The Top 10

Methodology

How were the OT Top 10 created?

meetings every two weeks to gather the top 10 list
quantitative discussion to form the top 10

How did we make sure that we covered reality?

check existing OT incident reports and see if the proposed top 10 fit

Preliminary Top 10 List

In no particular order:

Structure of each Top 10 Item

Each entry in the OWASP OT Top 10 will be accompanied by a short description, public incidents exploiting that entry, recommended mitigation and countermeasures, as well as references and tooling to assist in addressing the identified risks.

Field	Description
Name	Name/Title of the Item
Description	Show description of the item
Rationale	Why did we find this item important enough for inclusion?
Known OT Attacks utilizing this Item	https://www.icsadvisoryproject.com, https://icsstrive.com/
Mitigation/Countermeasures	There will be multiple levels: 1) design and implementation level mitigations for developers/builders; 2) operational mitigations for integrators, e.g., air-gapping systems
References	Relevant standards
Tooling	Links to Tools that can be used to test for the vulnerability

Existing Lists/Top-11 Items

We might move these to the related standards section later on, but keep them here as food for thought for now:

Issuer	Title	Description
BSI	ICS Security Top 9 threats and countermeasures 2022	Focus on impact and vectors (malware, phishing, DDoS, sabotage)
CISA	Top Ten Cybersecurity Misconfigurations
ENISA	Power Sector Dependency on Time Service	rather specific
ENISA	Transport Threat Landscape
ENISA	Cyber security and resilience for Smart Hospitals
ENISA	ENISA Threat Landscape 2023	Figure 8 (Page 16), gives a per-sector attack overview