The U.S. Cybersecurity and Infrastructure Security Agency (CISA), an operational and support component of the Department of Homeland Security, defines 16 critical infrastructure sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

A major challenge for CISA in securing the nation’s critical infrastructure is that much of the infrastructure is composed of assets whose security postures are under the control and authority of non-governmental organizations. How can CISA effectively enable these organizations to be as resilient as possible?

In this blog post, we

• discuss how cybersecurity assessments can help critical infrastructure organizations improve their cybersecurity
• describe a set of assessment tools developed by the SEI CERT Division that the U.S. government offers for free
• show how use of these tools can help to create an ecosystem for reducing the nation’s cybersecurity risks.

In mid-November 2022, the General Accounting Office (GAO) published a report that illustrates the challenge of securing the critical infrastructure. Just within one sector of the overall infrastructure, the U.S. oil and gas industry, the GAO identified a network of more than 1,600 separate offshore facilities that produce a significant portion of U.S. domestic oil and gas.

“These facilities, which rely on technology to remotely monitor and control equipment,” wrote the GAO, “face a growing risk of cyberattacks” in the form of threat actors, vulnerabilities, and potential impacts. “A cyberattack on these facilities could cause physical, environmental, and economic harm. And disruptions to oil and gas production and transmission could affect supplies and markets.”

In addition to these threats cited by the GAO, cyberattacks can result in the exposure of secrets about defense capabilities or proprietary industrial information, or exploitation of vulnerabilities by hostile actors seeking financial or other assets.

Among its summary recommendations, the GAO specifically cited the need for assessments:

Like all organizations, those that are part of the critical infrastructure must periodically answer the questions, “How secure are we?” and “How secure do we want to be?” The value of an assessment goes deeper than just answering these questions. Assessments help to build cyber awareness within organizations among all the personnel whose jobs affect organizational security. Assessors within organizations become key assets who can develop a well-thought-out, rational plan that is customized for that organization, leading to improvement in areas of risk that align with organizational objectives. Formal assessments by trained, knowledgeable assessors gain visibility with senior management, which helps to ensure that needed actions that are identified in assessments will be taken and supported.

An effective cyber assessment is more than a simple survey. The role of a cyber assessor requires someone who listens, ensures that accurate information is being captured, and follows through to ensure that assessments lead to effective results that improve the organization’s cybersecurity profile.

Of equal importance, risks continue to change and evolve, particularly in today’s development environments characterized by continuous integration and continuous delivery. In the face of rapidly evolving systems that perpetually change, organizations have begun relying on comprehensive cybersecurity programs to help them define and protect what is important and ensure that they invest their resources where they will most improve the organization’s cybersecurity.

In the interest of providing repeatability and consistency, CISA started the Assessment Evaluation and Standardization (AES) program to promote a standard approach to conducting cybersecurity assessments. The AES program was developed by the SEI CERT Division and CISA. Development of the AES program represents a recognition on the part of the U.S. government that the scope of measuring and assessing cybersecurity within the critical infrastructure is too broad to be administered by the federal government alone without the help of private industry. For this reason, the government has chosen to focus on training assessors to deliver a standard, uniform set of assessments within their organizations.

Standardization of assessments conducted by the disparate organizations that collectively compose the critical infrastructure has many advantages, including the following:

• ensures that all component organizations under private control within the infrastructure comply with one standard methodology
• provides the ability to compare the cyber preparedness of different component organizations in a standardized manner
• provides the ability to assess and understand the state of the cyber posture within the critical infrastructure overall, as well as within specific sectors, without the need for centralized command and control
• creates a culture of cyber awareness across the critical infrastructure
• enables coordination among different entities and across different sectors
• creates a cadre of assessors using common standards that can lead organizational improvement in a coordinated, uniform way

The CERT Division is a pre-eminent national resource that has worked in the field of cybersecurity for many years and has published a wealth of information to raise cyber awareness, including blog posts on related topics such as cyber workforce development, development of cybersecurity incident response teams (CSIRTs), cybersecurity engineering, and management of vulnerabilities.

CERT has developed assessments that the U.S. government offers for free, including the Cybersecurity Capability Maturity Model (C2M2), offered by the U.S. Department of Energy (DOE), and the Cyber Resilience Review (CRR), first developed by CERT in 2011 and offered by CISA. These and other assessments help organizations, regardless of their resources, develop their programs and identify the current state of their cybersecurity capabilities.

In partnership with CISA, AES has adopted the use of four SEI-developed assessments for use in supporting CISA’s effort to understand, manage, and reduce risk to the nation’s cyber and physical infrastructure:

• Cyber Resilience Review (CRR)—evaluates an organization’s operational resilience and cybersecurity practices through an interview-based assessment.
• External Dependencies Management (EDM)—evaluates an organization’s management of external dependencies through an interview-based assessment.
• High Value Asset (HVA)—assesses the HVA security architecture to identify technical concerns that could expose the organization to risk. An HVA is information or an information system that is so important to the organization that any loss would threaten the ability to conduct business. HVAs often contains sensitive controls or data that make them a target of cyber criminals. The HVA course verifies that successful students have the capability to inform respective agency leadership to fully understand and manage risks. Training involves in-person interviews, documentation reviews, in-depth technical analysis, and resilience testing through vulnerability scanning and penetration testing.

The HVA assessment is governed by an assessment lead who is the primary point of contact for the assessment, a technical lead who leads the technical exchange meeting and writes most of the assessment report, and finally, the operator who leads the penetration test. The penetration test is an important part of the assessment because it includes a simulated cyberattack against the system to check for vulnerabilities.

• Risk and Vulnerability Assessment (RVA)—collects data through on-site assessments and combines with national threat and vulnerability information to provide an organization with actionable remediation recommendations prioritized by risk. RVA students conduct in-depth analysis detailing a sample attack path of a cyberthreat actor. Course content and infographics provide a high-level snapshot of five potential attack paths and break out the most successful techniques for each tactic that the RVAs have documented.

The AES program meets a critical need by training assessors on one standard methodology that allows for effective analysis of assessment results that inform cybersecurity practice. The program opens opportunities and builds awareness and skills for thinking about cybersecurity. The assessments covered by the AES program apply to all levels of the organization: policy and governance (CRR, EDM); tactical assessment of controls (RVA); and the transition between these two levels (HVA). It allows development and improvement of cybersecurity programs because of its risk-based nature, resulting in feasible and realistic solutions.

Conducting cyber assessments can position an organization to improve the organization’s risk profile and cyber capability by building internal expertise. Becoming an AES assessor contributes to the overall state of practice at three levels: at the individual level by building awareness and skill needed to cultivate a culture of cyber awareness, at the organizational level by helping organizations to build their own trained pool of cybersecurity assessors, and at the national level by informing and improving the national cyber posture in the critical infrastructure.

To learn more about the AES program, please contact AEStraining@hq.dhs.gov.