Welcome to the Athens Group
Cyber Maturity Self-Check

This self-check analysis is designed to provide information that you can use to help determine if an asset has the capabilities necessary to establish a minimally acceptable level of cybersecurity.

You will be asked to provide your evaluation of how well the asset has implemented 47 cybersecurity practices which Athens Group has identified as essential to establishing a minimal acceptable level of cybersecurity maturity.

Athens Group derived the practices from the National Institute of Standards and Technology (NIST) cybersecurity framework and the US Department of Energy Oil and Natural Gas cybersecurity capability maturity model (ONG-C2M2).

The critical practices cover nine cybersecurity domains:

  • Asset, Change, and Configuration Management
  • Risk Management
  • Identity and Access Management
  • Threat and Vulnerability Management
  • Workforce Management
  • Information Sharing and Communications
  • Situational Awareness
  • Event and Incident Response
  • Continuity of Operations

After submitting the self-check, you will be able to immediately review your results. A copy of your results will be emailed to the address you provide.

Click "Start" to begin


 

Definitions of Key Terms used in the Analysis

"Cybertechnology" encompasses the computers, servers, SBCs, PLCs, mobile devices, electronic systems, sensors/actuators, networks, software, and data necessary to operate the systems integrated with the operation of the asset. Cybertechnology is divided into operational technology (OT) and information technology (IT) systems. OT refers to cybertechnology systems used to manage and control operational activities. Examples include SBCs, PLCs, ECDIS, GPS, SCADA, engine and cargo control, measurement sensors, actuation equipment, or dynamic positioning. IT refers to cybertechnology systems used to manage and control data. Examples include email, planned maintenance, admin accounts, spares management, electronic manuals, or electronic certificates.

"Asset" is used as a scoping mechanism. It encompasses the vessel or installation that you are evaluating. All cybertechnology (both local and remote) integrated with the operation of the asset should be considered when answering the evaluation questions.

Responses

All questions must be answered in order to complete and submit the self-check.

Each question can be answered as "Fully Implemented", "Partially Implemented", "Not Implemented", or "Unsure".

  • "Fully Implemented" means that the practice described is fully implemented on all cybertechnology integrated with the operation of the asset.
  • "Partially Implemented" means that there is an active plan in progress to implement the practice.
  • "Not Implemented" means that there is NO active plan to implement the practice.
  • "Unsure" means that you do not have the information necessary to evaluate the implementation status of the practice.

Click "Next" to continue



Before we begin - Please provide the following information:

Personal Information

* First Name
* Last Name
* Position/Title
* Email Address
Phone Number
* Company Name

Click "Next" to continue


Please describe the asset you are evaluating

Name of the Asset you are evaluating:
Are you responsible for the design, maintenance, or evaluation of the CYBERTECHNOLOGY integrated with the operation of this asset?
Are you responsible for the design, maintenance, or evaluation of the CYBERSECURITY of the cybertechnology integrated with the operation of this asset?
Why are you evaluating this asset (select all that apply)
Please provide the reason for the evaluation

Click "Next" to continue


Asset, Configuration, and Change Management

The first set of 10 questions will address how well the asset's cybertechnology inventory is managed.

You will be asked to evaluate the practices related to:

  • Establishing and maintaining a current cybertechnology inventory
  • Managing the configuration information for the cybertechnology inventory, and
  • Managing changes to the configuration of the cybertechnology inventory.

Click "Next" to begin the self-check


Inventory Management

There is an inventory of the cybertechnology hardware integrated with the operation of the asset.

This inventory includes both the operational (OT) and information (IT) technology integrated with the operation of the asset.

There is an inventory of the cybertechnology software, data, and information integrated with the operation of the asset.

This inventory includes all software, data, and information necessary to initialize, configure, and execute the operations of the asset.

There is an inventory of cybertechnology access points.

An access point is any physical or logical point where the cybertechnology can be controlled, communicated with, queried, updated, or reconfigured. Examples include the HMI, USB ports, wired or WiFi network connections, and remote access for control, data transfer, maintenance and debug.

The cybertechnology inventories include the information necessary to manage the operation, maintenance, and security of the inventoried item.

For example, this would include a specific and unique identifier, physical or logical location, OEM, owner, current configuration and software revisions, installation/in-service dates, last maintenance, etc.

Configuration Management

Hardware and software configuration baselines are documented for the cybertechnology integrated with the operation of the asset.

A configuration baseline contains the hardware, software, and data settings necessary to configure the cybertechnology for use. This may include hardware switch settings, software setpoints, calibration data, etc.

The established hardware and software configuration baselines are used to configure the cybertechnology whenever it is initially deployed, or re-deployed after maintenance, repair, upgrade, or modification.

Change Management

Hardware and software configuration changes to cybertechnology integrated with the operation of the asset are evaluated before being approved for implementation.

This evaluation should include a review of any revision release, maintenance or service notes, and a risk analysis of the impact the changes may have on the operations.

Hardware and software configuration changes to cybertechnology integrated with the operation of the asset are documented.

The changes should be recorded in a change management log and the relevant asset inventory management records should be updated to reflect the change.

Hardware and software configuration changes to cybertechnology are tested prior to being used in the operation of the asset.

Stakeholders

Resources responsible for cybertechnology inventory, configuration, and change management activities are identified and involved.

Specific resources are assigned the responsibilities; those resources are aware of those responsibilities and are actively engaged in managing the activity.


Risk Management

The next set of 6 questions will address how well a cybersecurity risk management program is established, operated, and maintained for the cybertechnology integrated with the operation of the asset.

Cybersecurity risk is defined as risk to the asset’s operations, resources, and other organizations due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of cybertechnology.

A cybersecurity risk management program should specify the process and activities used to identify, analyze, and mitigate cybersecurity risk to the asset.

You will be asked to evaluate the practices related to:

  • Establishing a cybersecurity risk management strategy, and
  • Managing cybersecurity risk according to the strategy.

Click "Next" to continue


Risk Management Strategy

There is a documented cybersecurity risk management strategy.
The cybersecurity risk management strategy specifies how cybersecurity risks are identified, analyzed, prioritized, and mitigated for cybertechnology integrated with the operation of the asset.

Risk Management

Cybersecurity risk assessments are performed to identify and document risks in accordance with the risk management strategy.
The disposition of identified cybersecurity risks is documented.

For example, each risk could be dispositioned as "mitigated" to reduce or eliminate its impact, "accepted" as a tolerable risk, "tolerated" as a risk that is not acceptable, but necessary to accept, or "transferred" to another responsible stakeholder.

Identified cybersecurity risks are analyzed to prioritize response activities in accordance with the risk management strategy.

Stakeholders

Resources responsible for risk management activities are identified and involved.

Specific resources are assigned the responsibilities; those resources are aware of those responsibilities and are actively engaged in managing the activity.


Identity and Access Management

The next 9 questions will address the creation and management of identities for people or entities that may be granted access to the cybertechnology integrated with the operation of the asset.

Access can be either physical or logical.

Physical access is access in which a person directly interacts with the cybertechnology at its location. Examples include an operator logging on to a system or a service technician updating software or joining the network with their own laptop. Access includes the ability to enter the location where the cybertechnology is housed.

Logical access is typically between two cybertechnology systems. Examples include a remote service technician's access through remote network connections or entities such as automated remote monitoring or update processes that do not involve a person.

An identity is the unique identifier and authentication credential assigned to any person, organization, or external cybertechnology that is granted access to the cybertechnology integrated with the operation of the asset. An example of an identifier would be a login name. An example of an authentication credential would be a password, smart card, certificate, or physical key to a room or cabinet.

You will be asked to evaluate the practices related to:

  • Controlling access, and
  • Establishing and maintaining identities

Click "Next" to continue


Controlling Access

Requirements are defined that specify the types of people and entities allowed to access the cybertechnology integrated with the operation of the asset, the limits of that allowed access, and the method of authentication.
Access requests are reviewed and approved by the cybertechnology owner.
Access is granted based on consistent documented requirements.
Access is revoked when no longer required.

Establishing and Maintaining Identities

Identities are provided for personnel and systems that are given access to the cybertechnology integrated with the operation of the asset.

An identity is made up of a unique identifier, such as a login, and an authentication credential, such as a password, smart card, certificate, or access key to a physical location.

Identities are periodically reviewed, confirmed, and updated to ensure validity.

For example, to ensure that the identities still need access.

Identities are revoked and removed when no longer required.
Credentials are periodically reviewed to ensure that they are associated with the correct person or entity.

For example, to ensure that hard credentials such as physical keys, smart cards, ID cards, or other tokens have not been transferred, given, or loaned to unauthorized people or entities.

Root privileges, administrative access, emergency access, and shared accounts receive additional scrutiny and monitoring.

Threat and Vulnerability Management

The next 7 questions will address the capability to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities to the cybertechnology integrated with the operation of the asset.

A cybersecurity threat is defined as any circumstance or event with the potential to adversely impact the operations of the cybertechnology integrated with the operation of the asset. Threats vary and may include malicious actors (for example a disgruntled employee or service technician), malware (e.g., viruses and worms), accidents, and weather emergencies.

A vulnerability is any part of the cybertechnology where a potential cybersecurity threat can gain access and adversely impact the operations of the cybertechnology integrated with the operation of the asset. Examples include an open USB port, an obsolete version of an operating system, a person opening an infected email, an unlocked equipment room or cabinet, or a Wi-Fi network with no or poor password protection.

You will be asked to evaluate the practices related to:

  • Identifying and responding to threats, and
  • Reducing cybersecurity vulnerabilities

Click "Next" to continue


Identifying and Responding to Threats

Cybersecurity threat information is gathered and analyzed for the cybertechnology integrated with the operation of the asset.

A cybersecurity threat is defined as any circumstance or event with the potential to adversely impact the operations of the cybertechnology integrated with the operation of the asset.

Threat information should include information about successful, unsuccessful, or attempted threats to the asset or similar assets, as well as perceived or potential threats to the asset or similar assets.

A cybersecurity threat profile for the cybertechnology integrated with the operation of the asset is established.

A cybersecurity threat profile should contain information which quantifies the threat source, access point, target/impacted cybertechnology, trigger mechanism, and impact.

Identified cybersecurity threats are analyzed and prioritized.
Cybersecurity threats are actively addressed.

Threats are addressed through procedures such as mitigation controls or threat status monitoring.

Reducing Cybersecurity Vulnerabilities

Cybersecurity vulnerability information is gathered and analyzed for the cybertechnology integrated with the operation of the asset.

A vulnerability is any part of the cybertechnology where a potential cybersecurity threat can gain access and adversely impact the operations of the cybertechnology integrated with the operation of the asset.

Cybersecurity vulnerability assessments are performed.

Vulnerability assessments include architectural reviews, penetration testing, cybersecurity exercises, and vulnerability identification tools.

Cybersecurity vulnerabilities are actively addressed.

Vulnerabilities are addressed through procedures such as regular patching of operating systems to keep them up to date.


Workforce Management

The next 9 questions will address establishing and maintaining a culture of cybersecurity and the ongoing competence of personnel with respect to cybersecurity.

You will be asked to evaluate the practices related to:

  • Assigning cybersecurity responsibilities,
  • Controlling the workforce life cycle,
  • Developing the cybersecurity workforce, and
  • Increasing cybersecurity awareness

Click "Next" to continue


Assigning Cybersecurity Responsibilities

Cybersecurity responsibilities for the cybertechnology integrated with the operation of the asset are identified.

Cybersecurity responsibilities include the ongoing management, execution, and monitoring of the practices evaluated in this self-check (asset inventory, risk, threats, identity and access, etc.).

Cybersecurity responsibilities are assigned to specific people.

Specific resources are assigned the responsibilities; those resources are aware of those responsibilities and are actively engaged in managing the activity.

Controlling the Workforce Life Cycle

Personnel vetting is performed at hire for positions that have access to the cybertechnology integrated with the operation of the asset.

Vetting includes activities such as background checks and drug tests.

Personnel termination procedures address cybersecurity.

These procedures should include revoking and removal of all access, identities, and credentials for the personnel being terminated.

Developing the Cybersecurity Workforce

Cybersecurity training is made available to personnel with assigned cybersecurity responsibilities.
Cybersecurity knowledge, skill, and ability gaps are identified for personnel with assigned cybersecurity responsibilities.
Identified cybersecurity knowledge, skill, and ability gaps are addressed through recruiting and/or training.

Increasing Cybersecurity Awareness

Cybersecurity awareness and best practice training is provided for all personnel with access to the cybertechnology integrated with the operation of the asset.

This training should include awareness of cybersecurity threats via email, attachments, websites and other social media.

Stakeholders

Resources responsible for cybersecurity workforce management activities are identified and involved.

Specific resources are assigned the responsibilities; those resources are aware of those responsibilities and are actively engaged in managing the activity.


Information Sharing
Situational Awareness
Event and Incident Response

The final 6 questions will address:

  • How well information about threats and vulnerabilities is collected, analyzed, used, and shared, and
  • How prepared the asset is to react and respond to a cyber threat.

You will be asked to evaluate the practices related to:

  • Sharing cybersecurity information,
  • Event and data logging,
  • Monitoring, and
  • Planning for continuity

Click "Next" to continue


Sharing Cybersecurity Information

Cybersecurity related information is collected from and provided to relevant individuals and/or organizations.

Event and Data Logging

Cybersecurity related event and data logging is occurring for the cybertechnology integrated with the operation of the asset.

Monitoring

Cybersecurity monitoring activities are performed.

Monitoring activities include periodic review of the event and log data.

Planning for Continuity

The activities necessary to sustain minimum operations of the cybertechnology integrated with the operation of the asset are identified.

Minimum operations are defined as the functions necessary to keep the asset, systems, and equipment in a known safe state.

There are continuity plans to sustain and restore operation of the cybertechnology integrated with the operation of the asset following a cybersecurity event.

A continuity plan defines the personnel and procedures that are necessary to re-establish and maintain the minimum operations and to restore and restart the full operation.

The sequence of activities necessary to return the cybertechnology integrated with the operation of the asset to normal operation following a cybersecurity event is identified.

These activities would include restoring hardware and software, data, and configurations to a known good state necessary to restart the operation.


Thank you for completing the Athens Group Online
Cyber Maturity Self-Check

Just two more questions before displaying your results.

An Athens Group cybersecurity subject matter expert can follow up with you to provide an extended analysis of your results.

Would you like us to contact you with an extended analysis?

Would you like to sign up to receive the Athens Group Newsletter?

Click the "Submit" button to view the results of the analysis.
You will also be receiving an email from Athens Group documenting your analysis results.

