from the control systems security community during the beta testing. The CS²SAT is available to the Federal government from the Department of Homeland Security (DHS) Control Systems Security Program on compact disc or through approved licensed distributors. The CS²SAT provides an excellent means to perform a self-assessment of the security posture of your control system environment.

The CSSP has completed beta testing with asset owners and system vendors and has released Version 1.0.1.

Distributors and Approved Licensees:

Department of Homeland Security
Agencies that manage or operate federally owned facilities may obtain and use the CS²SAT at no cost. To obtain a copy please send an email to: cssp@dhs.gov

Lofty Perch
http://www.loftyperch.com/cs2sat.html
1-888-GO-LOFTY

Automation Standards Compliance Institute ISA
http://www.isa.org/CS2SAT
(919) 549-8411

Purpose

The CS²SAT provides users with a systematic and repeatable approach for assessing the cyber security posture of their industrial control system networks. The CS²SAT was developed under the direction of the DHS Control Systems Security Program (CSSP) by cyber security experts from national laboratories and with assistance from the National Institute of Standards and Technology.

The CS²SAT is a desktop software tool which guides users through a step-by-step process to assess their control system network and then makes appropriate recommendations for improving the system's cyber security posture based upon recognized security standards. The tool derives its recommendations from a database of cyber security practices, which have been adapted specifically for application to industry control system networks and components. Each recommendation is linked to a set of actions that can be applied to remediate specific security vulnerabilities.

Back to top.

How it Works

Consequence Analysis helps the user analyze the criticality of a site or facility relative to the potential negative consequences of a successful cyber attack. This element contains a questionnaire to assist the user to determine the potential losses that could occur from a compromised control system in terms of economic losses, death or injury, and environmental impacts. Once the user has responded to a series of questions, the Consequence Analysis element calculates a recommended minimum security assurance level (SAL) for the facility or subsystem. The SAL indicates the recommended level of rigor needed to protect against the anticipated consequences of a compromised system.

Network Topology helps the user identify the network architecture and components that are critical to the system’s cyber security boundary and posture. This element contains a graphical user interface, which allows the user to load the control system network topology (including criticality levels) into the tool’s software. An icon palette is provided for the various system components and the application allows the user to drag and drop the components into a representative diagram.

Requirements Questionnaire generates a set of questions based on the specific Network Topology and Consequence Analysis responses entered by the user. The tool guides the user through the questions and then the user selects the best answer to each question based on the control system's configuration and implementation of security polices and practices. The tool compares the user's answers with the recommended standards for the selected security assurance level.

Assessment Report provides a prioritized list of control systems security recommendations from the results of the questionnaire. The recommendations provide the user with a systematic approach to address control systems security improvements based on the greatest potential to reduce the risk of a successful cyber attack.

Back to top.

Becoming a CS²SAT Distributor

The CS²SAT is copyrighted software code available to end users through licensed distributors. Under direction of the DHS and pursuant to its contract with U.S. Department of Energy (DOE) at the Idaho National Laboratory, Battelle Energy Alliance (BEA) desires to grant licenses to additional and qualified distributors. In particular, BEA is seeking partners who will promote and support the tool's widespread use in each of the DHS designated critical infrastructure sectors.

In order to become a CS²SAT Distributor, commercialization partners would have some or all of the following control systems security qualifications:

• Experience in a control system and/or cyber security related business
• Demonstrated ability to bring new software tools to the market
• Resources to make a significant investment in the marketing and support of this tool
• Access to an established base of potential users in one or more critical infrastructure sector(s)

For information about becoming a licensed distributor of the CS²SAT, email us at: cssp@dhs.gov

Back to top.