The Operational Technology Cybersecurity Controls (OTCC)
What does it mean to you and your organisation?
As part of the Kingdom of Saudi Arabia’s (KSA) ‘Vision 2030’ programme, the National Cybersecurity Authority was established and launched the Essential Cybersecurity Controls (ECC) which consisted of 5 domains including Domain 5 – Industrial Control Systems (ICS) Cybersecurity.
The ECC set the minimum cybersecurity requirements for organisations that fall within the scope and lays down requirements for compliance and monitoring to be carried out by those organisations. Domain 5 was subdivided into one sub-Domain 5-1 Industrial Control Systems (ICS) Protection which was further split into 4 Controls. This was deemed sufficient at the time until further research and feedback could be received.
Fast forward a couple of years and the advancements in Operational Technology (OT) and ICS forced a complete review of how successful Domain 5 was. Following the review, the NCA has launched the new and much improved, Operational Technology Cybersecurity Controls (OTCC-1:2022) for implementation as an extension to the ECC.
What is the OTCC?
The OTCC will focus on how applicable organisations must improve their overall cybersecurity posture which, in turn, will contribute to the KSA National cybersecurity goals and contains:
- 4 Main Domains
- Cybersecurity Governance
- Cybersecurity Defence
- Cybersecurity Resilience and
- Third-party cybersecurity
- 23 Subdomains
- 47 Main Controls
- 122 Sub-controls
These are addressed across the 4 traditional cybersecurity pillars of:
- Strategy
- People
- Process
- Technology
Who does it cover?
Organisations within the scope include government organisations that own or operate ICS that reside in facilities deemed critical as well as private sector organisations that own, operate or host Critical National Infrastructures (CNIs) even if they are not in the Kingdom. Therefore, if your organisation has interests or assets in the Kingdom that fall under the umbrella of CNI, you will have responsibilities and requirements under the OTCC.
Tools to help
To help organisations understand whether they are within scope or not as well as identifying the level of your requirements, the NCA issued a Facility Level Identification Tool as well as an Assessment and Compliance Tool, both of which are linked below.
The Facility Level Identification Tool will define which of three levels your organisation falls into and, as a result, how many controls/sub-controls you must satisfy e.g. Level 1 (L1) has 151 controls and sub-controls (which includes all L2 and L3 controls) whereas L3 only has 56. This is dependent on:
- The criticality, consequences and impact on the availability of the organisations business and services
- Any negative impact on Health, Safety and/or Environment of the organisation and
- The negative impact on the KSA national economy, national security or social influence
Level | Description | Number of Controls |
Level 1 (L1) | The criticality level of the facility is High and an incident will have severe adverse effects, consequences and/or impacts to operations, or assets, resources or the health, Safety and Environment (HSE) of the organisation | 151 controls and sub-controls (including all L2 and L3 controls) |
Level 2 (L2) | The criticality of the facility is Moderate and an incident may have significant effects, consequences and/or impacts to operations, assets, resources or the Health, Safety and Environment (HSE) of the organisation. | 117 controls and sub-controls (including all L3 controls) |
Level 3 (L3) | The criticality of the facility is Low and an incident may have moderate adverse effects, consequences and/or impacts to operations, assets, resources or Health, Safety and Environment (HSE) of the organisation. | 56 controls and sub-controls |
The 3 OTCC Control Levels based on the outcome of the Facility Level Identification Tool
Organisational compliance will be initially a self-assessment process (similar to the NIS CAF process) followed by a series of audits and/or field visits by either the NCA staff or designated third parties.
How can Siker help you?
Here at Siker, we can assist you with completion of the self-assessment or other activities to aid you with discovering a better understanding of your overall posture for reporting purposes. These activities can include:
- Asset discovery and inventory
- Architecture reviews and assessments
- Risk assessments (IT and 62443-3-2) and Cyber PHA
- Functional Safety Assessments
- Penetration testing and physical site assessments
- Incident response planning including OT playbook creation
- Incident exercising and drills
- Staff capability assessments including gap analysis and Training Needs Analysis
- OT Cybersecurity Governance including Policy and Procedures
- Structured awareness and training
Author – Tim Harwood, CEO, Siker Limited
References:
- NCA Home Page – https://www.nca.gov.sa
- ECC Home Page – https://www.nca.gov.sa/en/legislation?item=191&slug=controls-list
- OTCC Home Page – https://www.nca.gov.sa/en/legislation?item=195&slug=controls-list
- Facility Level Identification tool – https://nca.gov.sa/OTCC_Facility_level_Identification_Tool.xlsx
- OT Compliance and Assessment tool – https://backend.nca.gov.sa/api/public/cms/files/c1bfb4c5-cb24-4815-b97a-23381b867bd2_OTCC-1-2022-Assessment-and-Compliance-Tool.xlsx