Tag: critical infrastructure compliance

  • The NCA OTCC Compliance Gap: Why 77% of Saudi Infrastructure Operators Are Exposed

    The Compliance Gap Is Real and Documented

    The National Cybersecurity Authority’s assessments of OT cybersecurity posture across Saudi Arabia’s critical infrastructure sectors consistently find a significant gap between the OTCC requirements and the actual security posture of operational facilities. Industry analysis suggests that a substantial majority of OT environments in the Kingdom’s critical infrastructure — estimates range from 65-80% — do not fully meet the OTCC baseline requirements.

    This is not a surprising finding to anyone who has assessed OT environments in the Kingdom. Most of the facilities currently operating in Saudi Arabia’s energy, water, transport, and industrial sectors were designed and commissioned before OT cybersecurity was a defined engineering requirement. The control systems are functional and often well-maintained from a process engineering perspective. But the cybersecurity dimensions — network segmentation, access control, monitoring, incident response capability — were not part of the original design scope because they were not required when the systems were built.

    Why the Gap Exists

    The OT cybersecurity compliance gap in Saudi Arabia has three primary sources.

    Legacy systems designed without security. Most operational OT environments in the Kingdom were commissioned between the 1980s and the 2010s — before OT cybersecurity frameworks existed and before the threat landscape had developed to the point where OT attacks were considered a realistic operational risk. The engineers who designed those systems were not negligent; they designed to the standards and threat understanding of their time. But the systems they designed are now connected to broader networks in ways that were not anticipated, running software versions that are no longer supported, and exposed to threat actors whose capability has grown significantly since commissioning.

    The IT/OT organizational split. In most Saudi critical infrastructure operators, the IT function and the OT function are organizationally separate and often have limited interaction. IT security teams understand network security, identity management, and cyber incident response in the IT context. OT engineering teams understand process control, instrumentation, and operational continuity. The intersection — OT cybersecurity — requires both sets of expertise, and the organizational structure rarely creates effective collaboration between them.

    Project scope exclusion. Even new facilities being designed and commissioned now frequently do not include OT cybersecurity requirements in their design scope. The project team is an engineering team. The controls integrator is a specialist in process control, not cybersecurity. Unless OT cybersecurity requirements are explicitly included in the project scope — which requires the project owner to specify them and the project team to price them — they will not appear in the delivered system.

    The Regulatory Trend

    The NCA’s enforcement engagement across sectors has been progressively increasing. The OTCC is not a voluntary framework and the NCA’s posture has shifted from guidance and awareness to compliance assessment and enforcement. Organizations that are not addressing the compliance gap are accumulating regulatory exposure that is distinct from — and in addition to — the operational security risk they carry.

    The enforcement approach the NCA has developed draws on the model established by other mature regulatory frameworks for critical infrastructure: assessment of compliance posture against the framework requirements, identification of material gaps, issuance of remediation requirements with defined timelines, and escalating consequence for organizations that fail to demonstrate progress against those requirements.

    What Organizations Need to Do

    The practical path to OTCC compliance starts with an honest assessment of current posture: not a self-assessment produced by the OT engineering team, which will reflect only what that team knows how to assess, but an independent OT security assessment conducted by specialists with both OT knowledge and cybersecurity expertise. That assessment establishes the gap against the OTCC framework, prioritizes findings by risk level, and produces a remediation roadmap that the organization can execute against.

    For facilities currently in design or construction, the most cost-effective approach is to address OT security requirements in the design scope before the network architecture is locked and before control system procurement is completed. Changing a network architecture at 60% design is expensive. Changing it after commissioning is very expensive. Not changing it and receiving a compliance finding is potentially more expensive still.

    Concept Dash offers complimentary OT gap assessments for infrastructure operators in the Kingdom. If your facility is among the majority that have not yet fully addressed the OTCC compliance requirements, a conversation now is significantly less expensive than a compliance enforcement action later. Visit conceptdash.ca or send a direct message.