
Related Frameworks, Standards, and Regulations

While this document explores the unique challenges in OT networks and systems, there are established standards both from OWASP and other organizations that can provide useful information for suppliers, integrators and operators alike.

Additionally, as mentioned in the introduction, there are also a number of frameworks, laws, and regulations that apply to OT.

Frameworks

MITRE ATT&CK Framework

The MITRE ATT&CK framework is a comprehensive knowledge base of cyber adversary tactics, techniques and procedures (TTPs). It is widely used in cybersecurity to help understand, detect and respond to cyber attacks. The MITRE ATT&CK framework is a living framework that is regularly updated based on real-world observations of attacker behaviour. It provides a structured way to describe how attackers operate, with a focus on how they compromise systems and move through a network.

Standards of Other Organizations

IEC 62443

IEC 62443 is the series of standards for OT environments. The series aims to develop cybersecurity robustness and resilience in the industrial control systems and their environments. It offers several standards for operators, integrators and suppliers, for example:

Operators:

  • IEC 62443-2-1 Security program requirements for IACS asset owners
  • IEC 62443-2-4 Requirements for IACS service providers

Integrators:

  • IEC 62443-2-4 Requirements for IACS service providers
  • IEC 62443-3-2 Security risk assessment and system design
  • IEC 62443-3-3 System security requirements and security levels

Suppliers:

  • IEC 62443-4-1 Secure product development lifecycle requirements
  • IEC 62443-4-2 Technical security requirements for IACS components

NIST SP 800-82r3

NIST’s Special Publication 800-82 Revision 3 “Guide to Operational Technology (OT) Security” offers comprehensive guidelines on how to securely deploy and operate OT systems and devices. The document provides an overview of OT and typical architectures and system topologies, looks at common OT threats and vulnerabilities, and gives recommendations on mitigations for the identified risks. Because of this, the publication is especially relevant for operators and integrators.

NIST Cybersecurity Framework (NIST CSF)

NIST CSF is a framework introduced by NIST to standardize the approach to managing cyber risk across sectors. In 2024 the second version was released. CSF is applicable to IT as well as OT and therefore is a helpful resource for all operators.

ISO/IEC 27000

The ISO/IEC 27000 standard series – best known for the 27001 standard – defines requirements to establish an information security management system (ISMS). While ISO/IEC 27001 specifies the requirements and lists the controls in its annex, ISO/IEC 27002 provides proven guidelines on how to implement those controls. Although widely established in IT environments, the ISO/IEC 27000 series can nonetheless be valuable for operators and integrators, as many of the processes and the security management practices from IT can also be adapted to OT. This becomes even more true when IT and OT security are integrated in a holistic approach to security throughout the whole organization.


Regulations

EU NIS 2 Directive

NIS 2, superseding NIS 1, is an EU-wide legislation aiming at improving the overall level of cybersecurity in the European Union. Published in 2022, it must be adopted by all EU member states through national law, starting on 17 October 2024. All enterprises and organizations in scope of NIS 2 are required to fulfill technical and organizational security measures (the details have to be defined by the member states) and are subject to strict mandatory reporting of incidents with significant impact. All medium and large-sized companies meeting a certain threshold in 18 critical sectors are included in the scope of NIS 2. It is therefore a highly relevant legislation for operators.


Existing Vulnerability Lists

| Issuer | Title | Description |
|---|---|---|
| BSI | ICS Security Top 9 threats and countermeasures 2022 | Focus on impact and vectors (malware, phishing, DDoS, sabotage) |
| CISA | Top Ten Cybersecurity Misconfigurations | |
| ENISA | Power Sector Dependency on Time Service | rather specific |
| ENISA | Transport Threat Landscape | |
| ENISA | Cyber security and resilience for Smart Hospitals | |
| ENISA | ENISA Threat Landscape 2023 | Figure 8 (Page 16) gives a per-sector attack overview |

Mapping Table

A mapping table linking the OWASP OT Top 10 items to some of the relevant requirements from the standards and regulations mentioned above is provided.