

Prayukth KV
September 4, 2025
NIS2 Compliance for Oil & Gas Companies: A Practical Guide to ICS Cybersecurity and OT Security Solutions
The oil and gas (O&G) sector forms the backbone of modern economies, powering transportation, industry, and homes. At the same time, it is one of the most targeted industries for cyberattacks due to its critical role in national energy security and its reliance on complex industrial control systems (ICS). From pipeline control systems to offshore rigs and refining operations, O&G companies manage highly distributed, interconnected, and vulnerable infrastructures.
The NIS2 Directive (Directive (EU) 2022/2555) entered into force on 16 January 2023, and member states were required to transpose it into national law by 17 October 2024. It changes how critical infrastructure operators, including oil and gas companies, must approach cybersecurity. Unlike its predecessor, NIS2 is broader in scope, stricter in enforcement, and more prescriptive, requiring demonstrable governance, OT security controls, and continuous risk management rather than a one-off compliance exercise.
Today’s blog will explore:
· The essentials of NIS2 from an O&G perspective
· A NIS2 compliance roadmap for oil and gas companies
· How IEC 62443-based OT security assessments support compliance
· Best practices for building resilience through ICS cybersecurity and OT security solutions
Why NIS2 matters for oil and gas companies
Energy is critical infrastructure
NIS2 lists energy, covering electricity, district heating and cooling, oil, gas, and hydrogen, among its sectors of high criticality (Annex I). O&G companies, upstream, midstream, and downstream, are therefore in scope, and large entities in these sectors are classified as essential entities, the category with the directive’s strictest obligations and supervision.
Expanded scope and accountability
Unlike NIS1, which left each member state to identify operators of essential services individually and in practice caught mainly large operators, NIS2 applies a size cap: medium-sized and large entities in the listed sectors are in scope automatically (at least 50 employees, or annual turnover and balance sheet above €10 million). Large entities (250 or more employees, or turnover above €50 million or a balance sheet above €43 million) in Annex I sectors are essential entities; medium-sized ones are important entities. For O&G firms, this means regional operators and service providers, such as pipeline maintenance contractors, can fall under compliance obligations.
Stronger governance requirements
Under NIS2 (Article 20), management bodies must approve the cybersecurity risk-management measures, oversee their implementation, follow cybersecurity training themselves, and can be held liable for infringements. Executives in oil and gas firms must therefore demonstrate not just awareness but active involvement in OT and IT security governance.
Mandatory risk management and reporting
Oil and gas companies must implement:
· Incident response protocols with 24-hour reporting obligations for significant cyber incidents
· Supply chain risk assessments (such as contractors managing SCADA systems or offshore drilling automation)
· Resilience measures, such as redundancy, segmentation, and monitoring
· Compensating controls where patches are unavailable, so that known gaps are mitigated in the short term rather than left open until the next maintenance window
To summarize, compliance with NIS2 is not just about ticking boxes; it requires embedding ICS cybersecurity and OT security solutions into the operational fabric of the enterprise.
What aspects of NIS2 compliance should oil and gas companies address?
To simplify, let me break down the directive into five essentials that matter most for O&G companies:
OT cyber risk management measures
O&G companies must adopt technical, operational, and organizational measures. These include:
· Access control policies for OT environments
· Network segmentation between IT and OT
· Incident detection and response capabilities
· Regular vulnerability assessments of ICS
· Policies and procedures to assess the effectiveness of the security controls adopted, which the directive lists explicitly among its risk-management measures
Incident reporting requirements
· Early warning (24 hours): Initial notification of a significant incident, indicating whether it is suspected to be malicious or to have cross-border impact
· Incident notification (72 hours): Update to the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
· Final report (1 month): Detailed description, root cause or threat type, mitigation measures applied, and any cross-border impact
The clock starts when the entity becomes aware of the incident, so these requirements demand strong forensics and monitoring capabilities across OT and IT systems, and a reporting workflow that does not depend on first completing a full investigation.
Supply Chain Security
Oil and gas operations rely on thousands of suppliers, from valve manufacturers to ICS software vendors. NIS2 requires operators to assess and manage third-party risks, meaning vendor audits and contractual cybersecurity clauses become essential.
Business Continuity and Crisis Management
NIS2 requires companies to demonstrate resilience planning for cyber incidents. In oil and gas, this means:
· Backup and recovery plans for SCADA and DCS environments
· Contingency planning for pipeline or refinery shutdowns
· Running cyber crisis drills with operations staff so that shutdown and recovery decisions are rehearsed before a real incident
Cybersecurity accountability of leadership
Executives must approve and oversee cybersecurity risk management practices, with potential legal liabilities for negligence. For O&G boards, this elevates cybersecurity from a “technical issue” to a boardroom priority.
A NIS2 Compliance Roadmap for Oil & Gas Companies
Transitioning to NIS2 compliance requires structured planning. Here’s a step-by-step roadmap for oil and gas operators:
Step 1: Gap assessment
· Conduct a baseline NIS2 readiness assessment across IT and OT environments
· Map requirements against existing ICS cybersecurity controls
· Identify gaps in governance, risk management, monitoring, and reporting
Step 2: Governance and accountability framework
· Establish a cybersecurity governance committee including IT, OT, and compliance leaders
· Assign board-level responsibility for NIS2 compliance
· Update policies to align with IEC 62443 and ISO/IEC 27001 (NERC CIP applies only to operators with North American bulk-electric assets)
Step 3: Risk management and asset visibility
· Deploy OT asset inventory solutions such as Shieldworkz to gain visibility into ICS components
· Implement risk management processes based on IEC 62443-3-2 (security risk assessments)
· Prioritize risks by operational consequence (safety, environmental, and production impact) across pipelines, compressors, and offshore rigs
Step 4: Technical controls and OT security solutions
· Network segmentation between IT and OT
· Implement intrusion detection and anomaly detection for ICS (e.g., NDR solutions such as Shieldworkz)
· Harden endpoints such as HMIs, PLCs, and remote access gateways
Step 5: Incident Response and Reporting
· Develop incident response playbooks tailored to OT environments
· Implement monitoring solutions for real-time threat detection
· Test reporting workflows to ensure compliance with 24-hour/72-hour timelines
Step 6: Supply Chain and Vendor Management
· Classify vendors by criticality (ICS software vs. office IT suppliers)
· Perform cybersecurity audits of OT vendors
· Include contractual clauses requiring IEC 62443 conformance (IEC 62443-4-1 for product suppliers, IEC 62443-2-4 for integrators and maintenance providers)
Step 7: Awareness and Training
· Conduct board-level training on NIS2 obligations
· Run OT cybersecurity training for operators and engineers
· Implement red-team exercises and simulations
Step 8: Continuous Monitoring and Improvement
· Regular OT vulnerability assessments
· Penetration testing of IT/OT interconnections
· Continuous improvement cycles aligned with IEC 62443-2-1 (security program management)
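Steps 3 and 4 of the roadmap (asset visibility, IEC 62443-3-2 risk assessment, and IT/OT segmentation) can be turned into a repeatable check. The script below is an added example, not Shieldworkz code or anything from the original post: it takes a constructed asset-inventory export and a constructed firewall policy export, assigns each address to a zone with a target security level (SL-T) in the style of IEC 62443-3-2, and flags firewall rules that cross zone boundaries without an approved conduit. The zone ranges, SL-T values, conduit list, and rules are all assumptions chosen for illustration.

```python
"""Zone-and-conduit check of a firewall policy against an OT asset inventory.

Added example, not Shieldworkz code. Addresses, SL-T values, the approved
conduit list and the firewall export are all constructed for illustration.
"""
from ipaddress import ip_network

# Zone model in the style of IEC 62443-3-2: assets grouped by function, each
# zone with a target security level (SL-T). Values are assumptions for the example.
ZONES = {
    "enterprise":  {"net": ip_network("10.10.0.0/16"),    "sl_t": 1},
    "idmz":        {"net": ip_network("10.20.0.0/24"),    "sl_t": 2},  # jump host, historian mirror
    "supervisory": {"net": ip_network("192.168.10.0/24"), "sl_t": 3},  # SCADA servers, EWS
    "control":     {"net": ip_network("192.168.20.0/24"), "sl_t": 3},  # PLCs / RTUs
    "safety":      {"net": ip_network("192.168.30.0/24"), "sl_t": 4},  # SIS
}

# Approved conduits: (source zone, destination zone, service). Anything that
# crosses a zone boundary and is not listed here is a finding.
ALLOWED_CONDUITS = {
    ("enterprise",  "idmz",        "tcp/443"),   # users reach the historian mirror
    ("idmz",        "supervisory", "tcp/3389"),  # jump host (MFA) into the EWS only
    ("supervisory", "idmz",        "tcp/5432"),  # historian pushes data outward
    ("supervisory", "control",     "tcp/502"),   # SCADA polls PLCs over Modbus/TCP
    ("supervisory", "control",     "tcp/102"),   # EWS programs PLCs over S7
}

# Constructed asset-inventory export: the last entry sits in address space the
# zone model does not cover, the kind of gap an inventory tool should surface.
ASSETS = [
    {"ip": "10.10.5.7",     "name": "erp-app-01"},
    {"ip": "10.20.0.10",    "name": "jump-host"},
    {"ip": "192.168.10.5",  "name": "scada-01"},
    {"ip": "192.168.10.20", "name": "ews-01"},
    {"ip": "192.168.20.11", "name": "plc-compressor-1"},
    {"ip": "192.168.30.2",  "name": "sis-1"},
    {"ip": "172.16.4.9",    "name": "pump-station-rtu"},
]

# Constructed firewall policy export: (source CIDR, destination CIDR, service).
FIREWALL_RULES = [
    ("10.10.0.0/16",    "10.20.0.0/24",     "tcp/443"),
    ("10.20.0.10/32",   "192.168.10.20/32", "tcp/3389"),
    ("192.168.10.0/24", "10.20.0.11/32",    "tcp/5432"),
    ("192.168.10.0/24", "192.168.20.0/24",  "tcp/502"),
    ("192.168.10.0/24", "192.168.20.0/24",  "tcp/102"),
    ("10.10.0.0/16",    "192.168.20.0/24",  "tcp/502"),  # enterprise straight to PLCs
    ("192.168.10.0/24", "192.168.30.0/24",  "any"),      # wide-open path into the SIS
    ("0.0.0.0/0",       "10.20.0.10/32",    "tcp/22"),   # SSH to the jump host from anywhere
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def zone_of(cidr):
    """Return the zone whose network contains the address or CIDR, else None."""
    net = ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone["net"]):
            return name
    return None


def unzoned_assets(assets):
    """Inventory entries that fall outside every zone (Step 3: visibility gaps)."""
    return [a["name"] for a in assets if zone_of(a["ip"]) is None]


def severity(src_zone, dst_zone):
    """Rank a finding by how far it jumps up the SL-T ladder."""
    if dst_zone is None:
        return "high"                      # traffic leaving the modelled system
    dst_sl = ZONES[dst_zone]["sl_t"]
    src_sl = ZONES[src_zone]["sl_t"] if src_zone else 0
    if dst_sl >= 4:
        return "critical"                  # anything reaching the safety zone
    if dst_sl - src_sl >= 2:
        return "high"                      # e.g. enterprise (SL 1) straight into control (SL 3)
    return "medium"


def check_rules(rules):
    """Compare each firewall rule with the approved conduits (Step 4: segmentation)."""
    findings = []
    for src, dst, svc in rules:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            reason = "endpoint outside the zone model"
        elif sz == dz:
            continue                       # intra-zone traffic is not a conduit
        elif svc == "any":
            reason = f"{sz} -> {dz} allows every service; conduits must be service-specific"
        elif (sz, dz, svc) not in ALLOWED_CONDUITS:
            reason = f"no approved conduit {sz} -> {dz} for {svc}"
        else:
            continue
        findings.append({"rule": (src, dst, svc), "severity": severity(sz, dz), "reason": reason})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for name in unzoned_assets(ASSETS):
        print(f"UNZONED  {name}")
    for f in check_rules(FIREWALL_RULES):
        print(f"{f['severity'].upper():8} {f['rule']}  {f['reason']}")
```

Run against the constructed inputs, the check reports the RTU that no zone covers and three rule findings: the wide-open path into the safety zone is ranked critical, and the enterprise-to-PLC Modbus rule and the SSH-from-anywhere rule are ranked high. The same comparison, re-run on every firewall change and inventory refresh, gives the evidence trail NIS2 expects for segmentation and asset management.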
Role of IEC 62443-Based OT Security Assessments in NIS2 Compliance
Why IEC 62443 Matters
IEC 62443 is the global standard for industrial automation and control system (IACS) security. It provides a structured approach to risk assessment, security controls, and lifecycle management. For oil and gas companies, using IEC 62443-based assessments directly supports NIS2 compliance.
Key Ways Assessments Help:
1. Structured Risk Identification: IEC 62443-3-2 specifies how to partition the system into zones and conduits, assess the risk of each zone, and assign it a target security level (SL-T). This aligns directly with NIS2’s requirement for comprehensive, documented risk management.
2. Defense-in-Depth Validation: IEC 62443 emphasizes defense-in-depth (segmentation, access control, monitoring). An OT security assessment tests whether these layers are implemented effectively.
3. Supplier Benchmarking: IEC 62443-2-4 sets security program requirements for integrators and maintenance providers, and IEC 62443-4-1 covers the secure development lifecycle of product suppliers. Assessing suppliers against the part that matches their role directly supports NIS2’s supply chain obligations.
4. Continuous Compliance: Unlike one-off audits, IEC 62443 assessments can be integrated into ongoing OT cybersecurity programs, ensuring oil and gas companies maintain continuous NIS2 alignment.
5. Incident Preparedness: Pairing an IEC 62443-based assessment with tabletop or simulated incident exercises lets O&G operators validate their detection and reporting readiness against the 24-hour and 72-hour NIS2 deadlines.
Best practices for ICS Cybersecurity in Oil and Gas
Beyond the compliance roadmap, oil and gas operators can strengthen NIS2 readiness through the following practices:
Unified IT-OT Security Architecture
Implement a converged SOC (Security Operations Center) that monitors both IT and OT environments. This enables early detection of attacks targeting both office systems and industrial control systems.
Zero Trust for OT
Adopt zero trust principles: never trust, always verify. For example:
· Multi-factor authentication for remote access
· Least privilege access for engineers and contractors
· Micro-segmentation of OT networks
Cyber Threat Intelligence for ICS
Subscribe to ICS-specific threat intelligence feeds (such as those offered by Shieldworkz) to stay ahead of malware families that have targeted industrial operations (e.g., TRITON, Industroyer2), and tune your detection rules accordingly.
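Tuning detection rules for OT means encoding what the known ICS campaigns look like on the wire: TRITON targeted safety-controller logic and Industroyer2 issued IEC 60870-5-104 control commands, so the generic pattern is control writes and controller logic changes from unexpected sources. The script below is an added example, not Shieldworkz code or anything from the original post: it learns a baseline of normal conversations from a known-good window of constructed flow records (the kind a passive ICS monitor or NDR tool exports), then raises alerts for state-changing operations from roles that should never issue them, any logic change on a safety system, enterprise hosts talking directly to OT, unknown assets, and conversations not seen in the baseline. Addresses, asset roles, the normalised operation names, and every flow record are assumptions chosen for illustration.

```python
"""Baseline-plus-rules detection over constructed OT flow records.

Added example, not Shieldworkz code. Asset roles, the normalised operation
names and every flow record below are constructed for illustration; a real
deployment would take them from the asset inventory and a passive ICS monitor.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto op")

# Roles from the asset inventory (assumed addresses).
ROLES = {
    "192.168.10.5":  "scada",
    "192.168.10.20": "ews",
    "192.168.20.11": "plc",
    "192.168.20.12": "plc",
    "192.168.30.2":  "sis",
    "10.20.0.10":    "jump",
    "10.10.5.7":     "it-host",
}
OT_ROLES = {"scada", "ews", "plc", "sis"}
WRITE_ALLOWED_ROLES = {"scada", "ews"}   # the only roles expected to change process or logic state

# Operations that change process values or controller logic. Names are
# normalised labels for this example, not protocol field names.
STATE_CHANGING = {
    "write_single_coil", "write_single_register", "write_multiple_registers",  # Modbus
    "download_block", "plc_stop",                                              # S7
    "download_program",                                                        # SIS engineering
    "single_command", "double_command",                                        # IEC 60870-5-104
}

# Known-good window used to learn which conversations are normal.
BASELINE_WINDOW = [
    Flow("t0", "192.168.10.5",  "192.168.20.11", "modbus", "read_holding_registers"),
    Flow("t1", "192.168.10.5",  "192.168.20.12", "modbus", "read_holding_registers"),
    Flow("t2", "192.168.10.5",  "192.168.20.11", "modbus", "write_single_register"),  # setpoint change by SCADA
    Flow("t3", "192.168.10.20", "192.168.20.11", "s7comm", "read_szl"),
    Flow("t4", "10.20.0.10",    "192.168.10.20", "rdp",    "session"),
]

# Window under analysis.
DETECTION_WINDOW = [
    Flow("t10", "192.168.10.5",  "192.168.20.11", "modbus",  "read_holding_registers"),
    Flow("t11", "192.168.10.5",  "192.168.20.12", "modbus",  "write_multiple_registers"),  # normal SCADA write
    Flow("t12", "10.10.5.7",     "192.168.20.11", "modbus",  "read_coils"),               # IT host talking to a PLC
    Flow("t13", "10.20.0.10",    "192.168.20.12", "s7comm",  "plc_stop"),                 # jump host stopping a PLC
    Flow("t14", "192.168.10.20", "192.168.30.2",  "sis-eng", "download_program"),         # SIS logic download
    Flow("t15", "172.16.4.9",    "192.168.20.11", "modbus",  "read_holding_registers"),   # host not in inventory
]


def role(ip):
    return ROLES.get(ip, "unknown")


def learn_baseline(flows):
    """Set of (src, dst, proto) conversations seen in the known-good window."""
    return {(f.src, f.dst, f.proto) for f in flows}


def detect(flows, baseline):
    """Apply the rules to every flow; a flow may raise more than one alert."""
    alerts = []
    for f in flows:
        rs, rd = role(f.src), role(f.dst)
        fired = []
        if rs == "unknown":
            fired.append(("unknown_asset", "high"))
        if rd == "sis" and f.op in STATE_CHANGING:
            fired.append(("sis_logic_change", "critical"))   # always alert: SIS changes go through change control
        elif f.op in STATE_CHANGING and rs not in WRITE_ALLOWED_ROLES:
            fired.append(("write_from_unauthorized_role", "high"))
        if rs == "it-host" and rd in OT_ROLES:
            fired.append(("it_to_ot_direct", "high"))        # enterprise host bypassing the DMZ
        if (f.src, f.dst, f.proto) not in baseline:
            fired.append(("new_conversation", "medium"))     # anomaly against the learned baseline
        for name, sev in fired:
            alerts.append({"ts": f.ts, "rule": name, "severity": sev, "flow": f})
    return alerts


def summarize(alerts):
    """Alert count per rule, the figure an analyst would triage first."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_WINDOW)
    for a in detect(DETECTION_WINDOW, baseline):
        fl = a["flow"]
        print(f"{a['ts']} {a['severity']:8} {a['rule']:30} {fl.src} -> {fl.dst} {fl.proto}/{fl.op}")
```

The two SCADA flows in the analysis window, including a setpoint write, raise nothing because SCADA is a role allowed to write and the conversations exist in the baseline; the remaining four flows each raise a rule-specific alert plus a new-conversation anomaly. Re-running the rules over the baseline window itself produces no alerts, which is the false-positive check to do before a rule set goes into production.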
Digital twin for Risk Simulation
Leverage digital twins of pipeline or refinery control systems to simulate cyberattacks and test resilience measures in a safe environment.
Regular Red Teaming and Tabletop Exercises
Simulate ransomware attacks, insider threats, or supply chain compromises to validate resilience and response.
Run immersive incident response drills on a regular schedule so that playbooks, contact lists, and the 24-hour and 72-hour reporting workflows are exercised before they are needed.
Challenges in achieving NIS2 compliance
While the roadmap and standards provide clarity, oil and gas operators face unique challenges:
· Legacy ICS Systems: Many pipelines and refineries run decades-old control systems with limited security features.
· Remote and Harsh Environments: Offshore rigs and remote pumping stations often lack physical and network protections.
· Complex Supply Chains: Thousands of suppliers with varying cybersecurity maturity levels complicate compliance.
· Cultural Divide Between IT and OT: Engineers prioritize availability and safety, while IT focuses on confidentiality and integrity. Aligning these priorities is critical.
Addressing these challenges requires tailored OT security solutions backed by executive support and sustained investment.
Turning NIS2 compliance into resilience
For oil and gas companies in scope, NIS2 compliance is mandatory, and the stakes go well beyond fines. The directive’s stricter governance, reporting, and supply chain requirements demand that O&G operators rethink how they manage cybersecurity across both IT and OT landscapes.
By following a structured compliance roadmap, leveraging IEC 62443-based OT security assessments, and embedding ICS cybersecurity best practices, oil and gas companies can go beyond regulatory checkboxes. They can build resilience, protect national energy supplies, and earn trust with regulators, partners, and the public.
The path to compliance may be challenging, but for oil and gas operators, it is also an opportunity: to modernize OT security solutions, strengthen risk management, and position cybersecurity as a strategic enabler of operational resilience.
