OT Security Teams · Free Tool

OT Cryptographic Asset Prioritisation Matrix

Enter your operational technology assets. The tool scores each one across five dimensions specific to OT environments: asset lifecycle, cryptographic vulnerability, operational impact, migration feasibility, and regulatory exposure. The output is a ranked migration register with pathways, a Mosca inequality analysis, and a PDF report. No account required. Asset data is not stored or transmitted.

No email or company details are transmitted or stored · 5-dimension OT scoring model · SIL 3/4 hard ceiling applied · Mosca inequality analysis · PDF report included
OT Security Engineers · Plant Managers · Industrial Architects
About this tool

OT environments present a PQC migration challenge that IT-focused tools cannot address: assets with 15 to 25 year operating lives, patching windows measured in planned shutdowns rather than software releases, and safety classifications that make unplanned firmware updates impermissible. This tool applies a five-dimension scoring model specifically constructed for operational technology. The dimensions are Asset Lifecycle Exposure (how long the asset will remain in service), Cryptographic Vulnerability (the current encryption state and protocol), Operational Impact (Purdue level and safety classification), Migration Feasibility (vendor support, SDL certification, PQC roadmap, and crypto agility), and Regulatory Exposure (NERC CIP-015 monitoring posture and EU Cyber Resilience Act applicability).

Safety Integrity Level 3 and SIL 4 assets are placed in the Immediate priority band regardless of other scores: their migration is constrained by functional safety law and cannot be deferred to match a standard firmware cycle. Mosca inequality analysis flags assets where the remaining operational life combined with the migration lead time exceeds the estimated window before a cryptographically relevant quantum computer becomes available, identifying harvest-now-decrypt-later exposure. Regulatory context panels are generated from your sector and country, covering IEC 62443, NERC CIP-013 and CIP-015, NIS2, NIST SP 800-82, and the EU Cyber Resilience Act as applicable. No asset data is stored. Country and sector are recorded anonymously to support industry benchmarking.

Important Information / Data Disclosure

What is stored: The following information is recorded anonymously to support industry benchmarking: country (ISO code), sector (enum value), number of assets assessed, priority band distribution (count per band), Mosca flag count, and CRA flag count. No personal data, company name, IP address, sub-dimension scores, or individual asset details are stored. Timestamps are recorded at weekly granularity only.

What is not stored: Your name, company, email, individual asset scores, asset configurations, encryption states, protocol selections, SIL classifications, and all other per-asset inputs remain in your browser only. They are never transmitted to any server. The PDF report is generated entirely in your browser.

Q-Day timing: This tool uses a central estimate of 10 years (approximately 2036) consistent with NIST IR 8547 (ipd). This is not a prediction. Published estimates range from 5 to 30 years across analysts.
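The Mosca check described under "About this tool", evaluated at the central Q-Day estimate above and across the 5 to 30 year published range, with the SIL 3/4 ceiling applied. This is an added example, not the tool's own code; the field names, the sample register and the ordering within the register are assumptions.

```javascript
// Added example, not the tool's code. Horizons are the page's figures:
// central estimate 10 years, published range 5 to 30 years.
const QDAY_YEARS = { early: 5, central: 10, late: 30 };

// Constructed sample register; field names are hypothetical.
const SAMPLE_ASSETS = [
  { id: "PLC-01", remainingLifeYears: 18, migrationLeadYears: 4, sil: 2 },
  { id: "RTU-07", remainingLifeYears: 6, migrationLeadYears: 2, sil: 0 },
  { id: "SIS-03", remainingLifeYears: 3, migrationLeadYears: 1, sil: 3 },
  { id: "HMI-12", remainingLifeYears: 2, migrationLeadYears: 1, sil: 0 },
  { id: "HIST-02", remainingLifeYears: 25, migrationLeadYears: 6, sil: 0 },
];

// Years by which (remaining life + migration lead time) exceeds the horizon.
// A positive margin means the Mosca inequality holds and the asset is flagged.
function moscaMargin(asset, qdayYears) {
  return asset.remainingLifeYears + asset.migrationLeadYears - qdayYears;
}

function assessAsset(asset, horizons = QDAY_YEARS) {
  for (const key of ["remainingLifeYears", "migrationLeadYears"]) {
    if (!Number.isFinite(asset[key]) || asset[key] < 0) {
      throw new RangeError(`${asset.id}: ${key} must be a non-negative number`);
    }
  }
  const marginYears = moscaMargin(asset, horizons.central);
  let sensitivity = "not-exposed";
  if (moscaMargin(asset, horizons.late) > 0) sensitivity = "exposed-at-all-estimates";
  else if (marginYears > 0) sensitivity = "exposed-at-central";
  else if (moscaMargin(asset, horizons.early) > 0) sensitivity = "exposed-if-early";
  return {
    id: asset.id,
    flagged: marginYears > 0, // Mosca flag at the central estimate
    marginYears,
    sensitivity,
    immediate: asset.sil >= 3, // SIL 3/4 ceiling: Immediate regardless of margin
  };
}

// Assumed ordering: Immediate assets first, then largest margin first.
function buildRegister(assets) {
  return assets
    .map((a) => assessAsset(a))
    .sort((a, b) => b.immediate - a.immediate || b.marginYears - a.marginYears);
}

console.log(buildRegister(SAMPLE_ASSETS));
```

SIS-03 shows why the ceiling matters: it is not Mosca-flagged at any horizon, yet it still heads the register.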

Disclaimer: This tool is a self-assessment aid. It is not a compliance attestation or security audit. Treat the output as a directional document for project planning. Ensure expert peer review for all OT equipment decisions.

OT Asset Assessment
Answer session questions, select your asset types, then complete per-asset questions to generate your prioritised migration register.
Session Step 1: Your Location
Which country are these assets located in?
Country determines which regulatory standards apply to your assets and generates anonymised industry benchmarks. It does not affect the priority score itself.
Auto-detected from connection. Change if needed.
Country is recorded anonymously alongside your results for industry benchmarking. No personal data, company name, or IP address is stored.
Session Step 2: Industry Sector
Which industrial sector do these assets operate in?
Sector determines which regulatory framework applies. NERC CIP applies to bulk electric system operators in North America. NIS2 applies to essential and important entities in the EU and EEA. IEC 62443 applies across all OT sectors.

The industry selection is required and is recorded anonymously. Your industry may affect your score, so choose the category nearest to your own.

Session Step 3: EU Cyber Resilience Act
Are the products in your OT estate placed on the EU market by their manufacturers?
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) imposes obligations on manufacturers who place products with digital elements on the EU market. Full Annex I compliance is mandatory from 11 December 2027. CRA scope follows where the product is placed for sale, not where the manufacturer is headquartered.
Asset Selection
Which types of OT assets are present in your estate?
Select all asset types you want to assess. The tool will ask twelve questions for each selected asset type. If you have multiple assets of the same type with different characteristics, you can add additional instances within each asset block.
Review and Generate Report
Review your asset entries below. Make any corrections before generating your report.
The tool will score each asset and produce a ranked migration register. You can add further assets or edit existing entries before generating.
Asset ID · Type · Purdue · Protocol · Encryption · SIL · Life · Edit