Saudi Arabia: Adopted Operational Technology Cybersecurity Controls for Infrastructure Providers

In April 2022, the National Cybersecurity Authority (NCA) of Saudi Arabia adopted the Operational Technology Cybersecurity Controls (OTCC-1:2022). The OTCC was developed as part of Saudi Arabia's Vision 2030 initiative and serves to establish cybersecurity standards for critical infrastructure. The OTCC apply to Industrial Control Systems in government organisations and private organisations operating Critical National Infrastructure. The OTCC is aligned with international cybersecurity standards and best practices, thereby extending the NCA's Essential Cybersecurity Controls (ECC). The OTCC is comprised of four domains: Governance, Defence, Resilience, and Third-Party Cybersecurity. These domains encompass a total of 47 main controls and 122 subcontrols. Each domain is designed to secure different aspects of OT, covering policies, roles, risk management, asset protection, access control, and related matters. The document places considerable emphasis on the necessity of ongoing compliance and the importance of regular audits, including self-assessment and third-party evaluations.