The Top 10
Methodology
How were the OT Top 10 created?
- meetings every two weeks to gather the top 10 list
- quantitative discussion to form the top 10
How did we make sure that we covered reality?
- check existing OT incident reports and see whether the proposed top 10 fits them
Preliminary Top 10 List
In no particular order:
- Supplier/Supply Chain Management
- Devices out there in the Field with known Vulnerabilities/Issues
- Unknown Assets and Unmanaged External Access
- Insufficient Access Control
- Broken Zones and Conduits Design
- Missing Incident Detection/Reaction Capabilities
- Availability
- Missing Awareness
- Components/Protocols with Insufficient Security Capabilities
Structure of each Top 10 Item
Each entry in the OWASP OT Top 10 will be accompanied by a short description, public incidents exploiting that entry, recommended mitigation and countermeasures, as well as references and tooling to assist in addressing the identified risks.
| Field | Description |
|---|---|
| Name | Name/Title of the item |
| Description | Short description of the item |
| Rationale | Why did we find this item important enough for inclusion? |
| Known OT Attacks utilizing this Item | https://www.icsadvisoryproject.com, https://icsstrive.com/ |
| Mitigation/Countermeasures | There will be multiple levels: 1) design and implementation level mitigations for developers/builders; 2) operational mitigations for integrators, e.g., air-gapping systems |
| References | Relevant standards |
| Tooling | Links to tools that can be used to test for the vulnerability |
Existing Lists/Top-11 Items
We might move these to the related standards section later on, but keep them here as food for thought for now:
| Issuer | Title | Description |
|---|---|---|
| BSI | ICS Security Top 9 threats and countermeasures 2022 | Focus on impact and vectors (malware, phishing, DDoS, sabotage) |
| CISA | Top Ten Cybersecurity Misconfigurations | |
| ENISA | Power Sector Dependency on Time Service | Rather specific |
| ENISA | Transport Threat Landscape | |
| ENISA | Cyber security and resilience for Smart Hospitals | |
| ENISA | ENISA Threat Landscape 2023 | Figure 8 (page 16) gives a per-sector attack overview |