Saudi Arabia Strengthens National Cyber Posture with OT Cybersecurity Controls Regulations

Saudi Arabia’s National Cybersecurity Authority (NCA) has fulfilled the strategic priority of updating cybersecurity guidance from 2018 to include cutting edge measures to protect national critical infrastructure and industrial sites from cyber attack.
Picture of Courtney Schneider

Courtney Schneider

Saudi Arabia Strengthens National Cyber Posture with OT Cybersecurity Controls Regulations

In recent years, Saudi Arabia has put in place a detailed and comprehensive set of regulations to strengthen national cybersecurity for critical infrastructure and OT networks. Specifically, the Saudi National Cybersecurity Authority (NCA) recently published Operational Technology Cybersecurity Controls (OTCC-1:2022), which outlines controls that must be implemented by applicable organizations as an extension to the NCA’s Essential Cybersecurity Controls (ECC-1: 2018). These measures are compulsory at applicable organizations, and such organizations must comply with not only the NCA’s mandate, but also Royal Decree #57231 (national law).

These guidelines recognize, above all, the necessity to have a distinct set of cyber controls tailored for industrial control systems (ICS) and operational technology (OT) to maximize protection and minimize physical consequences on the networks that maintain national stability and security.

“The NCA’s OTCCs are guidelines for all industrial operations in the Kingdom and are to be applied to industrial and critical control systems that are government operated, as well as private sector organizations which host critical national infrastructure (CNI).”

Applicability

Saudi Arabia Critical InfrastructureThe NCA’s OTCCs are guidelines for all industrial operations in the Kingdom and are to be applied to industrial and critical control systems that are government operated, as well as private sector organizations which host critical national infrastructure (CNI). Industrial Control Systems applies to all networks, systems and devices used to operate or automate industrial processes and therefore fall under the mandate of this regulation. They apply to ICS that reside in facilities deemed critical, operated by the government, private sector organizations operating or owning CNI (whether they are domestic or located abroad). Critical facilities are considered those whose sabotage or mis-operation would lead to the disruption or shut-down of the operations of the organization. That said, these controls are encouraged by the Saudi government to be applied to all OT networks as best practices.

Get a complimentary copy of Andrew Ginter’s latest book
Engineering-grade OT Security – A Manager’s Guide

Based on ECC-1:2018

For a bit of context, the OTCC-1:2022 are an extension of the 2018 Essential Cybersecurity Controls (ECC-1:2018) which were originally developed by the Saudi NCA to protect critical systems and sensitive data. The ECC-1:2018 was created to broadly establish minimum cybersecurity requirements for national organizations in the Kingdom of Saudi Arabia. 

Like the 2022 controls, the ECC-1:2018 is based on an analysis of national and international cybersecurity frameworks, standards, and best practices.  The ECC-1:2018 includes the following categories:

  • Focus: Protecting the confidentiality, integrity, and availability of information,

  • Domains: Five main domains, 29 subdomains, and 114 controls,

  • Themes: Strategy, people, processes, and technology, and

  • Scope: Applies to government organizations, companies, and private sector organizations that own, operate, or host Critical National Infrastructures (CNIs).

The ECC-1:2018 outlines steps for organizations to identify, avoid, or mitigate security risks. The controls attempt to encourage a multi-faceted defense strategy against a range of cyber threats. The 2022 OTCC regulations are an extension of this baseline cybersecurity set of standards to extend to more nationally critical operational networks that present unacceptable levels of consequences when not appropriately protected.

OTCC Security Levels

Logo of Saudi National Cybersecurity AuthorityThere are three OT security control levels defined in the OTCC-1:2022 document. Facilities are assigned to one of these levels of criticality based entirely on an assessment of consequences of compromise, consequences for health, safety & environment, and national economy and security. Level 1 is the highest criticality level. The NCA has issued a tool (OTCC:1-2022 Facility Level Identification Tool) to walk applicable sites through the process of determining which of the three levels of criticality applies to the site. All Level 3 (low) security controls also apply to Level 2 and Level 1 facilities, and all Level 2 (medium) controls also apply to Level 1 (high) facilities.

The Operational Technology Cybersecurity Controls document (OTCC) is structured into four main OTCC Domains: Governance, Defense, Resilience, and Third Party Cybersecurity (i.e.: supply chain).

How Waterfall Unidirectional Gateways streamline compliance with OTCC

There are several required controls and sub-controls where Waterfall Unidirectional Security Gateways can assist or fulfill compliance for applicable organizations for the OTCC Guidelines. The main four control areas are ICS Project Management, Identity & Access Management, System Protection, Network Security Management, and Business Continuity Management.

Cybersecurity Risk Management

Sub-Control 1-3-1-7 states that, in the event of risk acceptance, alternative cybersecurity controls must be clearly defined, documented, approved by the Authorizing Official, and implemented effectively for a defined period of time while reassessing the risk continuously. For the most critically sensitive ICS, it is very often necessary to accept the risk of vulnerabilities because it is difficult to patch systems promptly. This latter is because of the need to carry out exhaustive testing of new security updates and patches to assure that the new software does not itself introduce unacceptable risk to safety-critical or reliability-critical malfunctions in the physical process. Thus critical systems often have no choice but to accept the risk of software that is out of date at least temporarily and must implement compensating measures. Waterfall’s Unidirectional Security Gateways are powerful compensating measures. When deployed as recommended – as the sole connection between IT & OT networks – the gateways are physically incapable of propagating a cyber attack from the IT network back into the OT network to reach still-vulnerable assets.

Identity and Access Management

Control 2-2. Identity and Access Management is another sub-control which closely aligns with Waterfall’s technology offering. Sub-control 2-2-1-1 effectively forbids what other standards call “shared trusts,” where OT systems trust credentials managed in an IT network. Such shared trusts are singularly dangerous – a common attack technique on IT networks is to compromise the identity management system, e.g. a Windows Active Directory Server, in order to create new OT credentials so that attackers can simply connect to OT assets through IT/OT firewalls, log into those assets using the new credentials, and work their will upon the OT network. Waterfall’s Unidirectional Gateways render such shared trusts impossible, because IT credential information and permissions are not physically able to be communicated through an outbound-only Unidirectional Gateway.

Sub-control 2-2-1-7 stipulates that remote access to OT networks must be restricted and only enabled when necessary and justified. Waterfall’s Unidirectional Gateways support a range of remote access technologies to implement this control. Waterfall’s Secure Bypass product is hardware that provides protected OT sites with physical control over when and for how long conventional software-based, 2FA remote access is enabled. Waterfall’s Remote Screen View provides remote support personnel with a physically read-only view of activity inside the OT network, so that they can provide advice to site personnel without ever engaging in dangerous remote control. And Waterfall’s new HERA product provides true hardware-enforced, unattended remote access, with session recording and monitoring facilities.

Safety-Instrumented Systems

Section 2-3-1 specifies a number of controls that must be applied Safety-Instrumented Systems (SIS) – the very most sensitive systems in most OT facilities, tasked with protecting human life and the environment. Waterfall’s Unidirectional Gateways directly address the needs of requirement 2-3-1-1 which requires advanced techniques to reliably prevent the propagation of malware and advanced attacks from any external source into SIS systems and networks. Waterfall’s Unidirectional Gateways, deployed to connect SIS systems and networks to OT networks, enable real-time monitoring of SIS components, while physically preventing malware, interactive attacks and other cyber-sabotage attack information from penetrating into SIS components.

Tamper-Proof Forensics

In terms of system logs protection in requirement 2-3-1-10, the Waterfall BlackBox provides a tamper-proof online repository that can survive a cyber attack, preventing attackers from hiding evidence of how they entered a network and their malicious actions within it. Just as an aircraft’s black-box survives a crash, the Waterfall BlackBox survives a cyber attack – keeping protected system logs secure from external tampering. The Waterfall BlackBox also provides unidirectional protection for logs preventing all external tampering and sabotage with hardware-enforced technology.

Network Security Management

When it comes to the 16 sub-controls in section 2-3-1, almost all of these controls are thoroughly satisfied by the use of Unidirectional Gateways. These sub-controls include requirements for:

  • Logical or physical segmentation of the OT/ICS environment,

  • Segmentation of Safety Instrumented Systems (SIS),

  • Limitations of network connection points between different criticality zones,

  • Prevention of direct remote authentication and access on external-facing hosts,

  • Limited accessibility to services with known vulnerabilities must be limited to the greatest extent possible,

  • Dedicated gateways to segment OT/ICS networks from corporate zone, and

  • Strict limitation of industrial protocols and ports to the minimum to meet operational, maintenance, and safety requirements.

 

Unlike firewalls which provide logical, software and rules-based data filtering, Unidirectional Gateways are hardware-enforced; physically enabling only the outbound transfer of information while providing physical protection from inbound attacks. This physical protection is the strongest network segmentation available in the marketplace that maintains straightforward integration of OT systems and data with IT-based business automation systems essential to efficient operations.

Security Monitoring

Section 2-11-1 include ten requirements for security monitoring. What is not said in the regulation is where the monitoring information is used. In practice, most OT organizations have a central Security Operations Center (SOC) that aggregates and analyses monitoring information from all of the organization’s facilities. Unidirectional Gateway technology helps enormously in facilitating this central aggregation and analysis.

Unidirectional Gateways are routinely configured to transmit logs, Syslog, SNMP traps and other alerts from OT sources to a central IT SOC, through an outbound Unidirectional Gateway deployed at the IT/OT interface. In addition, OT network intrusion detection (IDS) sensors are most easily managed by IT SOC analysts when those sensors are hosted on IT networks. The Waterfall for IDS product is a Common-Criteria-certified technology that replicates switch mirror and SPAN ports to IT IDS sensors for analysis, without risk of attacks pivoting back through those IDS sensors into OT networks.

Cybersecurity Resilience and Business Continuity

Sub-controls 3-1-1-1 Activities necessary to sustain minimum operations of OT/ICS systems and 3-1-1-5 In the event of a system failure due to a cyberattack, OT/ICS assets or systems must operate on an acceptable safe mode to achieve a continuous operation, reinforce the OT security principle to keep a base level of operational functionality in the event of an enterprise or IT networks outage or compromise.

Unidirectional Gateways are powerful tools to support this objective. When Unidirectional Gateways, oriented from the OT network to the IT network, are the sole connection between IT and critical OT networks, no malware, ransomware or compromise of IT systems can “leak” through the gateways into OT networks to put physical operations at risk.

How Waterfall is an Obvious Partner in OTCC Compliance Efforts

Waterfall is proud to protect the most secure industrial sites in the world. To this end, Unidirectional Gateway technology is meeting the most ambitious internal security goals as well as compulsory regulatory requirements, resulting in continuous, reliable and untampered operational networks. Saudi Arabia’s OTCC requirements is an excellent step in both securing its own national infrastructure as well as providing a strong example and guidance to other nations’ critical infrastructures and heavy industries. Waterfall’s Unidirectional Gateways are powerful tools in pursuit of secure-by-design goals and objectives, secure remote access to critical networks, the strongest of network segmentation, and the goal of maintaining operational continuity in the face of IT/enterprise network compromise. For more information, please visit waterfall-security.com or write to us at info@waterfall-security.com.

About the author
Picture of Courtney Schneider

Courtney Schneider

Share

Stay up to date

Subscribe to our blog and receive insights straight to your inbox