| layout | title | tags | level | type | pitch |
|---|---|---|---|---|---|
| col-sidebar | OWASP OT Top Ten | example-tag | 2 | documentation | A very brief, one-line description of your project |
The OWASP OT Top Ten project aims to tackle the security risks emerging from the combined efforts to easily interconnect operational technology (OT) systems with our more familiar information technology (IT) environments. Many of us are familiar with IT systems, the application software, and networking infrastructure that we use daily. OT systems, however, consist of specialized hardware and software that controls and monitors everything from manufacturing processes to the electrical network and generators that power our daily lives, to medical equipment and industrial robots, as well as the process control systems in critical infrastructure that allow us to safely drink water, treat our waste and power our communities. These processes must continue to run uninterrupted for us to survive and thrive, making OT systems invaluable for operational efficiency. Organizations that rely on OT systems are rightfully worried as they become increasingly vulnerable to cyber threats associated with disruption, theft of sensitive data, physical damage to processes, and even loss of life.
The deliverable will be a curated list of the OT Top Ten security risks, grown out of a community-driven list of critical security risks in OT environments. Much like the widely used OWASP (Open Web Application Security Project) API, Web and LLM (Large Language Model) Top Ten lists, it will be bolstered by detailed risk profiles and actionable advice, giving organizations and security professionals a better understanding of the risks and practical guidance for securing their OT systems.
**Phase 1: Initial Research and Community Involvement**

Conduct a broad survey of OT security professionals and industry leaders to gather insights on the most prevalent OT security risks. Host community calls or workshops to discuss potential risks and collect feedback from the OWASP community.

**Phase 2: Risk Identification and Categorization**

Develop a preliminary list of risks based on the research and feedback collected. Refine the risk categories, ensuring each is clearly defined, relevant to OT environments, and supported by real-world incidents or vulnerabilities. Begin drafting detailed risk profiles, including descriptions, examples, and mitigation strategies.

**Phase 3: Public Review and Iteration**

Publish the initial draft of the OT Top Ten list and open it for public comment and community feedback. Incorporate feedback to refine the list and improve the accuracy and relevance of the risks identified. Collaborate with OT security experts and OWASP contributors to ensure thorough vetting of the risks.

**Phase 4: Finalization and Publication**

Finalize the OT Top Ten list, risk profiles, and all supporting documentation. Publish the official OWASP OT Top Ten report. Promote the release across the community and hold webinars or presentations to introduce the list to relevant stakeholders.

**Phase 5: Ongoing Updates and Maintenance (Ongoing)**

Continuously monitor developments in OT security and update the OT Top Ten list as new risks or trends emerge.