ICS SCADA OT Cybersecurity Self Assessment Checklist

Uploaded by saifkhantoru

Checklist for ICS/SCADA OT Cybersecurity Self-Assessment

Worksheet columns: Function | Category | Questions | Comments or Corrective Actions (if any) | Target Completion Date

Function: Identify

Category: Asset Management
- Is your OT asset inventory up to date? How is it maintained (tools or Excel-based)?
- Are firewalls managed by site owners or vendors? Is "separation of duties" applied between IT and OT teams?
- Are OT switches managed by site owners?
- Is firmware for OT network devices (e.g., switches, firewalls) updated?
- Are authentication mechanisms for firewalls, switches, workstations, and other components configured with unique strong passwords?
- Do site owners apply application patches/updates at least annually?
- Is there a defined patch management program for OT assets?
- Are OT workstations secured with unique user passwords?
- Are operating system-level patches applied by site owners?

Category: Business Environment
- Is confidential information (e.g., production-specific or business-sensitive data) restricted to authorized users?
- Are "system security requirements" defined during business case planning?
- Is security authorization for different OT systems updated periodically?
- Is an OT security officer designated to develop and maintain an organization-wide OT security program?
- Has the organization established an OT security improvement and workforce development program?
- Are documented processes for technical and management operations in OT clearly defined and approved?
- Are business continuity procedures (BCP) followed strictly?

Category: Governance
- Are OT security responsibilities clearly defined and assigned to the appropriate team members?
- Is there a supply chain risk management program in place? Have OT security requirements been integrated into contracts and FAT/SAT procedures?
- Are policies and procedures for network segmentation (e.g., DMZs) established based on equipment sensitivity, user roles, and system types?
- Are OT security policies, guidelines, and procedures accessible to authorized staff?
- Is a process defined for integrating new systems into the network, including necessary approvals?
- Are environmental risks (e.g., fire, flood, earthquakes) considered during risk assessments?
- Are there policies for securing standalone, lost, or misplaced equipment?
- Are physical protections implemented against risks such as fire, floods, explosions, or civil unrest?

Category: Risk Assessment
- Has the organization conducted risk assessments?
- How frequently are risk assessments conducted, and are crown jewel sites (high, medium, low criticality) identified?
- Does the risk management process include threat modeling?
- Are risk assessment policies and procedures regularly reviewed and updated?
- Is there a defined frequency for reviewing risk assessment results and implementing corrective actions?

Category: Risk Management Strategy
- Is the security risk assessment plan updated after recording major incidents?
- Are auditable parameters revised as new threats are identified?
- Are system connections monitored to ensure compliance with security requirements?
- Is a security assessment report generated to document findings?
- Do site owners follow a standard procedure to address existing vulnerabilities?
- Is there a comprehensive risk management plan covering organizational operations, assets, and personnel (people, process, technology)?

Category: Supply Chain Risk Management
- Does the organization have a supply chain risk management policy?
- Is vendor screening (e.g., NDA) conducted before awarding contracts?
- Does the organization have a supply chain risk management team?
- Are vendors escorted within the plant from entry to exit?
- Do vendors use restricted user accounts for system access?
- Is a software bill of materials (SBOM) maintained?
- Are data, documentation, tools, or system components disposed of following predefined techniques?

Function: Protect

Category: Physical Security
- Are all physical access points to the facility governed by access authorizations?
- Does the organization provide unique ID cards for workers and visitors?
- Is physical access monitored to detect and respond to security incidents?
- Are keys, combinations, and physical access devices secured?
- Is physical access to output devices controlled?
- Is the management of publicly accessible areas aligned with the organization's risk assessment?
- Are access authorizations verified before allowing entry to the facility?
- Are the access list and authorization credentials reviewed annually, and are unnecessary access permissions revoked?

Category: Awareness and Training
- Is basic OT security awareness training provided to all system users before granting access?
- Does the organization conduct fire drills?
- Are visitors provided with "Do's and Don'ts" training?
- Are individual training activities documented, maintained, and monitored?
- Is refresher training provided at least annually?
- Does OT security awareness training include practical scenarios simulating real cyber-attacks?

Category: Data Security
- Is security authentication implemented for accessing critical plant data?
- Is there a disaster recovery plan in place for data recovery?
- Are servers deployed with RAID configuration?
- Does the plant utilize remote backup servers?
- Is data encrypted before transferring to remote servers?
- Does the plant use plaintext protocols like FTP, Telnet, or HTTP?
- Are security keys updated annually?
- Are security keys revoked for users who have left the organization?

Category: Information Protection Processes and Procedures
- Is the use of non-sanitizable system media restricted?
- Does the organization manage USB device access, and are Sheep Dip Stations used?
- Are data storage devices erased before redeployment?
- Are cryptographic mechanisms in place to protect information?
- Are portable storage devices sanitized before connecting to systems as per defined conditions?
- Is media storage determined based on material sensitivity?

Category: Maintenance
- Are all remote connections via jump servers on-demand, monitored, and terminated post-maintenance?
- Are passwords changed after remote maintenance sessions if password-based authentication is used?
- Are remote maintenance and diagnostic sessions audited, and are session records evaluated by designated individuals?
- Is documentation available for the installation and operation of remote maintenance links?
- Is the use of system maintenance tools monitored and approved?
- Are diagnostic media checked for malicious code before use?
- Are maintenance support and spare parts available for security-critical components?
- Are remote maintenance activities authorized, monitored, and controlled?
- Are remote tools used only as per documented policies and security plans?
- Are records for remote maintenance activities maintained?

Category: Protective Technology
- Are antivirus servers deployed, and are the solutions approved by OT vendors?
- Are patches updated, and are they vendor-approved?
- Does the organization have an IT SOC with OT capabilities?
- Does the organization utilize OT-specific threat intelligence services?

Function: Detect

Category: Anomalies and Events
- Are system events monitored?
- Are system attacks detected (via log monitoring, IDS systems, signatures/indicators)?
- Is unauthorized system usage identified (e.g., via log monitoring)?
- Are monitoring devices placed strategically to collect critical data and track key transactions?
- Is the intensity of system monitoring increased when heightened risk is detected?
- Is legal counsel involved in system monitoring activities?
- Are automated tools used for near real-time event analysis?
- Does the system monitor inbound and outbound communications for unusual or unauthorized activities?
- Does the system send real-time alerts when signs of compromise or potential compromise are detected?

Category: Security Continuous Monitoring
- Are system events continuously monitored?
- Are attacks detected using log monitoring, IDS systems, or other signatures/indicators?
- Does the organization utilize NTP servers? If so, which stratum model?
- Is the time in critical systems accurate and consistent?
- Is intrusion monitoring evaluated over specific periods of time?
- Is network access control in place to prevent MITM attacks and unauthorized devices on the network?

Category: Detection Processes
- Are all remote access methods authorized, monitored, and managed?
- Are automated systems used to facilitate the monitoring and control of remote access?
- Is cryptography used to ensure the confidentiality and integrity of remote access sessions?
- Are remote accesses routed through a limited number of managed access points?
- Is remote access for privileged commands and sensitive information granted only for operational needs, and is the rationale documented?
- Does the system terminate network connections after a session or a defined period of inactivity?
- Are automatic session terminations applied to both local and remote sessions?
- Are terms and conditions defined for authorized individuals accessing the system from external systems?
- Are terms and conditions set for individuals processing, storing, and transmitting organization-controlled data using external systems?
- Are authorized individuals prohibited from using external systems to access, process, store, or transmit organizational information unless security controls are verified, or agreements are made with external system hosts?

Function: Respond

Category: Response Planning
- Is there a capability in place to handle security incidents, covering preparation, detection, analysis, containment, eradication, and recovery?
- Are incident handling activities coordinated with contingency planning activities?
- Are lessons learned from ongoing incident handling incorporated into response procedures?
- Are network security incidents tracked and documented on an ongoing basis?
- Are cyber and control system security incidents reported to authorities in a timely manner?
- Is there a support resource for incident response that offers advice and assistance?
- Are personnel required to report suspected incidents to the incident response authority within a defined period?
- Are automated tools used to enhance the availability of incident response information and support?
- Does the organization have an insider threat program with a cross-discipline handling team?
- Is the incident response process developed, tested, deployed, and documented?

Category: Communications
- Does the organization display a common contact number for emergency situations?
- Does the organization maintain communication channels for emergency situations?
- Does the organization simulate drills that include communication exercises?
- Does the organization maintain a list of personnel contact numbers for emergency situations?
- Does the organization maintain an alarm system, including alarm servers, in OT environments?

Category: Analysis
- Is the incident response investigation and analysis process developed, tested, deployed, and documented?
- Are incident handling activities coordinated with contingency planning activities?
- Are lessons learned from ongoing incident handling activities incorporated into response procedures?
- Are network security incidents tracked and documented continuously?
- Is there a support resource available for incident response, offering advice and assistance?
- Are personnel required to report suspected security incidents to the organizational response authority within a defined time period?
- Are automated systems used to enhance the availability of incident response-related information and support?
- Does the organization implement an insider threat program, including a cross-discipline handling team?

Category: Mitigation
- Is risk mitigation included in the organization's risk management process?
- Does the organization document vulnerability assessment results and mitigation steps taken?
- Does the organization consider environmental hazards in its risk mitigation plans?
- Are risk-reduction measures planned and implemented?
- Are accessibility issues to alternate control centers identified in the event of an area-wide disruption, and are mitigation actions outlined?
- Are accessibility issues to alternate storage sites identified, and are explicit mitigation actions outlined in the event of a disruption or disaster?

Category: Improvements
- Does the organization have an information security workforce development and improvement program?
- Is the OT Security Incident Response program updated to address evolving threats?
- Does the organization update its improvement program with each recorded incident?

Function: Recover

Category: Recovery Planning
- Does the organization have a formal recovery management plan?
- Is the recovery plan reviewed regularly, at least annually?
- Does the recovery plan align with the organization's enterprise architecture?
- Is the authorized official or their designated representative identified to review and approve the recovery plan?
- Does the organization have a Configuration Management and Change Management Process in place?

Category: Improvements
- Does the organization consider recovery improvements as part of its business continuity planning?
- Are recovery improvements documented within the organization?
- Does the organization regularly practice the newly developed recovery improvements?

Category: Communications
- Are incidents communicated to the appropriate stakeholders, including those affected?
- Is the recovery status communicated in a timely manner?
- Is there an alternate communication channel available for recovery-related communications?
- Is the average time for recovery tracked and communicated across relevant departments?
- Is the organization's average recovery reporting time clearly defined and communicated?