The Regulatory Context
Saudi Arabia has one of the most developed OT cybersecurity regulatory frameworks in the Middle East. The National Cybersecurity Authority’s Operational Technology Cybersecurity Controls — known as the OTCC — establish the baseline requirements that critical infrastructure operators in the Kingdom are expected to meet. This is not a voluntary standard or a best-practice guideline. It is a regulatory expectation, and the NCA’s enforcement engagement across sectors has been progressively increasing.
The OTCC applies to organizations that own or operate critical national infrastructure in Saudi Arabia: energy, water, transport, communications, health, and financial services. If you are delivering or operating infrastructure in any of these sectors in the Kingdom, the OTCC defines your regulatory baseline for OT security.
The Five OTCC Domains
OT Cybersecurity Governance is the first domain and the foundational one. It covers the organizational policies, roles, and responsibilities that define how OT security is managed at the institutional level. This includes a designated OT security function (rather than relying only on the IT security team); documented policies for OT asset management, change control, and risk management; and integration of OT security into the organization’s overall risk management framework. Governance means accountability: someone in the organization needs to own OT security, have the authority to make decisions about it, and have the resources to execute those decisions.
OT Risk Management is the second domain. It requires formal OT security risk assessments conducted on a defined cadence, maintenance of an accurate and current OT asset inventory (which most organizations do not have), and implementation of a risk treatment plan that addresses identified vulnerabilities in a prioritized and documented way. The risk management discipline the OTCC requires is not a one-time compliance exercise. It is an ongoing management practice that needs to be embedded in the organization’s standard operating procedures.
OT Security Controls covers the technical measures that protect OT environments. Network segmentation between IT and OT networks is the most fundamental control, and the one most frequently absent in older facilities. The domain also covers access controls, including multi-factor authentication for remote connections; configuration management for controllers and systems, ensuring that changes to OT system configurations are tracked, approved, and reversible; and patch management processes designed for the OT environment, which often cannot be patched on the same schedule as IT systems without affecting process continuity.
OT Security Operations covers the monitoring, detection, and incident response capabilities that enable organizations to identify threats and respond to them. This is the area where most OT environments are most exposed. Network monitoring that is standard in enterprise IT — intrusion detection, anomaly alerting, traffic analysis — is frequently absent in OT networks. The monitoring gap is significant: you cannot detect and respond to threats you cannot see.
OT Supply Chain Security addresses the security of third-party vendors, integrators, and service providers who have access to OT systems. This is particularly relevant for infrastructure projects where the controls vendor, commissioning team, and ongoing support provider all typically have remote access paths into the OT environment. The OTCC requires that these access paths be managed — not just opened and forgotten.
What This Means for Project Design
For infrastructure projects in design or construction, OTCC requirements translate into specific design decisions that need to be made while the project is still being engineered. Network architecture must provide appropriate IT/OT segmentation. Control system design must accommodate the access control requirements the OTCC specifies. Commissioning procedures must include OT security validation alongside process safety validation.
The critical point is timing. These are not features that can be economically retrofitted after commissioning. They are design decisions. A network segmentation architecture specified at 30% design completion costs a fraction of what the same segmentation costs after a system has been commissioned with a flat network architecture.
At Concept Dash, our OT cybersecurity team — working through our partnership with our NACSA-licensed cybersecurity partner — helps project teams translate OTCC requirements into design specifications and commissioning requirements before the design window closes. Reach out for a complimentary gap assessment if your infrastructure project has not yet addressed OT security in the design scope.