NIS2 for the Chemical Industry: Specifics and OT Security

TL;DR
  • The chemical industry falls under NIS2 as part of the manufacturing sector, Annex II. Companies with 50 or more employees or 10 million EUR or more in revenue are affected and classified as important entities.
  • The chemical industry's biggest challenge is the overlap of IT security, OT security, and physical safety (Major Accident Ordinance). A cyberattack on process control systems can lead to uncontrolled chemical reactions and thus to explosions, substance releases, or environmental disasters.
  • Process control systems (DCS/PCS) in the chemical industry have lifecycles of 15 to 25 years and often cannot be patched. Network segmentation following the Purdue model is the central protective measure.
  • Companies subject to the Major Accident Ordinance already have safety management systems (SMS) that can serve as a foundation for the ISMS.
  • A specialty chemicals manufacturer with 180 employees can achieve NIS2 compliance within 12 months, but must include OT risk assessment from the very beginning.

Why the Chemical Industry Falls Under NIS2

The chemical industry is the backbone of numerous value chains. Without chemical products, there are no pharmaceuticals, no plastics, no fertilizers, no cleaning agents, and no modern building materials. A production outage at a chemical manufacturer can trigger cascading effects in dozens of downstream industries — and that is precisely why the European legislator included the chemical industry in the scope of the NIS2 Directive.

The chemical industry falls under Annex II of the NIS2 Directive as part of the sector "Manufacturing." Within this sector, chemical products are explicitly mentioned, including the manufacture of basic pharmaceutical products and preparations. Specifically affected are:

  • Basic chemicals manufacturers: Companies producing base chemicals, petrochemicals, inorganic chemicals, or polymers
  • Specialty chemicals manufacturers: Producers of fine chemicals, additives, adhesives, coatings, pigments, agrochemicals
  • Pharmaceutical precursor manufacturers: Companies producing active pharmaceutical ingredients (APIs) and intermediates
  • Plastics and rubber processors: If they exceed the size thresholds

The thresholds are the same as for all NIS2 sectors: at least 50 employees or at least 10 million EUR in annual revenue. The German chemical industry consists largely of mid-market companies: around 90 percent of operations have fewer than 500 employees, but many of them exceed the NIS2 thresholds.

Important: Since the chemical industry is listed in Annex II, affected companies are classified as important entities, not essential entities. This means somewhat lower fine limits (7 million EUR or 1.4 percent of global annual revenue) and reactive rather than proactive supervision by the BSI. However, the reporting obligations (24h/72h/1 month) are identical.

The Special Risk Landscape of the Chemical Industry

What makes the chemical industry particularly complex under NIS2 is the fact that a cyberattack can lead not only to business interruptions and data loss but potentially to physical damage with impacts on people and the environment. This dimension fundamentally distinguishes chemicals from most other industries.

When IT Security Becomes a Question of Physical Safety

Chemical production processes often work with hazardous substances under extreme conditions: high temperatures, high pressures, toxic or explosive substances. Process control technology ensures that these processes operate within safe parameters. If an attacker manipulates these control systems, the consequences can extend far beyond the IT domain.

Specific scenarios:

  • Manipulation of setpoints: An attacker changes the target temperature of a reactor by a few degrees. An exothermic reaction spirals out of control. In the best case, the batch is destroyed; in the worst case, an explosion occurs.
  • Deactivation of safety systems: Safety Instrumented Systems (SIS) monitor critical process parameters and trigger a safe shutdown in emergencies. If an attacker manipulates or deactivates the SIS, the last line of defense no longer functions.
  • Disruption of cooling systems: Many chemical processes require precise temperature control. If cooling systems fail due to a cyberattack, thermally unstable substances can react in an uncontrolled manner.
  • Manipulation of dosages: In batch production, raw materials are dosed according to exact formulations. Altered dosages can lead to hazardous intermediates or the release of toxic substances.

These scenarios are not theoretical. The Stuxnet attack on Iranian uranium enrichment facilities demonstrated in 2010 that targeted manipulation of industrial controls can cause physical destruction. The Triton/TRISIS attack on a petrochemical plant in Saudi Arabia in 2017 explicitly targeted the Safety Instrumented System — the last line of defense against catastrophic accidents.

Process Control Technology: The Nervous System of Chemical Production

Process control technology (the Process Control System, PCS) is the central control system of a chemical plant. In practice, several partially overlapping terms are in use:

  • DCS (Distributed Control System): The distributed control system manages and monitors the entire production process. Typical vendors include Siemens (SIMATIC PCS 7/PCS neo), ABB (System 800xA/Ability Symphony Plus), Honeywell (Experion PKS), Emerson (DeltaV), and Yokogawa (CENTUM VP).
  • SCADA (Supervisory Control and Data Acquisition): Remote monitoring and control systems often used for distributed facilities (pipeline networks, tank farms, remote stations).
  • SIS (Safety Instrumented System): Safety-oriented controllers that operate independently of the DCS and trigger a safe shutdown when critical thresholds are exceeded.
  • PLC/SPS (Programmable Logic Controller): Decentralized controllers at individual plant components, coordinated by the DCS.

These systems form a complex network that has grown over decades and requires thorough OT security. Older plant components communicate via protocols that were never designed for a networked world: Modbus (unencrypted, without authentication), PROFINET, OPC Classic (based on DCOM, known for security issues), or HART.

The lifecycles are extremely long: a DCS is typically operated for 15 to 25 years. The base platform (operating system, hardware) is migrated at most once or twice during this period, and each migration is a major project that takes months and is carried out during a planned shutdown (turnaround).

OT Networks: Grown Over Decades, Rarely Documented

In many chemical plants, OT networks have grown over decades. New plant components were connected, remote maintenance access was established, temporary connections for commissioning were installed and never removed. The result is often a network that is neither fully documented nor consistently segmented.

Typical issues that surface during the NIS2 inventory at chemical plants:

  • Flat networks without segmentation between DCS, SIS, and office IT
  • Remote maintenance access from plant manufacturers that is permanently active and unmonitored
  • Windows XP or Windows 7 machines in the OT network serving as engineering workstations or HMI clients
  • Shared accounts for DCS operators instead of individual user accounts
  • USB drives as the transfer medium between office IT and OT, without malware scanning
  • Incomplete or outdated network documentation

Major Accident Ordinance and NIS2: Two Worlds Converging

Many chemical companies are subject to the Major Accident Ordinance (Störfall-Verordnung / 12. BImSchV), which requires measures to prevent major accidents involving hazardous substances. The Major Accident Ordinance distinguishes between lower-tier and upper-tier establishments, depending on the quantity of hazardous substances.

Upper-tier establishments must operate a safety management system (SMS) and produce a safety report. Lower-tier establishments must submit a concept for the prevention of major accidents.

Leveraging Overlaps

The Major Accident Ordinance and NIS2 address different aspects but overlap on a critical point: both require the protection of the control systems responsible for the safe operation of chemical processes.

| Requirement | Major Accident Ordinance | NIS2 |
|---|---|---|
| Risk analysis | Safety report with hazard analysis | Risk management for IT and OT |
| Technical measures | Safety-related controls, redundancies | Network segmentation, access control, monitoring |
| Organizational measures | Operational organization, emergency planning | Incident response, business continuity |
| Training | Employee instruction in accident scenarios | Cybersecurity training |
| Documentation | Safety report, alarm and emergency defense plan | ISMS documentation, reporting obligations |
| Audits | Government inspections | BSI supervision |

Companies that already operate a safety management system under the Major Accident Ordinance have a solid foundation for the NIS2 ISMS. The hazard analysis in the safety report can be extended to include cyber threats. The alarm and emergency defense plan can be merged with the IT incident response plan.

The Gap: Cyber Threats in the Safety Report

The Major Accident Ordinance requires the identification and assessment of all hazard sources that could lead to major accidents. Traditionally, this analysis focuses on technical failure, human error, and external impacts (earthquakes, flooding, lightning). Cyberattacks on control systems have so far been addressed either not at all or only marginally in many safety reports.

NIS2 changes this. If a cyberattack on process control technology can lead to a major accident within the meaning of the Major Accident Ordinance, then this threat must be considered in the hazard analysis. For many chemical companies, this means: the safety report must be supplemented with a cyber threat analysis, and the measures to prevent major accidents must include cybersecurity measures.

NIS2 Measures for the Chemical Industry

The ten minimum measures from Article 21 of the NIS2 Directive apply in full. Some of them have a special interpretation in the chemical industry.

Network Segmentation Following the Purdue Model

The Purdue Enterprise Reference Architecture Model (PERA) is the de facto standard for segmenting IT and OT networks in the process industry. It defines six levels, from the physical process (Level 0) to enterprise IT (Level 5); in practice an industrial DMZ, commonly numbered Level 3.5, is inserted between the OT levels and the business levels.

| Level | Name | Typical Systems in Chemicals |
|---|---|---|
| 5 | Enterprise Network | ERP (SAP), email, internet |
| 4 | Business Planning & Logistics | MES, Laboratory Information System (LIMS), quality management |
| 3.5 | DMZ | Historian, data replication, patch management server |
| 3 | Manufacturing Operations | DCS engineering workstations, batch management |
| 2 | Control Systems | DCS controllers, SIS controllers, HMI |
| 1 | Intelligent Devices | PLCs, remote I/O, analytical instruments |
| 0 | Physical Process | Sensors, actuators, valves, pumps |

The most important rule: only defined, controlled data flows may pass between levels. In particular, there must be no direct connection between Level 5 (Enterprise) and Levels 0 to 3 (OT). All data flows must pass through the DMZ (Level 3.5).

In practice this looks as follows: the historian server in the DMZ collects process data from the DCS and makes it available to the ERP system. Communication is unidirectional: data flows from bottom to top (OT to IT) but not in reverse. When formulations or production orders need to be transferred from the ERP to the DCS, this happens through a dedicated, secured channel in the DMZ.
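The segmentation rules above (no direct IT/OT connection, everything through the DMZ, top-down flows into OT only on a dedicated channel, and the SIS reachable only from its engineering workstation, as required in the SIS section further down) can be turned into a mechanical review of a firewall rule set. The following is an added example written for this article, not code from the article or from any vendor; the zone names, the level assignments and the sample rules are constructed for illustration.

```python
# Added example (not from the original article): checking a firewall rule set
# against the Purdue segmentation rules described in the text. Zone names,
# service labels and the sample rules are constructed for illustration.
from dataclasses import dataclass

# Purdue level of each network zone (assumed zone names). The DMZ is 3.5;
# "sis" and "sis_engineering" model the physically separated safety network.
ZONE_LEVEL = {
    "enterprise": 5.0,        # ERP, email, internet
    "site_ops": 4.0,          # MES, LIMS
    "dmz": 3.5,               # historian, patch server, jump host
    "mfg_ops": 3.0,           # engineering stations, DCS servers
    "control": 2.0,           # DCS/SIS controllers, HMI
    "devices": 1.0,           # PLCs, remote I/O
    "sis": 1.0,               # safety instrumented system network
    "sis_engineering": 1.0,   # the only workstation allowed to reach the SIS
    "process": 0.0,           # sensors, actuators
}
IT_SIDE = {4.0, 5.0}              # business levels
OT_SIDE = {0.0, 1.0, 2.0, 3.0}    # OT levels that must never touch IT directly


@dataclass(frozen=True)
class Rule:
    """One permitted data flow (src -> dst) as a firewall rule would express it."""
    src_zone: str
    dst_zone: str
    service: str
    dedicated: bool = False   # marks the dedicated, secured top-down channel


def check_rule(rule: Rule) -> list:
    """Return the segmentation violations of one rule (empty list = compliant)."""
    src, dst = ZONE_LEVEL[rule.src_zone], ZONE_LEVEL[rule.dst_zone]
    problems = []

    # 1. Nothing may cross the IT/OT boundary without the DMZ in between.
    if (src in IT_SIDE and dst in OT_SIDE) or (src in OT_SIDE and dst in IT_SIDE):
        problems.append("crosses the IT/OT boundary without passing the DMZ")

    # 2. Top-down flows into the OT levels are only allowed on a dedicated,
    #    secured channel (e.g. production orders ERP -> DMZ broker -> DCS).
    if dst in OT_SIDE and src > dst and not rule.dedicated:
        problems.append("top-down flow into OT is not a dedicated, secured channel")

    # 3. The SIS network may only be reached from the SIS engineering workstation.
    if "sis" in (rule.src_zone, rule.dst_zone):
        other = rule.dst_zone if rule.src_zone == "sis" else rule.src_zone
        if other != "sis_engineering":
            problems.append("SIS network reachable from a zone other than SIS engineering")

    return problems


def audit(rules: list) -> dict:
    """Map the service label of every non-compliant rule to its violations."""
    findings = {}
    for rule in rules:
        problems = check_rule(rule)
        if problems:
            findings[rule.service] = problems
    return findings


# Constructed rule set modelling the data flows described in the text.
SAMPLE_RULES = [
    Rule("mfg_ops", "dmz", "DCS -> historian collection"),
    Rule("dmz", "enterprise", "historian -> SAP reporting"),
    Rule("dmz", "mfg_ops", "production orders via DMZ broker -> DCS", dedicated=True),
    Rule("sis_engineering", "sis", "SIS logic download (local workstation)"),
    Rule("enterprise", "mfg_ops", "SAP direct to DCS server"),       # violates 1 and 2
    Rule("site_ops", "control", "LIMS polls HMI directly"),          # violates 1 and 2
    Rule("dmz", "control", "patch server pushes to HMI"),            # violates 2
    Rule("control", "sis", "DCS HMI to SIS controller"),             # violates 2 and 3
]

if __name__ == "__main__":
    for service, problems in audit(SAMPLE_RULES).items():
        print(f"{service}: {'; '.join(problems)}")
```

Running the block lists the four constructed rules that break the model; the first four rules (historian collection, historian to ERP, the dedicated order channel, and the local SIS engineering workstation) pass. In a real review the rule set would be exported from the firewall and mapped onto the zones rather than typed in by hand.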

Securing Safety Instrumented Systems (SIS)

The SIS is the last line of defense against catastrophic accidents. A compromised SIS is the worst-case scenario in the chemical industry. Therefore, particularly strict requirements apply to SIS:

  • Physical separation: The SIS network must be physically separated from the DCS network and certainly from the IT network. No shared switches, no shared cable runs.
  • No remote maintenance: SIS systems should generally not be remotely maintainable. Changes to SIS programming require physical access with documented authorization.
  • Independent power supply: The SIS must be powered independently from the DCS so that it functions even during a DCS failure.
  • Regular testing: SIS functional tests (proof tests) must be documented and anchored in the ISMS as a security measure.

Remote Maintenance: The Biggest Entry Point

Remote maintenance by plant manufacturers and system integrators is common practice in the chemical industry. ABB, Siemens, Honeywell, and other manufacturers offer remote support for their control systems. Additionally, there are remote maintenance connections for analytical instruments, compressors, dosing systems, and numerous other components.

From an NIS2 perspective, these remote maintenance connections represent a significant risk. A compromised remote maintenance connection gives an attacker direct access to OT systems. Securing them includes:

  • No permanent access: Remote maintenance connections are only enabled when needed and deactivated after maintenance is complete.
  • Two-factor authentication: For every remote maintenance connection, where technically feasible.
  • Session recording: All remote maintenance sessions are recorded and can be reviewed afterward.
  • Jump host: Remote maintenance access does not lead directly into the OT network but through a dedicated jump host in the DMZ.
  • Contractual regulation: The remote maintenance contract must contain NIS2-compliant security requirements (patching obligations, incident notification, access documentation).

Incident Response: When a Cyberattack Becomes a Major Accident

A chemical company's incident response plan must cover the interface between a cyber incident and a potential major accident. The critical question is: at what point does an IT security incident become a major accident within the meaning of the Major Accident Ordinance?

The incident response plan must contain the following elements:

  • Escalation criteria: Clear definition of when a cyber incident has the potential to impact process safety. In this case, the on-call engineer and plant management must be immediately involved.
  • Safe shutdown: Procedures for the controlled shutdown of production facilities when a cyberattack on process control technology is suspected. Safe shutdown takes precedence over IT forensics.
  • Parallel reporting channels: BSI notification (24 hours for NIS2), responsible emissions protection authority (if a major accident has occurred or is imminent), data protection authority (if personal data is affected).
  • Coordination with the plant fire brigade/hazard response: If a cyberattack could lead to a physical hazard, the plant fire brigade and potentially the external fire brigade must be informed and coordinated.

Practical Example: Specialty Chemicals Manufacturer with 180 Employees

To make the NIS2 requirements tangible, let us look at a specific example.

Starting point:

ChemSpec GmbH (fictitious example) is a specialty chemicals manufacturer based in Hesse. 180 employees, 55 million EUR annual revenue. The company produces additives for the plastics and coatings industry in batch processes. Production operates in three shifts. The company is subject to the Major Accident Ordinance (lower tier) and maintains a safety concept.

The IT and OT infrastructure:

  • Process control system: Siemens SIMATIC PCS 7, Version 9.0 SP1. Two redundant servers, 12 operator stations, 8 engineering stations.
  • Control level: 25 Siemens S7-400/S7-1500 PLCs, distributed across four production halls.
  • Safety system: Siemens S7-400F (failsafe PLC) for safety-related functions (emergency shutdown, overpressure protection, leak detection).
  • Laboratory Information System (LIMS): For quality control of intermediate and final products.
  • ERP system: SAP ECC 6.0 (migration to S/4HANA planned).
  • Warehouse and logistics system: Management of the tank farm and container logistics.
  • Server infrastructure: 10 physical servers, split between IT and OT.
  • Workstations: 60 PCs (production, laboratory, administration, engineering).
  • Remote maintenance connections: Siemens (DCS), 3 analytical instrument manufacturers, 2 compressor manufacturers, 1 dosing system manufacturer.

The IT department comprises four employees: an IT manager, two system administrators, and an automation technician. The automation technician manages PCS 7 and forms the bridge between IT and OT. An ISMS does not exist. The safety concept under the Major Accident Ordinance was updated in 2022 and contains no explicit cyber threat analysis.

Phase 1: Inventory and Regulatory Classification (Months 1-2)

Applicability analysis: ChemSpec, with 180 employees and 55 million EUR revenue, falls under NIS2. The chemical industry is listed in Annex II. Classification: important entity.

Regulatory inventory: In addition to NIS2, ChemSpec is subject to the following regulations: Major Accident Ordinance (lower tier), REACH Regulation (chemical registration), GHS/CLP (classification and labeling), GDPR (employee and customer data), Industrial Safety Regulation (Betriebssicherheitsverordnung).

Appoint ISB: The IT manager takes on the ISB role at 50 percent time allocation. Close cooperation with the automation technician (OT expertise) and the major accident officer is essential.

Create asset inventory:

| Category | Count | Most Critical Asset |
|---|---|---|
| DCS servers and operator stations | 22 | PCS 7 redundant pair (process control) |
| PLCs/SPS | 25 | Reactor controls Hall 1 (exothermic processes) |
| Safety system | 4 | S7-400F emergency shutdown reactors |
| IT servers | 10 | SAP ECC (ERP), Active Directory |
| Workstations | 60 | Engineering stations (PCS 7 access) |
| Remote maintenance connections | 7 | Siemens Remote Service (DCS access) |
| Network components | 20 | Firewalls IT/OT, core switches |

Notable finding: OT network segmentation is incomplete. A firewall exists between the DCS network and the office network, but the rule sets are permissive. The historian system has direct connections to both the DCS network and the office network. Three remote maintenance connections are permanently active. The safety system shares physical network switches with the DCS, although it is logically separated.

Phase 2: Risk Analysis (Months 3-4)

The risk analysis integrates IT risks, OT risks, and major accident risks — in ISMS Lite, this three-dimensional assessment can be mapped with dedicated risk categories for process safety.

| Risk | Impact on Operations | Impact on Safety | Rating |
|---|---|---|---|
| Ransomware encrypts DCS servers | Production halt on all facilities | Controlled shutdown necessary | Critical |
| Manipulation of reactor controls | Faulty process operation | Uncontrolled exothermic reaction, explosion risk | Critical |
| Compromise of SIS | Safety function unavailable | Last line of defense against major accident fails | Critical |
| Remote maintenance connection compromised | Unauthorized DCS access | Process manipulation possible | Critical |
| Ransomware encrypts SAP | Order and material management shut down | No direct safety impact | High |
| Manipulation of laboratory results (LIMS) | Release of faulty batches | Quality deviations at customers | High |
| Lateral movement from IT to OT | Attacker reaches production network | Process manipulation possible | Critical |

Identified as especially critical: The lack of segmentation between IT and OT, which enables a lateral attack from the office network into process control technology. This risk is treated with the highest priority.

Phase 3: Technical Measures (Months 5-8)

Network segmentation following the Purdue model (Months 5-7):

The entire network architecture is restructured according to the Purdue model — rigorous network segmentation is the central protective measure here:

  • Level 5 (Enterprise): SAP, email, office. Standard IT security.
  • Level 3.5 (DMZ): New historian server that receives process data from the DCS and provides it to the SAP system. Communication is controlled by an application-level firewall.
  • Level 3 (Manufacturing Operations): Engineering stations, batch management, DCS servers. Access only through dedicated workstations with chip card-based authentication.
  • Level 2 (Control): Operator stations, PLCs. Strictly isolated, communication only with Level 3.
  • Level 1 (SIS): Physically separated network switches and cable runs. No connection to other levels except the dedicated SIS engineering workstation.

The single most important measure: an industrial-grade firewall is installed between Level 5 and Level 3 that only permits the defined data flows. All other connections are blocked and logged.

Secure remote maintenance (Month 6):

  • All permanent remote maintenance connections are deactivated
  • A central remote maintenance server (jump host) is installed in the DMZ
  • Remote maintenance sessions are only enabled on demand (four-eyes principle: request by manufacturer, approval by IT or automation)
  • All sessions are recorded
  • MFA is introduced for all remote maintenance connections
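The remote maintenance controls listed here and in the earlier "Remote Maintenance" section (no standing access, four-eyes approval, time-limited windows, MFA, jump host only, recorded sessions) can be expressed as a small access-gating workflow. The following is an added example written for this article, not code from the article, from Siemens or from any remote service product; approver names, the jump host name, the four-hour cap and the scenario are constructed assumptions.

```python
# Added example (not from the original article): a minimal model of on-demand
# remote maintenance access enforcing no standing access, the four-eyes
# principle, a bounded time window, MFA, jump-host-only entry and a session
# record. Names, hosts and the policy cap below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

JUMP_HOST = "jump-dmz-01"                 # assumed: only permitted entry point
MAX_WINDOW = timedelta(hours=4)           # assumed policy cap for one window
APPROVERS = {"it.manager", "automation.tech"}   # assumed IT / automation roles
T0 = datetime(2025, 3, 4, 9, 0)           # constructed reference time
HOUR = timedelta(hours=1)


@dataclass
class AccessWindow:
    vendor: str
    target: str                   # OT system the vendor may reach
    requested_by: str
    approved_by: Optional[str] = None
    opens_at: Optional[datetime] = None
    closes_at: Optional[datetime] = None
    record: list = field(default_factory=list)   # session log kept for review

    def is_open(self, now: datetime) -> bool:
        return self.opens_at is not None and self.opens_at <= now < self.closes_at


def request_access(vendor: str, target: str, requester: str) -> AccessWindow:
    """Step 1: the vendor asks for a window; nothing is enabled yet."""
    return AccessWindow(vendor=vendor, target=target, requested_by=requester)


def approve(window: AccessWindow, approver: str, now: datetime,
            duration: timedelta) -> AccessWindow:
    """Step 2: four-eyes approval by IT or automation opens a bounded window."""
    if approver == window.requested_by:
        raise PermissionError("four-eyes principle: requester cannot approve own request")
    if approver not in APPROVERS:
        raise PermissionError(f"{approver} is not an authorised approver")
    window.approved_by = approver
    window.opens_at = now
    window.closes_at = now + min(duration, MAX_WINDOW)   # never longer than the cap
    window.record.append(f"{now.isoformat()} approved by {approver} "
                         f"until {window.closes_at.isoformat()}")
    return window


def connect(window: AccessWindow, now: datetime, entry_host: str,
            mfa_passed: bool) -> bool:
    """Step 3: admit only inside the window, via the jump host, after MFA."""
    reasons = []
    if not window.is_open(now):
        reasons.append("no open window")
    if entry_host != JUMP_HOST:
        reasons.append("not via jump host")
    if not mfa_passed:
        reasons.append("MFA failed")
    verdict = "ADMIT" if not reasons else "DENY (" + ", ".join(reasons) + ")"
    window.record.append(f"{now.isoformat()} {window.vendor} -> {window.target} "
                         f"from {entry_host}: {verdict}")
    return not reasons


def close_session(window: AccessWindow, now: datetime) -> None:
    """Step 4: deactivate access as soon as maintenance is finished."""
    window.closes_at = now
    window.record.append(f"{now.isoformat()} window closed")


def run_scenario() -> dict:
    """Constructed walk-through: request, blocked self-approval, approval,
    one admitted session, one denied direct connection, denial after close."""
    w = request_access("DCS vendor remote service", "pcs7-server-a", "vendor.tech")
    try:
        approve(w, "vendor.tech", T0, HOUR)
        four_eyes_blocked = False
    except PermissionError:
        four_eyes_blocked = True
    approve(w, "automation.tech", T0, 2 * HOUR)
    admitted = connect(w, T0 + HOUR, JUMP_HOST, mfa_passed=True)
    denied_direct = connect(w, T0 + HOUR, "vendor-laptop", mfa_passed=True)
    close_session(w, T0 + timedelta(minutes=90))
    denied_after_close = not connect(w, T0 + timedelta(minutes=100), JUMP_HOST, True)
    return {"four_eyes_blocked": four_eyes_blocked, "admitted": admitted,
            "denied_direct": not denied_direct,
            "denied_after_close": denied_after_close, "record": w.record}


if __name__ == "__main__":
    for entry in run_scenario()["record"]:
        print(entry)
```

The record list is the audit trail that the "session recording" bullet asks for; in a real deployment it would be the jump host's session log, and the window would be enforced by the firewall rule that the approval step enables.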

Physically separate the safety system (Month 7):

The SIS receives its own network switches and cable runs. The only connection to the outside world is the SIS engineering workstation, which is operated exclusively locally and has no network access.

OT monitoring (Months 7-8):

An OT-specific anomaly detection system is installed at the network transition points. It monitors data traffic between the Purdue levels and alerts on unusual communication patterns, unknown protocols, or access attempts from outside the defined communication matrix.
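To show what "alerts on access attempts from outside the defined communication matrix" means in practice, here is an added example written for this article (not code from the article or from any anomaly detection product). It learns the communication matrix from a known-good period of flow records and then flags unknown protocols, flows outside the matrix and Modbus write function codes sent to PLCs from hosts that are not engineering stations, which is the pattern the tabletop exercise later in this section describes. The log format, addresses and host roles are constructed.

```python
# Added example (not from the original article): a small OT flow monitor that
# learns the permitted communication matrix from a baseline window and alerts
# on deviations. Log format, addresses and host roles are constructed.
import re

KNOWN_OT_PROTOCOLS = {"modbus", "s7comm", "opcua", "profinet"}
MODBUS_WRITE_FCS = {5, 6, 15, 16}   # write coil(s) / write register(s)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed host roles for the example network
PLCS = {"10.20.2.5", "10.20.2.6", "10.20.2.7"}
ENGINEERING_HOSTS = {"10.20.3.20"}   # only hosts allowed to write to PLCs

# Constructed baseline: flow records from a known-good period
BASELINE_LOG = [
    "2025-03-03T08:00:01 src=10.20.3.11 dst=10.20.2.5 proto=modbus fc=3",   # HMI reads
    "2025-03-03T08:00:02 src=10.20.3.11 dst=10.20.2.6 proto=modbus fc=3",
    "2025-03-03T08:00:03 src=10.20.3.20 dst=10.20.2.5 proto=modbus fc=16",  # engineering download
    "2025-03-03T08:00:04 src=10.20.2.5 dst=10.20.3.30 proto=s7comm",        # PLC to historian
]

# Constructed live window modelling the tabletop scenario: a host that entered
# through remote maintenance starts writing registers and uses a foreign protocol
LIVE_LOG = [
    "2025-03-04T02:11:05 src=10.20.3.11 dst=10.20.2.5 proto=modbus fc=3",
    "2025-03-04T02:11:09 src=10.20.3.50 dst=10.20.2.5 proto=modbus fc=6",
    "2025-03-04T02:11:12 src=10.20.3.50 dst=10.20.2.7 proto=rdp",
    "2025-03-04T02:11:20 src=10.20.3.20 dst=10.20.2.5 proto=modbus fc=16",
]


def parse_flow(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    return {
        "ts": ts,
        "src": fields["src"],
        "dst": fields["dst"],
        "proto": fields["proto"],
        "fc": int(fields["fc"]) if "fc" in fields else None,
    }


def learn_matrix(lines) -> set:
    """Communication matrix = set of (src, dst, proto) seen during the baseline."""
    return {(f["src"], f["dst"], f["proto"]) for f in map(parse_flow, lines)}


def detect(lines, matrix, plcs, engineering_hosts) -> list:
    """Return one alert dict per rule hit, in log order."""
    alerts = []
    for f in map(parse_flow, lines):
        key = (f["src"], f["dst"], f["proto"])
        if f["proto"] not in KNOWN_OT_PROTOCOLS:
            alerts.append({"ts": f["ts"], "rule": "unknown_protocol", "flow": key})
        elif key not in matrix:
            alerts.append({"ts": f["ts"], "rule": "outside_matrix", "flow": key})
        # Write commands to a PLC are only expected from engineering stations
        if (f["proto"] == "modbus" and f["fc"] in MODBUS_WRITE_FCS
                and f["dst"] in plcs and f["src"] not in engineering_hosts):
            alerts.append({"ts": f["ts"], "rule": "plc_write_from_unexpected_host",
                           "flow": key})
    return alerts


def run_demo() -> list:
    """Learn from the baseline, then evaluate the live window."""
    return detect(LIVE_LOG, learn_matrix(BASELINE_LOG), PLCS, ENGINEERING_HOSTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["ts"], alert["rule"], alert["flow"])
```

The baseline learned from a few days of normal operation is what a commercial OT monitoring tool builds automatically; the value of the write-function-code rule is that it fires even when the offending host is one the matrix already knows, which is exactly the case after a compromised remote maintenance connection.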

Phase 4: Organizational Measures (Months 8-10)

Integration of ISMS and safety concept (Major Accident Ordinance):

The existing safety concept under the Major Accident Ordinance is supplemented with a cyber threat analysis, with a tool like ISMS Lite enabling the linking of major accident measures and ISMS controls in one place. The hazard analysis (HAZOP study) is reviewed: for each identified hazard node, it is checked whether a cyberattack can have the same effects as the previously considered causes (technical failure, human error). Where this is the case, cybersecurity measures are documented as additional protective barriers.
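The HAZOP review step described here is mechanical enough to be supported by a script: for every hazard node whose deviated parameter is set or regulated by the control system, a cyber cause must be recorded and a cyber-specific protective barrier must exist. The following is an added example written for this article, not code from the article or from any HAZOP tool; the node list is constructed and deliberately mirrors the later audit finding that the tank farm had not yet been covered.

```python
# Added example (not from the original article): a review pass over a
# HAZOP-style hazard list that checks, for every deviation reachable through
# the DCS, whether a cyber cause and a cyber-specific barrier are documented.
# Nodes, deviations and barriers are constructed for illustration.
from dataclasses import dataclass, field

CYBER_CAUSE_PREFIX = "Cyber:"


@dataclass
class Barrier:
    name: str
    kind: str     # "process" (relief valve, interlock), "sis" or "cyber"


@dataclass
class HazopNode:
    node: str
    deviation: str
    dcs_controlled: bool      # is the deviated parameter set or regulated by the DCS?
    causes: list = field(default_factory=list)
    barriers: list = field(default_factory=list)


def review_node(n: HazopNode) -> list:
    """Return the documentation gaps of one node (empty list = complete)."""
    if not n.dcs_controlled:
        return []   # a cyberattack cannot reproduce this deviation via the DCS
    gaps = []
    if not any(c.startswith(CYBER_CAUSE_PREFIX) for c in n.causes):
        gaps.append("no cyber cause recorded")
    if not any(b.kind == "cyber" for b in n.barriers):
        gaps.append("no cyber-specific barrier recorded")
    return gaps


def review(nodes) -> dict:
    """Map (node, deviation) to its gaps for every incomplete node."""
    findings = {}
    for n in nodes:
        gaps = review_node(n)
        if gaps:
            findings[(n.node, n.deviation)] = gaps
    return findings


def add_cyber_cause(n: HazopNode, description: str) -> HazopNode:
    """Extend a node with a cyber cause (the first step of the HAZOP supplement)."""
    if n.dcs_controlled:
        n.causes.append(f"{CYBER_CAUSE_PREFIX} {description}")
    return n


# Constructed hazard list: reactors already extended, tank farm not yet
SAMPLE_NODES = [
    HazopNode("Reactor R-101", "High temperature", True,
              ["Cooling water failure", "Cyber: manipulated jacket temperature setpoint"],
              [Barrier("High-temperature trip", "sis"),
               Barrier("Setpoint write allowlist on DCS", "cyber")]),
    HazopNode("Reactor R-101", "Wrong dosing ratio", True,
              ["Operator recipe error", "Cyber: altered batch recipe"],
              [Barrier("Two-person recipe release", "process"),
               Barrier("Recipe integrity check before download", "cyber")]),
    HazopNode("Tank T-205", "High level (overfill)", True,
              ["Level transmitter failure"],
              [Barrier("Independent high-level switch", "sis")]),
    HazopNode("Tank T-210", "High pressure", True,
              ["Cyber: blocked vent valve command"],
              [Barrier("Relief valve", "process")]),
    HazopNode("Drum store", "Spill", False,
              ["Forklift impact"],
              [Barrier("Bund", "process")]),
]

if __name__ == "__main__":
    for (node, deviation), gaps in review(SAMPLE_NODES).items():
        print(f"{node} / {deviation}: {', '.join(gaps)}")
```

Only the two tank farm nodes are reported: T-205 lacks both the cyber cause and a cyber barrier, T-210 has the cause but no cyber-specific barrier. The drum store is skipped because its deviation cannot be produced through the control system, which is the same distinction the HAZOP team makes when deciding which nodes the cyber supplement applies to.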

Training program:

  • All employees: 30-minute module on cyber hygiene, integrated into the annual safety instruction (which already takes place for the Major Accident Ordinance and occupational safety)
  • Plant operators: Deeper training on recognizing unusual process states that could indicate manipulation. Clear instruction: when in doubt, safely shut down the facility — damage to the plant is acceptable, damage to people is not
  • Automation technician and IT team: IEC 62443, OT security, Purdue model, incident response in OT environments
  • Executive management: NIS2 obligations, personal liability, interplay of NIS2 and the Major Accident Ordinance
  • Major accident officer: Cyber threats as a component of hazard analysis

Supplier assessment:

| Supplier | Special Requirements |
|---|---|
| Siemens (DCS, SIS) | Patch cycles, remote maintenance security, PCS 7 lifecycle planning |
| Analytical instrument manufacturers (3) | Remote maintenance security, firmware updates |
| SAP (ERP) | Patch policy, security updates |
| External IT services company | NIS2 clauses, security certification |
| Raw material suppliers (critical) | EDI security, supply continuity |
| Cloud provider (M365) | SOC 2 / ISO 27001 evidence available |

Business continuity plan:

| System | RTO | Emergency Procedure |
|---|---|---|
| DCS (PCS 7) | 4 hours (redundancy failover) / 24 hours (backup restore) | Controlled shutdown, manual safety measures |
| SIS | Must always be available (redundantly designed) | Immediate production stop if SIS fails |
| SAP ERP | 24 hours | Manual order processing on paper |
| LIMS | 12 hours | Document laboratory results manually, manual batch release |

The plan is tested in a tabletop exercise. Scenario: An attacker has gained access to the DCS through a compromised remote maintenance connection. Anomaly detection raises an alarm because unusual write commands are being sent to PLCs. Result: Plant operators safely shut down the affected facilities. The IT manager isolates the OT network from the internet. The reporting chain (BSI, emissions protection authority, executive management) is triggered. Time to safe shutdown: 25 minutes. Room for improvement: a pre-defined network isolation script would reduce response time to under 5 minutes.

Phase 5: Audit and Continuous Improvement (Months 10-12)

Internal audit: Systematic review of all NIS2 minimum measures, cross-referenced with Major Accident Ordinance requirements and IEC 62443 recommendations.

Audit findings:

  1. Two engineering stations in the OT network run on Windows 7 and cannot be migrated because PCS 7 Version 9.0 does not support Windows 10. Compensating measure: maximum network isolation, no USB, no internet access. Medium-term: plan migration to PCS 7 V9.1 or PCS neo during the next turnaround.
  2. The HAZOP study only considers cyber threats for the reactors, not for the tank farm controls. Corrective action: HAZOP extension for the tank farm in the next quarter.
  3. The business continuity plan for the SAP outage has not yet been practically exercised. Corrective action: schedule tabletop exercise.

Management review: Executive management approves the residual risk catalog, the budget for the following year (priorities: DCS migration, OT monitoring expansion), and the training plan.

Budget Overview

| Item | One-time (Year 1) | Annual (from Year 2) |
|---|---|---|
| External consulting (ISMS + OT security) | 40,000-60,000 EUR | 12,000-18,000 EUR |
| Network segmentation (Purdue model) | 30,000-50,000 EUR | 3,000-5,000 EUR |
| OT anomaly detection | 25,000-40,000 EUR | 8,000-12,000 EUR |
| Remote maintenance security (jump host, recording) | 8,000-12,000 EUR | 3,000-4,000 EUR |
| MFA and access control | 5,000-8,000 EUR | 2,500-3,500 EUR |
| Training | 6,000-10,000 EUR | 4,000-6,000 EUR |
| ISB time allocation (internal, 50%) | 32,000-38,000 EUR | 32,000-38,000 EUR |
| Total | 146,000-218,000 EUR | 64,500-86,500 EUR |

Not included are the costs for the DCS migration (PCS 7 to the current version or PCS neo), which must be budgeted separately as a capital investment project. However, this migration is not only a NIS2 requirement but also makes sense from the perspective of the Major Accident Ordinance and plant availability. For comparison: ISMS Lite costs 500 EUR per year and covers risk management, measure tracking, policies, and audit documentation in one tool, without seat licenses.

What You Should Do Now

If you are in the chemical industry and need to implement NIS2, the following first steps are critical:

  1. Create an OT asset inventory. Before you do anything else, you need to know what you have. Which process control systems, which PLCs, which safety systems, which remote maintenance connections? In many chemical plants, this knowledge is not centrally documented but distributed across the automation technician and the plant manufacturers.

  2. Check network segmentation. Is your OT network separated from the IT network? Are there uncontrolled connections? Is the safety system physically isolated? Network segmentation is the most effective single measure, and deficiencies here represent the greatest risk.

  3. Think the Major Accident Ordinance and NIS2 together. If you operate a safety management system under the Major Accident Ordinance, use it as a foundation for the ISMS. Extend the hazard analysis to include cyber threats and connect the emergency plans.

  4. Check remote maintenance connections immediately. Are remote maintenance connections permanently active? Are they monitored? Are sessions recorded? Here you can often significantly reduce risk with minimal effort.

The chemical industry operates at the intersection of IT security and physical safety. An ISMS that only covers office IT and ignores process control technology meets neither the NIS2 requirements nor protects the company from its most severe risks. The key is to view IT and OT as an integrated whole and to use the existing safety structures of the Major Accident Ordinance as the foundation.
