🛡️ Saudi NCA OTCC / GCC Toolkit

Meet Saudi NCA OTCC OT Incident-Response Expectations
with AI-Powered OT/ICS Tabletop Scenarios

The Saudi National Cybersecurity Authority's OT Cybersecurity Controls (OTCC-1:2022, with ECC alignment) expect operators of critical national infrastructure to establish and periodically test an OT incident-response capability. CyberICS delivers 300+ ready-to-run OT scenarios — wiper containment, desalination and refinery process manipulation, EPC/vendor access compromise — with AI-generated After Action Reports as the periodic test record. It anchors readiness across GCC regimes.

OTCC-1:2022 — OT Incident-Response Capability Tested
ECC-Aligned Governance & Reporting
National CERT / Sector-Regulator Reporting
GCC Anchor — Regional Wiper History Taken Seriously
Start Free — 14-Day Trial Talk to Our GCC / Middle East Team
Compliance Note: CyberICS's exercise scenarios reference the Saudi NCA OT Cybersecurity Controls (OTCC-1:2022) and Essential Cybersecurity Controls (ECC) as part of a structured training and preparedness program. Exercising on this platform supports — but does not replace — formal NCA assessment and compliance, which requires engagement with your cybersecurity governance function and the relevant national authorities. Consult qualified legal and compliance counsel for official determinations.
Applicability

Who Must Comply with NCA OTCC

The OT Cybersecurity Controls apply to operators of OT/ICS environments within Saudi critical national infrastructure, with ECC alignment. The controls expect a tested OT incident-response capability and continuity arrangements — both tracked here as live practice clocks.

⚡ Energy & Utilities CNI Operators

Oil & gas, power, and water operators running OT/ICS environments within scope of the OTCC must establish, and periodically test, an OT incident-response capability with national reporting to the CERT and sector regulator.

💧 Desalination & Process Facilities

Water-production and process facilities must exercise process-integrity response — dosing/brine-recovery setpoint tampering, safe-state decisions, and product-quality assessment with public-supply consequences.

🏗️ EPC-Heavy Megaprojects

Operators commissioning plants via EPC contractors — a dominant regional risk pattern — must exercise compromised third-party access, mid-commissioning re-credentialing, and controller-logic verification against baselines.

Standards Alignment

OTCC / ECC Domains — How CyberICS Maps to Each

The OTCC incident-management and BCM domains, with ECC governance alignment, are the ones most directly addressed by tabletop exercises. The periodic OT-IR test and OT-BCM test are tracked as live practice clocks.

NCA OTCC / ECC Domain Mapping Reference

Relevance: Direct = exercise explicitly required  |  Supporting = exercise validates controls  |  Scenario = scenario content covers the threat domain

Standard Title Key Requirement Addressed CyberICS Capability Relevance
OTCC IM OT Incident Management & Response Establish and periodically test the OT incident-response capability (OTCC-1:2022), with escalation, isolation authorities, and evidence handling. A formal, evaluated OT-IR exercise with named roles; the AAR is the periodic test record on the 12-month practice clock. Direct
ECC 2-13 Cybersecurity Incident & Threat Management Detection escalation, national reporting thresholds, and coordinated response for cybersecurity incidents. In-exercise reporting-decision timestamps for national CERT / sector-regulator notification; drip micro-drills reinforce thresholds. Direct
OTCC/ECC BCM OT Business Continuity & Recovery Test business-continuity and recovery arrangements covering OT environments after a destructive event. A BCM activation exercise restoring OT from backups (one generation fails); measured recovery findings feed the remediation tracker. Direct
ECC 4-1 Third-Party & EPC Access Control and monitor third-party and contractor access to OT; contain a compromised EPC access path. EPC/vendor scenarios exercise severing and re-credentialing access mid-commissioning and verifying controller logic against baselines. Scenario
OTCC OT Prot. OT Protection & Safety Integration Protect the process and integrate safety when OT is manipulated; make safe-state decisions. Desalination and refinery-utilities scenarios exercise safe-state reversion, product-quality assessment, and utility/health coordination. Scenario
ECC Governance Governance, Roles & Coordination Demonstrate cybersecurity roles, reporting, and multi-site coordination across the enterprise. Participation records and framework-tagged decision logs; the capstone multi-site campaign exercises national coordination and board decisioning. Supporting
Platform Capabilities

How CyberICS Directly Supports NCA OTCC Readiness

Three platform capabilities work together to test the OT incident-response capability and produce the evidence an NCA assessment expects.

🎲
OT-IR Periodic Test

Documented Exercise Execution

Live Session mode provides a structured, real-time exercise environment. Participants join by code, respond to scenario steps, and all activity is timestamped — creating an auditable exercise record.

  • Timestamped participant activity log
  • Step-by-step scenario walkthrough record
  • Host control bar with session metadata
  • Exercise duration and completion record
📋
OT-IR Periodic Test

AI-Generated After Action Report

CyberICS's AI engine generates a structured AAR immediately after each exercise — documenting gaps identified, recommended corrective actions, and framework alignment.

  • Structured gap analysis with severity ratings
  • Framework reference per identified gap
  • Corrective action recommendations
  • Downloadable PDF in minutes, not days
📄
Audit Evidence Package

Compliance Evidence Export

The Compliance Dashboard generates per-framework evidence packages — a multi-page audit PDF covering exercise log, controls mapping, gap analysis, remediation timeline, and formal attestation page.

  • Exercise date, participants, and scenario record
  • Framework controls coverage map
  • Gap-to-remediation timeline
  • Attestation page for compliance files
Scenario Library

GCC OT Scenarios — Ready to Run

Six high-fidelity OT scenarios reflecting the region's real threat pattern are immediately available, sequenced from foundational to advanced. Each exercises OTCC procedures across your OT, national-reporting, and executive teams.

IT/OT Boundary
Wiper on the OT Boundary

A Shamoon-lineage wiper detonates across corporate workstations; staging artifacts sit on the OT jump servers — not yet fired. Tests boundary isolation before a kill-time, national reporting, and foothold hunting.

OTCC IM ECC 2-13 Containment
Water Production
Desalination Process Manipulation

Dosing and brine-recovery setpoints drift outside spec, traced to an off-hours engineering session. Tests verified-safe-state reversion, product-water assessment, and utility/health coordination.

OT Protection Safety Public Supply
Third-Party Access
EPC / Vendor Remote Access Compromise

During commissioning, the EPC contractor's remote platform is breached; their accounts hold DCS write access. Tests mid-commissioning re-credentialing, logic verification, and schedule-vs-security pressure.

ECC 4-1 Vendor Commissioning
Formal Exercise
OT-IR Capability Test (Formal)

A planned, evaluated exercise on a refinery-utilities scenario — OT-SOC escalation, isolation authorities, national reporting thresholds, and recovery rights. Deviations become the periodic test record.

OTCC IM Periodic Test Governance
Business Continuity
BCM Activation — OT Recovery

The wiper destroys OT historians and engineering servers at one site. Tests BCM activation, rebuild from gold images (one generation fails), safe restart sequencing, and ministry-level status reporting.

OTCC BCM Recovery Executive
Multi-Site Campaign
Coordinated Campaign + Sector Coordination

Both gas-processing sites show the same pattern within hours; the national CERT calls first. Tests parallel site response under one crisis structure, indicator sharing, and board-level curtailment decisions.

National Coord Crisis Board

Plus 59 additional scenarios across Power, Water, Manufacturing, Maritime, and more — adaptable across GCC regimes. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation — Every Exercise

Every CyberICS exercise automatically generates four categories of evidence that map directly to OTCC / ECC documentation expectations.

📋
After Action Report (AAR)

AI-generated structured PDF with gap analysis, corrective actions, and framework references. Ready within minutes of exercise completion.

OT-IR Periodic Test Record
📈
Compliance Evidence Package

Multi-page per-framework audit PDF: exercise log, controls mapping, gap analysis, remediation timeline, and signed attestation page.

OTCC / ECC Domains
🕑
Session Activity Transcript

Timestamped record of all participant responses, host actions, and step progression. Demonstrates real exercise activity to auditors.

National Reporting Log
🔗
Gap-to-Ticket Tracking

Gaps identified in the exercise are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail.

Remediation Evidence

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Test Your OT Incident-Response Capability?

Start free with a 14-day trial — no credit card required. Or talk to our GCC team about OTCC exercise programs across your production sites.

Also explore: IEC 62443 Toolkit  ·  ISO 27001 Toolkit  ·  NIST SP 800-82 Toolkit