EU Cyber Resilience Act Guide for Chemical & Process Plant Automation Vendors

Automation products supplied to EU chemical manufacturers — including distributed control systems (DCS), safety instrumented systems (SIS), emergency shutdown systems (ESD), process SCADA platforms, and process historian systems — are products with digital elements under Article 3(1). For products deployed at Seveso III upper-tier sites, the risk profile is exceptional: a cyberattack causing loss of process control could trigger chemical releases with major accident consequences. DCS and SIS products are strong candidates for Class II Important Products given their role in both process control and safety function implementation. The Seveso III Directive requires major hazard operators to include malicious acts in their major hazard analysis — CRA-compliant automation equipment provides a documented security baseline that supports this requirement. Vendors must assess classification for each product, noting that the same hardware may function as either a DCS component or a SIS component depending on deployment configuration.

Chemical process automation systems present the most demanding security engineering challenge in the OT sector: security failures can have immediate life safety and environmental consequences. Annex I requirements include: segregating SIS (safety) networks from DCS (process control) networks with no direct IP connectivity between them; implementing authenticated access for all engineering workstation connections to DCS controllers; ensuring firmware updates to field controllers are authenticated and integrity-verified, and can be applied without bypassing safety shutdowns; providing tamper-evident audit logs for all setpoint changes, configuration modifications, and alarm acknowledgments; eliminating shared engineering workstation credentials; and implementing remote access security for vendor support connections equivalent to on-site access. The SBOM must cover DCS controller firmware, engineering workstation software, historian server components, and any third-party process optimisation or simulation modules integrated with the control system.

Article 13 requires a published CVD policy. Chemical automation vendors operate in a sector where security vulnerabilities can have catastrophic consequences, and the CVD programme must reflect this risk. The policy must: establish accelerated response timelines for vulnerabilities affecting SIS or ESD systems; specify coordination procedures with the European Chemicals Agency (ECHA), national major hazard competent authorities (e.g. HSE in the UK context, national Seveso authorities in EU member states), and relevant ICS security organisations including ICS-CERT national equivalents; and define how security advisories are communicated to major hazard site operators with appropriate urgency. For vulnerabilities affecting safety-critical functions, interim mitigations — isolation of affected components, implementation of manual backup procedures, enhanced safety monitoring — must be specified in security advisories alongside the patch. Chemical sector customers require highly detailed security advisories to support their own major hazard risk assessments.

Article 14 requires CSIRT notification within 24 hours of confirmed active exploitation. For chemical automation vendors, exploitation of a DCS or SIS system is a major hazard event that triggers simultaneous notifications to: the relevant national CSIRT (Article 14); the relevant major hazard national competent authority (Seveso III); and potentially ECHA and cross-border affected authorities for Seveso upper-tier sites near national borders. A confirmed cyberattack on a major chemical site's control systems may trigger activation of national emergency response plans. Vendors must have pre-established communication protocols for this scenario, with authorised personnel identified and contact lists maintained for relevant national authorities across EU member states where products are deployed. The 24-hour CSIRT notification must communicate the potential for major hazard consequences to enable appropriate response coordination.

Class II chemical process automation products require notified body assessment. Given the major hazard context, notified bodies with IEC 62443 and IEC 61511 (functional safety for process industry) expertise are preferred. The CRA technical file for chemical automation must include a security case that explicitly addresses the interaction between security controls and the functional safety case — demonstrating that security measures do not introduce common cause failures into the SIS, and that the SIS retains its protective function under cyberattack scenarios. This is the most technically demanding aspect of CRA conformity for this sector. IEC 62443-3-3 (system security requirements) and IEC 62443-4-2 (component security requirements) provide the most directly applicable security standards framework. Vendors with existing IEC 61511 certification will find the safety case methodology familiar but must extend it explicitly to address cybersecurity threats.