High Level Cyber Security Assessment - Detailed Report

Upload: dobieemartin

Post on 03-Jun-2018


  • 8/12/2019 High Level Cyber Security Assessment - Detailed Report

    1/57

    February 01, 2012

    Assessor: J. Doe

    High Level Cyber Security


    Advisory

    CSET is only one component of the overall cybersecurity picture and should be complemented with a robust cybersecurity program within the organization. A self-assessment with CSET cannot reveal all types of security weaknesses, and should not be the sole means of determining an organization's security posture.

    The tool will not provide an architectural analysis of the network or a detailed network hardware/software configuration review. It is not a risk analysis tool so it will not generate a complex risk assessment. CSET is not intended as a substitute for in depth analysis of control system vulnerabilities as performed by trained professionals. Periodic onsite reviews and inspections must still be conducted using a holistic approach including facility walkdowns, interviews, and observation and examination of facility practices. Consideration should also be given to additional steps including scanning, penetration testing, and exercises on surrogate, training, or non-production systems, or systems where failures, unexpected faults, or other unexpected results will not compromise production or safety.

    CSET assessments cannot be completed effectively by any one individual. A cross-functional team consisting of representatives from operational, maintenance, information technology, business, and security areas is essential. The representatives must be subject matter experts with significant expertise in their respective areas. No one individual has the span of responsibility or knowledge to effectively answer all the questions.

    Data and reports generated by the tool should be managed securely and marked, stored, and distributed in a manner appropriate to their sensitivity.


    Table of Contents

    Assessment Information ............................................ 1
    Executive Summary ................................................. 2
    Introduction ...................................................... 3
    Evaluation Against Selected Standards and Question Sets ........... 6
    Standards Compliance - Key Reqs ................................... 7
    Calculated General Security Assurance Levels ...................... 8
    Ranked Subject Areas .............................................. 9
    Key Reqs Gap Analysis Report ..................................... 10
    Key Reqs Questions and Answers ................................... 31


    Assessment Information

    Assessment Name: High Level Cyber Security Assessment

    Assessment Date, (MM/DD/YYYY): 02/01/2012

    Facility Name: ABC Manufacturing - Complex A

    City or Site Name: Industry City

    State, Province or Region: CA

    Principal Assessor Name: J. Doe

    Assessor E-mail: [email protected]

    Assessor Telephone: (555) 555-1212

    Description of Assessment: This report presents the results of a cyber security assessment performed using the Cyber Security Evaluation Tool (CSET), a stand alone, desktop software application developed for the U.S. Department of Homeland Security (DHS). Before generating this report, the assessor was presented with a list of recognized industrial and governmental standards, guidelines, and best practices. A series of requirements-based questions were generated for each selected standard. If a network topology diagram was created, component-specific questions were also generated. The tool then combined the answered questions with encoded weights and ranking values to determine the facility's cyber security posture.

    Additional Notes and Comments:

    (1) Name, Title and Role of Contact: J.T. Langill, ICS Cyber Security Specialist, SCADAhacker, Outside Consultant

    (2) Name, Title and Role of Contact:

    (3) Name, Title and Role of Contact:

    (4) Name, Title and Role of Contact:

    Other Contacts used in Assessment:

    Assessment Information - 03/01/2012 Page 1 of 54


    Executive Summary

    This report presents the results of a cyber security assessment performed using the Cyber Security Evaluation Tool (CSET), a stand alone, desktop software application developed for the U.S. Department of Homeland Security (DHS). Before generating this report, the assessor was presented with a list of recognized industrial and governmental standards, guidelines, and best practices. A series of requirements-based questions were generated for each selected standard. If a network topology diagram was created, component-specific questions were also generated. The tool then combined the answered questions with encoded weights and ranking values to determine the facility's cyber security posture.

    Cyber terrorism is a real and growing threat. Standards and guides have been developed, vetted, and widely accepted to assist with protection from cyber attacks. The Cyber Security Evaluation Tool (CSET) includes a selectable array of these standards for a tailored assessment of cyber vulnerabilities. Once the standards were selected and the resulting question sets answered, the CSET created a compliance summary, compiled variance statistics, ranked top areas of concern, and generated security recommendations.

    The compliance summary charts below provide a high level overview of assessment results. The Summary Percent Compliance chart shows overall security status as well as a breakdown between compliance to selected standards (known as administrative) and compliance of those components depicted on the network diagram. The next two sets of graphs provide greater detail on compliance to selected standards and component compliance.

    The Areas of Concern - Top Subject and Question section lists the five areas of greatest vulnerability. Addressing these areas quickly will provide the greatest return on investment.


    Introduction

    The Cyber Security Evaluation Tool (CSET) provides (1) a framework for analyzing control system component security vulnerabilities and (2) a consistent and technically sound methodology to identify, analyze, and communicate to security professionals the overall security posture of the control or information system under evaluation.

    Background

    Before generating this report, the user selects the standards against which the subject control system should be evaluated. Based on that selection, the tool displays a questionnaire for each standard. If the user elects to evaluate the components in the subject control system and has, therefore, created a component diagram to represent the control system, the tool auto-generates a questionnaire containing questions for each of the components in the diagram.

    The user's answers to the questions determine the system's compliance to the selected standards. The tool accomplishes this by assigning a compliance level to each selected answer and comparing it against a user-selected security level. The method of specifying the security level varies, depending on the standards selected by the user. For NIST and DoD standards, it is assumed that the required security levels are known and fixed, so the user has to specify these levels before answering any questions. For the NERC and CAG standards, the results are pass or fail, so the user does not need to specify a security level. For the ISO standard and component questionnaire, the user has to specify a numeric security level prior to generating this report. To assist in determining the numeric security level, a General Security Assurance Level (SAL) questionnaire requests the user to evaluate various consequences of a compromised control system.

    Scope

    This report presents the results of the completed assessment. The sections included may vary, depending on the

    standards selected by the user at the start of the assessment and the subreports selected prior to report generation. The

    sections that may be included in this report are described below.

    Assessment Information

    This section contains the assessment information supplied by the user.

    Document Library

    This section contains a list of documents and other files that are saved with the assessment.

    Description of Assessment

    This section contains a brief description of the assessment process.

    Executive Summary

    This section contains the executive summary text as modified by the user.

    Summary Reports

    These sections provide the self-assessment team and senior management with a snapshot of the overall security status. Each selected standard is shown on a separate bar chart that shows the percentage of questions that passed in specific subject areas.


    Component Diagram

    The user-created network diagram is displayed on a single page.

    Network Summary Reports

    These sections provide the self-assessment team and senior management with a snapshot of the overall security status of the network as depicted on the user-created network diagram. Any warnings or recommendations found during the network analysis are also listed in this section.

    Security Assurance Levels

    This section contains the results of the General, NIST, and DoD SAL questionnaire(s).

    Ranked Subject Areas

    This chart groups all of the selected standard questions into common subject areas and ranks the selected answers. Subject areas at the top of the chart should be addressed first.

    Gap Analysis

    This section lists those standards-based and component questions the answers of which did not meet the minimum level of rigor needed to comply with the associated requirement at the selected security levels. Any unanswered question is included as a gap. Each section is specific to the standard selected. Color codes are included to present the full compliance picture for each question. Both the subject question and the requirement are shown to help the user put the provided information into context. The questions, except for NERC and CAG questions, are assigned a target percentage that constitutes a rough measure of how well the question satisfies the associated requirement. For some standards, the target percentage is also adjusted to reflect the criticality of the requirement. The tool sorts the questions within a component using this percentage, where the least compliant questions are displayed first.

    This section may also include a top-20 gap analysis for components, which lists the 20 questions that have the smallest target percentage (are least compliant) across all the components. The target value is adjusted to some extent by both the criticality of the requirement and the importance of the component. The component's importance is the priority value assigned to it when it was inserted into the diagram.

    Requirements and Questions

    This section contains information related to compliance to each requirement of the NERC/CIP 002-009 standard. It lists the requirement text, along with all questions associated with the requirement and the selected answers, in the same order as the parent standard. Color indicators denote compliance.

    Questions and Answers

    These sections summarize and group the answered questions (including component questions) and the supplied answers. A color code is provided as an indication of compliance. Any comments or documents saved with the questions are presented here.

    Question Comments

    This section simply shows any user comments that were associated with a standard's questions.


    Compensating Control Comments

    This section displays the questions and comments associated with answers that specify compensating security controls that are being used in lieu of the NIST SP800-53 Appendix I recommended controls.

    Questions Marked for Review

    If a user would like to return to a question shortly after assessment completion, the tool allows the user to specifically mark it for easy identification. A list of marked questions is included in this section along with any added comments discussing why the question was marked.

    Summary

    CSET is meant to broadly cover areas of potential risk across your control or information system rather than provide an in-depth analysis of a particular technology or process. To that end, this report should be used as a preliminary guide to help you focus on specific areas that require more rigorous attention. It cannot replace a focused assessment performed by trained assessment professionals.


    Evaluation Against Selected Standards and Question Sets

    Key Reqs


    Standards Compliance - Key Reqs


    Calculated General Security Assurance Levels

    Question Name               Answer    Level
    On-Site Injury Potential
    On-Site Injury (Hospital)
    On-Site Death Potential
    Site Capital Assets
    Site Economic Impact
    Site Env Cleanup
    Off-Site Injury Potential
    Off-Site Injury Hospital
    Off-Site Death Potential
    Off-Site Capital Assets
    Off-Site Economic Impact
    Off-Site Env Cleanup

    NIST SP800-60 (FIPS 199) Based Security Assurance Levels

    Name              Level
    Confidentiality   Moderate
    Integrity         High
    Availability      High

    DoD 8500.1 Based Security Assurance Levels

    Name                        Level
    Confidentiality Selection
    MAC Level Selection

    Calculated Level: 0


    Ranked Subject Areas

    This graph shows areas needing the most attention. It represents the total (100%) of the security variances identified ranked by area. Each of the area bars represents the percentage of the total security variances that were identified in that particular area. The security variance is a combination of both the importance of the requirement missed and the area of concern.


    Key Reqs Gap Analysis Report

    Rank: 8 Requirement: Administrative-2.1.1 Subject: Security Policy & Procedures

    Requirement: The organization develops, implements, and periodically reviews and updates:
    1. A formal, documented, control system security policy that addresses:
       a. The purpose of the security program as it relates to protecting the organization's personnel and assets.
       b. The scope of the security program as it applies to all organizational staff and third-party contractors.
       c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments.
    2. Formal, documented procedures to implement the security policy and associated requirements. A control system security policy considers controls from each family contained in this document.

    Question: 1. How does the organization implement security policies and procedures?

    Level Answer(s)

    Not Met: The organization does not implement security policy and procedures as defined.

    Low, Moderate, High, Very High (the same answer text applies at each of these four levels):
    - The organization develops, implements, and periodically reviews and updates a formal, documented, system security policy that addresses: a. The purpose of the security program as it relates to protecting the organization's personnel and assets, b. The scope of the security program as it applies to all organizational staff and third-party contractors, and c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments.
    - The organization develops, implements, and periodically reviews and updates formal, documented procedures to implement the security policy and associated requirements. A control system security policy considers controls from each family contained in this document.

    Level Specific Requirement:

    The organization develops, implements, and periodically reviews and updates:
    1. A formal, documented, control system security policy that addresses:
       a. The purpose of the security program as it relates to protecting the organization's personnel and assets.
       b. The scope of the security program as it applies to all organizational staff and third-party contractors.
       c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments.
    2. Formal, documented procedures to implement the security policy and associated requirements. A control system security policy considers controls from each family contained in this document.

    Rank: 15 Requirement: Administrative-2.5.4 Subject: System & Services Acquisition

    Requirement: The organization includes the following requirements and specifications, explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards:
    - Security functional requirements/specifications
    - Security-related documentation requirements
    - Developmental and evaluation-related assurance requirements.
    Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system.
    Requirements Enhancement 2 - The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls employed within the control system (including functional interfaces among control components).
    Requirements Enhancement 3 - The organization limits the acquisition of commercial technology products with security capabilities to products that have been evaluated and validated through a government-approved process.

    Question: 12. How does the organization include requirements/specifications in acquisition contracts?

    Level Answer(s)

    Not Met: Acquisition contracts do not include the defined requirements.

    Low:
    - The organization includes security functional requirements and specifications explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - The organization includes security-related documentation requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - The organization includes developmental and evaluation-related assurance requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.

    Moderate:
    - The organization includes security functional requirements and specifications explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - The organization includes security-related documentation requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - The organization includes developmental and evaluation-related assurance requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system.

    High:
    - The organization includes security functional requirements and specifications explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - The organization includes security-related documentation requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - The organization includes developmental and evaluation-related assurance requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system.
    - Requirements Enhancement 2 - The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls employed within the control system (including functional interfaces among control components).

    Very High:
    - The organization includes security functional requirements and specifications explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - The organization includes security-related documentation requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - The organization includes developmental and evaluation-related assurance requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.
    - Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system.
    - Requirements Enhancement 2 - The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls employed within the control system (including functional interfaces among control components).
    - Requirements Enhancement 3 - The organization limits the acquisition of commercial technology products with security capabilities to products that have been evaluated and validated through a government-approved process.

    Level Specific Requirement:

    The organization includes the following requirements and specifications, explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards:
    - Security functional requirements/specifications
    - Security-related documentation requirements
    - Developmental and evaluation-related assurance requirements.
    Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system.

    Rank: 11 Requirement: Administrative-2.6.2 Subject: Configuration Management

    Requirement: The organization develops, documents, and maintains a current baseline configuration of the control system and an inventoryof the system's constituent components.Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of controlsystem component installations.Requirement Enhancement 2 - The organization employs automated mechanisms to maintain an up-to-date, complete,accurate, and readily available baseline configuration of the control system.Requirement Enhancement 3 - The organization maintains a baseline configuration for development and test environmentsthat is managed separately from the operational baseline configuration.Requirement Enhancement 4 - The organization employs a deny-all, permit-by-exception authorization policy to identify

    software allowed on organizational control systems.Question: 18. How does the organization implement a system baseline?

    Level Answer(s)

    Not Met The configuration baseline is not implemented as defined.

    Low The organization develops, documents, and maintains a current baseline configuration of the control system andan inventory of the system's constituent components.

    Key Reqs Gap Analysis Report - 03/01/2012 Page 12 of 54

  • 8/12/2019 High Level Cyber Security Assessment - Detailed Report

    16/57

    Moderate The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components.

    Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations.

    High The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components.

    Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations.

    Requirement Enhancement 2 - The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the control system.

    Requirement Enhancement 3 - The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.

    Requirement Enhancement 4 - The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed on organizational control systems.

    Very High The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components.

    Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations.

    Requirement Enhancement 2 - The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the control system.

    Requirement Enhancement 3 - The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.

    Requirement Enhancement 4 - The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed on organizational control systems.

    Level Specific Requirement:

    The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components.
    Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations.
    Requirement Enhancement 2 - The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the control system.
    Requirement Enhancement 3 - The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.
    Requirement Enhancement 4 - The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed on organizational control systems.
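The automated baseline mechanism (Enhancement 2) and the deny-all, permit-by-exception software policy (Enhancement 4) are what a control-system owner most often has to build rather than buy. The following is an added example, not part of the CSET report or the tool: a stored baseline records the SHA-256 of each approved configuration file and the set of permitted software per component, and a check recomputes the live state and reports drift (modified, missing, or unexpected configuration; software not on the permit list). Component name, file paths, package names and file contents are constructed sample data.

```python
"""Baseline-configuration drift and software allow-list check (added example)."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ComponentBaseline:
    """Approved state of one control-system component (constructed: an HMI)."""
    name: str
    config_hashes: dict   # path -> sha256 of the approved file content
    allowed_software: set  # permit-by-exception list; everything else is denied


@dataclass
class DriftReport:
    component: str
    modified: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    unexpected_files: list = field(default_factory=list)
    unauthorized_software: list = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.modified or self.missing
                    or self.unexpected_files or self.unauthorized_software)


def build_baseline(name, config_files: dict, allowed_software) -> ComponentBaseline:
    """Capture a baseline from approved file contents (path -> bytes)."""
    return ComponentBaseline(
        name=name,
        config_hashes={p: sha256_hex(b) for p, b in config_files.items()},
        allowed_software=set(allowed_software),
    )


def check_drift(baseline: ComponentBaseline, current_files: dict,
                installed_software) -> DriftReport:
    """Compare the live state of a component against its baseline."""
    report = DriftReport(component=baseline.name)
    for path, approved in baseline.config_hashes.items():
        if path not in current_files:
            report.missing.append(path)
        elif sha256_hex(current_files[path]) != approved:
            report.modified.append(path)
    report.unexpected_files = sorted(set(current_files) - set(baseline.config_hashes))
    # Deny-all, permit-by-exception: anything not explicitly allowed is flagged.
    report.unauthorized_software = sorted(set(installed_software) - baseline.allowed_software)
    return report


# Constructed sample data: approved state of a hypothetical HMI workstation.
APPROVED_FILES = {
    "/etc/hmi/display.conf": b"refresh_ms=500\nalarm_banner=on\n",
    "/etc/hmi/network.conf": b"plc_host=10.0.0.5\nproto=modbus\n",
}
ALLOWED = {"hmi-runtime", "historian-agent", "openssh-server"}
BASELINE = build_baseline("HMI-01", APPROVED_FILES, ALLOWED)

# Constructed live state: one config edited, one missing, one extra file, one rogue package.
LIVE_FILES = {
    "/etc/hmi/display.conf": b"refresh_ms=500\nalarm_banner=off\n",
    "/etc/hmi/vendor-debug.conf": b"debug=1\n",
}
LIVE_SOFTWARE = {"hmi-runtime", "historian-agent", "openssh-server", "teamviewer"}


def sample_report() -> DriftReport:
    return check_drift(BASELINE, LIVE_FILES, LIVE_SOFTWARE)


if __name__ == "__main__":
    r = sample_report()
    print(f"{r.component}: clean={r.is_clean()}")
    print("modified:", r.modified)
    print("missing:", r.missing)
    print("unexpected files:", r.unexpected_files)
    print("unauthorized software:", r.unauthorized_software)
```

Enhancement 3 falls out of the same structure: the development and test environments get their own ComponentBaseline objects, stored and reviewed separately from the operational one, so a change approved for test never silently becomes the production reference.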

    Rank: 13 Requirement: Administrative-2.6.3 Subject: Configuration Management

    Requirement: The organization:
    1. Authorizes and documents changes to the control system.
    2. Retains and reviews records of configuration-managed changes to the system.
    3. Audits activities associated with configuration-managed changes to the system.
    Requirement Enhancement 1 - The organization employs automated mechanisms to:
    a. Document proposed changes to the control system.
    b. Notify appropriate approval authorities.
    c. Highlight approvals that have not been received in a timely manner.
    d. Inhibit change until necessary approvals are received.
    e. Document completed changes to the control system.
    Requirement Enhancement 2 - The organization tests, validates, and documents configuration changes (e.g., patches and updates) before installing them on the operational control system. The organization ensures that testing does not interfere with control system operations. The tester fully understands the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process.

    Question: 19. How does the organization implement configuration change control?

    Level Answer(s)

    Not Met Configuration change control is not implemented as defined.

    Low Configuration change control is not implemented as defined.

    Key Reqs Gap Analysis Report - 03/01/2012 Page 13 of 54


    Moderate The organization authorizes and documents changes to the control system.

    The organization retains and reviews records of configuration-managed changes to the system.

    The organization audits activities associated with configuration-managed changes to the system.

    High The organization authorizes and documents changes to the control system.

    The organization retains and reviews records of configuration-managed changes to the system.

    The organization audits activities associated with configuration-managed changes to the system.

    Requirement Enhancement 1 - The organization employs automated mechanisms to: a. document proposed changes to the control system, b. notify appropriate approval authorities, c. highlight approvals that have not been received in a timely manner, d. inhibit change until necessary approvals are received, and e. document completed changes to the control system.

    Requirement Enhancement 2 - The organization tests, validates, and documents configuration changes (e.g., patches and updates) before installing them on the operational control system. The organization ensures that testing does not interfere with control system operations. The tester fully understands the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process.

    Very High The organization authorizes and documents changes to the control system.

    The organization retains and reviews records of configuration-managed changes to the system.

    The organization audits activities associated with configuration-managed changes to the system.

    Requirement Enhancement 1 - The organization employs automated mechanisms to: a. document proposed changes to the control system, b. notify appropriate approval authorities, c. highlight approvals that have not been received in a timely manner, d. inhibit change until necessary approvals are received, and e. document completed changes to the control system.

    Requirement Enhancement 2 - The organization tests, validates, and documents configuration changes (e.g., patches and updates) before installing them on the operational control system. The organization ensures that testing does not interfere with control system operations. The tester fully understands the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process.

    Level Specific Requirement:

    The organization:
    1. Authorizes and documents changes to the control system.
    2. Retains and reviews records of configuration-managed changes to the system.
    3. Audits activities associated with configuration-managed changes to the system.
    Requirement Enhancement 1 - The organization employs automated mechanisms to:
    a. Document proposed changes to the control system.
    b. Notify appropriate approval authorities.
    c. Highlight approvals that have not been received in a timely manner.
    d. Inhibit change until necessary approvals are received.
    e. Document completed changes to the control system.
    Requirement Enhancement 2 - The organization tests, validates, and documents configuration changes (e.g., patches and updates) before installing them on the operational control system. The organization ensures that testing does not interfere with control system operations. The tester fully understands the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process.
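Enhancement 1 is only effective if item d is enforced by the mechanism itself rather than by procedure. The following is an added example, not code from the CSET report or the tool: a change request records its required approval authorities, refuses to apply the change until every approval is on file, highlights requests whose approvals are overdue, and writes every action (including blocked attempts) to an audit log that satisfies items 2 and 3 of the base requirement. Approver roles, the change description and the SLA are constructed; timestamps are plain integer seconds so the example runs without a clock.

```python
"""Approval-gated change control with an audit trail (added example)."""
from dataclasses import dataclass, field
from typing import Optional


class ChangeNotApproved(Exception):
    """Raised when apply() is attempted before all approvals are recorded."""


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    required_approvers: frozenset   # approval authorities (constructed roles)
    proposed_at: int
    approvals: dict = field(default_factory=dict)   # approver -> timestamp
    audit_log: list = field(default_factory=list)   # (timestamp, event)
    completed_at: Optional[int] = None

    def record(self, ts: int, event: str) -> None:
        """Item 2/3 of the base requirement: every action is retained for review."""
        self.audit_log.append((ts, event))

    def approve(self, approver: str, ts: int) -> None:
        if approver not in self.required_approvers:
            self.record(ts, f"rejected approval from unauthorized approver {approver}")
            raise PermissionError(f"{approver} is not an approval authority")
        self.approvals[approver] = ts
        self.record(ts, f"approved by {approver}")

    def pending_approvers(self) -> set:
        return set(self.required_approvers) - set(self.approvals)

    def is_approved(self) -> bool:
        return not self.pending_approvers()

    def overdue(self, now: int, sla_seconds: int) -> bool:
        """Enhancement 1c: highlight approvals not received within the SLA."""
        return not self.is_approved() and now - self.proposed_at > sla_seconds

    def apply(self, ts: int, do_change) -> None:
        """Enhancement 1d/1e: inhibit the change until approved, then document it."""
        if not self.is_approved():
            self.record(ts, f"apply blocked; awaiting {sorted(self.pending_approvers())}")
            raise ChangeNotApproved(self.change_id)
        do_change()
        self.completed_at = ts
        self.record(ts, "change applied")


def propose(change_id: str, description: str, approvers, ts: int) -> ChangeRequest:
    """Enhancement 1a: document the proposed change before anything else happens."""
    cr = ChangeRequest(change_id, description, frozenset(approvers), ts)
    cr.record(ts, f"proposed: {description}")
    return cr


def demo() -> ChangeRequest:
    """Constructed scenario: a PLC firmware update that needs two approvals."""
    applied = []
    cr = propose("CR-0042", "PLC-7 firmware 2.3 -> 2.4",
                 {"ops-lead", "security-officer"}, ts=0)
    cr.approve("ops-lead", ts=3600)
    # Only one of two approvals on file: the gate must block and log the attempt.
    try:
        cr.apply(ts=7200, do_change=lambda: applied.append("firmware"))
    except ChangeNotApproved:
        pass
    cr.approve("security-officer", ts=90000)
    cr.apply(ts=90100, do_change=lambda: applied.append("firmware"))
    assert applied == ["firmware"]   # the change ran exactly once, after approval
    return cr


if __name__ == "__main__":
    for ts, event in demo().audit_log:
        print(ts, event)
```

The point of the design is that `do_change` is only ever invoked from inside `apply()`, so there is no code path that modifies the control system without first passing the approval check and leaving a record.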

    Rank: 2 Requirement: Administrative-2.11.1 Subject: Security Awareness & Training

    Requirement: The organization develops, disseminates, and periodically reviews and updates:
    1. A formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
    2. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

    Question: 41. How does the organization implement security awareness and training policies and procedures?

    Level Answer(s)

    Not Met Security awareness and training policy and procedures are not implemented as defined.



    Low The organization develops, disseminates, and periodically reviews and updates a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

    The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

    Moderate The organization develops, disseminates, and periodically reviews and updates a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

    The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

    High The organization develops, disseminates, and periodically reviews and updates a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

    The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

    Very High The organization develops, disseminates, and periodically reviews and updates a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

    The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

    Level Specific Requirement:

    The organization develops, disseminates, and periodically reviews and updates:
    1. A formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
    2. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

    Rank: 12 Requirement: Administrative-2.12.15 Subject: Incident Response

    Requirement: The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable.
    Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards.
    Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions.
    Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.
    Requirement Enhancement 4 - The organization fully configures the alternate control center and telecommunications so that they are ready to be used as the operational site supporting a minimum required operational capability.
    Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

    Question: 46. How does the organization implement an alternate control center?

    Level Answer(s)

    Not Met An alternate control center is not implemented as defined.

    Low An alternate control center is not implemented as defined.



    Moderate The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable.

    Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards.

    Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions.

    Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.

    Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

    High The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable.

    Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards.

    Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions.

    Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.

    Requirement Enhancement 4 - The organization fully configures the alternate control center and telecommunications so that they are ready to be used as the operational site supporting a minimum required operational capability.

    Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

    Very High The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable.

    Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards.

    Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions.

    Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.

    Requirement Enhancement 4 - The organization fully configures the alternate control center and telecommunications so that they are ready to be used as the operational site supporting a minimum required operational capability.

    Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

    Level Specific Requirement:

    The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable.
    Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards.
    Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions.
    Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.
    Requirement Enhancement 4 - The organization fully configures the alternate control center and telecommunications so that they are ready to be used as the operational site supporting a minimum required operational capability.
    Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.



    Rank: 10 Requirement: Administrative-2.12.16 Subject: Incident Response

    Requirement: The organization:
    1. Conducts backups of user-level information contained in the system on an organization-defined frequency.
    2. Conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency.
    3. Protects the confidentiality and integrity of backup information at the storage location.
    Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity.
    Requirement Enhancement 2 - The organization selectively uses backup information in the restoration of control system functions as part of contingency plan testing.
    Requirement Enhancement 3 - The organization stores backup copies of the operating system and other critical control system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

    Question: 47. How does the organization implement system and user backups?

    Level Answer(s)

    Not Met System backups are not implemented as defined.

    Low The organization conducts backups of user-level information contained in the system on an organization-defined frequency.

    The organization conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency.

    The organization protects the confidentiality and integrity of backup information at the storage location.

    Moderate The organization conducts backups of user-level information contained in the system on an organization-defined frequency.

    The organization conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency.

    The organization protects the confidentiality and integrity of backup information at the storage location.

    Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity.

    High The organization conducts backups of user-level information contained in the system on an organization-defined frequency.

    The organization conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency.

    The organization protects the confidentiality and integrity of backup information at the storage location.

    Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity.

    Requirement Enhancement 2 - The organization selectively uses backup information in the restoration of control system functions as part of contingency plan testing.

    Requirement Enhancement 3 - The organization stores backup copies of the operating system and other critical control system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

    Very High The organization conducts backups of user-level information contained in the system on an organization-defined frequency.

    The organization conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency.

    The organization protects the confidentiality and integrity of backup information at the storage location.

    Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity.

    Requirement Enhancement 2 - The organization selectively uses backup information in the restoration of control system functions as part of contingency plan testing.

    Requirement Enhancement 3 - The organization stores backup copies of the operating system and other critical control system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

    Level Specific Requirement:

    The organization:
    1. Conducts backups of user-level information contained in the system on an organization-defined frequency.
    2. Conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency.
    3. Protects the confidentiality and integrity of backup information at the storage location.
    Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity.
    Requirement Enhancement 2 - The organization selectively uses backup information in the restoration of control system functions as part of contingency plan testing.
    Requirement Enhancement 3 - The organization stores backup copies of the operating system and other critical control system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

    Rank: 7 Requirement: Administrative-2.12.17 Subject: Incident Response

    Requirement: The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure.
    Requirement Enhancement 1 - The organization implements transaction recovery for systems that are transaction-based (e.g., database management systems).
    Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state.
    Requirement Enhancement 3 - The organization provides the capability to re-image system components in accordance with organization-defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

    Question: 48. How does the organization implement system recovery and reconstitution?

    Level Answer(s)

    Not Met Recovery and reconstitution controls are not implemented as defined.

    Low The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure.

    Moderate The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure.

    Requirement Enhancement 1 - The organization implements transaction recovery for systems that are transaction-based (e.g., database management systems).

    Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state.

    High The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure.

    Requirement Enhancement 1 - The organization implements transaction recovery for systems that are transaction-based (e.g., database management systems).

    Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state.

    Requirement Enhancement 3 - The organization provides the capability to re-image system components in accordance with organization-defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

    Very High The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure.

    Requirement Enhancement 1 - The organization implements transaction recovery for systems that are transaction-based (e.g., database management systems).

    Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state.

    Requirement Enhancement 3 - The organization provides the capability to re-image system components in accordance with organization-defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

    Level Specific Requirement:

    The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure.
    Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state.
    Requirement Enhancement 3 - The organization provides the capability to re-image system components in accordance with organization-defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.
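Two requirements above turn on the same mechanism: Administrative-2.12.16 asks that backup integrity be protected at the storage location and tested periodically (Enhancement 1), and Administrative-2.12.17 Enhancement 3 asks that re-imaging proceed only from integrity-protected images. The following is an added example, not from the CSET report or the tool, of how both are met with one artifact: at backup time a manifest records the SHA-256 of every backup object and is sealed with an HMAC under a key kept apart from the backup media; the same verification runs on the periodic test and as the gate before any restore or re-image. Artifact names and contents are constructed, and the key is a placeholder rather than a real secret.

```python
"""Integrity-protected backup manifest and pre-restore verification (added example)."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_manifest(artifacts: dict, key: bytes) -> bytes:
    """artifacts: name -> bytes. Returns the sealed manifest as JSON bytes.

    The HMAC covers the whole body, so an attacker with write access to the
    storage location cannot swap an image and update its hash to match.
    """
    body = {"artifacts": {n: sha256_hex(b) for n, b in sorted(artifacts.items())}}
    body_bytes = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, body_bytes, hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "hmac": tag}, sort_keys=True).encode()


def verify_manifest(manifest: bytes, artifacts: dict, key: bytes) -> dict:
    """Periodic integrity test. Returns manifest_ok, bad, missing and overall ok."""
    doc = json.loads(manifest)
    body_bytes = json.dumps(doc["body"], sort_keys=True).encode()
    expected = hmac.new(key, body_bytes, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, doc["hmac"])
    bad, missing = [], []
    if manifest_ok:  # only trust the recorded hashes once the seal has held
        for name, digest in doc["body"]["artifacts"].items():
            if name not in artifacts:
                missing.append(name)
            elif sha256_hex(artifacts[name]) != digest:
                bad.append(name)
    return {"manifest_ok": manifest_ok, "bad": bad, "missing": missing,
            "ok": manifest_ok and not bad and not missing}


def restore_allowed(manifest: bytes, artifacts: dict, key: bytes) -> bool:
    """Re-image gate: proceed only from a verified, integrity-protected image set."""
    return verify_manifest(manifest, artifacts, key)["ok"]


# Constructed sample backup set. The key is a placeholder; the assumption is that
# the real key lives in a separate facility or HSM, never beside the backups.
KEY = b"example-manifest-key-not-a-real-secret"
BACKUP = {
    "hmi-01.img": b"\x00golden image bytes\x00" * 4,
    "historian-db.bak": b"transaction log and tables",
    "plc-7.project": b"ladder logic project",
}
MANIFEST = write_manifest(BACKUP, KEY)


def tampered_backup() -> dict:
    """Constructed failure: a bit-flipped image and a deleted artifact."""
    t = dict(BACKUP)
    t["hmi-01.img"] = t["hmi-01.img"][:-1] + b"\x01"
    del t["plc-7.project"]
    return t


def forged_manifest() -> bytes:
    """Constructed failure: attacker rewrites a recorded hash without the key."""
    doc = json.loads(MANIFEST)
    doc["body"]["artifacts"]["hmi-01.img"] = sha256_hex(b"attacker image")
    return json.dumps(doc, sort_keys=True).encode()


if __name__ == "__main__":
    print("clean set restore allowed:", restore_allowed(MANIFEST, BACKUP, KEY))
    print("tampered set:", verify_manifest(MANIFEST, tampered_backup(), KEY))
    print("forged manifest:", verify_manifest(forged_manifest(), BACKUP, KEY))
```

A plain hash list would detect media corruption (Enhancement 1 of 2.12.16) but not a deliberate swap; the keyed seal is what makes the image set "integrity-protected" in the sense of 2.12.17 Enhancement 3, and its usefulness depends entirely on the key not being stored with the backups it protects.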



    Rank: 5 Requirement: Administrative-2.15.3 Subject: Access Control

    Requirement: The organization manages system accounts, including:
    1. Identifying account types (i.e., individual, group, and system).
    2. Establishing conditions for group membership.
    3. Identifying authorized users of the system and specifying access rights and privileges.
    4. Requiring appropriate approvals for requests to establish accounts.
    5. Authorizing, establishing, activating, modifying, disabling, and removing accounts.
    6. Reviewing accounts on a defined frequency.
    7. Specifically authorizing and monitoring the use of guest/anonymous accounts.
    8. Notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.
    9. Granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.
    Requirement Enhancement 1 - The organization employs automated mechanisms to support the management of system accounts.
    Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after a defined time period for each type of account.
    Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period.
    Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
    Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy.

    Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.
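Enhancements 2 through 5 describe an automated account-lifecycle job rather than a policy, and the detail that trips up control-system deployments is that service accounts never produce an interactive login and so must not be swept up by the inactivity rule. The following is an added example, not from the CSET report or the tool: a scheduled job over an account inventory that terminates temporary and emergency accounts past a per-type lifetime (Enhancement 2), disables inactive individual accounts (Enhancement 3), emits an audit event for every action (Enhancement 4), and produces the review list of accounts belonging to terminated or transferred users that are still enabled (Enhancement 5). Account records, lifetimes, the inactivity threshold and the dates are constructed sample data; in practice the source would be the directory or the control system's local account database.

```python
"""Automated account-lifecycle enforcement for control-system accounts (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed per-type lifetimes (Enhancement 2) and inactivity threshold (Enhancement 3).
LIFETIME_DAYS = {"temporary": 30, "emergency": 1}
INACTIVE_DAYS = 90


@dataclass
class Account:
    name: str
    kind: str                    # individual | group | system | temporary | emergency
    created: date
    last_login: Optional[date]   # None for accounts that never log in interactively
    enabled: bool = True
    user_status: str = "active"  # active | terminated | transferred (from an HR feed)


@dataclass
class AuditEvent:
    when: date
    account: str
    action: str
    reason: str


def enforce_lifecycle(accounts, today: date):
    """Apply the automated rules in place; return (audit_events, review_list)."""
    events, review = [], []
    for a in accounts:
        if not a.enabled:
            continue
        age = (today - a.created).days
        idle = (today - (a.last_login or a.created)).days
        if a.kind in LIFETIME_DAYS and age > LIFETIME_DAYS[a.kind]:
            a.enabled = False
            events.append(AuditEvent(today, a.name, "terminate",
                                     f"{a.kind} account exceeded {LIFETIME_DAYS[a.kind]} days"))
        elif a.kind != "system" and idle > INACTIVE_DAYS:
            # System/service accounts are exempt: they have no interactive logins,
            # so "inactive" would disable the historian or the HMI runtime itself.
            a.enabled = False
            events.append(AuditEvent(today, a.name, "disable",
                                     f"inactive for {idle} days"))
        if a.user_status in ("terminated", "transferred") and a.enabled:
            # Enhancement 5: surfaced for human review rather than changed silently,
            # since a transfer may legitimately retain some access.
            review.append(a.name)
    return events, review


# Constructed inventory as of the report date.
TODAY = date(2012, 3, 1)
SAMPLE = [
    Account("operator1", "individual", date(2010, 1, 5), TODAY - timedelta(days=2)),
    Account("vendor-tmp", "temporary", TODAY - timedelta(days=45), TODAY - timedelta(days=40)),
    Account("break-glass", "emergency", TODAY - timedelta(days=3), TODAY - timedelta(days=3)),
    Account("old-eng", "individual", date(2009, 6, 1), TODAY - timedelta(days=200)),
    Account("jsmith", "individual", date(2011, 2, 1), TODAY - timedelta(days=10),
            user_status="terminated"),
    Account("histsvc", "system", date(2011, 1, 1), None),
]


def run_sample():
    """Run the job on a copy of the constructed inventory."""
    accounts = [Account(**vars(a)) for a in SAMPLE]
    events, review = enforce_lifecycle(accounts, TODAY)
    return accounts, events, review


if __name__ == "__main__":
    accounts, events, review = run_sample()
    for e in events:
        print(e.when, e.account, e.action, e.reason)
    print("needs review:", review)
```

The audit events are the evidence for Enhancement 4 and feed the notification to account managers (item 8 of the base requirement); the review list is what the Enhancement 5 periodic review actually reads.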

    Question: 59. How does the organization manage information system accounts?

    Level Answer(s)

    Not Met Account management is not implemented as defined.

    Low The organization manages system accounts, including identifying account types (i.e., individual, group, and system).

    The organization manages system accounts, including establishing conditions for group membership.

    The organization manages system accounts, including identifying authorized users of the system and specifying access rights and privileges.

    The organization manages system accounts, including requiring appropriate approvals for requests to establish accounts.

    The organization manages system accounts, including authorizing, establishing, activating, modifying, disabling, and removing accounts.

    The organization manages system accounts, including reviewing accounts on an organization-defined frequency.

    The organization manages system accounts, including specifically authorizing and monitoring the use of guest/anonymous accounts.

    The organization manages system accounts, including notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.

    The organization manages system accounts, including granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.



    Moderate The organization manages system accounts, including identifying account types (i.e., individual, group, and system).

    The organization manages system accounts, including establishing conditions for group membership.

    The organization manages system accounts, including identifying authorized users of the system and specifying access rights and privileges.

    The organization manages system accounts, including requiring appropriate approvals for requests to establish accounts.

    The organization manages system accounts, including authorizing, establishing, activating, modifying, disabling, and removing accounts.

    The organization manages system accounts, including reviewing accounts on an organization-defined frequency.

    The organization manages system accounts, including specifically authorizing and monitoring the use of guest/anonymous accounts.

    The organization manages system accounts, including notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.

    The organization manages system accounts, including granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.

    Requirement Enhancement 1 - The organization employs automated mechanisms to support the management of system accounts.

    Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after an organization-defined time period for each type of account.

    Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period.

    Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.

    Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy.

    Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.

    High The organization manages system accounts, including identifying account types (i.e., individual, group, andsystem).

    The organization manages system accounts, including establishing conditions for group membership.

    The organization manages system accounts, including identifying authorized users of the system and specifyingaccess rights and privileges.

    The organization manages system accounts, including requiring appropriate approvals for requests to establishaccounts.

    The organization manages system accounts, including authorizing, establishing, activating, modifying, disabling,and removing accounts.

    The organization manages system accounts, including reviewing accounts on an organization-defined frequency.

    The organization manages system accounts, including specifically authorizing and monitoring the use ofguest/anonymous accounts.

    The organization manages system accounts, including notifying account managers when system users areterminated; transferred, or system usage or need-to-know/need-to-share changes.

    The organization manages system accounts, including granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteriaand intended system usage.

    Requirement Enhancement 1 - The organization employs automated mechanisms to support the management ofsystem accounts.

    Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after anorganization-defined time period for each type of account.

    Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period.

    Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, andtermination actions and notifies, as required, appropriate individuals.

    Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequencyto verify that temporary accounts and accounts of terminated or transferred users have been deactivated inaccordance with organizational policy.

    Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiersfor user electronic mail accounts.

    Key Reqs Gap Analysis Report - 03/01/2012 Page 20 of 54


    Very High The organization manages system accounts, including identifying account types (i.e., individual, group, and system).

    The organization manages system accounts, including establishing conditions for group membership.

    The organization manages system accounts, including identifying authorized users of the system and specifying access rights and privileges.

    The organization manages system accounts, including requiring appropriate approvals for requests to establish accounts.

    The organization manages system accounts, including authorizing, establishing, activating, modifying, disabling, and removing accounts.

    The organization manages system accounts, including reviewing accounts on an organization-defined frequency.

    The organization manages system accounts, including specifically authorizing and monitoring the use of guest/anonymous accounts.

    The organization manages system accounts, including notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.

    The organization manages system accounts, including granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.

    Requirement Enhancement 1 - The organization employs automated mechanisms to support the management of system accounts.

    Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after an organization-defined time period for each type of account.

    Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period.

    Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.

    Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy.

    Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.

    Level Specific Requirement:

    The organization manages system accounts, including:
    1. Identifying account types (i.e., individual, group, and system).
    2. Establishing conditions for group membership.
    3. Identifying authorized users of the system and specifying access rights and privileges.
    4. Requiring appropriate approvals for requests to establish accounts.
    5. Authorizing, establishing, activating, modifying, disabling, and removing accounts.
    6. Reviewing accounts on a defined frequency.
    7. Specifically authorizing and monitoring the use of guest/anonymous accounts.
    8. Notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.
    9. Granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.
    Requirement Enhancement 1 - The organization employs automated mechanisms to support the management of system accounts.
    Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after a defined time period for each type of account.
    Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period.
    Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
    Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy.
    Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.

    Rank: 3 Requirement: Administrative-2.15.4 Subject: Access Control

    Requirement: The organization manages system identifiers for users and devices by:
    1. Receiving authorization from a designated organizational official to assign a user or device identifier.
    2. Selecting an identifier that uniquely identifies an individual or device.
    3. Assigning the user identifier to the intended party or the device identifier to the intended device.
    4. Archiving previous user or device identifiers.

    Question: 60. How does the organization manage system identifiers for users and devices?


    Level Answer(s)

    Not Met Identifier management controls are not implemented as defined.

    Low The organization manages system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user or device identifier.

    The organization manages system identifiers for users and devices by selecting an identifier that uniquely identifies an individual or device.

    The organization manages system identifiers for users and devices by assigning the user identifier to the intended party or the device identifier to the intended device.

    The organization manages system identifiers for users and devices by archiving previous user or device identifiers.

    Moderate The organization manages system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user or device identifier.

    The organization manages system identifiers for users and devices by selecting an identifier that uniquely identifies an individual or device.

    The organization manages system identifiers for users and devices by assigning the user identifier to the intended party or the device identifier to the intended device.

    The organization manages system identifiers for users and devices by archiving previous user or device identifiers.

    High The organization manages system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user or device identifier.

    The organization manages system identifiers for users and devices by selecting an identifier that uniquely identifies an individual or device.

    The organization manages system identifiers for users and devices by assigning the user identifier to the intended party or the device identifier to the intended device.

    The organization manages system identifiers for users and devices by archiving previous user or device identifiers.

    Very High The organization manages system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user or device identifier.

    The organization manages system identifiers for users and devices by selecting an identifier that uniquely identifies an individual or device.

    The organization manages system identifiers for users and devices by assigning the user identifier to the intended party or the device identifier to the intended device.

    The organization manages system identifiers for users and devices by archiving previous user or device identifiers.

    Level Specific Requirement:

    The organization manages system identifiers for users and devices by:
    1. Receiving authorization from a designated organizational official to assign a user or device identifier.
    2. Selecting an identifier that uniquely identifies an individual or device.
    3. Assigning the user identifier to the intended party or the device identifier to the intended device.
    4. Archiving previous user or device identifiers.
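    Both the account management requirement above and the identifier management requirement (Administrative-2.15.4) state what must be verified but leave the mechanism to the organization. The script below is an added example, not code from the CSET report or from the catalog it cites, of the periodic review that Requirement Enhancements 2, 3, 5 and 6 of account management describe (stale temporary accounts, inactive accounts, accounts of terminated or transferred users, account identifiers reused as e-mail identifiers), together with the uniqueness check that items 2 and 4 of identifier management imply. The account inventory, the 90-day and 7-day thresholds, the identifiers and the archived-identifier set are all constructed for the example; a real run would read a directory export, /etc/passwd plus lastlog, or an HMI user table.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Organization-defined parameters. The values are assumptions for the example;
# the catalog leaves the frequencies and time periods to the organization.
TODAY = date(2012, 2, 1)   # review date (the report's assessment date)
INACTIVE_DAYS = 90         # disable after this many days without a login (RE 3)
TEMP_MAX_DAYS = 7          # maximum life of temporary/emergency accounts (RE 2)


@dataclass
class Account:
    ident: str                  # system account identifier
    kind: str                   # individual | group | system | temporary | emergency | guest
    enabled: bool
    created: date
    last_login: Optional[date]  # None = never logged in interactively
    owner_status: str           # active | terminated | transferred (from HR notification, item 8)
    email: Optional[str] = None


# Constructed sample inventory; not data from the assessed site.
ACCOUNTS: List[Account] = [
    Account("jsmith", "individual", True, date(2010, 5, 1), date(2012, 1, 30), "active",
            "john.smith@example.com"),
    Account("rjones", "individual", True, date(2010, 5, 1), date(2011, 9, 1), "terminated",
            "rjones@example.com"),
    Account("vendor-tmp", "temporary", True, date(2012, 1, 10), date(2012, 1, 12), "active"),
    Account("hmi-svc", "system", True, date(2009, 1, 1), None, "active"),
    Account("guest", "guest", True, date(2010, 1, 1), date(2012, 1, 31), "active"),
    Account("bwhite", "individual", False, date(2008, 3, 3), date(2011, 6, 1), "terminated"),
]

# Identifiers previously issued and since retired (identifier management, item 4).
# Kept so a retired identifier is never handed to a new person or device.
ARCHIVED_IDENTIFIERS: Set[str] = {"opr03", "hmi-old"}


def review(accounts: List[Account], today: date = TODAY,
           inactive_days: int = INACTIVE_DAYS,
           temp_max_days: int = TEMP_MAX_DAYS) -> Dict[str, List[str]]:
    """Return {identifier: [findings]} for enabled accounts that violate the policy."""
    findings: Dict[str, List[str]] = {}

    def flag(acct: Account, reason: str) -> None:
        findings.setdefault(acct.ident, []).append(reason)

    for a in accounts:
        if not a.enabled:
            continue  # already deactivated; nothing left to verify for RE 5
        if a.owner_status in ("terminated", "transferred"):
            flag(a, f"owner {a.owner_status} but account still enabled")
        if a.kind in ("temporary", "emergency") and (today - a.created).days > temp_max_days:
            flag(a, f"{a.kind} account older than {temp_max_days} days")
        if a.kind == "guest":
            flag(a, "guest/anonymous account enabled; needs explicit authorization and monitoring")
        # Service accounts rarely log in interactively, so an inactivity rule keyed on
        # last_login would flag every one of them; they need a separate ownership review.
        if a.kind != "system":
            last_seen = a.last_login or a.created
            if (today - last_seen).days > inactive_days:
                flag(a, f"no login for more than {inactive_days} days")
        if a.email and a.email.split("@", 1)[0] == a.ident:
            flag(a, "system account identifier reused as e-mail identifier")
    return findings


def identifier_is_assignable(ident: str, accounts: List[Account],
                             archived: Set[str]) -> bool:
    """A new identifier must be unique across current (enabled or not) and archived ones.

    Reusing a retired identifier lets the new holder inherit ACL entries, audit-trail
    history and mailbox rules left behind by the previous holder.
    """
    current = {a.ident for a in accounts}
    return ident not in current and ident not in archived


if __name__ == "__main__":
    for ident, reasons in review(ACCOUNTS).items():
        for r in reasons:
            print(f"{ident}: {r}")
    print("opr03 assignable:", identifier_is_assignable("opr03", ACCOUNTS, ARCHIVED_IDENTIFIERS))
```

    The review deliberately exempts system accounts from the inactivity rule rather than silently disabling service accounts that never log in interactively; those still need an owner and a documented purpose, which is a separate check. Disabled accounts are skipped but remain in the identifier pool, so a disabled identifier is as unassignable as an archived one.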

    Rank: 1 Requirement: Administrative-2.15.16 Subject: Access Control

    Requirement: The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords. These policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.
    Requirement Enhancement - ICS deployment will require two-factor authentication or comparable compensating measures to ensure only approved authorized access is allowed.

    Question: 67. How does the organization implement passwords?

    Level Answer(s)

    Not Met Password policy and procedures are not implemented as defined.

    Low The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords.

    The password policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.


    Moderate The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords.

    The password policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.

    High The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords.

    The password policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.

    Very High The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords.

    The password policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.

    Requirement Enhancement - ICS deployment will require two-factor authentication or comparable compensating measures to ensure only approved authorized access is allowed.

    Level Specific Requirement:

    The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords. These policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.

    Rank: 6 Requirement: Administrative-2.15.24 Subject: Access Control

    Requirement: The organization authorizes, monitors, and manages all methods of remote access to the control system.
    Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
    Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information.
    Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points.
    Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system.
    Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary.
    Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system.
    Requirement Enhancement 7 - The organization disables, when not intended for use, wireless networking capabilities internally embedded within system components prior to issue.
    Requirement Enhancement 8 - The organization does not allow users to independently configure wireless networking capabilities.
    Requirement Enhancement 9 - The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
    Requirement Enhancement 10 - The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ additional security measures (organization defined security measures) and are audited.
    Requirement Enhancement 11 - The organization disables peer-to-peer wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.
    Requirement Enhancement 12 - The organization disables Bluetooth wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.

    Question: 72. How does the organization manage remote access?

    Level Answer(s)

    Not Met Remote access controls are not implemented as defined.

    Low The organization authorizes, monitors, and manages all methods of remote access to the control system.


    Moderate The organization authorizes, monitors, and manages all methods of remote access to the control system.

    Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.

    Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information.

    Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points.

    Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system.

    Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary.

    Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system.

    Requirement Enhancement 10 - The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ additional security measures (organization defined security measures) and are audited.

    Requirement Enhancement 11 - The organization disables peer-to-peer wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.

    Requirement Enhancement 12 - The organization disables Bluetooth wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.

    High The organization authorizes, monitors, and manages all methods of remote access to the control system.

    Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.

    Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information.

    Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points.

    Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system.

    Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary.

    Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system.

    Requirement Enhancement 10 - The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ additional security measures (organization defined security measures) and are audited.

    Requirement Enhancement 11 - The organization disables peer-to-peer wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.

    Requirement Enhancement 12 - The organization disables Bluetooth wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.


    Very High The organization authorizes, monitors, and manages all methods of remote access to the control system.

    Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.

    Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information.

    Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points.

    Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system.

    Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary.

    Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system.

    Requirement Enhancement 7 - The organization disables, when not intended for use, wireless networking capabilities internally embedded within system components prior to issue.

    Requirement Enhancement 8 - The organization does not allow users to independently configure wireless networking capabilities.

    Requirement Enhancement 9 - The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

    Requirement Enhancement 10 - The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ additional security measures (organization defined security measures) and are audited.

    Requirement Enhancement 11 - The organization disables peer-to-peer wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.

    Requirement Enhancement 12 - The organization disables Bluetooth wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.
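    The remote access requirement and its enhancements say what must be monitored, not how. The script below is an added example, not code from the CSET report or the catalog, of the evidence checks an assessor could run over exported session records and a wireless survey for Enhancements 2 (session protection), 3 (managed access control points), 4 (documented rationale for privileged remote access) and 6 (unauthorized wireless access points). The control network range, the jump-host addresses, the SSID, the BSSID inventory and the session and scan records are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Organization-defined inventory. Every address, name and BSSID here is an
# assumption made for the example, not a value from the assessed site.
CONTROL_NET = ip_network("10.20.0.0/16")                   # control-system network
MANAGED_ACCESS_POINTS = {"10.30.0.5", "10.30.0.6"}         # VPN concentrator / jump hosts (RE 3)
ENCRYPTED_PROTOCOLS = {"ssh", "tls", "ipsec"}              # acceptable session protection (RE 2)
AUTHORIZED_AP_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}  # AP inventory (RE 6)
OUR_SSIDS = {"PLANT-OT"}

BYPASS = "remote session did not enter through a managed access control point"
CLEARTEXT = "remote session uses an unencrypted protocol"
UNDOCUMENTED_PRIV = "privileged remote access without documented rationale"


@dataclass
class RemoteSession:
    src: str                  # address the session arrived from, as seen by the control host
    dst: str                  # control-system host it terminated on
    proto: str                # ssh | tls | ipsec | telnet | vnc | http ...
    privileged: bool          # privileged commands or security-relevant information used (RE 4)
    rationale: Optional[str] = None  # reference to the documented need in the security plan


@dataclass
class WirelessObservation:
    bssid: str
    ssid: str
    channel: int


# Constructed sample data; not captured at the assessed site.
SESSIONS: List[RemoteSession] = [
    RemoteSession("10.30.0.5", "10.20.1.10", "ssh", False),
    RemoteSession("203.0.113.7", "10.20.1.10", "ssh", False),   # straight from the Internet
    RemoteSession("10.30.0.6", "10.20.1.20", "telnet", False),  # via jump host, but cleartext
    RemoteSession("10.30.0.5", "10.20.1.30", "ssh", True),      # privileged, no rationale
    RemoteSession("10.30.0.5", "10.20.1.30", "ssh", True, "SP-2012-014: firmware rollback"),
    RemoteSession("10.20.1.50", "10.20.1.10", "vnc", False),    # local, not remote access
]
SCAN: List[WirelessObservation] = [
    WirelessObservation("00:11:22:33:44:01", "PLANT-OT", 6),
    WirelessObservation("00:11:22:33:44:02", "PLANT-OT", 11),
    WirelessObservation("aa:bb:cc:dd:ee:ff", "PLANT-OT", 6),   # our SSID, unknown radio
    WirelessObservation("de:ad:be:ef:00:01", "linksys", 1),    # unknown AP, foreign SSID
]


def check_sessions(sessions: List[RemoteSession]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for each remote session that violates the policy."""
    findings = []
    for s in sessions:
        if ip_address(s.src) in CONTROL_NET:
            continue  # originated inside the control network: not remote access
        if s.src not in MANAGED_ACCESS_POINTS:
            findings.append((s.src, s.dst, BYPASS))
        if s.proto.lower() not in ENCRYPTED_PROTOCOLS:
            findings.append((s.src, s.dst, CLEARTEXT))
        if s.privileged and not s.rationale:
            findings.append((s.src, s.dst, UNDOCUMENTED_PRIV))
    return findings


def check_wireless(scan: List[WirelessObservation]) -> List[Tuple[str, str]]:
    """Return (bssid, reason) for access points that are not in the authorized inventory."""
    findings = []
    for o in scan:
        if o.bssid.lower() in AUTHORIZED_AP_BSSIDS:
            continue
        if o.ssid in OUR_SSIDS:
            reason = "unknown AP advertising our SSID: treat as rogue or evil twin, locate now"
        else:
            reason = "unknown AP in range: verify it is not connected to the control network"
        findings.append((o.bssid, reason))
    return findings


if __name__ == "__main__":
    for src, dst, reason in check_sessions(SESSIONS):
        print(f"{src} -> {dst}: {reason}")
    for bssid, reason in check_wireless(SCAN):
        print(f"{bssid}: {reason}")
```

    The session check keys on the source address the control host sees: a legitimate remote session is relayed by a managed access control point, so any remote source that is not one of those points has bypassed them. The protocol allowlist is a coarse proxy for Enhancement 2; whether the cipher suite matches the FIPS 199 impact level is a separate configuration review. The wireless check separates an unknown radio broadcasting the organization's own SSID, which warrants an immediate physical search, from an unrelated neighbor, which only needs confirmation that it is not attached to the system, matching the note under Enhancement 6.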

    Level Specific Requirement:

    The organization authorizes, monitors, and manages all methods of remote access to the control system.
    Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
    Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information.
    Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points.
    Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system.
    Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary.
    Requirement Enhancement 6 - Th