NIST SP 800-82 Auditing Standard in CSET Tools

  • CSET 5.0 checklist using NIST SP 800-82, ICS Security Auditing Framework, nist sp 800-82

In CSET Tools (Cyber Security Evaluation Tools, developed by the US Department of Homeland Security), the NIST SP 800-82 standard has 12 checklists in total. The checklists for Industrial Control System (ICS) security assessment are:

  • Planning/Policy/Procedures
  • Administrative
  • Configuration Management
  • Audit & Accountability
  • Development & Maintenance
  • Physical & Environmental
  • Access Control
  • System & Information Integrity
  • Network Architecture
  • Communications
  • Firewall
  • Encryption

The following summarizes each checklist:
1. Planning/Policy/Procedures

  • Corporate concern for ICS cyber security
  • Management buy-in to security
  • Corporate alignment to cover security as one of the critical aspects
  • Written procedures/policies within the corporation to govern security compliance
  • Business continuity implementation
  • Secure interface and deployment of IT into ICS

2. Administrative

  • People awareness and knowledge development
  • Plan and preparedness for disaster and emergency situations
  • Third party security assurance
    • System, software/hardware, license, people
  • Security assessment and mitigation controls

3. Configuration Management

  • Management of Change process
  • Inventory tools used for ICS inventory management
  • Access protection for ICS configuration information and software

4. Audit & Accountability

  • Periodic independent security audit for compliance assessment
  • Auditing and log management tools
  • Network logs

5. Development & Maintenance

  • ICS maintenance program
  • ICS testing facilities
  • Secure software update and implementation
  • Services and ports review process
  • Patch management

6. Physical & Environmental

  • Single failure and redundancy
  • Environmental control
  • Electronic noise protection
  • Power outage protection
  • Cabling installation

7. Access Control

  • Access management governance
    • Local and remote
    • Physical and logical
  • Role-Based access control/least privilege
  • Password management
    • Usage policy, strength, confidentiality
  • Web server secure access (ICS access by using web based platform services)

8. System & Information Integrity

  • Data protection management on mobile devices (laptop, PDA, USB, hard disk, DVD)
  • DoS protection in the ICS environment
  • Antivirus and malware protection
  • Data flow controls for secure system segregation
  • Secure management of ports and connections
  • Real-time monitoring for network and system problems

9. Network Architecture

  • Security perimeter ICS vs Business
  • Network security monitoring
  • Protection from unauthorized connection
  • Secure ICS network design and implementation
    • Prohibition of using dual NICs
    • DMZ/IDS management for each domain
    • The use of IDS/IPS
  • Patch update and antivirus security server

10. Communications

  • Secure data in communication
  • Security checklist covering some ICS communication protocols
    • HTTP/HTTPS
    • FTP/TFTP/SFTP/SCP
    • Modbus/TCP, Ethernet/IP, DNP3
    • SMTP, SNMP, DCOM
    • MAC address locking and VLAN

11. Firewall

  • Firewall rule set
  • Firewall monitoring
  • Communication delay due to firewall
  • Firewall policy (username and password)
  • Allow and block the traffic policy

12. Encryption

  • Encryption being used
  • Latency due to encryption


2 Comments

Martin Riley
Good day, is this tool available for commercial use? Regards, Martin
    fedco
    We can use it for personal and professional use, as far as we know. Thanks, Regards, Fedco International
