Ics Scada Ot Cybersecurity Self Assessment Checklist

Uploaded by Suchitra Das

Various ICS malware families are being used by attackers to target critical infrastructure sectors, at both local and remote facilities. Such attacks can cause significant cyber-physical harm, e.g. opening and closing of valves, over[...] pote[...] systems. Connection of ICS/OT or business systems to the internet or to local area networks (LANs) can create vulnerabilities. Remote access into ICS/OT can also create [...]

This checklist has been compiled to assist with a basic ICS/SCADA (OT) security assessment. It is not an exhaustive questionnaire and it may not be exactly appropriate to your [...] your system, the risk to your system and the potential impact to your system, before deciding to use this checklist.


Function / Category (structure of the checklist)

Govern: Organizational Context; Risk Management Strategy; Roles, Responsibilities, and Authorities; Policy; Oversight; Cybersecurity Supply Chain Risk Management
Identify: Asset Management; Risk Assessment; Improvement
Protect: Identity Management, Authentication, and Access Control; Awareness and Training; Data Security; Physical Security; Platform Security; Maintenance; Protective Technology; Remote Access Security; Change Management; System Hardening
Detect: Continuous Monitoring; Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Incident Management; Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Incident Recovery Plan Execution; Improvements; Communications; Recovery Planning

The questions below follow this order, one group per category.

Has the organization defined its OT cybersecurity objectives and business context? Are OT cybersecurity risks aligned with org[...]
- Are internal stakeholders such as plant managers, maintenance engineers, and safety officers identified and engaged in OT [...]
- Are external OT stakeholders (e.g., contractors, equipment vendors) documented along with their cybersecurity roles and ac[...]
- Are legal and regulatory requirements specific to OT systems (e.g., power sector, oil & gas) identified and documented?
- Are vendor SLAs reviewed to ensure they include cybersecurity and patch support clauses for ICS devices?
Are the OT systems that deliver critical services documented and mapped to underlying assets such as PLCs, RTUs, HMIs, and h

Do you have a documented OT risk management strategy that is updated regularly?


- Are there defined cybersecurity objectives specific to OT environments (e.g., reduce downtime, protect control logic)?
- Are those objectives reviewed and updated annually based on production and threat landscape changes?
- Is risk appetite clearly defined for OT operations (e.g., maximum acceptable downtime, tolerance for legacy unpatched asset[...]
- Are these limits communicated to system integrators and ICS network engineers?
- Are cybersecurity risk management processes integrated with plant safety risk and process hazard assessments?
- Does your OT risk strategy include recovery time objectives (RTO) and acceptable degradation modes for safety-critical syste[...]
- Are business continuity or fail-safe states documented for key OT processes?
- Are operators trained to recognize cybersecurity events that may lead to physical process failures?
- Are OT engineers and cybersecurity teams regularly engaged through structured communication channels (e.g., shift handov[...]
- Are cross-functional review meetings scheduled to evaluate control system changes?
- Is a consistent method (e.g., CVSS, custom OT impact score) used to score and prioritize risks across engineering workstation[...]
- Are risk assessments updated after system changes (e.g., firmware upgrade, new vendor access)?
- Are digital transformation initiatives (e.g., predictive maintenance, sensor integrations) evaluated for their cybersecurity imp[...]
- Are opportunities to reduce cybersecurity risk considered in control system upgrade roadmaps?
- Are OT cybersecurity roles and responsibilities clearly defined, covering operators, integrators, and OEMs?
- Is accountability for patching, hardening, and response activities assigned per asset type or function?
Have roles and responsibilities for OT cybersecurity been clearly defined? Are OT security responsibilities documented in the jo[...]
- Are dedicated OT cybersecurity roles (e.g., ICS security engineer, plant OT lead) staffed with appropriate skillsets and access?
- Are HR policies updated to cover personnel roles in ICS zones (e.g., access control for engineering staff)?
- Is funding allocated for OT-specific tooling (e.g., asset inventory, network segmentation, anomaly detection) and incident res[...]
- Are operators and third-party contractors trained on cybersecurity responsibilities during onboarding?
Is there a designated authority for approving OT security changes?
Is there a backup resource identified for key OT security roles?

Are OT security policies established?


Does your OT cybersecurity policy cover all levels of the Purdue Model/Security Zones and address device hardening, remote a
Is the policy formally approved and communicated to OEMs, contractors, and plant operations staff?
Is the OT cybersecurity policy reviewed at least annually to account for new threats, vulnerabilities, and changes in industrial p
Are audit results and incident lessons learned fed back into policy updates?
Do policies address both normal and emergency OT operations?
- Are security incidents from OT environments (e.g., PLC logic overwrite, SCADA misconfigurations) reviewed for strategy align
- Is the OT cybersecurity strategy periodically evaluated for effectiveness through KPIs like Mean Time to Detect (MTTD) and p[...]
- Is executive oversight involved in approving OT recovery and segmentation strategies?
- Are misaligned or obsolete controls identified and removed from operational workflows?
- Is there a defined cadence for cybersecurity review meetings covering OT zones and control network integrity?
- Are review outcomes documented and acted upon, especially for policy deviations or missed updates?
- Does your supply chain policy require OT vendors to follow secure development, vulnerability disclosure, and access provisio
- Is cybersecurity risk factored into vendor selection or procurement scoring?
- Are cybersecurity expectations included in procurement SLAs and contracts with integrators or OEMs?
- Are suppliers required to disclose known vulnerabilities in OT products (PLCs, HMIs, firmware)?
- Do you verify that suppliers of critical OT components (e.g., PLCs, firewalls) implement secure development and testing practi[...]
- Are supplier-provided firmware and logic updates evaluated in a staging lab before production rollout?
- Are suppliers categorized by their impact on critical process functions (e.g., safety PLC vs. label printer)?
- Is there a documented asset-to-supplier mapping for OT assets?
- Are system integrators and remote vendors required to follow baseline security requirements before network or system acce[...]
- Are third-party tool configurations (e.g., historians, remote HMIs) validated for hardening compliance?
- Are pre-deployment risk assessments conducted for new OT components (e.g., PLCs, patch panels, IIoT sensors) with respect [...]
- Are supplier devices reviewed for backdoors, signed firmware updates, and SBOM availability?
- Is due diligence performed on OEMs and contractors for incident history, default credential usage, or support responsivenes[...]
- Are impact dependencies documented if supplier failure impacts operational safety or uptime?
- Are third-party service providers (e.g., remote monitoring, field maintenance vendors) assessed for their impact on OT zones[...]
- Is there a documented policy for onboarding/offboarding third-party access to OT systems?
- Are OT supply chain controls (e.g., hardware validation, inbound configuration verification) integrated into commissioning an[...]
- Are vendor-supplied support laptops or tools reviewed before they interact with live ICS environments?
Have you addressed this requirement for OT environments where safety, uptime, and physical process impacts must be assess

Are antivirus servers deployed? Is the antivirus solution approved by the OT vendor?


Do you have a complete and up-to-date OT asset inventory (OT hardware and software)?
How are you maintaining the asset inventory? Are you using any tools, or an Excel-based approach?
Are assets in the inventory classified based on criticality?
Are the firewalls managed by site owners or by vendors? Do you apply "separation of duties" when assigning responsibilities betwee[...]
Are OT switches managed by site owners?
Is your OT asset inventory grouped by function (e.g., control, safety, monitoring) and mapped to critical zones in your ICS netw
Are all communications paths (e.g., Ethernet, serial, wireless) and protocols (Modbus, DNP3, OPC-UA) between OT assets docu
Do you track and document ownership, support responsibility, and physical access for all OT assets, including third-party main
Are cybersecurity roles and responsibilities assigned for each asset class (e.g., who manages switch firmware vs. PLC logic)?
Are interdependencies between ICS assets (e.g., which HMI controls which PLCs) documented to understand potential cascadi
Is there an authentication mechanism set up for accessing the plant's critical data?
Are the OT systems that deliver critical services documented and mapped to underlying assets such as PLCs, RTUs, HMIs, and h

Are known vulnerabilities and threat sources evaluated for OT systems?


Have you identified and documented threat scenarios specific to ICS environments such as manipulation of control logic, fieldb
Does your risk analysis account for legacy systems without security features (e.g., unauthenticated Modbus TCP), and have co
Are the likelihood and impact of ICS-specific cyber events assessed using realistic consequences such as physical damage, dow[...]
- Are threat impact assessments conducted considering safety, process disruption, physical consequences and downtime in OT?
- Are OT-specific risk models used to assess physical impacts from device compromise (e.g., VFD failure triggering pu[...]
- Are impact-likelihood matrices adapted to reflect cascading consequences of OT-specific attacks (e.g., valve stuck open)?
- Are risk assessments for control systems conducted using asset criticality, safety zones, and downtime tolerances?
- Is historical incident data (e.g., controller failures, unauthorized changes) used to improve risk prioritization for OT assets?
- Are incident records from prior events analyzed for patterns in device types or access paths exploited?
- Is threat intel from OT-specific sources (e.g., ICS-CERT, MITRE ATT&CK for ICS) reviewed regularly?
- Are threat alerts triaged with ICS context (e.g., relevance to Siemens, GE, or Mitsubishi environments)?
- Is firmware integrity validation performed for critical OT devices before deployment?
- Are vendor-signed firmware or software images required for all field-deployed devices?
- Are critical OT vendors assessed for security maturity before procurement decisions?
- Does the procurement process include cybersecurity risk evaluation for new PLCs, VFDs, or HMIs?
Are risk assessments conducted periodically for OT assets and systems?
- Are lessons learned from security incidents in OT (e.g., malware infections, logic misuse) documented for future improvemen
- Is the change management process updated post-incident to reflect root cause findings?
- Are results of ICS security assessments used to improve patch prioritization or hardening baselines?
- Do vulnerability scan findings feed into change management for OT systems?
- Are outcomes of OT cybersecurity exercises (e.g., tabletop, incident simulations) used to enhance playbooks or runbooks?
- Is the IR plan revised based on post-incident debriefs or lessons learned from actual OT events?
- Is operator feedback post-simulation documented and incorporated into response improvements?
- Are findings from near-miss incidents used to strengthen asset lockdown or segmentation?
- Are unique user credentials enforced for access to PLCs, HMIs, engineering workstations, and remote terminals?
- Are password policies (e.g., minimum length, complexity, expiration) implemented consistently across OT assets?
- Is authentication enforced on serial consoles, web interfaces, or vendor tools used to access OT devices?
- Do embedded devices (e.g., PLCs) use vendor-supplied passwords or custom credentials?
- Is multi-factor authentication enforced for vendor and remote technician access into OT zones?
- Are jump servers with MFA in place for access to Level 2/3 zones of the ICS network?
Do firewalls, switches, workstations and other components use unique, strong passwords for authentication?
Are accounts for contractors and vendors disabled after use or deactivated on a schedule?
Is there a formal access review process for OT systems to ensure only authorized users have access to sensitive assets?
Are all the methods of remote access to the system authorized, monitored, and managed?

Is basic OT security awareness training provided to all system users before system access is granted?
Are incident response tabletop exercises regularly conducted with OT operators and maintenance staff?
Do maintenance personnel receive specific training on securing physical ports (e.g., USB blocking, serial console protection)?
Is cybersecurity awareness included in onboarding of OEM vendor technicians and integrators?
Is cybersecurity training updated to reflect changes in OT threats?

Are OT data in transit and at rest protected using encryption or equivalent controls? Is configuration and control data (e.g., lad
Is access to OT sensitive data logged and monitored?
Are backups of ICS control logic stored securely and tested regularly?
Are logs from PLCs, RTUs, and HMIs protected from unauthorized tampering or deletion?
Are removable media (USB, SD cards) scanned and controlled before use on engineering workstations?
Does the organization restrict the use of system media that can't be sanitized?

Are all physical access points to the facility subject to physical access authorizations?
Does the organization provide a unique ID card to each of its workers and visitors?
Is physical access monitored for the purpose of detecting and responding to physical security incidents?
Are keys, combinations and other physical access devices secured?
Is physical access to output devices controlled?
Is the control of publicly accessible sites in accordance with the organization's risk assessment?
Before allowing entry to the facility, are individual access authorizations verified?
Is the access list and authorization credentials checked and approved at least once a year, and are those that no longer need a[...]
Are unused services disabled on OT systems to minimize attack surface?
Are system logs on OT platforms protected from tampering and stored securely?
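The two questions above on keeping OT logs safe from tampering or deletion are usually answered with "they go to the SIEM", which does not by itself prove that what is stored is what the device emitted. One mechanism a log collector can apply on receipt is a keyed hash chain. The block below is an added example written for this page, not part of the checklist or of any vendor product: each stored entry carries an HMAC over the previous entry's tag, its own sequence number and the line, so editing, reordering or deleting any earlier entry breaks verification of everything after it. The key, the device names and the sample log lines are constructed for the demo.

```python
"""Tamper-evident log chain for OT device logs (added example, constructed data)."""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # "previous tag" used for the first entry


def _tag(key, prev, seq, line):
    # HMAC over (previous tag || 4-byte sequence number || log line).
    msg = prev + seq.to_bytes(4, "big") + line.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal_entries(lines, key):
    """Seal raw log lines into a chain of {seq, line, tag} entries.

    The key belongs to the collector, not to the PLC/HMI and not to anyone
    who can rewrite the stored file; otherwise re-sealing after an edit is trivial."""
    entries, prev = [], GENESIS
    for seq, line in enumerate(lines):
        tag = _tag(key, prev, seq, line)
        entries.append({"seq": seq, "line": line, "tag": tag.hex()})
        prev = tag
    return entries


def verify_chain(entries, key, expected_count=None):
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain is intact.

    expected_count is the number of entries the collector recorded out of band.
    Without it, dropping entries from the *end* of the chain is undetectable,
    because the remaining prefix still verifies."""
    prev = GENESIS
    for want, e in enumerate(entries):
        if e["seq"] != want:
            return False, want                    # gap: deletion or reorder
        tag = _tag(key, prev, e["seq"], e["line"])
        if not hmac.compare_digest(tag, bytes.fromhex(e["tag"])):
            return False, want                    # line or tag altered
        prev = tag
    if expected_count is not None and len(entries) < expected_count:
        return False, len(entries)                # tail truncation
    return True, None


# Constructed sample lines (not real device output) and a demo-only key.
KEY = b"collector-demo-key-not-for-production"
SAMPLE_LINES = [
    "2024-05-01T08:00:01Z PLC-01 user=eng01 event=logic_download project=line3_v17",
    "2024-05-01T08:02:13Z PLC-01 user=eng01 event=mode_change from=RUN to=PROGRAM",
    "2024-05-01T08:09:40Z HMI-02 user=op07 event=login result=failed",
    "2024-05-01T08:09:52Z HMI-02 user=op07 event=login result=success",
]


def demo():
    """Seal the sample, then show which tampering attempts are caught."""
    sealed = seal_entries(SAMPLE_LINES, KEY)
    results = {"intact": verify_chain(sealed, KEY, expected_count=len(sealed))}

    edited = [dict(e) for e in sealed]
    edited[1]["line"] = edited[1]["line"].replace("PROGRAM", "RUN")   # hide the mode change
    results["edited"] = verify_chain(edited, KEY)

    deleted = [dict(e) for e in sealed if e["seq"] != 2]               # drop the failed login
    results["deleted"] = verify_chain(deleted, KEY)

    truncated = sealed[:3]                                              # drop the newest entry
    results["truncated_unnoticed"] = verify_chain(truncated, KEY)
    results["truncated_caught"] = verify_chain(truncated, KEY, expected_count=len(sealed))
    return results


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:20s} ok={ok} first_bad_seq={bad}")
```

Tail truncation is the blind spot of any hash chain, which is why verify_chain takes an expected_count recorded out of band (the collector's own counter, or the latest tag published periodically to a second system); the demo shows the same truncated chain passing without it and failing with it.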

Is there an authentication mechanism set up for accessing the plant's critical data?
Is there a disaster recovery plan in place for data recovery?
Are the servers deployed in a RAID configuration?
Does the plant use remote backup servers?
Does the plant encrypt data before transferring it to remote servers?
Does the plant use plaintext protocols like FTP, Telnet or HTTP?
Are the security keys rotated at least yearly?
Are security keys revoked for users who have left the organization?

Are all sessions and remote connections provided via jump servers on an on-demand basis, monitored, and terminated when re[...]
If password-based authentication is used to perform remote maintenance, are passwords changed after each session?
Are remote maintenance and diagnostic sessions audited and do designated organisational individuals evaluate remote sessio
Is documentation available for the installation and operation of remote maintenance and diagnostic links?
- Is the use of system maintenance tools approved and monitored?
- Are remote maintenance sessions authorized, logged, and monitored when vendors connect to OT assets?
- Are removable media devices (USB, SD cards) scanned on isolated terminals before use on OT equipment?
- Are remote access ports (e.g., TeamViewer, SSH, VNC) disabled by default and enabled only with proper approval?
- Is there a documented process for firmware updates and logic backups during field maintenance?
Are all media containing diagnostic and test programs checked for malicious code before the media are used in the system?
Is there maintenance support and spare parts available for security-critical system components?
Is remote maintenance and diagnostic work authorised, monitored, and controlled?
Are remote maintenance and diagnostic tools only utilised in accordance with policy and as documented in the system's secur
Are records for remote maintenance and diagnostic activities maintained?

Are antivirus servers deployed? Is the antivirus solution approved by the OT vendor?


Are patches applied? Are those patches approved by the vendor?
Has the organization deployed an IT SOC with OT capabilities?
Does the organization have an OT-specific threat intelligence service?

Is multifactor authentication enforced for all remote access into OT networks?


Is there a formal change control process for OT device configurations and logic updates?
Are baseline security configurations applied to all OT devices including PLCs and HMIs?
Are the OT systems that deliver critical services documented and mapped to underlying assets such as PLCs, RTUs, HMIs, and h[...]
- Are alerts generated for unauthorized logic changes, firmware uploads, or repeated failed logins to OT devices?
- Is configuration change detection integrated with OT asset monitoring tools?
Do you use baseline behavior profiles for ICS protocols to detect anomalous activity like repeated write requests or broadcast
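The questions above on alerting for unauthorized logic changes and on baseline behaviour profiles for ICS protocols ("repeated write requests") can be made concrete. The following is an added example written for this page, not code from the checklist or from any monitoring product: it parses raw Modbus/TCP request frames, counts state-changing function codes (5, 6, 15, 16) per source address and per time window, and raises an alert when a source exceeds a baseline learned from normal operation, or when a host absent from the baseline writes at all. The baseline figures, IP addresses and frames are constructed for the demo; a real deployment would learn the baseline from a SPAN/TAP feed over a representative production period and choose the window per process.

```python
"""Baseline-driven write-request detector for Modbus/TCP (added example, constructed traffic)."""
import struct
from collections import defaultdict

# Function codes that change device state; reads (1..4) are not counted.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def parse_mbap(frame):
    """Parse one Modbus/TCP request frame.

    Layout: transaction id (2) | protocol id (2, always 0) | length (2) |
    unit id (1) | function code (1) | data.  The length field counts the unit
    id plus the PDU.  Returns (unit, function, data), or None if the frame is
    malformed, which in an OT zone is itself worth an alert."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7], frame[8:]


def build_request(tid, unit, func, data=b""):
    """Build a well-formed request; used here only to construct sample traffic."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def detect_write_bursts(records, baseline, window_s=60):
    """Flag sources whose write requests exceed their learned per-window limit.

    records : iterable of (timestamp_seconds, src_ip, frame_bytes)
    baseline: {src_ip: max_writes_per_window} learned from normal operation;
              a source missing from the baseline is allowed zero writes, so an
              unexpected writer alerts on its very first write.
    Returns alerts: at most one per (source, window), plus one per malformed frame."""
    counts = defaultdict(int)
    fired = set()
    alerts = []
    for ts, src, frame in records:
        parsed = parse_mbap(frame)
        if parsed is None:
            alerts.append({"src": src, "ts": ts, "reason": "malformed frame"})
            continue
        unit, func, _data = parsed
        if func not in WRITE_FUNCTIONS:
            continue
        key = (src, int(ts // window_s))
        counts[key] += 1
        limit = baseline.get(src, 0)
        if counts[key] > limit and key not in fired:
            fired.add(key)
            alerts.append({
                "src": src, "ts": ts, "unit": unit,
                "reason": f"{WRITE_FUNCTIONS[func]} from {src} to unit {unit}: "
                          f"{counts[key]} writes in {window_s}s window, baseline {limit}",
            })
    return alerts


# Constructed baseline and traffic for the demo; not a real capture.
BASELINE = {"10.10.2.5": 20, "10.10.2.10": 5}   # engineering workstation, HMI


def sample_records():
    recs = []
    # Engineering workstation: three register writes, well under its limit of 20.
    for i in range(3):
        recs.append((100 + i, "10.10.2.5",
                     build_request(i, 1, 16, b"\x00\x10\x00\x01\x02\x00\x2a")))
    # HMI: one read (ignored), then eight coil writes inside one minute (limit 5).
    recs.append((120, "10.10.2.10", build_request(50, 1, 3, b"\x00\x00\x00\x0a")))
    for i in range(8):
        recs.append((121 + i, "10.10.2.10",
                     build_request(51 + i, 1, 5, b"\x00\x01\xff\x00")))
    # Host absent from the baseline: a single register write is enough to alert.
    recs.append((130, "10.10.2.99", build_request(99, 1, 6, b"\x00\x05\x00\x00")))
    # Length field (0x0020) disagrees with the bytes on the wire: malformed.
    recs.append((131, "10.10.2.99", b"\x00\x01\x00\x00\x00\x20\x01\x06"))
    return recs


def run_demo():
    alerts = detect_write_bursts(sample_records(), BASELINE)
    for a in alerts:
        print(a["reason"])
    return alerts


if __name__ == "__main__":
    run_demo()
```

Malformed frames are reported as well, since a length field that disagrees with the wire bytes is typical of fuzzing or of a misbehaving vendor tool. The detector only classifies Modbus/TCP framing; serial Modbus RTU would need a different framing step, and a per-source write baseline is a complement to, not a substitute for, the asset inventory and the logic-change alerts asked about above.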

Are all sessions and remote connections provided via jump servers on an on-demand basis, monitored, and terminated when re[...]
Are events on the system monitored?
Are system attacks detected? (Attacks can be detected via log monitoring, IDS system monitoring, signatures/indicators.)
Is unauthorized use of the system identified? (e.g., log monitoring)
Are there monitoring devices strategically placed throughout the system to acquire critical data and track specific types of tran[...]
Is the amount of system monitoring activity enhanced if there is a sign of heightened risk?
When it comes to system monitoring, does legal counsel become involved?
Are automated tools used to support near real-time analysis of events?
Does the system monitor inbound and outbound communications for unusual or unauthorized activities or conditions?
Is a real-time alert sent by the system when indications of compromise or possible compromise occur?

Are events on the system monitored?


Are system attacks detected? (Attacks can be detected via log monitoring, IDS system monitoring, Signature/indicators)
Does the organization use NTP servers? Which stratum?
Is the time correct and consistent in critical systems?
Is intrusion monitoring application evaluated over a particular time period?
Is network access control used to prevent MITM attacks and the addition of rogue devices to the network?

Are all the methods of remote access to the system authorized, monitored, and managed?
Are automated mechanisms used to facilitate the monitoring and control of remote access methods?
Is cryptography used to protect the confidentiality and integrity of remote access sessions?
Does the system route all remote accesses through a limited number of managed access control points?
Is remote access for privileged commands and security-relevant information authorized only for compelling operational needs
Does the system terminate a network connection at the end of a session or after a defined time period of inactivity?
Is automatic session termination applied to local and remote sessions?
Are the terms and conditions established for authorized individuals to access the system from an external system?
Are the terms and conditions established for authorized individuals to process, store, and transmit organization-controlled info
Are authorized individuals prohibited from using an external system to access the system or to process, store, or transmit orga

When a new major incident is recorded, is the security risk assessment plan updated?
Are logs from OT assets centrally collected and used to reconstruct incident timelines during investigations?
Is an incident handling capability implemented for security incidents that include preparation, detection and analysis, containm
Are incidents communicated to appropriate stakeholders, including affected parties?
- Are incident response plans tailored for ICS assets, including procedures for isolating infected controllers?
- Does the IR plan define roles for OEM vendors, operators, and IT responders?
Are incident handling activities coordinated with contingency planning activities?
Are lessons learned from ongoing incident handling activities incorporated into incident response procedures?
Are system network security incidents tracked and documented on an ongoing basis?
Are cyber and control system security incident information promptly reported to authorities?
Is an incident response support resource provided that offers advice and assistance?
Are personnel required to report suspected security incidents to the organizational incident response authority within a define
Are automated mechanisms used to increase the availability of incident response-related information and support?
Does the organization implement an insider threat program that includes a cross-discipline insider threat incident handling tea
Is the incident response investigation and analysis process developed, tested, deployed, and documented?

Does the organization display a common contact number for emergency situations?
Does the organization maintain the communication channels?
Does the organization run a drill that includes communication?
Does the organization maintain a list of personnel contact numbers for emergency situations?
Does the organization maintain an alarming system, including alarm servers, in OT?

Is the incident response investigation and analysis process developed, tested, deployed, and documented?
Are incident handling activities coordinated with contingency planning activities?
Are lessons learned from ongoing incident handling activities incorporated into incident response procedures?
Are system network security incidents tracked and documented on an ongoing basis?
Is an incident response support resource provided that offers advice and assistance?
Are personnel required to report suspected security incidents to the organizational incident response authority within a define[...]
Are automated mechanisms used to increase the availability of incident response-related information and support?
Does the organization implement an insider threat program that includes a cross-discipline insider threat incident handling tea[...]

Does the risk management process include risk mitigation?


Does the organization document the vulnerability assessment results and the mitigation steps taken?
Does the organization consider environmental hazards in its risk mitigation?
Are risk-reduction mitigation measures planned and implemented?
Are potential accessibility problems to the alternate control centre identified in the event of an area-wide disruption or disaste[...]
Are potential accessibility problems at the alternative storage site identified in the event of an area-wide disruption or disaster[...]

Does the organization establish an information security workforce development and improvement program?
Does the organization update its OT security incident response program for the ever-changing threat landscape?
Does the organization update its improvement program with every incident recorded?

Does the organisation consider recovery improvements as part of its business continuity plan?
Are recovery steps for PLC/HMI restoration validated through periodic simulation or drills?
Have you addressed this requirement for OT environments where safety, uptime, and physical process impacts must be assess
Are the OT systems that deliver critical services documented and mapped to underlying assets such as PLCs, RTUs, HMIs, and h
- Are OT backups stored offline or in a segmented zone to ensure ransomware resilience?
- Do communications during recovery events include plant floor teams, OEM vendors, IT and management teams?
- Are restoration processes validated for PLC configurations, HMI images, and system firmware?
Does the organization have a recovery management plan?
Is the recovery plan for the system reviewed on a defined frequency, annually at a minimum?
Does the recovery plan align with the organization's enterprise architecture?
Is the authorizing official or designated representative who reviews and approves the recovery plan specified?
Does the organization have a configuration management and change management process in place?

Does the organisation consider recovery improvements as part of its business continuity plan?
Does the organization document recovery improvements?
Does the organization exercise the new improvements developed for recovery?

Are incidents communicated to appropriate stakeholders, including affected parties?
Is the status of recovery communicated?
Do you have an alternate communication channel for recovery communication?
Is the average time to recover recorded and communicated?
Is the organization's target time for issuing recovery communications defined?
Are recovery procedures for critical OT systems tested on a periodic basis?
Are tested and updated recovery plans in place for all critical OT systems?
[...]ection or processing agreements with the organizational entity hosting the external system?

Remaining columns of the source sheet (blank in this export): Evidence / Notes; Comments or Corrective Actions if any; Responsible Team; Target Completion Date
