Saudi Arabia Operational Technology Cybersecurity Controls (OTCC) Explained

Author photo: Larry O'Brien
By Larry O'Brien

Keywords: Saudi Arabia, OT Cybersecurity Controls, Cybersecurity Regulations, Physical Security, Risk-Based Cybersecurity, ARC Advisory Group.


The regulatory environment for OT cybersecurity is heating up as attacks on critical infrastructure persist and the private sector continues to lose billions to ransomware and other forms of cyber-attack. Cyber-attacks have now become a major source of unplanned downtime for industry and infrastructure. Many countries are putting stricter cybersecurity controls in place, mandated at the government level. As the largest crude oil exporter in the world, the Kingdom of Saudi Arabia is no exception. The country’s National Cybersecurity Authority (NCA) released its Operational Technology Cybersecurity Controls (OTCC) in 2022 as a comprehensive cybersecurity mandate to address the country’s own challenges in protecting its national critical infrastructure, which is not just limited to upstream and downstream oil and gas. The OTCC is a comprehensive list of cybersecurity controls that all critical facilities must adhere to. 

Since OTCC is informed by the ISA/IEC 62443 cybersecurity set of standards as well as information from other sources, it’s a great example of a comprehensive set of cybersecurity controls that can be used by any end user in the industrial or critical infrastructure sector to improve their own cybersecurity programs and controls. Automation and OT level cybersecurity suppliers must also be cognizant of OTCC if they are selling products and solutions into the Saudi Arabia market. OTCC has some particularly relevant guidance on areas such as the integration of physical and cybersecurity, cybersecurity of third parties, cybersecurity resilience, and incorporates a risk-based approach.

Cybersecurity ControlsMain Domains of OTCC

OTCC is divided into primary domains of cybersecurity governance, defense, resilience, and third-party cybersecurity. Let’s take a brief look at what is covered in each domain.

Cybersecurity Governance

Governance includes aspects such as policies and procedures, roles and responsibilities, and cybersecurity risk management. Change management, review and audits, and awareness and training are also covered under governance. More importantly, cybersecurity in industrial control system project management is included here, which is becoming an increasing focal point for OT cybersecurity. As end users struggle with inadequate resources, it makes sense to build as much cybersecurity and physical security as possible into the design and engineering of industrial control systems. 

Cybersecurity Defense

Cybersecurity defense covers a broad range of topics, which most end users would normally associate with routine OT cybersecurity functions. Asset management (including asset identification), identity and access management, backup and recovery, pen testing, network security management, data and information protection, event log management, and backup and recovery are all included here. It’s also worth noting that Cybersecurity Defense does encompass mobile device security and physical security, which are key issues that we will discuss more in depth later. 

Cybersecurity Resilience

The cyber resilience aspects of business continuity management are treated as their own domain in OTCC. The Cybersecurity Resilience domain includes implementation of redundant ICS networks, connections and devices, as well as placing OT/ICS cybersecurity requirements into the business continuity plan, business impact analysis, recovery time objectives, and recovery point objectives. 


ARC Advisory Group clients can view the complete report at the ARC Client Portal. 

Please Contact Us if you would like to speak with the author.

You can learn more about cybersecurity at Industrial Cybersecurity Market Analysis Research


Engage with ARC Advisory Group

Representative End User Clients
Representative Automation Clients
Representative Software Clients