What OTWarden supports — and what it doesn't

NERC CIP

CIP-007-6 (Systems Security Management) · CIP-010-4 (Configuration & Vulnerability Management)

• Identifies new security advisories for your OT vendors — satisfies the CIP-007-6 R2 requirement to identify patches at least every 35 days
• Timestamped alert log shows exactly when you were notified of each vulnerability
• Status tracking (New → Investigating → Patched / Not Applicable) documents your assessment of each advisory
• Remediation deadline tracking shows your intended response timeline
• Monthly PDF report and CSV export provide the audit trail CIP-007-6 auditors expect

• Categorising assets by NERC CIP impact level (High/Medium)
• Patch testing documentation before deployment
• Formal change management process
• Security event monitoring and logging (CIP-007-6 R4/R5)
• Access control and physical security requirements

IEC 62443

Primarily IEC 62443-2-3: Patch Management in the IACS Environment

• IEC 62443-2-3 requires a documented process to identify, assess, and respond to patches — OTWarden provides the identification and tracking half of that process
• Alert log documents when each advisory was received and how it was assessed
• Status and notes fields support the evaluation documentation requirement
• Monthly report provides a periodic review record

• Full IEC 62443 security programme (network zones, conduits, security levels)
• Risk assessment methodology
• Access control, authentication, and authorisation requirements
• Incident response procedures
• IEC 62443 certification — OTWarden is a tool, not a certifying body

NIS2

Article 21 — Cybersecurity risk management measures, including vulnerability handling

• NIS2 Article 21(2)(e) requires "vulnerability handling and disclosure" policies — OTWarden supports the vulnerability identification and tracking part of that requirement
• Demonstrates a systematic, automated process for monitoring known vulnerabilities
• Alert history provides evidence of ongoing vulnerability awareness
• Remediation tracking documents your response to identified vulnerabilities
• BSI CERT-Bund feed provides EU-sourced advisories relevant to NIS2-regulated entities

• NIS2 incident reporting obligations (Article 23 — significant incident notification to authorities)
• Governance and risk management framework requirements
• Supply chain security obligations
• Business continuity requirements
• Cryptography and access control policies

IMO 2021 — MSC-FAL.1/Circ.3

Cyber risk management integrated into the ISM Safety Management System from January 2021

• Systematic monitoring of published vulnerabilities affecting your vessel's OT vendors
• Timestamped evidence that vulnerabilities were identified and assessed
• Alert history suitable for ISM auditor review
• Asset inventory to document your onboard OT equipment

• Network segmentation and access controls (Protect)
• On-vessel anomaly detection or IDS (Detect)
• Incident response procedures and drills (Respond)
• Recovery planning and backup procedures (Recover)
• Full ISM cyber procedure documentation

IACS UR E26

Cyber Resilience of Ships — applies to vessels contracted on or after 1 July 2024

• E26.1.2.3 requires owners to "ensure all known vulnerabilities are identified and managed" — OTWarden's advisory monitoring directly addresses this
• E26 requires maintaining an inventory of onboard OT/IT systems — OTWarden's asset inventory feature supports this
• Alert history provides the documentation trail required for class audits
• Remediation status tracking demonstrates active vulnerability management

• Network architecture documentation required for class submission
• Access control and network segmentation requirements
• Cybersecurity management plan documentation
• Incident response and recovery planning
• Class survey — OTWarden produces evidence, not certification