Mapping table
The following table maps the OWASP OT top 10 items to relevant standard and legislative requirements.
| OWASP OT top 10 item | Standard/Law | Requirement-ID |
|---|---|---|
| 1. Unknown Assets and Unmanaged External Access | IEC 62443 | FR 2 |
| IEC 62443-2-1:2019 | CM 1 | |
| IEC 62443-2-1:2019 | NET 3.X | |
| IEC 62443-3-2:2020 | ZCR 1 | |
| IEC 62443-3-2:2020 | ZCR 3.6 | |
| IEC 62443-3-3:2020 | SR 2.X | |
| IEC 62443-3-3:2020 | SR 7.8 | |
| NIST CSF 2.0 | ID.AM | |
| NIST CSF 2.0 | PR.AA | |
| NIST CSF 2.0 | PR.IR-01 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.7 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 11.X | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 12.2 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 12.4 | |
| MITRE ATT&CK | M0800 | |
| MITRE ATT&CK | M0801 | |
| MITRE ATT&CK | M0804 | |
| MITRE ATT&CK | M0807 | |
| MITRE ATT&CK | M0813 | |
| MITRE ATT&CK | M0918 | |
| MITRE ATT&CK | M0922 | |
| MITRE ATT&CK | M0926 | |
| MITRE ATT&CK | M0932 | |
| NIST SP 800-82:v3 | CM-8 | |
| NIST SP 800-82:v3 | AC-20 | |
| NIST SP 800-82:v3 | AC-17 | |
| NIST SP 800-82:v3 | CM-2 | |
| 2. Devices with known Vulnerabilities/Issues | IEC 62443 | FR3 |
| IEC 62443 | FR4 | |
| IEC 62443-3-2:2020 | ZCR 5.2 | |
| IEC 62443-3-3:2020 | SR 3.X | |
| IEC 62443-3-3:2020 | SR 4.X | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.5 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.6 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.10 | |
| NIST CSF 2.0 | ID.RA | |
| NIST CSF 2.0 | PR.PS | |
| NIST SP 800-82:v3 | SI-2 | |
| NIST SP 800-82:v3 | RA-5 | |
| NIST SP 800-82:v3 | CM-6 | |
| 3. Inadequate Supplier/Supply Chain Management | IEC 62443-2-1:2019 | ORG 1.6 |
| IEC 62443-3-2:2020 | ZCR 5.X | |
| NIST CSF 2.0 | GV.OC-02 | |
| NIST CSF 2.0 | GV.OC-04 | |
| NIST CSF 2.0 | GV.SC | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 5.X | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.1 | |
| MITRE ATT&CK | M0817 | |
| NIST SP 800-82:v3 | SR-2 | |
| NIST SP 800-82:v3 | SR-3 | |
| NIST SP 800-82:v3 | SR-5 | |
| NIST SP 800-82:v3 | SR-6 | |
| 4. Insufficient Access Control | IEC 62443 | FR 1 |
| IEC 62443 | FR 2 | |
| IEC 62443-2-1:2019 | SPE 2 | |
| IEC 62443-3-3:2020 | SR 1.X | |
| IEC 62443-3-3:2020 | SR 2.X | |
| NIST CSF 2.0 | PR.AA | |
| NIST CSF 2.0 | PR.IR-01 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.7 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 11.X | |
| MITRE ATT&CK | M0800 | |
| MITRE ATT&CK | M0801 | |
| MITRE ATT&CK | M0804 | |
| MITRE ATT&CK | M0807 | |
| MITRE ATT&CK | M0813 | |
| MITRE ATT&CK | M0918 | |
| MITRE ATT&CK | M0922 | |
| MITRE ATT&CK | M0926 | |
| NIST SP 800-82:v3 | AC-2 | |
| NIST SP 800-82:v3 | AC-3 | |
| NIST SP 800-82:v3 | AC-6 | |
| NIST SP 800-82:v3 | AC-5 | |
| 5. Missing Incident Detection/Reaction Capabilities | IEC 62443 | FR 6 |
| IEC 62443-2-1:2019 | ORG 2.2 | |
| IEC 62443-2-1:2019 | SPE 7 | |
| IEC 62443-3-2:2020 | ZCR 5.1 | |
| IEC 62443-3-2:2020 | SR 6.X | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 3.X | |
| MITRE ATT&CK | M0919 | |
| MITRE ATT&CK | M0931 | |
| NIST CSF 2.0 | DE.CM | |
| NIST CSF 2.0 | DE.AE | |
| NIST CSF 2.0 | RS.MA | |
| NIST CSF 2.0 | RS.AN | |
| NIST SP 800-82:v3 | IR-4 | |
| NIST SP 800-82:v3 | SI-4 | |
| NIST SP 800-82:v3 | AU-6 | |
| NIST SP 800-82:v3 | IR-6 | |
| 6. Broken Zones and Conduits Design | ISO27001 Annex | A.8.22 |
| IEC 62443 | FR 5 | |
| IEC 62443-2-1:2019 | SPE 3 | |
| IEC 62443-3-2:2020 | ZCR 3.X | |
| IEC 62443-3-2:2020 | SR 5.X | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.7 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.8 | |
| MITRE ATT&CK | M0930 | |
| MITRE ATT&CK | M0935 | |
| MITRE ATT&CK | M0937 | |
| NIST SP 800-82:v3 | SC-7 | |
| NIST SP 800-82:v3 | AC-4 | |
| NIST SP 800-82:v3 | SC-2 | |
| 7. Missing Awareness | IEC 62443-2-1:2019 | ORG 1.4 |
| IEC 62443-3-3:2020 | SR 7.6 | |
| IEC 62443-3-3:2020 | SR 7.7 | |
| NIST CSF 2.0 | PR.AT | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 8.1 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 8.2 | |
| MITRE ATT&CK | M0917 | |
| NIST SP 800-82:v3 | AT-2 | |
| NIST SP 800-82:v3 | AT-3 | |
| 8. Components/Protocols with Insufficient Security Capabilities | IEC 62443-2-4:2024 | SP.03.03 |
| IEC 62443-3-2:2020 | ZCR 5.X | |
| IEC 62443-4-2:2020 | CCSC 2 | |
| NIST CSF 2.0 | PR.AA-02 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.3 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.5 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.10 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 12.2 | |
| NIST SP 800-82:v3 | PM-1 | |
| NIST SP 800-82:v3 | CA-2 | |
| NIST SP 800-82:v3 | CA-7 | |
| 9. Loss of Availability | IEC 62443 | FR 7 |
| IEC 62443-2-1:2019 | DATA 1.3 | |
| IEC 62443-2-1:2019 | DATA 1.4 | |
| IEC 62443-2-1:2019 | SPE 8 | |
| IEC 62443-3-3:2020 | SR 7.X | |
| NIST CSF 2.0 | PR.IR-02 | |
| NIST CSF 2.0 | PR.IR-03 | |
| NIST CSF 2.0 | PR.IR-04 | |
| NIST CSF 2.0 | RC | |
| NIST CSF 2.0 | PR.AA-02 | |
| NIST CSF 2.0 | DE.CM | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 4.X | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.4 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 13.1 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 13.2 | |
| MITRE ATT&CK | M0803 | |
| MITRE ATT&CK | M0811 | |
| MITRE ATT&CK | M0812 | |
| MITRE ATT&CK | M0815 | |
| MITRE ATT&CK | M0953 | |
| NIST SP 800-82:v3 | CP-2 | |
| NIST SP 800-82:v3 | CP-7 | |
| NIST SP 800-82:v3 | CP-9 | |
| NIST SP 800-82:v3 | CP-10 | |
| 10. Missing Hardening | IEC 62443-2-1:2019 | ORG 1.5 |
| IEC 62443-2-1:2024 | COMP 1.1 | |
| IEC 62443-2-4:2024 | SP.02.03 | |
| IEC 62443-3-3:2024 | ||
| IEC 62443-4-1:2018 | SG-3 | |
| IEC 62443-4-2 | ||
| NIST CSF 2.0 | PR.PS | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.3 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 6.9 | |
| EU NIS2 Directive Commission implementing Regulation C(2024) 7151 - ANNEX | 12.3 | |
| MITRE ATT&CK | M0806 | |
| MITRE ATT&CK | M0818 | |
| MITRE ATT&CK | M0921 | |
| MITRE ATT&CK | M0924 | |
| MITRE ATT&CK | M0927 | |
| MITRE ATT&CK | M0928 | |
| MITRE ATT&CK | M0934 | |
| MITRE ATT&CK | M0936 | |
| MITRE ATT&CK | M0938 | |
| MITRE ATT&CK | M0942 | |
| MITRE ATT&CK | M0944 | |
| MITRE ATT&CK | M0949 | |
| MITRE ATT&CK | M0950 | |
| MITRE ATT&CK | M0951 | |
| MITRE ATT&CK | M0954 | |
| NIST SP 800-82:v3 | CM-6 | |
| NIST SP 800-82:v3 | CM-7 | |
| NIST SP 800-82:v3 | SI-3 | |
| NIST SP 800-82:v3 | SC-28 |