The Operational Technology Cybersecurity Controls (OTCC)

What does it mean to you and your organisation?

As part of the Kingdom of Saudi Arabia’s (KSA) ‘Vision 2030’ programme, the National Cybersecurity Authority (NCA) was established. The NCA launched the Essential Cybersecurity Controls (ECC), which consisted of five domains, including Domain 5 – Industrial Control Systems (ICS) Cybersecurity.

The ECC set the minimum cybersecurity requirements for organisations within its scope and laid down the compliance and monitoring requirements those organisations must meet. Domain 5 contained a single subdomain, 5-1 Industrial Control Systems (ICS) Protection, which was further split into four controls. This was deemed sufficient at the time, pending further research and feedback.

Fast forward a couple of years and advances in Operational Technology (OT) and ICS forced a complete review of how successful Domain 5 had been. Following that review, the NCA launched the new and much improved Operational Technology Cybersecurity Controls (OTCC-1:2022) for implementation as an extension to the ECC.

What is the OTCC?

The OTCC focuses on how in-scope organisations must improve their overall cybersecurity posture which, in turn, contributes to the KSA national cybersecurity goals. It contains:

  • 4 Main Domains
    • Cybersecurity Governance
    • Cybersecurity Defence
    • Cybersecurity Resilience and
    • Third-Party Cybersecurity
  • 23 Subdomains
  • 47 Main Controls
  • 122 Sub-controls

These are addressed across the 4 traditional cybersecurity pillars of:

  • Strategy
  • People
  • Process
  • Technology

Who does it cover?

Organisations within scope include government organisations that own or operate ICS in facilities deemed critical, as well as private-sector organisations that own, operate or host Critical National Infrastructure (CNI), even if they are not based in the Kingdom. Therefore, if your organisation has interests or assets in the Kingdom that fall under the umbrella of CNI, you will have responsibilities and requirements under the OTCC.

Tools to help

To help organisations determine whether they are within scope, and at what level the requirements apply, the NCA has issued a Facility Level Identification Tool and an Assessment and Compliance Tool, both of which are linked below.

The Facility Level Identification Tool determines which of three levels your facility falls into and, as a result, how many controls and sub-controls you must satisfy: Level 1 (L1) has 151 controls and sub-controls (which includes all L2 and L3 controls), whereas L3 has only 56. The level depends on:

  • The criticality, consequences and impact on the availability of the organisation’s business and services
  • Any negative impact on the Health, Safety and/or Environment of the organisation and
  • The negative impact on the KSA national economy, national security or social influence

Level | Description | Number of controls
Level 1 (L1) | The criticality level of the facility is High and an incident will have severe adverse effects, consequences and/or impacts to operations, assets, resources or the Health, Safety and Environment (HSE) of the organisation. | 151 controls and sub-controls (including all L2 and L3 controls)
Level 2 (L2) | The criticality level of the facility is Moderate and an incident may have significant effects, consequences and/or impacts to operations, assets, resources or the Health, Safety and Environment (HSE) of the organisation. | 117 controls and sub-controls (including all L3 controls)
Level 3 (L3) | The criticality level of the facility is Low and an incident may have moderate adverse effects, consequences and/or impacts to operations, assets, resources or the Health, Safety and Environment (HSE) of the organisation. | 56 controls and sub-controls

The 3 OTCC Control Levels based on the outcome of the Facility Level Identification Tool

Compliance will initially be assessed through self-assessment (similar to the NIS Cyber Assessment Framework (CAF) process), followed by a series of audits and/or field visits by either NCA staff or designated third parties.

How can Siker help you?

Here at Siker, we can assist you with completing the self-assessment, or with other activities that give you a clearer understanding of your overall posture for reporting purposes. These activities can include:

  • Asset discovery and inventory
  • Architecture reviews and assessments
  • Risk assessments (IT and IEC 62443-3-2) and Cyber PHA
  • Functional Safety Assessments
  • Penetration testing and physical site assessments
  • Incident response planning including OT playbook creation
  • Incident exercising and drills
  • Staff capability assessments including gap analysis and Training Needs Analysis
  • OT Cybersecurity Governance including Policy and Procedures
  • Structured awareness and training

Author – Tim Harwood, CEO, Siker Limited

References: