Abstract
Periodically assessing the security status of Industrial Control Systems (ICS) is essential to enable cybersecurity compliance and performance evaluation against an organization’s risk appetite. Ensuring appropriate security level is especially important in Critical Infrastructures (CI). Existing cybersecurity risk management methodologies provide frameworks through which CI stakeholders can enhance security and better protect their assets, against cybersecurity risks. Following traditional risk assessment procedures, a self-assessment tool can support an organization to build up on knowledge and security awareness, check implemented cybersecurity practices and responsibilities. Such methods and tools, when systematically implemented, can identify security weaknesses, establish cybersecurity targets and improve resilience. This paper aims to provide a review and analysis of available cybersecurity Self-Assessment tools, which can be used by ICS owners and CI operators. We also focus on questionnaire content analysis, used in these self-assessment tools, with the purpose to create a classification of questions content, according to core functions of NIST Cybersecurity Framework.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
NIST: Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82 (2015)
NIST: The Five Functions 2018 (2018). https://www.nist.gov/cyberframework/online-learning/five-functions. Accessed 2 May 2018
Swanson, M., Lennon, E.: Security Self-Assessment Guide for Information Technology Systems. NIST (2001). https://www.nist.gov/publications/security-self-assessment-guide-information-technology-systems-0. Accessed 12 Apr 2018
ENISA: Analysis of ICS-SCADA Cyber Security Maturity Levels in Critical Sectors (2015)
NIST: System protection profile – industrial control systems (ver. 1.0) (2004)
US Department of Energy: Infrastructure Security and Energy: 21 steps to improve cyber security of SCADA networks (2007)
CPNI: Good practice guide – Process control and SCADA security (2017)
ENISA: Window of exposure a real problem for SCADA systems? Recommendations for Europe on SCADA patching (2013)
ENISA: Communication network dependencies for ICS/SCADA Systems (2016)
NERG: Project 2014-02 Critical Infrastructure Protection Standards (ver. 5) (2014). www.nerc.com/pa/stand/pages/project-2014-xx-critical-infrastructure-protection-version-5-revisions.aspx
Piggin, R.S.H.: Development of Industrial Cyber Security Standards: IEC 62443 for SCADA and ICS Security (2018)
Stergiopoulos, G., Vasilellis, E., Lykou, G., Kotzanikolaou, P., Gritzalis, D.: Critical infrastructure protection tools: classification and comparison. In: Proceedings of the 10th International Conference on Critical Infrastructure Protection, USA, March 2016
Cherdantseva, Y., et al.: A review of cyber security risk assessment methods for SCADA systems. Comput. Secur. 56, 1–27 (2016)
Lee, K.: CS2SAT: The Control Systems Cyber Security Self-Assessment Tool. No. INL/CON-07-12810. Idaho National Laboratory (INL) (2008)
ICS-CERT: Cyber Security Evaluation Tools (2018). https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_CSET_S508C.pdf. Accessed 12 Apr 2018
SANS: SCADA SAT (SSAT) (2018). https://www.sans.org/summit-archives/file/summit-archive-1493741491.pdf. Accessed 12 Apr 2018
NIST: Guide for Conducting Risk Assessments, SP-800-30 (Rev. 1) (2012)
DHS: Cyber Resilience Review (CRR): Self-Assessment Package (2016)
US-CERT (2016) Cyber Resilience Review (CRR). https://www.us-cert.gov/ccubedvp/assessments. Accessed 2 May 2018
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Lykou, G., Anagnostopoulou, A., Stergiopoulos, G., Gritzalis, D. (2019). Cybersecurity Self-assessment Tools: Evaluating the Importance for Securing Industrial Control Systems in Critical Infrastructures. In: Luiijf, E., Žutautaitė, I., Hämmerli, B. (eds) Critical Information Infrastructures Security. CRITIS 2018. Lecture Notes in Computer Science(), vol 11260. Springer, Cham. https://doi.org/10.1007/978-3-030-05849-4_10
Download citation
DOI: https://doi.org/10.1007/978-3-030-05849-4_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05848-7
Online ISBN: 978-3-030-05849-4
eBook Packages: Computer ScienceComputer Science (R0)