
The Top 10

Methodology

How were the OT Top 10 created?

  • meetings every two weeks to gather the top 10 list
  • quantitative discussion to form the top 10

How did we make sure that we covered reality?

  • check existing OT incident reports and see if the proposed top 10 fit

Preliminary Top 10 List

In no particular order:

Structure of each Top 10 Item

Each entry in the OWASP OT Top 10 will be accompanied by a short description, public incidents exploiting that entry, recommended mitigation and countermeasures, as well as references and tooling to assist in addressing the identified risks.

| Field | Description |
|---|---|
| Name | Name/Title of the Item |
| Description | Short description of the item |
| Rationale | Why did we find this item important enough for inclusion? |
| Known OT Attacks utilizing this Item | https://www.icsadvisoryproject.com, https://icsstrive.com/ |
| Mitigation/Countermeasures | There will be multiple levels: 1) design- and implementation-level mitigations for developers/builders; 2) operational mitigations for integrators, e.g., air-gapping systems |
| References | Relevant standards |
| Tooling | Links to tools that can be used to test for the vulnerability |

Existing Lists/Top-11 Items

We might move these to the related standards section later on, but keep them here as food for thought for now:

| Issuer | Title | Description |
|---|---|---|
| BSI | ICS Security Top 9 threats and countermeasures 2022 | Focus on impact and vectors (malware, phishing, DDoS, sabotage) |
| CISA | Top Ten Cybersecurity Misconfigurations | |
| ENISA | Power Sector Dependency on Time Service | rather specific |
| ENISA | Transport Threat Landscape | |
| ENISA | Cyber security and resilience for Smart Hospitals | |
| ENISA | ENISA Threat Landscape 2023 | Figure 8 (Page 16), gives a per-sector attack overview |