NWTS Consulting advises chemical, energy full-stream, wholesale and retail fuel, offshore and maritime, and critical infrastructure operators on operational technology cybersecurity and governance — aligned across the three domains that actually matter to the asset: process and functional safety, regulatory exposure, and operational continuity. Led by a certified ISA/IEC 62443 Cybersecurity Expert and Assessor.
Most first-time conversations start with one specific upcoming decision. Choose the role that fits your situation for typical scenarios and starting points — or browse by topic to navigate the practice itself. Top navigation jumps between sections without returning to this index.
You operate or contract offshore drilling rigs, production installations, or marine support assets. The cyber regulatory perimeter has moved decisively: IACS UR E26 and UR E27 apply to vessels contracted for construction from 1 July 2024; IMO Resolution MSC.428(98) is now an audit point under the ISM Code Document of Compliance; BSEE has signaled cyber expectations for OCS facilities under 30 CFR 250 and SEMS; MTSA cyber addenda apply where the asset touches U.S. waterfront. Cyber risk on rigs is now a contractual question, a class question, a flag-state question, and a regulatory question — sometimes all four on the same asset.
Independent assessment of as-built or as-delivered controls against operator and contractor expectations — pre-contract or pre-mobilization, with written reporting that supports the acceptance decision.
On-site oversight during the shipyard period — vendor management, integration assurance, commissioning hand-off, and verification that as-delivered controls match the contracted specification. IACS UR E26 / E27 readiness for newbuilds.
Cyber controls assessment for OCS operators — SEMS program integration, alignment with USCG cyber advisories, and preparedness for the cyber elements increasingly required for safety-critical OCS systems.
Cyber risk management embedded in the Safety Management System per IMO Resolution MSC.428(98) and MSC-FAL.1/Circ.3 guidance. Document of Compliance audit support; flag-state and class interface.
Where the rig is contracted by an operator: aligning the cyber expectations of the operator's CSMS with the contractor's actual implementation. Drilling contract addenda, MSA cyber clauses, and contractor cyber maturity validation.
For vessels and marine support assets: navigation, propulsion, ballast, cargo, and integrated platform management systems. IACS UR E27 onboard-systems alignment and class interface.
You operate a chemical, petrochemical, refining, or process-manufacturing site. NIS2 has tightened obligations across EU operations and brings personal liability for management bodies. SEVESO III makes security-and-safety crossover explicit for major-accident hazard sites. OSHA PSM applies wherever cyber compromise can affect mechanical integrity. And pre-acquisition diligence on a target asset requires a fundamentally different lens than steady-state operations.
Gap analysis against essential or important entity obligations (NIS2 Article 21), risk-management measure mapping, and incident-reporting readiness. UK NIS Regulations 2018 (as amended) for UK operations.
Where cyber compromise can drive major-accident hazard scenarios: integration of cyber controls into the safety case and the inspection regime. Bridging the cybersecurity and process-safety domains explicitly required by IEC 61511 and TR84.00.09.
Consequence-driven cyber hazard analysis run alongside the existing PHA, producing target security levels engineering and operations both accept. SIS interaction reviewed in line with IEC 61508 / 61511 and ISA TR84.00.09.
End-to-end Cybersecurity Management System aligned with corporate ISMS, the site safety management system, and the corporate risk function. Multi-site rollout where the practice spans more than one facility.
Target site assessment for chemical or process plant acquisitions: estate inventory, hidden liabilities, regulatory exposure, integration risk pricing. Pre-LOI and pre-close phases.
29 CFR 1910.119 implications wherever cyber affects mechanical integrity, MOC, or incident investigation. Cyber-affected safety controls mapped to PSM elements that the regulator will inspect.
You're underwriting or renewing cyber and property coverage for an industrial asset — a chemical plant, an offshore rig, a fuel terminal, a process facility. Standard IT-control scoring doesn't tell you what loss-scenario you're actually pricing. You need defensible, asset-specific risk assessment that ties cyber to the operational, safety, and regulatory consequence categories the policy actually covers.
Risk assessment formatted for new-rig binding or renewal: 62443-3-2 zone-and-conduit risk picture, mapped explicitly to BI, CBI, safety, and regulatory consequence categories rather than generic control scores.
OT-specific loss scenarios for chemical, refining, process, and energy assets — grounded in real operational consequence categories, not generic IT loss patterns.
Cyber risk explicitly mapped to safety, regulatory, and operational consequence categories — the categorization the underwriter, the broker, and the reinsurer can all audit against the policy.
Business-interruption and contingent-business-interruption scenarios driven by OT compromise rather than IT loss — explicitly differentiating cyber-physical perils from data-only events.
Independent OT cyber diligence before policy issuance — particularly on offshore rigs, terminal assets, refining facilities, and chemical sites where the loss scenario can include process-safety consequence.
Annual or renewal-cycle reassessment of insured assets: control evidence, residual risk delta, regulatory delta (NIS2, IACS UR E26, 30 CFR 250 evolutions). What's changed since last bind.
You're evaluating a target asset, business unit, or platform — chemical, energy, downstream fuel, offshore, marine, or process manufacturing. OT cybersecurity carries hidden liabilities that don't surface in a standard quality-of-earnings analysis: legacy DCS estates, undocumented remote access, regulatory exposure that conditions exit. The deal calendar and the audience that has to sign — sponsor, lender, counsel — drive the deliverable format.
First-pass diligence based on VDR materials and limited management access — sized for the early-stage decision to proceed or pass. Identifies the deal-breakers before significant diligence cost is committed.
Full diligence including site walk-downs once exclusivity is in place — control architecture, segmentation, vendor inventory, regulatory posture, residual risk quantification.
The legacy controls, the undocumented remote access, the ITAR exposure, the cyber-affected safety controls that condition deal terms or require disclosure. The line items that shift the price or kill the deal.
Quantification of post-close cyber and controls integration cost — the figure that should appear in the sponsor's underwriting model, not surface as a surprise in the first 100 days.
Multi-site transactions: wholesale fuel rack networks, retail forecourt portfolios, multi-plant chemical platforms, offshore rig fleets. Sampling strategy, tiered diligence depth, portfolio-level liability picture.
Integration support post-close: prioritized remediation, governance integration, board reporting cadence. The plan the sponsor or new owner needs to execute against the diligence findings.
You need quarterly OT risk reporting that the board can act on. Not vanity dashboards. Not generic framework score-cards that reset every audit cycle. The reporting must tie cyber to the safety, production, and regulatory exposure the board already owns — and it must produce defensible answers to the questions directors are increasingly being asked, including under NIS2 Article 20 governance obligations.
Key Risk Indicators sized to the board's stated risk appetite, mapped to safety, production-continuity, and regulatory consequence rather than to control-coverage percentages.
Reporting layer the board reads, not the binder it ignores. Calibrated to engineering depth where the audit committee can absorb it, with clean escalation paths when material change occurs between cycles.
For when the board needs an external voice — pre-CISO mandate baseline, controversy resolution, or an annual independent posture review against the operator's own self-assessment.
For EU board members and management bodies: documenting discharge of NIS2 Article 20 governance obligations — oversight, training, and personal-liability framework. Increasingly material in EU operations.
Board-facing deliverables for transaction approval: cyber diligence summary, integration-risk price, conditions to close, post-close remediation timeline. Calibrated to the deal-approval audience.
Independent assessment before a new CISO mandate begins — what the incoming executive is inheriting vs. what the org tells itself. Quarterly checkpoint thereafter, against the original baseline.
You're starting a new mandate, or you're in one and you need a defensible independent baseline. The first 90 days will determine whether the next 24 months are productive or remedial. You need an honest, independent picture of what you've inherited — what's actually true vs. what the org tells itself — and a quarterly checkpoint thereafter that lets you measure progress against reality, not against shifted goalposts.
Independent OT cyber posture assessment before or at the start of the mandate. What the actual estate is, what the actual control reality is, what the actual regulatory exposure is. Privileged to the executive, scoped for honest answers.
Independent review of the 100-day plan once drafted — does it address the actual issues, or the ones the organization is comfortable hearing about. A reality check before the plan goes to the board.
Independent quarterly checkpoint thereafter — progress measured against the original baseline, not against shifted goalposts or reframed metrics.
Annual or on-demand independent estate review — what's running, what's exposed, what's drifting from spec, what's been added without the program knowing.
Setting up the reporting cadence the board will actually read and act on — KRI library, escalation paths, and risk-appetite calibration. Calibrated to the audit committee's existing risk vocabulary.
Strategic positioning of the OT cyber program against safety, regulatory, and operational reality — what the program should look like in 24 months and how to get there from where it is today.
Most OT cybersecurity work is delivered in isolation — assessed against a single framework, scored, and handed back. NWTS Consulting works the way industrial assets actually run. Every engagement evaluates cyber risk simultaneously against process and functional safety, regulatory exposure, and operational continuity. The output is one defensible risk picture that engineering, compliance, operations, and the board can each use without reconciling three different reports.
Cyber risk is assessed against the operator's existing process hazard analysis, LOPA, and SIS design — not in parallel to them. Where the asset is offshore or marine, the work integrates with SEMS, the ISM Code, and class-society expectations. Findings route into the same safety case the regulator already reads.
Multi-framework gap analysis with sequencing logic — identifying overlapping obligations across NIS2, SEVESO III, OSHA PSM, MTSA, 30 CFR 250, TISAX, and TSA Security Directives so that one control set, properly evidenced, satisfies multiple regulators rather than being re-engineered for each.
Roadmaps that respect plant turnaround windows, drilling and voyage cycles, vendor patch cadences, and engineering MOC. Recommendations are sequenced for the asset's actual operating rhythm — not a generic remediation calendar that engineering will quietly ignore.
Every engagement starts in one of these six domains and frequently spans several. The work is technical when it must be and executive when it should be — the through-line is defensible decisions, documented to the standard the auditor will reach for and tied to the consequences the operator actually owns.
Quantitative and qualitative risk assessment grounded in ISA/IEC 62443-3-2, NIST SP 800-30, and SP 800-82 Rev. 3, mapped to plant safety consequence and tied to the operator's existing process hazard analysis. Results route into the same risk register the COO already reads.
Cybersecurity Management Systems built to ISA/IEC 62443-2-1 and NIST CSF 2.0, scoped to operate alongside the corporate ISMS, the site's safety management system, and the corporate risk function. Not a binder — a working operating system for OT security.
Translating regulatory text into engineering decisions. NIS2 essential-entity obligations, SEVESO III safety-and-security crossover, 30 CFR 250 for offshore, MTSA for waterfront and marine, TISAX for OEM supply, ITAR for technical data, OSHA PSM where cyber affects mechanical integrity.
Reference architectures for level-0 to level-3.5 segmentation, secure remote access, data diode and DMZ patterns, IDMZ design, behind-the-meter generation and DER assets, and integration with safety instrumented systems. Vendor-neutral, defensible, and built to survive the next plant turnaround.
Pre-acquisition technology diligence, post-deal integration risk, underwriter-grade cyber risk assessments, and CISO benchmarking before or during a new mandate. Reporting calibrated to the audience — engineering depth for engineers, decision clarity for boards, loss-scenario rigor for underwriters.
Deep-sector engagements where the asset class itself shapes the methodology. Offshore drilling and production, marine and shipyard, wholesale fuel rack and terminal automation, and retail fuel and forecourt OT. Each carries its own regulator, its own controls vocabulary, and its own operating cadence.
A non-exhaustive index of the deliverables most often requested. Each is sized to the asset, the regulator, and the decision the client is trying to defend. Every capability is delivered against the safety / regulatory / operational triad described above.
A working catalogue, not an aspirational one. Each framework below is one we routinely apply, map across, or interpret for clients — and where multiple jurisdictions collide, sequence so the operator isn't paying twice for the same control.
The technical core. Where cyber risk and process-safety integrity meet. The four standards in this group are routinely cross-applied in chemical, energy, and offshore engagements — and the cyber-functional-safety bridge is the discipline most operators still under-invest in.
The standards that codify the discipline most chemical and process operators have not yet absorbed at scale. See § 05 Forward Practice for the diagnostic.
The site-level safety regulation regimes where cyber compromise can drive consequence into safety-relevant scope. Increasingly material under SEVESO inspection and OSHA enforcement.
The live regulatory and class perimeter for offshore drilling, production, and marine assets. IACS UR E26 / E27 became mandatory for vessels contracted for construction from 1 July 2024; IMO MSC.428(98) is now embedded in the ISM Code as a Document of Compliance audit point.
The horizontal regulatory regimes governing cyber risk management, incident reporting, and product-side security obligations. Multi-jurisdictional sequencing matters here — the same control set, properly evidenced, can satisfy more than one regulator.
The methodology stack and management-system standards used as translation layers, evidence frameworks, and ISMS interfaces. Rarely the primary driver, regularly the supporting reference.
Compliance is the floor, not the ceiling. NWTS Consulting maintains an active forward practice in two areas where the next decade of industrial cyber will be decided: human factors in operating control systems — drawing on the aviation and academic lineage that defined the discipline, and which the chemical and process industries have so far largely left on the table — and the trajectory of Industry 5.0. These work areas inform every other engagement.
Most OT incidents touch a human decision somewhere — an alarm flood that obscured the warning, an HMI that confused the response, a remote-access procedure bypassed because it was operationally awkward. The discipline that takes this seriously was not invented in industrial cyber. It came out of aviation — military and commercial — through the academic work that turned post-accident analysis into a body of practice. The chemical and process industries have not absorbed it at scale, despite owning the very standards (ISA-101, ISA-18.2) that codify parts of it. The standards sit on the shelf; the discipline that animates them has stayed thin on the ground.
The practice draws on this heritage and applies it to OT cybersecurity: designing systems and procedures around predictable human error rather than expecting the operator to be the infinitely robust last line of defense. Cyber risk gets more durable when the human-facing surface is engineered to ISA-101, ISA-18.2, and ISO 11064 — and softer when it isn't.
Industry 4.0 was a layer of networked automation and the data fabric above it. Industry 5.0 is the corrective: human-centric, resilience-oriented, and sustainable by design. For OT cybersecurity that means human-machine teaming with auditable authority boundaries, cobot integration that doesn't compromise SIS functions, AI-assisted operations under defensible human oversight, and resilience that survives the operational year rather than just the audit window. The advisory work happens now, before the regulator catches up.
Every engagement is bespoke, but most map to one of three commercial structures. Tell us the decision you're trying to make and we'll tell you which model fits.
Fixed-scope, fixed-fee work with a defined deliverable. Best for assessments, architecture reviews, CSMS builds, rig selection reports, terminal automation reviews, and audit-readiness sprints.
Ongoing senior advisory presence — for the operator who needs the perspective without the headcount. Includes board reporting, KRI cadence, on-call regulatory interpretation, and shipyard or turnaround period oversight.
Time-boxed diligence work for M&A counsel, PE sponsors, underwriters, and reinsurers — including site-portfolio and terminal acquisitions. Reporting calibrated to the deal calendar and the audience that has to sign.
NWTS Consulting is the technical consulting division of Northwest Technical Services LLC, a Texas limited liability company headquartered in Magnolia, Texas. The practice was established in 2021 and reorganized as an LLC to deliver focused, vendor-neutral OT/IACS cybersecurity, governance, and risk advisory to asset owners and operators in regulated industries.
The practice is built around a simple premise: OT cyber risk is fundamentally an engineering problem with a governance wrapper, and it cannot be managed apart from the safety and regulatory regimes the asset already lives within. Every engagement aligns cyber to safety, regulatory, and operational consequence simultaneously — producing a coordinated risk picture that engineering, compliance, and operations all defend together.
Direct hands-on experience with OT/IACS environments spans chemical manufacturing; energy full-stream including downstream wholesale fuel rack and terminal operations and retail forecourt OT; offshore drilling and production; marine and shipyard; process and discrete manufacturing; and site acquisition, architecture, automation, and compliance work across new-site and portfolio-acquisition contexts.
The forward practice in human factors and Industry 5.0 is deliberate, and pointed. The chemical and process industries have engaged with the human factors discipline far less than they should have — and OT cybersecurity that ignores the operator and the trajectory of human-centric automation will age badly.
Engagements are scoped to the asset, the regulator, and the decision being made. Where the work calls for capabilities or credentials beyond those carried in the practice, NWTS Consulting assembles teams from a curated network of senior independent practitioners — each engagement disclosing the named specialists involved, with the client approving every individual before commencement. The practitioner the client scopes with is the practitioner who delivers; subcontracting, where it occurs, is declared up-front.
Statement of Qualifications, individual practitioner credentials, professional references, and insurance documentation are furnished to qualified prospects under NDA. A consulting practice that advises on cyber risk and social engineering should not itself be a soft target — the absence of detailed practitioner profiles published online is a deliberate operational control, not an oversight.
Most useful first conversations are 30 minutes, under NDA, and focused on a specific upcoming decision: an audit, an acquisition, a rig selection, a shipyard period, a terminal due diligence, a board cycle, a regulator inquiry, a new role. Send a one-paragraph note — we'll respond within one business day.
For new engagements, diligence inquiries, and counsel-routed introductions. Encrypted email available on request — PGP key on file. Statement of Qualifications and Certificate of Insurance furnished on request.
Northwest Technical Services LLC · NWTS Consulting division. Texas-headquartered, U.S.-based. Engagements delivered globally; site work scheduled around plant turnaround, drilling, terminal, and shipyard timelines.
▸ NWTSERV.COM · NWTS CONSULTING · EST. 2021