Mapping table

The following table maps the OWASP OT top 10 items to relevant standard and legislative requirements.

| OWASP OT top 10 item | Standard/Law | Requirement-ID |
|---|---|---|
| 1. Unknown Assets and Unmanaged External Access | IEC 62443 | FR 2 |
| | IEC 62443-2-1:2019 | CM 1 |
| | IEC 62443-2-1:2019 | NET 3.X |
| | IEC 62443-3-2:2020 | ZCR 1 |
| | IEC 62443-3-2:2020 | ZCR 3.6 |
| | IEC 62443-3-3:2020 | SR 2.X |
| | IEC 62443-3-3:2020 | SR 7.8 |
| | NIST CSF 2.0 | ID.AM |
| | NIST CSF 2.0 | PR.AA |
| | NIST CSF 2.0 | PR.IR-01 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.7 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 11.X |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 12.2 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 12.4 |
| | MITRE ATT&CK | M0800 |
| | MITRE ATT&CK | M0801 |
| | MITRE ATT&CK | M0804 |
| | MITRE ATT&CK | M0807 |
| | MITRE ATT&CK | M0813 |
| | MITRE ATT&CK | M0918 |
| | MITRE ATT&CK | M0922 |
| | MITRE ATT&CK | M0926 |
| | MITRE ATT&CK | M0932 |
| | NIST SP 800-82:v3 | CM-8 |
| | NIST SP 800-82:v3 | AC-20 |
| | NIST SP 800-82:v3 | AC-17 |
| | NIST SP 800-82:v3 | CM-2 |
| 2. Devices with known Vulnerabilities/Issues | IEC 62443 | FR3 |
| | IEC 62443 | FR4 |
| | IEC 62443-3-2:2020 | ZCR 5.2 |
| | IEC 62443-3-3:2020 | SR 3.X |
| | IEC 62443-3-3:2020 | SR 4.X |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.5 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.6 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.10 |
| | NIST CSF 2.0 | ID.RA |
| | NIST CSF 2.0 | PR.PS |
| | NIST SP 800-82:v3 | SI-2 |
| | NIST SP 800-82:v3 | RA-5 |
| | NIST SP 800-82:v3 | CM-6 |
| 3. Inadequate Supplier/Supply Chain Management | IEC 62443-2-1:2019 | ORG 1.6 |
| | IEC 62443-3-2:2020 | ZCR 5.X |
| | NIST CSF 2.0 | GV.OC-02 |
| | NIST CSF 2.0 | GV.OC-04 |
| | NIST CSF 2.0 | GV.SC |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 5.X |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.1 |
| | MITRE ATT&CK | M0817 |
| | NIST SP 800-82:v3 | SR-2 |
| | NIST SP 800-82:v3 | SR-3 |
| | NIST SP 800-82:v3 | SR-5 |
| | NIST SP 800-82:v3 | SR-6 |
| 4. Insufficient Access Control | IEC 62443 | FR 1 |
| | IEC 62443 | FR 2 |
| | IEC 62443-2-1:2019 | SPE 2 |
| | IEC 62443-3-3:2020 | SR 1.X |
| | IEC 62443-3-3:2020 | SR 2.X |
| | NIST CSF 2.0 | PR.AA |
| | NIST CSF 2.0 | PR.IR-01 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.7 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 11.X |
| | MITRE ATT&CK | M0800 |
| | MITRE ATT&CK | M0801 |
| | MITRE ATT&CK | M0804 |
| | MITRE ATT&CK | M0807 |
| | MITRE ATT&CK | M0813 |
| | MITRE ATT&CK | M0918 |
| | MITRE ATT&CK | M0922 |
| | MITRE ATT&CK | M0926 |
| | NIST SP 800-82:v3 | AC-2 |
| | NIST SP 800-82:v3 | AC-3 |
| | NIST SP 800-82:v3 | AC-6 |
| | NIST SP 800-82:v3 | AC-5 |
| 5. Missing Incident Detection/Reaction Capabilities | IEC 62443 | FR 6 |
| | IEC 62443-2-1:2019 | ORG 2.2 |
| | IEC 62443-2-1:2019 | SPE 7 |
| | IEC 62443-3-2:2020 | ZCR 5.1 |
| | IEC 62443-3-2:2020 | SR 6.X |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 3.X |
| | MITRE ATT&CK | M0919 |
| | MITRE ATT&CK | M0931 |
| | NIST CSF 2.0 | DE.CM |
| | NIST CSF 2.0 | DE.AE |
| | NIST CSF 2.0 | RS.MA |
| | NIST CSF 2.0 | RS.AN |
| | NIST SP 800-82:v3 | IR-4 |
| | NIST SP 800-82:v3 | SI-4 |
| | NIST SP 800-82:v3 | AU-6 |
| | NIST SP 800-82:v3 | IR-6 |
| 6. Broken Zones and Conduits Design | ISO27001 | Annex A.8.22 |
| | IEC 62443 | FR 5 |
| | IEC 62443-2-1:2019 | SPE 3 |
| | IEC 62443-3-2:2020 | ZCR 3.X |
| | IEC 62443-3-2:2020 | SR 5.X |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.7 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.8 |
| | MITRE ATT&CK | M0930 |
| | MITRE ATT&CK | M0935 |
| | MITRE ATT&CK | M0937 |
| | NIST SP 800-82:v3 | SC-7 |
| | NIST SP 800-82:v3 | AC-4 |
| | NIST SP 800-82:v3 | SC-2 |
| 7. Missing Awareness | IEC 62443-2-1:2019 | ORG 1.4 |
| | IEC 62443-3-3:2020 | SR 7.6 |
| | IEC 62443-3-3:2020 | SR 7.7 |
| | NIST CSF 2.0 | PR.AT |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 8.1 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 8.2 |
| | MITRE ATT&CK | M0917 |
| | NIST SP 800-82:v3 | AT-2 |
| | NIST SP 800-82:v3 | AT-3 |
| 8. Components/Protocols with Insufficient Security Capabilities | IEC 62443-2-4:2024 | SP.03.03 |
| | IEC 62443-3-2:2020 | ZCR 5.X |
| | IEC 62443-4-2:2020 | CCSC 2 |
| | NIST CSF 2.0 | PR.AA-02 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.3 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.5 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.10 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 12.2 |
| | NIST SP 800-82:v3 | PM-1 |
| | NIST SP 800-82:v3 | CA-2 |
| | NIST SP 800-82:v3 | CA-7 |
| 9. Loss of Availability | IEC 62443 | FR 7 |
| | IEC 62443-2-1:2019 | DATA 1.3 |
| | IEC 62443-2-1:2019 | DATA 1.4 |
| | IEC 62443-2-1:2019 | SPE 8 |
| | IEC 62443-3-3:2020 | SR 7.X |
| | NIST CSF 2.0 | PR.IR-02 |
| | NIST CSF 2.0 | PR.IR-03 |
| | NIST CSF 2.0 | PR.IR-04 |
| | NIST CSF 2.0 | RC |
| | NIST CSF 2.0 | PR.AA-02 |
| | NIST CSF 2.0 | DE.CM |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 4.X |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.4 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 13.1 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 13.2 |
| | MITRE ATT&CK | M0803 |
| | MITRE ATT&CK | M0811 |
| | MITRE ATT&CK | M0812 |
| | MITRE ATT&CK | M0815 |
| | MITRE ATT&CK | M0953 |
| | NIST SP 800-82:v3 | CP-2 |
| | NIST SP 800-82:v3 | CP-7 |
| | NIST SP 800-82:v3 | CP-9 |
| | NIST SP 800-82:v3 | CP-10 |
| 10. Missing Hardening | IEC 62443-2-1:2019 | ORG 1.5 |
| | IEC 62443-2-1:2024 | COMP 1.1 |
| | IEC 62443-2-4:2024 | SP.02.03 |
| | IEC 62443-4-1:2018 | SG-3 |
| | IEC 62443-4-2 | |
| | NIST CSF 2.0 | PR.PS |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.3 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 6.9 |
| | EU NIS2 Directive | Commission implementing Regulation C(2024) 7151 - ANNEX 12.3 |
| | MITRE ATT&CK | M0806 |
| | MITRE ATT&CK | M0818 |
| | MITRE ATT&CK | M0921 |
| | MITRE ATT&CK | M0924 |
| | MITRE ATT&CK | M0927 |
| | MITRE ATT&CK | M0928 |
| | MITRE ATT&CK | M0934 |
| | MITRE ATT&CK | M0936 |
| | MITRE ATT&CK | M0938 |
| | MITRE ATT&CK | M0942 |
| | MITRE ATT&CK | M0944 |
| | MITRE ATT&CK | M0949 |
| | MITRE ATT&CK | M0950 |
| | MITRE ATT&CK | M0951 |
| | MITRE ATT&CK | M0954 |
| | NIST SP 800-82:v3 | CM-6 |
| | NIST SP 800-82:v3 | CM-7 |
| | NIST SP 800-82:v3 | SI-3 |
| | NIST SP 800-82:v3 | SC-28 |