What You Should Know About the New Cyber Security Evaluation Tool Model
Key Takeaway: CISA’s Cyber Security Evaluation Tool (CSET) now includes a Ransomware Readiness Assessment (RRA) module with free, comprehensive tools to evaluate and strengthen cybersecurity posture against evolving threats.
Key Terms
Cybersecurity and Infrastructure Security Agency (CISA): The federal agency responsible for protecting critical infrastructure.
Cyber Security Evaluation Tool (CSET): A free desktop application for assessing cybersecurity posture.
Ransomware Readiness Assessment (RRA): A new CSET module specifically designed to evaluate ransomware defenses.
Industrial Control Systems (ICS): Specialized computer systems used to control industrial processes.
Security Assurance Level (SAL): The recommended level of cybersecurity based on potential attack consequences.
What Is a Cybersecurity Evaluation?
A cybersecurity evaluation is an assessment of an organization’s IT systems, processes, and procedures. It identifies potential vulnerabilities and cybersecurity risks.
The main goal is to assess the effectiveness of existing security measures. Organizations use evaluations to identify weaknesses in their security posture and strategize risk mitigation approaches to protect against cybersecurity threats.
How Do You Evaluate Cybersecurity?
The scope and complexity of cybersecurity evaluations vary, but these are the basic steps.
Step 1: Define Scope and Objectives
Identify the systems, networks, and applications to evaluate. Consider specific objectives when choosing, such as identifying vulnerabilities, testing security controls, or assessing regulatory compliance.
Step 2: Conduct a Risk Assessment
To conduct a cyber risk assessment, first identify potential threats, vulnerabilities, and risks to information assets. Assess the likelihood and potential harm of security incidents, including cyber attacks, data breaches, and system failures.
For a comprehensive approach to cybersecurity risk analysis, organizations should use systematic methodologies that align with industry standards.
Example: In our assessments, we often discover that sensitive customer data is vulnerable to theft through phishing attempts, which could result in reputation damage and financial loss.
Step 3: Review Policies and Procedures
Review security policies and procedures related to access controls, incident response, data protection, and employee training. Make sure measures are comprehensive, relevant, and effective.
Step 4: Assess Network Architecture
Review the network architecture to identify potential vulnerabilities and weaknesses. Assess the design, configuration, and security measures to protect against data breaches and unauthorized access.
Example: During network architecture reviews, we frequently find improperly configured firewalls that leave networks vulnerable to external attacks.
Step 5: Review Software and Hardware Systems
Evaluate the security measures built into applications and operating systems, and review the security of third-party software and hardware. Security vulnerability assessments help identify outdated or unsupported hardware and software so it can be removed, reducing the organization's exposure.
Step 6: Perform Penetration Testing
Penetration testing looks for and tries to exploit vulnerabilities in IT systems. This allows organizations to address weaknesses before attackers can exploit them. It can be done internally by IT experts or externally by ethical hackers hired for this process.
After thoroughly evaluating cybersecurity posture, create a risk remediation plan and prioritize activities based on risk level and potential impact on operations and reputation.
What Is a Cybersecurity Test?
A cybersecurity test helps IT professionals gauge the effectiveness of a company’s cybersecurity defenses. It identifies vulnerabilities that malicious actors might exploit. Organizations can use comprehensive cybersecurity audit checklists to ensure the evaluation is thorough.
Cybersecurity tests use several methods, including penetration testing, network vulnerability assessments, social engineering testing, and red team testing.
Understanding CISA and CSET
What Is CISA?
In 2018, the Cybersecurity and Infrastructure Security Agency (CISA) was established under the Department of Homeland Security (DHS) when the Cybersecurity and Infrastructure Security Agency Act was signed into law.
CISA anticipates, prioritizes, and manages risks to national-level industrial control systems (ICS). The agency promotes collaborative efforts between government and industry to improve cybersecurity across all government levels.
What Is the Cyber Security Evaluation Tool (CSET)?
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) developed the Cyber Security Evaluation Tool (CSET) for industrial control systems. CSET is a systematic, disciplined approach to evaluating organizational security posture.
The CSET desktop software tool guides asset owners and operators through a step-by-step process. It evaluates industrial control system (ICS) and IT network security practices against recognized government and industry standards and recommendations.
How Does CSET Work?
CSET begins by asking detailed questions about system components, architectures, operational policies, and procedures. Once the questionnaires are complete, CSET provides dashboard charts that show strengths and weaknesses, plus prioritized recommendations for improving cybersecurity posture.
The final report includes recommendations, common practices, compensating actions, and suggested enhancements. Organizations can compare, merge, and trend multiple assessments to understand past and present cybersecurity posture.
What Can CSET Do for Your Organization?
CSET has several key capabilities:
- Consistent method of evaluating control system networks as part of comprehensive cybersecurity assessments
- Standards-based cybersecurity recommendations
- Standards-based information analysis reporting
- Baseline cybersecurity posture establishment
What Are CSET’s Limitations?
CSET cannot, however:
- Validate accuracy of user inputs
- Assure compliance with organizational or regulatory cybersecurity policies
- Guarantee implementation of cybersecurity enhancements
- Identify all known cybersecurity vulnerabilities
Getting Started With Your CSET Assessment
Organizations can benefit from CSET assessments by following these step-by-step instructions.
Select Standards
Decide which government or industry-recognized cybersecurity standards you want to meet. CSET generates questions specific to those requirements. Available standards include:
- DHS Catalog of Control Systems Security: Recommendations for Standards Developers
- NERC Critical Infrastructure Protection (CIP) Standards 002-009
- NIST Special Publication 800-82, Guide to Industrial Control Systems Security
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
- NIST Cybersecurity Framework (CSF)
- NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities
- Committee on National Security Systems Instruction (CNSS) 1253
- INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry
- NISTIR 7628 Guidelines for Smart Grid Cyber Security
Organizations should understand that while some NIST compliance is mandatory for federal agencies and contractors, many private sector organizations voluntarily adopt these frameworks for enhanced security.
Determine Your Assurance Level
Determine your security assurance level (SAL). Your organization’s SAL depends on potential consequences of successful cyberattacks on your ICS organization, facility, system, or subsystem. SAL can be selected or calculated, and recommendations for cybersecurity rigor levels for worst-case event protection will be provided.
Create the Diagram
Use the CSET graphical interface to diagram network topology and identify network component “criticality.” Create diagrams from scratch, import pre-built template diagrams, or import existing MS Visio diagrams. Define cybersecurity zones, critical components, and network communication paths using the icon palette.
Answer the Questions
Using selected security standards, SAL, and network topology, CSET generates specific questions. Assessment teams should select the best answers for each question based on the organization’s network configuration and security policies. Enter notes, attach files to questions, or flag them for further review.
Review Analysis and Reports
The analysis dashboard creates graphs and tables of assessment results in summary and detailed form. You can easily filter the content or examine detailed information. The dashboard displays top areas of concern prioritized based on current threat information.
Best Practice: To get the most out of CSET assessments, we recommend selecting assessment teams from multiple organizational areas to review policies, network topology diagrams, inventory lists, previous risk assessments, and IT and ICS network policies.
All About the Ransomware Readiness Assessment
What Is the Ransomware Readiness Assessment (RRA)?
CISA offers a Ransomware Readiness Assessment (RRA), which is a CSET module that tests how well a network can protect against and recover from ransomware attacks. It also provides advice for improvements.
The self-assessment tool is accessible by desktop software and applies to both IT and ICS networks. It evaluates organizational cybersecurity strategy based on government and industry recommendations and standards.
How Does the RRA Work?
Like CSET, the CISA RRA tool asks users to answer questions about their cybersecurity policies to help improve defenses against ransomware. The RRA tool begins with basic questions, then moves to intermediate and advanced questions with tutorials.
The RRA provides users with ransomware threat readiness evaluation in a systematic, disciplined, and repeatable manner. It assesses operational technology (OT) and IT network security practices, delivering an analysis dashboard with graphs and tables to view assessment results.
Why Is the RRA Important?
The introduction of this tool shows that the United States considers cybersecurity a national security priority. The government has taken a stronger stance against ransomware by recognizing the importance of protecting critical infrastructure and business operations.
Following high-profile ransomware attacks against organizations like Colonial Pipeline, the U.S. government encourages organizations to strengthen their network defenses. The RRA tool helps organizations accomplish this goal.
CISA strongly encourages all organizations to take the Ransomware Readiness Assessment, regardless of the state of their current cybersecurity strategy. The tool covers several levels of ransomware threat readiness, so all organizations can use it.
Using ZenGRC for Risk and Compliance
Once you’ve used CSET and the RRA tool to establish your organization’s cybersecurity posture, you need to create a cybersecurity risk management program. It should continuously monitor networks and IT systems and maintain strict internal and external access control.
Key ZenGRC Capabilities
ZenGRC’s unified control management lets organizations map controls across multiple frameworks to see the strengths and weaknesses of their defenses. A centralized dashboard provides key metrics for building compliance programs that reflect the protection your information security program actually provides.
The platform helps organizations calculate risk across connections, including systems, business divisions, and controls. It uses customizable risk calculations with multivariable scoring, including SCF and NIST frameworks, Cyber Risk Catalog, RISQ Management Enterprise registers, and CIS-RAM Simplified and RISQ calculation methods.
Continuous risk monitoring surfaces compliance-related risks with intuitive and automated alerts and workflows. Organizations can catch and remediate risks with real-time updates.
Simple deployment means organizations can quickly set up risk management and compliance programs in as little as six to eight weeks. This allows teams to focus on the security in information security compliance.
Frequently Asked Questions
What is CISA’s Cyber Security Evaluation Tool (CSET)? CSET is a free desktop software tool developed by CISA that guides organizations through evaluating their industrial control system (ICS) and IT network security practices. It uses recognized government and industry standards.
What is the Ransomware Readiness Assessment (RRA)? RRA is a module in CSET that lets organizations test how well their networks can protect against and recover from ransomware attacks, and it provides advice for improvements.
How much does CSET cost to use? CSET is free and can be used by organizations in all sectors to evaluate their ICS and IT networks.
What cybersecurity standards does CSET support? CSET supports multiple standards including NIST Cybersecurity Framework, NIST 800-82, NIST 800-53, NERC CIP Standards, and others tailored to different industries and requirements.
Who should use CSET and RRA tools? All organizations, regardless of size or industry, can benefit from CSET and RRA tools. CISA strongly encourages all organizations to use these free assessment tools to improve their cybersecurity posture.
Take Control of Your Cybersecurity with ZenGRC
Modern organizations need integrated solutions that build upon foundational tools like CSET and RRA to maintain continuous security posture monitoring and improvement.
ZenGRC helps your security and compliance teams manage information security risks across the business with a single, integrated platform. It provides greater visibility to better manage risks and mitigate business exposure, so you can stay ahead of ever-evolving security threats.
Are you ready to create a comprehensive cybersecurity risk management program that goes beyond basic assessments? Schedule a demo.