The OWASP Top 10 is a list published by the Open Worldwide Application Security Project Foundation (OWASP) of the most important security risks in a specific application area. It serves as a practical orientation to make typical vulnerabilities visible, create awareness of cyber risks and initiate concrete improvements in the development, operation and protection of systems. If you are familiar with the topic, you will probably think of the ten most common vulnerabilities in web applications first. And you’re in good company, because it’s not for nothing that the OWASP Top 10 has been among the most frequently referenced standards in the field of web security for years.
However, a lot has also happened at OWASP in recent years. In addition to numerous projects, there are now also top 10 lists for other areas such as IoT, API security, machine learning and applications with LLM integration. We welcome this development, of course, but we have always felt that a crucial building block is still missing. OT security is becoming more and more important – there are more attacks and regulatory requirements are increasing. After more than ten years of experience in this area, it was important for us to take action together with partners from industry and research – under the leadership of OWASP. This resulted in the OWASP OT Top 10, which celebrated its anniversary in October 2025.
The OWASP OT Top 10 at a Glance
The ten points were selected based on expert knowledge, advisory evaluations and empirical data collection from offensive and defensive OT security projects of the participating companies. We at Limes Security are particularly proud to have been able to contribute our experience from many OT penetration tests and the know-how gained from numerous tested environments.
Each point contains a detailed description, a justification and, where appropriate, is supplemented with known examples of attacks and specific recommendations for action. This gives affected organizations a quick overview of the most relevant threats and what they can do about them. In addition, the Top 10 have been mapped to the most important standards and regulations, including IEC 62443, NIST SP 800-82:v3, NIST CSF 2.0, MITRE ATT&CK and EU NIS2, which enables quick cross-referencing.
Why does the OWASP OT Top 10 exist?
Security for OT People – OT for Security People: The OWASP OT Top 10 aims to create awareness of the most important, security-relevant risks in OT environments and to provide readers with practical, directly implementable recommendations. The Top 10 can be applied to the entire spectrum of OT. Traditional office IT devices and non-OT-relevant edge devices, on the other hand, have been deliberately excluded. A central idea in the development of the Top 10 was to create added value through clear recommendations for the design, implementation, and secure operation of the components considered. These recommendations benefit a wide range of professional groups, such as software developers, administrators, OT project staff, as well as security and quality managers.
The top 10 are also intended to raise awareness of OT security. OT and the associated security requirements often follow their own rules, which are difficult to grasp for managers with a traditional IT background. In order to unite these worlds and promote greater mutual understanding, each OT Top 10 includes a “crash course” that provides OT know-how for IT security specialists on the one hand and security know-how for OT specialists on the other.
Why is this necessary? Because this mutual understanding is essential for a holistic security strategy. Here are a few examples: The inherent inertia of OT systems is often difficult to grasp, whereas IT systems appear to be quite agile and are usually subject to a relatively short life cycle. The aforementioned “sluggishness” of OT systems is particularly evident in the operation of established components, which often spans decades. In addition, for financial and operational reasons, they usually cannot simply be restarted for a security update. The elimination of known vulnerabilities must therefore usually be planned well in advance in maintenance periods – if they are planned and supported by integrators at all.
The frequent alternative: mitigating measures. These reduce immediate risks through workarounds, but do not eliminate the actual causes. Although this increases security in the short term, the fundamental vulnerability of the system remains. In the end, an attacker only has to bypass these protective measures – for example through faulty network segmentation – in order to access insecure devices. Added to this are high performance requirements, a focus on availability and safety (as opposed to confidentiality in IT) and, in some cases, completely different working cultures between IT and OT.
What’s next?
The first step has now been taken with the publication of the OT Top 10 – but the journey has only just begun! The living document will be refined in the future based on the experience and contributions of numerous experts and constantly adapted to the current threat landscape.
If you need support in implementing the measures listed in the OWASP OT Top 10 or if you are generally wondering which points you need to take a closer look at, please do not hesitate to contact us! Whether in the form of targeted consulting, structured training through our in-house academy, or a comprehensive assessment: we are happy to support you so that you can look at the OWASP OT Top 10 without worrying, knowing that you have addressed all points in the best possible way.
Our colleagues Nino Fürthauer and Felix Eberstaller will be presenting the project at the annual Security Forum on May 5th and 6th, 2026 in Hagenberg. Take the opportunity and talk to us at our exhibition stand. We look forward to hearing from you!