New Release: ISA/IEC 62443 Content Pack

New Release: ISA/IEC 62443 Content Pack

Note: This Content Pack has been updated with version 2.0. You can download it and learn about the updates in our blog.


Today we are pleased to announce the availability of a new Content Pack for Nozomi Networks users who are working towards compliance with the ISA/IEC 62443 series of standards and best practices. In this blog, we’ll review how organizations can leverage this Content Pack for ISA/IEC 62443, as well as how we help with Parts 2-1 and 3-3.

How Can the Nozomi Networks Content Pack Help with ISA/IEC 62443?

ISA/IEC 62443 is widely adopted within the OT space, and addresses cybersecurity for industrial control systems in a more detailed and prescriptive manner than other, higher-level standards, such as those offered by NIST or CIS. Each has their place in the world, but we’ve had more requests from the field for a 62443 Content Pack than almost any other Content Pack. Due to the detailed nature of the standard, it only makes sense that our solution would be leveraged in various ways to meet the goals set.

Our Content Pack technology is well equipped to bring everyone together around a set of reports and queries that helps users access the details needed to assist in the compliance efforts. Rather than reinvent the wheel each time a customer needs this data, we can create a single file, distribute it, where it can then be imported into a Guardian, run as-is or edited, and then re-distributed to the public, across Guardians, or to partners, collaborators, user groups, wherever you want to share it. You can learn more in our introduction to Content Packs.

Like any regulatory or compliance supporting system, it’s rare that a technology or solution checks boxes by itself, but it can produce valuable details to help teams assemble the datasets necessary to ensure the organization is adhering to the standards. Although the Content Pack helps, it’s not a one-stop solution to following 62443, and should be used in accordance with the existing processes.

Due to the wide variety of types of assets, shaping of traffic, configurations of Guardians, network configuration, and operational characteristics, not all of the queries or reports contained in the Content Pack will be usable as-is — some could require modifications. Fortunately, the imported queries and reports from a Content Pack are editable by the user and can be changed as needed. A good example is a query that returns a certain type of alert. One user could have one or no alerts that match, but another user could have hundreds or thousands of alerts, and would benefit from fine-tuning the source query (i.e. last 30 days, or just on certain assets, zones, tags, etc.) to reduce the quantity of records returned, and then reported upon.

Addressing IEC 62443 Parts 2-1 and 3-3

In the spirit of trying to help whenever possible, we’ve identified two main Parts of ISA 62443 that we could provide benefit to, Parts 2-1 and 3-3. 2-1 outlines best practices for establishing a security program, while 3-3 defines system security requirements and security capability levels to build an IACS that meets the target security level. Within those parts, we have a number of requirements where we could provide valuable data for those efforts. 

In 2-1, we can help with 26 out of 126 requirements. In 3-3 we can help with 32 out of 50 security requirements. In some cases, we can only provide advice on how to use our system for tasks that support those efforts, in other cases, we execute a query and provide the exact data needed in a report. Although nothing out there should be considered a silver bullet, we’re confident that any organization working on ISA/IEC62443 should find some value in the data generated when running this Content Pack.

Based on the usage of Security Levels 1-3 with the standards, organizations will need to understand what Security Level applies, and to which assets the specific security requirements apply to. These requirements are highly dependent on the configuration and architecture. 

How to Use the ISA/IEC 62443 Content Pack

  1. Deploy the Nozomi Networks solution and obtain as much visibility and tuning as possible beforehand.
  2. Import the Content Pack onto one Guardian (see “How do I import a Content Pack?”).
  3. Browse the new folders containing the queries and reports.
  4. Execute the reports and view the outputs of each section.
  5. Tune the queries as needed, for example, a query that returns too many records can be tuned to display just the top 10, most recent X days, or just high severity alerts. Assets can be divided into zones, levels, etc to focus queries on relevant assets.
  6. Tune the reports as needed, for example, a global report filter can be set on assets, alerts, nodes, cpes, cves, urls, logs, and more. When executing a report, you can optionally filter on only alerts following security profiles. Re-run the reports and adjust queries further, if needed.
  7. Export your updates queries and reports to your own custom Content Pack.
  8. Distribute the updated Content Pack to each of your Guardians.
  9. If little-to-no tuning was needed, you can distribute the original Content Pack to each Guardian and tune on each, instead.
  10. Schedule the reports to run on a regular basis, and leverage the reporting GUI to retrieve the reports at your leisure.

After executing the report, the .pdf file will have a hyperlinked Table of Contents that should be leveraged to navigate the pdf. Keep in mind that the report can be long; when it comes to generating data to prove compliance or support other tasks, it’s normal to have a report that spans hundreds or thousands of pages. The report without any data whatsoever is several dozen pages. The report jobs execute in the background, so it’s best to schedule it, perhaps overnight, and download the report when convenient…rather than waiting and watching. 

This ISA/IEC 62443 Content Pack is meant to serve as a starting point, customization is encouraged, so enjoy your journey mining data to support your 62443 efforts.

Covers Parts:

SR 1.1, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.11, SR 1.13, SR 2.2, SR 2.3, SR 2.5, SR 2.6, SR 2.8, SR 2.9, SR 2.11, SR 3.1, SR 3.2, SR 3.4, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.4, SR 7.5, SR 7.6, SR 7.8

Covers Parts:

4.2.3.4 , 4.2.3.5 , 4.2.3.6 , 4.2.3.7, 4.2.3.9 , 4.2.3.12 , 4.2.3.13  , 4.2.3.14  , 4.3.3.3.6, 4.3.3.3.7 , 4.3.3.3.9 , 4.3.3.4.2, 4.3.3.4.3, 4.3.3.5.4 , 4.3.3.5.7, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4 , 4.3.3.6.6 , 4.3.3.7.2 , 4.3.4.2.1 , 4.3.4.2.2, 4.3.4.3.2 , 4.3.4.3.7 , 4.3.4.5.1 , 4.3.4.5.3 , 4.3.4.5.6 , 4.3.4.5.7