Category: OT Cybersecurity

  • Saudi Arabia’s OTCC Framework: What Regulators Require and What It Means for Infrastructure Projects

    The Regulatory Context

    Saudi Arabia has one of the most developed OT cybersecurity regulatory frameworks in the Middle East. The National Cybersecurity Authority’s Operational Technology Cybersecurity Controls — known as the OTCC — establish the baseline requirements that critical infrastructure operators in the Kingdom are expected to meet. This is not a voluntary standard or a best-practice guideline. It is a regulatory expectation, and the NCA’s enforcement engagement across sectors has been progressively increasing.

    The OTCC applies to organizations that own or operate critical national infrastructure in Saudi Arabia: energy, water, transport, communications, health, and financial services. If you are delivering or operating infrastructure in any of these sectors in the Kingdom, the OTCC defines your regulatory baseline for OT security.

    The Five OTCC Domains

    OT Cybersecurity Governance is the first domain and the foundational one. It covers the organizational policies, roles, and responsibilities that define how OT security is managed at the institutional level. This includes a designated OT security function (not just reliance on the IT security team), documented policies for OT asset management, change control, and risk management, and integration of OT security into the organization’s overall risk management framework. Governance means accountability: someone in the organization needs to own OT security, have the authority to make decisions about it, and have the resources to execute those decisions.

    OT Risk Management is the second domain. It requires formal OT security risk assessments conducted on a defined cadence, maintenance of an accurate and current OT asset inventory (which most organizations do not have), and implementation of a risk treatment plan that addresses identified vulnerabilities in a prioritized and documented way. The risk management discipline the OTCC requires is not a one-time compliance exercise. It is an ongoing management practice that needs to be embedded in the organization’s standard operating procedures.

    OT Security Controls covers the technical measures that protect OT environments. Network segmentation between IT and OT networks is the most fundamental control — and the one most frequently absent in older facilities. Access controls, including multi-factor authentication for remote connections, govern who can reach OT systems. Configuration management for controllers and systems ensures that changes to OT system configurations are tracked, approved, and reversible. Patch management processes must be designed for the OT environment, which often cannot be patched on the same schedule as IT systems without affecting process continuity.

    OT Security Operations covers the monitoring, detection, and incident response capabilities that enable organizations to identify threats and respond to them. This is the area where most OT environments are most exposed. Network monitoring that is standard in enterprise IT — intrusion detection, anomaly alerting, traffic analysis — is frequently absent in OT networks. The monitoring gap is significant: you cannot detect and respond to threats you cannot see.

    OT Supply Chain Security addresses the security of third-party vendors, integrators, and service providers who have access to OT systems. This is particularly relevant for infrastructure projects where the controls vendor, commissioning team, and ongoing support provider all typically have remote access paths into the OT environment. The OTCC requires that these access paths be managed — not just opened and forgotten.

    What This Means for Project Design

    For infrastructure projects in design or construction, OTCC requirements translate into specific design decisions that need to be made while the project is still being engineered. Network architecture must provide appropriate IT/OT segmentation. Control system design must accommodate the access control requirements the OTCC specifies. Commissioning procedures must include OT security validation alongside process safety validation.

    The critical point is timing. These are not features that can be economically retrofitted after commissioning. They are design decisions. A network segmentation architecture specified at 30% design completion costs a fraction of what the same segmentation costs after a system has been commissioned with a flat network architecture.

    At Concept Dash, our OT cybersecurity team, working with our NACSA-licensed cybersecurity partner, helps project teams translate OTCC requirements into design specifications and commissioning requirements before the design window closes. Reach out for a complimentary gap assessment if your infrastructure project has not yet addressed OT security in the design scope.

  • What an OT Security Assessment Actually Involves: A Practical Guide for Infrastructure Projects

    Making OT Cybersecurity Practical

    Over the past weeks I have made the case that OT cybersecurity is an engineering design problem, not an IT department problem. This article makes that case practical: what does an OT security assessment actually involve, what does it produce, and what does it mean for the way a project is designed and delivered?

    What an OT Security Assessment Is

    An OT security assessment is a structured evaluation of the cybersecurity posture of an operational technology environment. It covers the systems that control physical processes — PLCs (Programmable Logic Controllers), SCADA systems (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), SIS (Safety Instrumented Systems), HMI workstations (Human Machine Interfaces), and the network infrastructure that connects them.

    For infrastructure projects, the most relevant international framework is IEC 62443 — the international standard for industrial automation and control systems security. In Saudi Arabia, the NCA’s Operational Technology Cybersecurity Controls (OTCC) establish the regulatory baseline. These two frameworks overlap significantly and together define what good OT security looks like in this region and market.

    Scope of a Comprehensive OT Assessment

    Asset inventory and identification is the starting point. This sounds simple; it rarely is. Most operational facilities do not have an accurate, current inventory of their OT assets — what controllers they have, what software versions they run, how they are connected, who has access to them. Building that inventory is a prerequisite for everything else. Without it, you cannot assess vulnerability, cannot prioritize mitigation, and cannot demonstrate compliance.

    Network architecture review examines how the OT network is structured and how it relates to the corporate IT network and external connectivity. The fundamental principle of OT network security is segmentation — the OT network should be separated from the IT network by a defined boundary (typically a demilitarized zone) that controls and monitors the flow of information between them. Many operational facilities, particularly those built before OT cybersecurity became a serious design consideration, have flat network architectures where IT and OT systems are on the same network segment. This is the condition that made the Triton attack possible: the attackers could reach the safety controllers from the corporate network because the segmentation boundary did not exist.

    Vulnerability assessment identifies specific known vulnerabilities in the OT assets identified in the inventory. OT systems run specialized software: real-time operating systems, controller firmware, and HMI applications. Those HMI applications often run on versions of Windows that Microsoft no longer supports, because the OT vendor’s engineering software has not been updated to run on current Windows versions and the vendor’s update schedule is not aligned with Microsoft’s. This creates a patching problem that is fundamentally different from IT security: in IT, the answer to an unpatched operating system is to update it; in OT, the update may break the process control application, and the update cycle is measured in years, not months.

    Access control review examines who has access to OT systems and how that access is managed. Remote access — used by controls vendors for monitoring and support — is one of the most significant and most under-controlled access paths in OT environments. Many OT systems have remote access channels installed by vendors during commissioning that remain active, unmonitored, and without multi-factor authentication for the life of the system.

    Incident response assessment covers the organization’s capability to detect, respond to, and recover from OT security incidents. In most OT environments, this capability is underdeveloped or absent. There is no OT-specific incident response procedure. There is no OT network monitoring that would alert operations staff to anomalous activity. The water treatment attack in Oldsmar, Florida succeeded in reaching the SCADA system because there was no monitoring that would have detected the intrusion — it was caught by a human who happened to be watching.

    Assessment Output and Project Integration

    A properly scoped OT security assessment produces a risk-ranked findings report, a gap analysis against the applicable framework (IEC 62443 and/or NCA OTCC), and a remediation roadmap that prioritizes findings by risk level and provides specific technical and procedural recommendations for each.
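    The scope items above (asset inventory, network architecture, vulnerability, access control, incident response) and the risk-ranked findings report this section describes can be shown together as a small gap check run over an inventory. The following is an added example written for this page; it is not Concept Dash’s tooling and not an NCA or IEC 62443 artifact. The inventory, the zone names (IT, DMZ, OT), the severity scale and the rule thresholds are all constructed assumptions; the rules only encode the checks the article names: OT and IT assets sharing a segment, IT-to-OT flows that bypass the DMZ, unsupported operating systems on OT hosts, vendor remote access without MFA, and OT assets with no monitoring coverage.

```python
"""Gap check over a constructed OT asset inventory.

Added example, not Concept Dash's tooling and not an NCA/IEC artifact.
Inventory, zone names and severity ordering are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed severity scale; lower rank sorts first in the findings report.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Asset:
    name: str
    kind: str                     # e.g. PLC, DCS, SIS, HMI, ERP, Historian
    zone: str                     # assumed zone labels: IT, DMZ or OT
    subnet: str                   # CIDR the asset sits on
    os: str = ""                  # empty for controllers with no host OS
    os_supported: bool = True     # vendor/Microsoft support still available
    remote_access: bool = False   # a vendor remote path into this asset exists
    mfa: bool = False             # MFA enforced on that remote path
    monitored: bool = False       # covered by OT network monitoring


@dataclass
class Finding:
    severity: str
    area: str      # assessment area from the article
    asset: str
    detail: str


def check_segmentation(assets, allowed_flows):
    """Network architecture: OT and IT must not share a segment, and an
    IT-originated flow must terminate in the DMZ, never directly in OT."""
    findings = []
    zones_on = {}
    for a in assets:
        zones_on.setdefault(ip_network(a.subnet), set()).add(a.zone)
    for net, zones in zones_on.items():
        if {"IT", "OT"} <= zones:
            findings.append(Finding("High", "network architecture", str(net),
                                    "IT and OT assets share one segment (flat network)"))
    zone_of = {a.name: a.zone for a in assets}
    kind_of = {a.name: a.kind for a in assets}
    for src, dst in allowed_flows:
        if zone_of.get(src) == "IT" and zone_of.get(dst) == "OT":
            sev = "Critical" if kind_of[dst] == "SIS" else "High"
            findings.append(Finding(sev, "network architecture", dst,
                                    f"direct flow from IT host {src} bypasses the DMZ"))
    return findings


def check_assets(assets):
    """Per-asset checks for the vulnerability, access control and
    incident response (monitoring) areas; only OT-zone assets are in scope."""
    findings = []
    for a in assets:
        if a.zone != "OT":
            continue
        if a.os and not a.os_supported:
            findings.append(Finding("High", "vulnerability", a.name,
                                    f"runs unsupported OS {a.os}"))
        if a.remote_access and not a.mfa:
            findings.append(Finding("High", "access control", a.name,
                                    "vendor remote access without MFA"))
        if not a.monitored:
            sev = "High" if a.kind == "SIS" else "Medium"
            findings.append(Finding(sev, "incident response", a.name,
                                    "no OT network monitoring coverage"))
    return findings


def assess(assets, allowed_flows):
    """Risk-ranked findings list: Critical first, then High, Medium, Low."""
    findings = check_segmentation(assets, allowed_flows) + check_assets(assets)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.area, f.asset))


def gap_summary(findings):
    """Open findings per assessment area (the gap-analysis view)."""
    summary = {}
    for f in findings:
        summary[f.area] = summary.get(f.area, 0) + 1
    return summary


# Constructed sample inventory: illustrative values, not a real facility.
SAMPLE_ASSETS = [
    Asset("erp-01", "ERP", "IT", "10.10.0.0/24", "Windows Server 2022"),
    Asset("hist-dmz", "Historian", "DMZ", "10.20.0.0/24", "Windows Server 2019", monitored=True),
    Asset("hmi-01", "HMI", "OT", "10.10.0.0/24", "Windows 7", os_supported=False,
          remote_access=True, mfa=False),
    Asset("plc-01", "PLC", "OT", "10.30.1.0/24", monitored=True),
    Asset("sis-01", "SIS", "OT", "10.30.2.0/24"),
]
# Constructed firewall allow-list as (source, destination) pairs.
SAMPLE_FLOWS = [("erp-01", "hist-dmz"), ("hist-dmz", "plc-01"), ("erp-01", "sis-01")]

if __name__ == "__main__":
    report = assess(SAMPLE_ASSETS, SAMPLE_FLOWS)
    for f in report:
        print(f"[{f.severity:8}] {f.area:22} {f.asset:14} {f.detail}")
    print(gap_summary(report))
```

    On the constructed inventory the report leads with the Critical finding (an IT host allowed straight through to the safety system), then the four High findings, then the Medium one, which is the ordering a remediation roadmap would follow. The point the check makes concrete is the one the article makes in prose: every rule needs the inventory fields (zone, subnet, OS support status, remote path, monitoring coverage), so an incomplete inventory silently turns into missing findings rather than a clean report.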

    For projects in design or construction, the assessment findings translate directly into design specifications. Network segmentation requirements become network architecture drawings. Access control requirements become commissioning standards. Monitoring requirements become scope items for the control system integrator.

    This is where the design stage timing matters most. Incorporating OT security requirements into the design scope costs a fraction of retrofitting them after commissioning. A network segmentation architecture specified at 30% design becomes a standard part of the control system procurement. The same requirement identified after a system has been commissioned requires physical network modifications, software reconfiguration, and often a controls vendor engagement that costs 10-20 times what the original specification would have cost.

    Concept Dash’s OT cybersecurity team offers complimentary gap assessments for infrastructure operators in Saudi Arabia. If your facility or program has not addressed OT security in the design scope, reach out before the design is committed — not after.

  • The Blind Spot in Infrastructure Delivery: OT Cybersecurity and the Triton Attack

    The Attack That Targeted Physical Destruction

    In 2017, a cyberattack hit a petrochemical facility in Saudi Arabia. Not the corporate network. Not the email server. The Safety Instrumented System — the engineered last line of defence designed to prevent explosions, chemical releases, and loss of life when process conditions exceed safe operating limits.

    The malware was called Triton. Also known as TRISIS. It was purpose-built to compromise Schneider Electric’s Triconex safety controllers — systems installed in facilities precisely because they are supposed to be the failsafe when everything else goes wrong. The intent of the attack was not data theft. It was not ransomware. It was physical destruction of the facility and harm to the people working in it.

    The only reason it did not succeed was a coding error in the malware that triggered a plant shutdown before the payload fully deployed. The attackers were sophisticated enough to develop malware targeting a specific safety controller platform. They made a programming mistake that triggered an emergency shutdown — which alerted the facility’s security team to the intrusion.

    That was 2017. The capability that failed in 2017 has had eight years to improve.

    This Is Not an Isolated Event

    In 2021, an attacker gained access to the SCADA system of a water treatment plant in Oldsmar, Florida, and attempted to increase sodium hydroxide levels to 100 times the safe concentration. The attack was spotted by an operator watching his screen in real time. There was no automated alert. No intrusion detection system. No OT network monitoring. Just a human who happened to be looking at the HMI at the right moment.

    In 2015 and 2016, coordinated cyberattacks on Ukraine’s power grid caused blackouts affecting hundreds of thousands of people. The attackers did not target the utility’s IT network primarily. They targeted the operational technology systems that control circuit breakers and distribution substations — the systems that physically switch power on and off across the grid.

    These are not IT security problems that the IT department should have caught and prevented. They are attacks on the Operational Technology systems that control physical processes — and they are successful precisely because OT environments are almost never designed with cybersecurity as a requirement.

    The Design Gap That Creates the Vulnerability

    Most infrastructure facilities being designed, built, and commissioned today have the following in common: the engineering team designed the SCADA architecture. The controls integrator programmed the PLCs and DCS. The facility was commissioned and handed over. And at no point in that process did anyone assess whether the OT network is properly segmented from the corporate IT network, whether the HMI workstations are running patched operating systems, whether the remote access paths used by the controls vendor for ongoing support are secured against unauthorized access.

    This is not a technology gap. The technologies for OT network segmentation, OT-appropriate access control, and OT network monitoring exist and are proven. It is a design gap. OT cybersecurity requirements are not included in project scope because they are not understood as engineering design requirements — they are perceived, incorrectly, as an IT operational concern that someone else will handle after commissioning.

    Why the Middle East Is a High-Priority Target

    The combination of factors that makes the Middle East a high-value target environment for OT-focused threat actors is well documented in the threat intelligence community. Concentration of critical infrastructure — energy, water, petrochemical, transport — in a geopolitically significant region. Rapid digitalization and connectivity of operational systems that were previously air-gapped. A geopolitical environment that motivates state-sponsored threat actors with the capability and patience to conduct sophisticated OT attacks.

    Triton targeted a Saudi facility. The most capable OT malware ever publicly analysed was built specifically to attack infrastructure in this region. That is not a coincidence, and it is not a threat that has diminished since 2017.

    What Infrastructure Engineers Need to Do Now

    OT cybersecurity should be on every infrastructure project’s risk register, from early design through commissioning and into operations. Not as a future consideration. Now. Specifically, this means including OT security requirements in the project scope at the design stage, engaging OT security specialists to review the control system architecture before it is locked, and ensuring that commissioning procedures include OT security validation alongside process safety validation.

    The frameworks exist. IEC 62443 provides the international standard for industrial control system security. In Saudi Arabia, the NCA’s Operational Technology Cybersecurity Controls (OTCC) establish the regulatory baseline that critical infrastructure operators are expected to meet. Understanding and designing to these frameworks is a professional responsibility for anyone delivering infrastructure in this region.

    Concept Dash’s OT cybersecurity team — working through our partnership with a NACSA-licensed cybersecurity firm — provides OT gap assessments and security design services for infrastructure projects in Saudi Arabia and the GCC. The cost of an assessment at design stage is a fraction of the cost of a compliance finding, a breach, or a physical safety incident after commissioning.