Whisper · Docs
OT

OT compliance: map identity, egress and attribution to your evidence

EU CRA, IEC 62443-4-2 and -3-3, NIST SP 800-82r3, CISA CPG 2.0, RFC 8520 MUD, NIS2 and the TSA Security Directives all press an OT program on the same three points. Which asset is this, what is it allowed to talk to and what did it reach, and can you prove it and cut it off across an org boundary?

A flat network that trusts an IP and a topology cannot answer any of them. A routable, DANE-provable, one-call-revocable IPv6 /128 per asset can. It produces the identity, the egress record and the kill-switch these frameworks ask for as evidence, not as a paragraph in an audit binder. This page is the honest crosswalk: where the shipped primitive is direct evidence, where it is only partial, and where it is out of scope and we say so before your assessor does.

Read this first. Whisper is additive: a network-layer identity, egress and attribution primitive that complements your 62443 program, your OPC UA TrustList, your 802.1AR / BRSKI onboarding and your MUD profiles. It is not a compliance product and it never "makes you compliant": NIS2, TSA and the CISA CPGs are organisational obligations, and Whisper supplies checkable evidence toward specific technical measures within them. Every mapping below is graded honestly, and every "shipped" claim is checkable today with dig, curl and one control-plane call.

What every framework is really asking

Read the OT frameworks side by side: a European market-access regulation, an ISA/IEC engineering standard, a NIST guide, a CISA goal set, an IETF RFC, a directive from a transport regulator. The same three questions surface in seven vocabularies:

None of these is a logging problem you close with more log lines. They are identity problems: you cannot attribute, segment or contain an asset that has no stable, provable identity in the first place. Whisper's job is to give every asset on the IP / DNS / transport boundary exactly that identity, then let the standard OT toolchain read the evidence off it. It does not reach into the Modbus, DNP3 or PROFINET wire and adds no authentication to those protocols. It changes who may reach and speak to an asset, and records what each asset did.

The evidence: real, and shipped

Everything this page maps to a framework is a surface that exists and answers today. Five shipped primitives do the work; each is checkable with dig, curl, or one control-plane call over the public API.

Provisioning is one control-plane call: POST https://graph.whisper.security/api/query with your X-API-Key. Hand it the device's base64 SPKI and the ApplicationUri; it returns the deterministic /128:

curl -sS https://graph.whisper.security/api/query \
  -H 'X-API-Key: whisper_live_xxx' \
  -H 'content-type: application/json' \
  --data @- <<'JSON'
{"query":"CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'<base64 SPKI>', device_id:'urn:example-plant:line2:PLC7:server'}}) YIELD op, ok, status, result, error RETURN op, ok, status, result, error"}
JSON
# -> the deterministic /128 + a WireGuard config. Same key + ApplicationUri -> same /128 (idempotent).
#    A different device_id for a key already on your tenant -> 409; a non-string device_id -> 400.
i

device_id is generic: pass an OPC UA ApplicationUri, an 802.1AR IDevID serial, or a bare nameplate serial. A dedicated --applicationuri / --mud CLI flag is on the roadmap; asset provisioning is the control-plane call above, which is live. See Asset & PLC identity for the full derivation and CLI & one-command for the shipped verbs.

one verifiable /128 → the evidence seven frameworks ask for Verifiable /128 identity DNSSEC · DANE 3 1 1 · RDAP Default-deny egress policy · firewall · budget Per-/128 logs + lookups outbound trail · recon tripwire Revoke + transparency log worldwide · audited One evidence set keyless-verifiable · replayable EU CRA · Annex I 2(d)(i)(j)(l) IEC 62443-4-2 · CR 1.2 IEC 62443-3-3 · zones & conduits CISA CPG 2.0 RFC 8520 · MUD NIST 800-82r3 · CSF 2.0 · 8259A NIS2 · TSA Security Directives additive to your 62443 program, IDevID / BRSKI, OPC UA TrustList and MUD, never a replacement
One shipped primitive set, graded honestly against seven frameworks. The /128 is the identity, egress governance is the conduit, logs and lookups are the record, revoke is the response, and the transparency log makes issuance auditable. The map below says exactly how far each mapping goes.

The compliance map, at a glance

Each row is a framework clause, what it asks, the shipped evidence that answers it, and an honest fit grade. The deep sections below unpack each one.

Fit legend: strong: the shipped primitive is direct evidence · partial: real evidence, but the clause needs more than we supply · stretch: we contribute context, not the control · not applicable: out of scope, stated plainly.

Framework & clause What it asks Whisper evidence (shipped) Fit
EU CRA, Annex I Part I (2)(d): identity & access management Protection from unauthorised access through authentication, identity or access-management systems; report on unauthorised access Verifiable, revocable per-asset /128 (DANE + RDAP); revoke = de-provisioning; lookups surfaces unauthorised enumeration
EU CRA, Annex I Part I (2)(i) + (2)(j): minimise impact & limit attack surface Limit external attack surface; reduce an incident's impact on other devices and networks Default-deny egress governance bound to the /128: a MUD-style allow-list at asset granularity
EU CRA, Annex I Part I (2)(l): record & monitor Record and monitor access to, and modification of, the product's data, services and functions Per-/128 egress logs + lookups (network-side record) (host / SIEM audit still required)
EU CRA, Annex I Part I (2)(f): integrity Protect the integrity of stored/transmitted data, commands and configuration DNSSEC + DANE protect the identity and channel setup, not the payload
EU CRA, Annex I Part II (1): SBOM Draw up a software bill of materials for the product The OEM ships its own SBOM; Whisper produces none
IEC 62443-4-2, CR 1.2: device identification & authentication A component uniquely identifies and authenticates itself to any other (unique-ID at SL2; HW/PKI-backed at SL3 through SL4) Globally-unique, externally-verifiable /128 + a DANE pin of the asset's existing cert/key identity / auth
IEC 62443-4-2, CR 1.1: human user I&A Identify and authenticate human users Out of scope: we identify assets and processes, not people
IEC 62443-3-3, SR 5.1: zones & conduits Segment the network; restrict data flow between zones through defined conduits /128-per-asset + egress allow-list = a conduit at asset granularity, keyed to a verifiable identity
IEC 62443-4-1: secure development lifecycle A secure product-development lifecycle (SDLA) Supplier-credibility context only, not evidenced by an asset's /128
NIST SP 800-82r3 (OT security) Device I&A, network segmentation, hardened remote access, monitoring Direct alignment on all four via the primitives above
NIST CSF 2.0: ID.AM + PR.AA Asset management; identity, authentication and access control /128 = an IPv6-addressable asset register + a verifiable identity
NISTIR 8259A: device identification A unique logical identifier for the device DNSSEC/DANE-anchored /128 = a strong, externally-verifiable logical ID
CISA CPG 2.0: asset inventory + segmentation Maintain an IP/IPv6 asset inventory (incl. OT); segment logically by trust boundary, permitting only required communications Near-verbatim: an IPv6-addressable asset register + default-deny egress
RFC 8520 (MUD) A device declares its intended communications; a manager enforces a default-deny allow-list Egress governance keyed to a verifiable /128, not a spoofable MUD URL (needs a control point in the path)
NIS2: Art. 21(2) Access control, asset management, network security, logging, supply-chain measures Evidence for the access-control / network-security / logging measures (an organisational obligation)
TSA Pipeline / Rail Security Directives Network segmentation (OT survives IT compromise), access control / MFA, continuous monitoring Per-asset segmentation + attribution + per-/128 logs segmentation / MFA

EU CRA: the deadline that turns hygiene into law

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is the urgency wedge. It converts OT security hygiene into binding CE-marking, market-access law for every product with digital elements: PLCs, RTUs, gateways, sensors and the software that runs on them. It entered into force on 10 December 2024; the vulnerability- and incident-reporting obligations (Article 14, with a 24-hour early-warning) apply from 11 September 2026; the main obligations and conformity assessment (the CE mark) apply from 11 December 2027; and non-compliance carries fines up to €15 million or 2.5% of worldwide annual turnover. For a device OEM's PSIRT this is the hardest deadline on the roadmap, and three of the essential requirements it sets are exactly the ones a network identity layer evidences.

the CRA deadline is the wedge: the identity, attack-surface and logging clauses ship now 10 Dec 2024 CRA enters into force today ▸ 11 Sep 2026 reporting obligations begin 24 h early-warning · Art. 14 11 Dec 2027 full application · CE conformity fines ≤ €15M / 2.5% turnover evidence Annex I 2(d) identity · 2(i)/(j) attack-surface · 2(l) logging, no firmware re-spin
Between the reporting deadline and full CE application, the clauses a network identity layer answers (2(d), 2(i)/(j) and 2(l)) can be evidenced now, without touching the asset's firmware roadmap.

The mapping into Annex I, Part I (2), the essential cybersecurity requirements relating to a product's properties:

The OEM message is narrow and honest: the CRA hands you a 2027 hard deadline on unique device identity (2(d)), attack-surface (2(i)/(j)) and security logging (2(l)); Whisper is the drop-in identity, egress and attribution layer that evidences those on day one, without touching your firmware, your SBOM or your patching, which remain yours.

!

The CRA ↔ 62443 crosswalk is still settling. The harmonised standards that will presume CRA conformity are not final, and much of industry expects IEC 62443 to carry that weight. Until they land, map your evidence to 62443 today (the section below) and treat the CRA clauses as the outcome those 62443 controls satisfy.

IEC 62443: the OT lingua franca

Where the CRA is the law, IEC 62443 is the engineering standard an OT program is actually audited against, and the one the CRA's harmonised standards are most likely to lean on. Three parts matter here.

62443-4-2, CR 1.2: device identification & authentication ( identity / auth). CR 1.2 requires a component to uniquely identify and authenticate itself to any other component, with a unique-identifier enhancement at SL2 and hardware/PKI-backed identity at SL3 through SL4. The requirement is technology-neutral and organisation-scoped: silent on the identifier scheme and on cross-org, public verifiability. A globally-unique /128, DANE-pinning the asset's existing certificate key, satisfies the identity half with an identifier that also holds across conduits, the cross-zone, cross-vendor, remote-maintenance channels where a private TrustList can't be checked.

Be candid about the other half: the mutual-authentication handshake is still performed by the asset, its OPC UA application-instance certificate, its TLS stack. Whisper makes that identity globally verifiable and attributable; it does not replace the handshake, and it is not end-to-end CR 1.2 authentication. The precise claim is verifiable identity plus key-pinning, additive to the asset's own authentication.

# CR 1.2, the verifiable-identity half: keyless, no account, no shared CA
whisper verify --trustless opcua-plc7.asset.<tenant>.agents.whisper.online
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA 3 1 1) leaf matches the asset's OPC UA cert key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED (our own API was never trusted)

62443-4-2, CR 1.1: human user I&A ( not applicable). Human identification and authentication is out of scope. Whisper identifies assets and processes, not people; CR 1.1 stays with your IAM.

62443-3-3, SR 5.1: zones & conduits ( strong). SR 5.1 (Restricted Data Flow) mandates network segmentation and defined conduits between zones. A /128-per-asset plus a default-deny egress allow-list is a conduit, but at asset granularity, keyed to a verifiable identity rather than a VLAN tag a foothold inherits. It complements your zone model; it does not replace your firewalls.

# A conduit at asset granularity: this PLC may reach ONLY its historian, controller and vendor OTA
CALL whisper.agents({op:'firewall', args:{agent:'2a04:2a01:7a2::4840',
  deny:['0.0.0.0/0'], allow:['historian.example-plant.com:4840','controller.line2.local:4840']}})
CALL whisper.agents({op:'budget', args:{agent:'2a04:2a01:7a2::4840', max_mb_per_day:50}})

62443-4-1: secure development lifecycle ( stretch). The SDLA is about how the product is built: a supplier-credibility control, not something an asset owner evidences with a /128. Whisper contributes context (a verifiable identity primitive you integrate) but does not stand in for a 4-1 assessment.

NIST: SP 800-82r3, CSF 2.0, NISTIR 8259A

CISA CPG 2.0: the near-verbatim fit

The CISA Cross-Sector Cybersecurity Performance Goals 2.0 read almost like a spec for this primitive. Two goals in particular: maintain an IP/IPv6 asset inventory that includes OT and is refreshed regularly; and segment logically by trust boundary, permitting only required communications. A per-asset /128 is an IPv6-addressable asset register that updates itself at provisioning and revoke; default-deny egress governance is the segmentation-by-trust-boundary control. This is the mapping where the framework's words and the product's mechanism line up most closely.

# The asset register, straight from authoritative DNS + RDAP: no spreadsheet to drift
dig -x 2a04:2a01:7a2::4840 +short
opcua-plc7.asset.<tenant>.agents.whisper.online.
curl -s https://whisper.online/ip/2a04:2a01:7a2::4840 | jq
# -> the registry object: who holds the address, under which allocation, since when

RFC 8520 MUD: the device's declaration, made enforceable

Under MUD (RFC 8520), a device already declares what it should communicate with: a manufacturer-signed manifest of from-device and to-device ACLs, emitted over DHCP (options 161/112), an LLDP vendor TLV, or the id-pe-mud-url X.509 extension co-located with an 802.1AR IDevID. Whisper enforces that declaration as default-deny egress governance, bound to the asset's verifiable /128 and checkable cross-org: a genuine strengthening over a manifest pinned to a spoofable manufacturer URL and enforced only at the nearest switch ( strong).

!

The honest MUD caveat. MUD at OT scale needs a control point in the path: egress governance enforces where traffic leaves via the asset's /128, so the asset must route through Whisper egress for enforcement to bite. Much brownfield gear never emits a MUD URL at all. Our value there is the verifiable identity plus an externally-managed profile that plain RFC 8520 lacks; the enforcement point is a deployment decision, not a given.

NIS2 & TSA: organisational obligations we supply evidence for

NIS2, Article 21(2) ( partial). For important and essential entities (manufacturing and critical manufacturing among them), Article 21 requires access control, asset management, network security, supply-chain measures and logging, backed by fines up to €10M or 2% of turnover. These are organisational obligations on the entity, not product controls. Whisper supplies checkable technical evidence toward the access-control, network-security and logging measures; it does not, and cannot, make an organisation NIS2-compliant on its own.

TSA Pipeline & Rail Security Directives ( segmentation / MFA). The SD-Pipeline-2021-02 series and the 2024 rail rulemaking require network segmentation so OT survives an IT compromise, access control with MFA, and continuous monitoring. Per-asset segmentation, attribution and per-/128 logs serve the segmentation and monitoring measures strongly; MFA is a partial fit: Whisper governs machine-to-machine identity and egress, and the operator-facing MFA controls stay with your access stack.

The audit trail: nothing issued in the dark

Every identity mint and every revoke lands in a public, append-only Merkle transparency log (RFC 6962 tlog-tiles with C2SP signed-note checkpoints), Ed25519-signed and anchored to Bitcoin via OpenTimestamps. For a regulated OT program that is a non-repudiable issuance-and-revocation trail an assessor can replay independently: the provenance of every asset identity, and the exact moment a compromised one was cut off.

# the signed checkpoint (the log's current root): anyone can fetch and verify it
curl -s https://whisper.online/checkpoint

# one asset identity's ordered lifecycle: mint -> (governance changes) -> revoke
curl -s https://whisper.online/ip/2a04:2a01:7a2::4840/transparency | jq
i

Honest status. The log is tamper-evident, Ed25519-signed and Bitcoin-anchored today, but not yet independently witnessed (co-signing across our own nodes is availability, not independence). It already speaks the C2SP tlog-witness protocol, so an external witness can co-sign; independent witnessing is the next step, and we state it plainly rather than imply an audit guarantee we haven't earned.

SIEM & threat-intel export

The evidence above is pullable now via the logs op and the graph API, and it exports to Splunk today (signed, replayable JSON → CEF / ECS fields). Broader connectors are on the roadmap, labelled honestly so nobody plans a control around vapour:

Destination Status
Splunk (CEF / ECS) Shipped
Microsoft Sentinel connector Shipped
OpenCTI Shipped
STIX 2.1 over TAXII Roadmap
Sector-ISAC (E-ISAC / WaterISAC) machine-readable JSON export Roadmap

Until the roadmap items land, the same records are already reachable. The exports are a convenience layer over evidence you can pull today, not a prerequisite for it.

What this is, and is not

Whisper anchors one boundary: the IP / DNS / transport interface between an asset and whatever it talks to. It is deliberate about what it does not touch, and every mapping on this page inherits these caveats:

Everything on this page described as working is checkable today with dig, curl and one control-plane call; everything on the roadmap is labelled as such. That is the point of the whole exercise: not a paragraph asserting a control, but a routable identity, an egress record and a revoke you (or your integrator, or your assessor) can independently replay. Evidence you can hand an auditor, not a promise you ask them to take on faith.

Next