The Saudi National Cybersecurity Authority's OT Cybersecurity Controls (OTCC-1:2022, with ECC alignment) expect operators of critical national infrastructure to establish and periodically test an OT incident-response capability. CyberICS delivers 300+ ready-to-run OT scenarios — wiper containment, desalination and refinery process manipulation, EPC/vendor access compromise — with AI-generated After Action Reports as the periodic test record. It anchors readiness across GCC regimes.
The OT Cybersecurity Controls apply to operators of OT/ICS environments within Saudi critical national infrastructure, with ECC alignment. The controls expect a tested OT incident-response capability and continuity arrangements — both tracked here as live practice clocks.
Oil & gas, power, and water operators running OT/ICS environments within scope of the OTCC must establish, and periodically test, an OT incident-response capability with national reporting to the CERT and sector regulator.
Water-production and process facilities must exercise process-integrity response — dosing/brine-recovery setpoint tampering, safe-state decisions, and product-quality assessment with public-supply consequences.
Operators commissioning plants via EPC contractors — a dominant regional risk pattern — must exercise compromised third-party access, mid-commissioning re-credentialing, and controller-logic verification against baselines.
The OTCC incident-management and BCM domains, with ECC governance alignment, are the ones most directly addressed by tabletop exercises. The periodic OT-IR test and OT-BCM test are tracked as live practice clocks.
| Standard | Title | Key Requirement Addressed | CyberICS Capability | Relevance |
|---|---|---|---|---|
| OTCC IM | OT Incident Management & Response | Establish and periodically test the OT incident-response capability (OTCC-1:2022), with escalation, isolation authorities, and evidence handling. | A formal, evaluated OT-IR exercise with named roles; the AAR is the periodic test record on the 12-month practice clock. | Direct |
| ECC 2-13 | Cybersecurity Incident & Threat Management | Detection escalation, national reporting thresholds, and coordinated response for cybersecurity incidents. | In-exercise reporting-decision timestamps for national CERT / sector-regulator notification; drip micro-drills reinforce thresholds. | Direct |
| OTCC/ECC BCM | OT Business Continuity & Recovery | Test business-continuity and recovery arrangements covering OT environments after a destructive event. | A BCM activation exercise restoring OT from backups (one generation fails); measured recovery findings feed the remediation tracker. | Direct |
| ECC 4-1 | Third-Party & EPC Access | Control and monitor third-party and contractor access to OT; contain a compromised EPC access path. | EPC/vendor scenarios exercise severing and re-credentialing access mid-commissioning and verifying controller logic against baselines. | Scenario |
| OTCC OT Prot. | OT Protection & Safety Integration | Protect the process and integrate safety when OT is manipulated; make safe-state decisions. | Desalination and refinery-utilities scenarios exercise safe-state reversion, product-quality assessment, and utility/health coordination. | Scenario |
| ECC Governance | Governance, Roles & Coordination | Demonstrate cybersecurity roles, reporting, and multi-site coordination across the enterprise. | Participation records and framework-tagged decision logs; the capstone multi-site campaign exercises national coordination and board decisioning. | Supporting |
Three platform capabilities work together to test the OT incident-response capability and produce the evidence an NCA assessment expects.
Live Session mode provides a structured, real-time exercise environment. Participants join by code, respond to scenario steps, and all activity is timestamped — creating an auditable exercise record.
CyberICS's AI engine generates a structured AAR immediately after each exercise — documenting gaps identified, recommended corrective actions, and framework alignment.
The Compliance Dashboard generates per-framework evidence packages — a multi-page audit PDF covering exercise log, controls mapping, gap analysis, remediation timeline, and formal attestation page.
Six high-fidelity OT scenarios reflecting the region's real threat pattern are immediately available, sequenced from foundational to advanced. Each exercises OTCC procedures across your OT, national-reporting, and executive teams.
A Shamoon-lineage wiper detonates across corporate workstations; staging artifacts sit on the OT jump servers — not yet fired. Tests boundary isolation before a kill-time, national reporting, and foothold hunting.
Dosing and brine-recovery setpoints drift outside spec, traced to an off-hours engineering session. Tests verified-safe-state reversion, product-water assessment, and utility/health coordination.
During commissioning, the EPC contractor's remote platform is breached; their accounts hold DCS write access. Tests mid-commissioning re-credentialing, logic verification, and schedule-vs-security pressure.
A planned, evaluated exercise on a refinery-utilities scenario — OT-SOC escalation, isolation authorities, national reporting thresholds, and recovery rights. Deviations become the periodic test record.
The wiper destroys OT historians and engineering servers at one site. Tests BCM activation, rebuild from gold images (one generation fails), safe restart sequencing, and ministry-level status reporting.
Both gas-processing sites show the same pattern within hours; the national CERT calls first. Tests parallel site response under one crisis structure, indicator sharing, and board-level curtailment decisions.
Plus 59 additional scenarios across Power, Water, Manufacturing, Maritime, and more — adaptable across GCC regimes. Browse the full library →
Every CyberICS exercise automatically generates four categories of evidence that map directly to OTCC / ECC documentation expectations.
AI-generated structured PDF with gap analysis, corrective actions, and framework references. Ready within minutes of exercise completion.
Multi-page per-framework audit PDF: exercise log, controls mapping, gap analysis, remediation timeline, and signed attestation page.
Timestamped record of all participant responses, host actions, and step progression. Demonstrates real exercise activity to auditors.
Gaps identified in the exercise are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start free with a 14-day trial — no credit card required. Or talk to our GCC team about OTCC exercise programs across your production sites.
Also explore: IEC 62443 Toolkit · ISO 27001 Toolkit · NIST SP 800-82 Toolkit