What’s in the Standard
This ICS security standard document provides the minimum controls that need to be incorporated or addressed for any ICS system that has been determined to be critical. The current version of the standard identifies only certain control system networks in Qatar’s electric sector as critical. The scope of this document is therefore directly comparable to the scope of the North American NERC CIP standards. The document describes which security controls are optional and which are required, but provides little explanation as to why these controls were selected, or what risks they are intended to address.
This document is to be used together with a suitable risk-based security management program.
The document is an easier read than the NERC CIP standards, and its requirements are a mix of stronger and weaker than those in CIP. Unlike CIP, the Qatari standard does not distinguish between security controls appropriate to networks at different levels of criticality. The document does say unidirectional gateways should be used whenever practical, but provides no examples of where the gateways or any other technology might be practical or impractical.