OT Site Assessment


As industrial control systems become more connected, they also become more exposed to cyber threats. The consequences of a cyberattack could negatively affect the organization’s efficiency, continuity, and even safety. Addressing these risks is essential for organizations looking to protect their Industrial Control Systems (ICS).


Discover more about OT Site Assessment:

  1. The risks of cyberattacks on ICS and SCADA systems
  2. What is an OT Site Assessment?
  3. The deliverables of an OT Site Assessment
  4. Insights provided by Secura
OT Site Assessment - Solar Inverter Slider

Risks of Attacks on ICS and SCADA systems

Cyberattacks on ICS and SCADA systems can impact the safety, availability, and reliability of systems, operations, and value chains leading to catastrophic consequences. Organizations that are potentially impacted by these consequences are located in various industries, including but not limited to electric power, water, nuclear, manufacturing, infrastructure, transport (railways, ports, and airports), and oil & gas (upstream, midstream, downstream).

Organizations within these industries have a variety of concerns such as cyberattacks that could cause damage to reputation, shareholder confidence, environment, or cause system outage, loss of production, injury, or even loss of life. Organizations therefore must assess if they have the right mitigations in place to sustain ICS security. While IT and OT have been increasingly convergent over the years, a gap in understanding and solid practice between OT and IT security tends to remain. This critical skills gap contributes to security vulnerabilities, which are often overseen but must be identified and addressed appropriately.

What is an OT Site Assessment?

OT Site Assessment

Secura has developed a proven OT site assessment methodology that follows internationally recognized standards and best practices such as IEC 62443, NIST SP 800-82, and ALARP which are specifically tailored to Industrial Automation Control Systems (IACS). The OT Site Assessment is specifically designed to identify technical site-level risks as opposed to organizational-level risks. It is a bottom-up approach that includes site visits, system architecture reviews, and interviews with subject matter experts. Optionally the assessment can be expanded with high-level penetration testing to verify the level of protection between IT-OT or passive packet capture and analysis. The OT site assessment service includes the following IEC 62443 aspects and addresses the following subject areas within each aspect:

The Deliverables of an OT Site Assessment


A detailed OT site assessment report will be delivered with all identified risks, each with an explanation and recommendation. All findings are given a qualitative risk rating. Secura follows a standard risk rating system which can be adjusted based on your organization. Not only are the risks to the ICS identified, but areas to sustain are also included in the report indicating the security strengths of the facility in scope.

Cyber-physical attack scenarios are outlined by giving a detailed description of how an attacker could potentially target the specific site in scope. Cyber-physical attack scenarios could encompass all functional requirements of IEC 62443.


The Final Result


The results of the OT Site Assessment presented by Secura will provide you with the following insights:

  • How effective the implemented OT security controls are;
  • How these risks are mapped to relevant parts of the IEC 62443 requirements;
  • Were improvements might be required, including our recommendations.


Interested in an OT Site Assessment at your company?

For more information, please refer to our factsheet. We are happy to discuss how we can help you the best. You can contact us via the contact form, by telephone at +31 (0) 88 888 31 00, or by email at info@secura.com.

Fact sheets

OT Site Assessment

Identify technical site-level risks, as opposed to organizational-level risks.

Download fact sheet file_download

IEC 62443 functional requirements

IEC 62443
OT Site Assessment Areas
FR 1
Identification and authentication control

Assessing the extent of insider risks focusing on the impact that can be caused per group of insiders based on existing mitigating controls.

Assessing potential cyber-physical attack risks by analyzing process flow diagram outputs, conducting SME interviews, and analyzing industry incident reports deriving from real attack scenarios
FR 2
Use control
Investigating external exposure in the form of undesirable externally accessible domains, IPs, and modem connectivity as well as physical security vulnerabilities of the entire site, which could impact the availability and safety of the site.

FR 3
System integrity

Assessing OT Network Traffic analysis to discover various kinds of connectivity present on-site, exposure outside of designated areas and physical perimeters, and any security issues that can be identified passively.
Assessing the inherent cyber resilience of your organization both on an architectural and configuration level.
FR 4
Data confidentiality
Assessing data exfiltration risks such as obtaining intellectual property and corporate secrets up to obtaining technical information to prepare for sabotage.
FR 5
Restricted data flow
Collecting Network Traffic passively at agreed-upon locations utilizing passive network taps or monitor ports. No active scanning, man-in-the-middle, or other measures which might interfere with traffic will be used.
FR 6
Timely response to events
Assessing OT network and systems security aims to see if malicious entities can get into your OT network and see what they can potentially compromise (e.g., checking firewall configuration, lateral movement, and checking for insecure protocols).
FR 7
Resource availability
Conducting a discrepancy analysis between asset inventory, architecture maps, and perimeter to see whether ICS Visibility and Control is addressed coherently.


Secura Contact Shape
Partners of Secura

Cybersecurity is more than technology alone. Secura collaborates with partners in compliance and risk management, integrated application security, privacy, IT- and internet law and certification.