Skip to content

OWASP Operational Technology (OT) Top 10

TBD: Broken Zones and Conduits Design

Broken Zones and Conduits Design

Short Description (one paragraph)

Description

risk-based approach (mention threat modeling)
goal: least functionality vs. over-exposure of services
errors in network segregration
potentially can also contain 'external admin access'?
potentially 'forgotten hardware debug interfaces'?
available JTAG/SWD interface left enabled on production devices

Rationale

why did we include this item in the top 10?

Known Attacks/Examples

The Register: Iranian hacktivists .. likely broke into the facilities by using defautl passwords for internet-accessible PLCs

Potential Sources

https://www.icsadvisoryproject.com
https://icsstrive.com/
https://emb3d.mitre.org/
https://attack.mitre.org/techniques/ics/
please add more

How-To Test (have to discuss)

maybe add this to a separate section?

Mitigation/Countermeasures

Design and Implementation

mitigations for developers/builders

Operational

mitigations for integrators/builders

References

Standards

links to relevant standards

Background information

links to blogs, etc.

Tooling

for testing, etc.