Saturday, October 18, 2008

Neat DHS/NCSD Cyber Security Vulnerability Assessment Tool (CSVA) + CS2SAT

Last updated 8-2-2009
DHS’s National Cyber Security Division (NCSD) has been working for some time to develop an objective, comprehensive Cyber Security Vulnerability Assessment (CSVA) tool, revving through a series of Betas. Using a simplified methodology, the CSVA aims to quickly assess an organization's, facility's or system's cyber vulnerabilities and recommend options, with extensive helpful explanations and examples. DHS encourages the critical infrastructure sectors to use this tool to analyze their cybersecurity posture.

I recently got my hands on and fired up CSVA BETA 5 - some thoughts:

  • Best if performed with a prepared team and good facilitation. Cyber-security-knowledgeable folks familiar with the assessment environment can get a running, upfront start.
  • An initial determination is made as to whether a Business Network or a Control System is being assessed, and the approach adjusts accordingly - very good!
  • Truth over harmony needed here, folks - some questions are combination issues and not all of the answers offered fit well. Pick the most conservative answer and capture your views in the comments to get through the process.
  • Credibility of the assessment process is bolstered by having a virtual, informed third party (DHS/NCSD) cooked in.
  • You can save an assessment, go back and make adjustments for what-ifs or actual improvements, and see the results.
  • Strives to leverage concepts from recognized cybersecurity standards and guidance - e.g. ISO, COBIT, NIST, etc.
  • Offers a great benefit-to-effort ratio. Being "free" helps too!

Bottom line: the CSVA journey is a short, easy trip and the results are well worth it. The tool offers a solid approach to developing a shared understanding of cybersecurity posture with various stakeholders, which can then be built on to prioritize improvements. For more information or a copy of the tool, contact the Critical Infrastructure Protection / Cyber Security Program within the DHS National Cyber Security Division at
Next- the CS2SAT.
For those needing to go beyond the CSVA’s high-level approach and focus on more specific risk particulars - factoring in consequences, network topology, requirements, etc. - there’s the Control System Cyber Security Self Assessment Tool (CS2SAT). Haven't looked at it yet, but I'm planning to give it a whirl at some point - the list price (e.g., $1800) is waived ("free") for many energy organizations.

Update 8-2-2009 - Per DHS, the CSVA will be integrated into upcoming versions of the CS2SAT. The latest Version 2 of the CS2SAT is now specifically configurable to address NERC CIP, SANS, etc. for assessment activities. It works a lot like the CSVA, but is focused on the control system space for now (until the CSVA is transitioned). DHS is very committed to the CS2SAT approach - it is given away free at the one-day Industrial Control System cyber security courses - worth checking out.
