Cybersecurity Self-assessment Tools: Evaluating the Importance for Securing Industrial Control Systems in Critical Infrastructures

  • Georgia Lykou
  • Argiro Anagnostopoulou
  • George Stergiopoulos
  • Dimitris GritzalisEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11260)


Periodically assessing the security status of Industrial Control Systems (ICS) is essential to enable cybersecurity compliance and performance evaluation against an organization’s risk appetite. Ensuring appropriate security level is especially important in Critical Infrastructures (CI). Existing cybersecurity risk management methodologies provide frameworks through which CI stakeholders can enhance security and better protect their assets, against cybersecurity risks. Following traditional risk assessment procedures, a self-assessment tool can support an organization to build up on knowledge and security awareness, check implemented cybersecurity practices and responsibilities. Such methods and tools, when systematically implemented, can identify security weaknesses, establish cybersecurity targets and improve resilience. This paper aims to provide a review and analysis of available cybersecurity Self-Assessment tools, which can be used by ICS owners and CI operators. We also focus on questionnaire content analysis, used in these self-assessment tools, with the purpose to create a classification of questions content, according to core functions of NIST Cybersecurity Framework.


Cyber security Self-assessment tools Industrial control systems security Critical infrastructure protection 


  1. 1.
    NIST: Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82 (2015)Google Scholar
  2. 2.
    NIST: The Five Functions 2018 (2018). Accessed 2 May 2018
  3. 3.
    Swanson, M., Lennon, E.: Security Self-Assessment Guide for Information Technology Systems. NIST (2001). Accessed 12 Apr 2018
  4. 4.
    ENISA: Analysis of ICS-SCADA Cyber Security Maturity Levels in Critical Sectors (2015)Google Scholar
  5. 5.
    NIST: System protection profile – industrial control systems (ver. 1.0) (2004)Google Scholar
  6. 6.
    US Department of Energy: Infrastructure Security and Energy: 21 steps to improve cyber security of SCADA networks (2007)Google Scholar
  7. 7.
    CPNI: Good practice guide – Process control and SCADA security (2017)Google Scholar
  8. 8.
    ENISA: Window of exposure a real problem for SCADA systems? Recommendations for Europe on SCADA patching (2013)Google Scholar
  9. 9.
    ENISA: Communication network dependencies for ICS/SCADA Systems (2016)Google Scholar
  10. 10.
    NERG: Project 2014-02 Critical Infrastructure Protection Standards (ver. 5) (2014).
  11. 11.
    Piggin, R.S.H.: Development of Industrial Cyber Security Standards: IEC 62443 for SCADA and ICS Security (2018)Google Scholar
  12. 12.
    Stergiopoulos, G., Vasilellis, E., Lykou, G., Kotzanikolaou, P., Gritzalis, D.: Critical infrastructure protection tools: classification and comparison. In: Proceedings of the 10th International Conference on Critical Infrastructure Protection, USA, March 2016Google Scholar
  13. 13.
    Cherdantseva, Y., et al.: A review of cyber security risk assessment methods for SCADA systems. Comput. Secur. 56, 1–27 (2016)CrossRefGoogle Scholar
  14. 14.
    Lee, K.: CS2SAT: The Control Systems Cyber Security Self-Assessment Tool. No. INL/CON-07-12810. Idaho National Laboratory (INL) (2008)Google Scholar
  15. 15.
    ICS-CERT: Cyber Security Evaluation Tools (2018). Accessed 12 Apr 2018
  16. 16.
    SANS: SCADA SAT (SSAT) (2018). Accessed 12 Apr 2018
  17. 17.
    NIST: Guide for Conducting Risk Assessments, SP-800-30 (Rev. 1) (2012)Google Scholar
  18. 18.
    DHS: Cyber Resilience Review (CRR): Self-Assessment Package (2016)Google Scholar
  19. 19.
    US-CERT (2016) Cyber Resilience Review (CRR). Accessed 2 May 2018

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Georgia Lykou
    • 1
  • Argiro Anagnostopoulou
    • 1
  • George Stergiopoulos
    • 1
  • Dimitris Gritzalis
    • 1
    Email author
  1. 1.Information Security and Critical Infrastructure Protection (INFOSEC) Laboratory, Department of InformaticsAthens University of Economics and BusinessAthensGreece

Personalised recommendations