
Cybersecurity Self-assessment Tools: Evaluating the Importance for Securing Industrial Control Systems in Critical Infrastructures

  • Conference paper
  • Critical Information Infrastructures Security (CRITIS 2018)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11260)

Abstract

Periodically assessing the security status of Industrial Control Systems (ICS) is essential to enable cybersecurity compliance and performance evaluation against an organization's risk appetite. Ensuring an appropriate security level is especially important in Critical Infrastructures (CI). Existing cybersecurity risk management methodologies provide frameworks through which CI stakeholders can enhance security and better protect their assets against cybersecurity risks. Following traditional risk assessment procedures, a self-assessment tool can help an organization build up knowledge and security awareness and check implemented cybersecurity practices and responsibilities. Such methods and tools, when systematically implemented, can identify security weaknesses, establish cybersecurity targets and improve resilience. This paper provides a review and analysis of available cybersecurity self-assessment tools that can be used by ICS owners and CI operators. We also analyse the content of the questionnaires used in these self-assessment tools, with the purpose of classifying the questions according to the core functions of the NIST Cybersecurity Framework.



Author information

Corresponding author: Dimitris Gritzalis.

Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Lykou, G., Anagnostopoulou, A., Stergiopoulos, G., Gritzalis, D. (2019). Cybersecurity Self-assessment Tools: Evaluating the Importance for Securing Industrial Control Systems in Critical Infrastructures. In: Luiijf, E., Žutautaitė, I., Hämmerli, B. (eds) Critical Information Infrastructures Security. CRITIS 2018. Lecture Notes in Computer Science, vol 11260. Springer, Cham. https://doi.org/10.1007/978-3-030-05849-4_10

  • DOI: https://doi.org/10.1007/978-3-030-05849-4_10
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-05848-7
  • Online ISBN: 978-3-030-05849-4
  • eBook Packages: Computer Science (R0)
